Searching Logs for Hackers: What You Need to Know and How to Catch Them (presented at SAINTCON 2016)

by Michael Gough

Summary: Commodity malware and advanced attacks are hitting enterprises more often than ever before. When such an attack hits your organization, can you detect it in one hour? One day? What if I were to tell you that I could compromise your backup, management and anti-virus software and use them to persist after reboot? What if I were to then show you how we detected this type of attack with adequately configured Windows logs? This talk covers which tools and methods worked well and what you can start doing today to improve your detection and incident response capabilities, including how commodity malware such as Dridex and APT malware such as Winnti were detected, and how many of the retail PoS breaches could easily have been detected with good logging.
A walk-through of an advanced attack and a commodity attack will be shared: what the attackers did, where they hid, how they persisted and how we detected them. This talk demonstrates why effective log management matters and how a new log and malicious-activity detection tool (LOG-MD) can be used in incident response to discover advanced attacks, alongside other tools used as part of an efficient incident response and active defense program. Resources will also be provided so attendees can begin using this methodology when they return to their workplace. We must learn from, understand and share the information, data and artifacts from publicized breaches and advanced attacks to better defend ourselves against these persistent adversaries.