Leveraging Endpoints to Boost Incident Response Capabilities presented at DeepSecVienna 2018

by Francisco Galian, Mauro Silva, Jules Massey

Summary: In our day-to-day work we constantly see how most organisations fail to respond properly to real incidents, and a lot of the time this is due to a lack of visibility on endpoints. The aim of this talk is to help Blue teams understand what they can do to improve their detection mechanisms, and at the same time to show what matters when responding to a real incident. We have built a lab with an Active Directory and other common crown jewels found in most organisations. Starting from there, we have chosen some of the attacks and techniques that we have faced during incident response cases, from financially motivated threat groups to some APTs. Next, we have ingested the logs produced on the different endpoints and used different incident response techniques to find multiple IOCs that would detect the different attacks.