A Process is No One: Hunting for Token Manipulation

DerbyCon 8.0 - Evolution

Presented by: Jared Atkinson, Robby Winchester
Date: Friday October 05, 2018
Time: 12:30 - 12:55
Location: Kentucky C & D
Track: Stable

Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk begins with the often overlooked first step of hunt hypothesis generation, which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATT&CK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a detailed case study of detecting access token impersonation/manipulation, from concept to technical execution, by way of the Hypothesis Generation Process.

Jared Atkinson

Jared Atkinson is the Adversary Detection Technical Lead at SpecterOps who specializes in DFIR. Jared spent two years at Veris Group’s Adaptive Threat Division (ATD) and four years with the U.S. Air Force Hunt Team. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, Uproot, and PSReflect Functions.

Robby Winchester

Robby Winchester is an experienced threat hunter and penetration tester. Over the course of his career, he has developed and supervised penetration testing, physical security, and breach assessments for several private sector and government clients. Previously, Robby worked for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments, and worked to integrate information security operations within traditional military operations for the U.S. Air Force’s RED FLAG exercise.
