Modern, sustained attacks (aka APTs) that lead to the data breaches you regularly read about ultimately require the bad guy to deploy and execute one or more pieces of malware on your network. This is true even with the trend toward greater stealth and “living off the land”. For instance, password hash harvesting, pass-the-ticket and other sophisticated techniques require advanced code, not just a few native system utilities.
In the past couple of years, I've shown you a number of different ways to detect new or unknown programs on your network, including:
- Process Tracking Events in the Windows Security Log
- AppLocker Events
- Device Guard Audit Mode in Windows 10
- File Integrity Monitoring
But finding a suspicious program is only the first step. What happens next? How do you determine whether this is a real security issue or just another piece of software that you've never seen before but that isn't actually a threat?
In this webinar I will show you six steps you can take to identify if a program is safe or to flush it out as malware. Some of the resources we will use include:
- National Software Reference Library
- Authenticode signatures
- Indicators of Evil checklist
- Automated checking against malware sites like VirusTotal
- Baselining your environment
- A true quarantine lab
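The first four resources above can be chained into a single first-pass triage of an unknown binary: hash it, check the hash against a known-good set, inspect its Authenticode signature, apply a few indicator checks, and look the hash up on VirusTotal without uploading the file. The PowerShell below is an added example written for this page; it is not code from the webinar or from EventTracker. It assumes that `$KnownGoodHashes` stands in for a locally extracted NSRL RDS hash set (the two values in the usage line are constructed placeholders, not real NSRL entries), that the operator supplies a VirusTotal API key in `$VtApiKey` for the v3 file lookup endpoint, and that the path and file-age checks are illustrative indicators rather than the webinar's own checklist.

```powershell
# Added example: first-pass triage of an unknown executable (not the webinar's code).
function Get-UnknownBinaryTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: a local extract of NSRL-style known-good SHA-256 hashes, uppercase hex.
        [string[]]$KnownGoodHashes = @(),
        # Optional VirusTotal API key; lookup is by hash only, so the file never leaves the network.
        [string]$VtApiKey
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $item = Get-Item -LiteralPath $Path

    # 1. Hash the file (Get-FileHash returns uppercase hex).
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # 2. Known-good check against the offline hash set.
    $inKnownGood = $KnownGoodHashes -contains $sha256

    # 3. Authenticode: Status is Valid, NotSigned, HashMismatch, UnknownError, etc.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # 4. Illustrative indicators (assumption: these are not the webinar's checklist).
    $flags = @()
    if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    if ($item.FullName -notmatch '^[A-Z]:\\(Windows|Program Files|Program Files \(x86\))\\') {
        $flags += 'path:outside-standard-dirs'
    }
    if (((Get-Date) - $item.CreationTime) -lt [TimeSpan]::FromDays(7)) { $flags += 'age:under-7-days' }

    # 5. Optional VirusTotal v3 hash lookup; a 404 means VT has never seen this hash.
    $vtMalicious = $null
    if ($VtApiKey) {
        try {
            $resp = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                                      -Headers @{ 'x-apikey' = $VtApiKey }
            $vtMalicious = $resp.data.attributes.last_analysis_stats.malicious
        } catch {
            $flags += 'vt:not-found-or-error'
        }
    }

    # 6. Verdict: known-good wins, then known-bad, then "needs the quarantine lab",
    #    otherwise it is merely unknown and goes into the local baseline.
    if ($inKnownGood)            { $verdict = 'known-good' }
    elseif ($vtMalicious -gt 0)  { $verdict = "known-bad ($vtMalicious engines)" }
    elseif ($flags.Count -gt 0)  { $verdict = 'suspicious: detonate in quarantine lab' }
    else                         { $verdict = 'unknown: add to baseline after review' }

    [pscustomobject]@{
        Path        = $item.FullName
        SHA256      = $sha256
        InKnownGood = $inKnownGood
        SigStatus   = $sig.Status
        Signer      = $signer
        VtMalicious = $vtMalicious
        Flags       = ($flags -join ';')
        Verdict     = $verdict
    }
}

# Usage. The hashes below are constructed placeholders standing in for an NSRL extract.
$knownGood = @(
    '0000000000000000000000000000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000000000000000000000000000002'
)
Get-UnknownBinaryTriage -Path "$env:windir\System32\notepad.exe" -KnownGoodHashes $knownGood | Format-List
```

Run it against every binary surfaced by Process Tracking, AppLocker or Device Guard audit events and pipe the objects to Export-Csv; anything that lands in the "suspicious" bucket is what the quarantine lab step is for, and anything that lands in "unknown" with a valid, recognised signer is a candidate for your local baseline rather than an alert.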
Distinguishing the unknown from the unsafe is a critical process that requires you to think globally (using threat intelligence gathered world-wide) but to act locally (leveraging the dynamics of your local network and business processes). Our sponsor is EventTracker, and A. N. Ananth will briefly show you how this “think globally/act locally” strategy has been built into EventTracker.
This will be a practical and technical real training for free ™ event. Please join us.