When a bad guy gets control of one system – that’s bad enough for you but it’s seldom enough for them. They need to spread out like a deadly fungus, taking over a succession of accounts and systems in order to find what they are looking for or to reach a critical mass of pwned systems, to where they can pull the trigger on an extortion threat.
The good news is, they can’t move around on your network without making some noise. But are you listening? If you are only monitoring domain controller security logs, you are hearing only a fraction of what you should be. The best indicators of lateral movement are only available from the security logs on the servers and workstation endpoints – not domain controllers.
In this Real Training for Free session, we will dive into the Windows Security Log and we are going deep. I will show you:
- how to detect lateral movement attempts only visible from local member servers and workstations
- how to distinguish between lateral movement attempts involving local accounts and domain accounts
- why you can’t see/detect these attacks from domain controller logs
- how to recognize mapping and discovery efforts by attackers
- how to use Windows Firewall to detect strange outbound connection attempts and scanning
This session will draw on events from these categories of Windows Auditing:
- Logon/Logoff
- Account Logon
- Filtering Platform
- Account Management
Enabling auditing for these events is the easy part. Next you need to get all these events to a central place where you can ingest them with the SIEM or analytics system of your choice. That's where our sponsor, LOGbinder, comes in with Supercharger for Windows Event Collection. Barry Vista will briefly demonstrate how, literally within seconds, Supercharger can have every system in your domain sending selected events to a handful of Windows Event Collectors with zero touch.
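As an added example, not part of the webinar or of LOGbinder's own material, the PowerShell below does on a single member server or workstation what the session describes: it enables the audit subcategories behind the four categories listed above, then reads the local Security log for inbound network and RDP logons (event 4624) and labels each as a local or a domain account, and finally summarizes Filtering Platform outbound connections (event 5156) so that one process reaching many hosts on one port stands out. The subcategory names are those reported by `auditpol /get /category:*` on current Windows builds, the event field names are the ones in the event XML, and the local-account test (TargetDomainName equals the computer name) is a heuristic; the reporting thresholds are assumptions. Run it elevated.

```powershell
# Added example (not from the webinar or LOGbinder): local-endpoint view of
# lateral movement from the Windows Security log.

# 1. Audit policy. Subcategory names as used by auditpol; confirm with
#    "auditpol /get /category:*" if your build names them differently.
$subcategories = @(
    'Logon',                          # Logon/Logoff        -> 4624 / 4625
    'Logoff',
    'Credential Validation',          # Account Logon       -> 4776 (NTLM, local accounts)
    'Filtering Platform Connection',  # Filtering Platform  -> 5156 / 5157
    'User Account Management'         # Account Management  -> 4720, 4732, ...
)
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Helper: flatten an event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 2. Inbound logons that only this host sees: type 3 (network: SMB, WMI,
#    PsExec-style service installs) and type 10 (RDP).
function Get-InboundLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.LogonType -in '3', '10') {
            # Heuristic: a local account's TargetDomainName is the computer name,
            # a domain account's is the AD domain. A DC never logs this event for
            # a local account on a member, which is why it is invisible there.
            $isLocal = $d.TargetDomainName -ieq $env:COMPUTERNAME
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Account      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                AccountScope = if ($isLocal) { 'Local' } else { 'Domain' }
                LogonType    = $d.LogonType
                SourceIP     = $d.IpAddress
                SourceHost   = $d.WorkstationName
                AuthPackage  = $d.AuthenticationPackageName
            }
        }
    }
}

# 3. Outbound connections from this host (5156, Direction %%14593 = outbound).
#    Many distinct destinations on one port from one image is the scanning signal.
function Get-OutboundFanOut {
    param([int]$Hours = 1, [int]$MinDestinations = 20)   # threshold is an assumption
    $filter = @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.Direction -eq '%%14593' } |
        Group-Object { "$($_.Application)|$($_.DestPort)" } |
        ForEach-Object {
            $dests = ($_.Group | Select-Object -ExpandProperty DestAddress -Unique).Count
            if ($dests -ge $MinDestinations) {
                [pscustomobject]@{ ImageAndPort = $_.Name; Destinations = $dests; Connections = $_.Count }
            }
        } | Sort-Object Destinations -Descending
}

# Report: accounts (machine accounts dropped) by scope and source, then fan-out.
Get-InboundLogons -Hours 24 |
    Where-Object { $_.Account -notmatch '\$$' } |
    Group-Object Account, AccountScope, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

Get-OutboundFanOut -Hours 1 | Format-Table -AutoSize
```

The two reports are the local-only evidence the session refers to: a domain account arriving over type 3 from several source hosts, or a local account used over type 3 at all, shows up here and nowhere on a domain controller; the 5156 fan-out table is the Windows Firewall side of the same picture. Forward both event IDs to your collectors rather than relying on the console output.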
Join us for this technical Security Log focused session.