Explore a comprehensive conference talk on disrupting the kill chain in a Windows environment. Delve into a defender's approach to minimizing cyber adversary access and success, building on previous work on defending Microsoft environments at scale. Learn about the most effective and efficient controls in Windows 10 and associated Microsoft systems for disrupting the kill chain. Examine the Lockheed Martin kill chain in conjunction with the MITRE ATT&CK framework and understand how the two are combined to build a defense model. Discover specific capabilities of the Windows subsystem for detecting and responding to the stages of an attack lifecycle, including persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, execution, collection, exfiltration, and command and control. Gain insight into a working defense model that addresses several attack categories using higher-efficiency controls, with sample deployment guides available on GitHub. Explore methods for collecting and analyzing logging and monitoring data at scale, including Windows Event Forwarding, Sysmon deployment, and Windows Defender telemetry data. Learn about the automated remediation and incident response capabilities built into Windows Defender ATP, including hands-free triage and remediation through automation playbooks. Investigate basic malware hunting techniques such as frequency analysis, process trees, and other indicators of suspicious behavior. Conclude with a reinforcement of the importance of basic hygiene and properly implemented controls in effectively disrupting the kill chain.
Syllabus
15 - BruCON 0x0A - Disrupting the Kill Chain - Vineet Bhatia
Taught by
BruCON Security Conference