When: Friday, January 29th 12:15 - 13:45
Where: Zoom Meeting ID: 960 9632 6675, Passcode: 535135
https://rwth.zoom.us/j/96096326675?pwd=dUwzWllnTFRETTNaVHJBajBFdUtzdz09
Title: From Network Intrusion Detection To Threat Hunting
Abstract
Cyber attacks pose one of the most challenging risks that many organizations face today. Reports of compromises & leaks are making the mainstream news on a daily basis now, affecting targets from the smallest mom-and-pop online store to national critical infrastructure. Regularly, even some of the best protected networks discover that attackers have been roaming around inside for months unnoticed. While researchers and industry alike have been developing intrusion detection systems for decades, these evidently remain unable to find many such attacks. In this lecture, we revisit some of the classic intrusion detection approaches, along with their challenges and shortcomings in practice. We then examine a different, proactive approach that an increasing number of organizations are now turning to: "threat hunting" flips intrusion detection upside-down by starting from the assumption that attackers are likely inside the network *already*, and then relying primarily on the expertise & skill set of human analysts to uncover them. While intrusion detection and other automation do remain in place, they now support the analysts' investigation rather than drive the process. We conclude by looking at one of the most popular tools among threat hunters: Zeek (formerly Bro), an open source network security monitor providing comprehensive visibility into a network's operation.
Speaker Bio
Robin Sommer is a co-founder, and the CTO, at Corelight, a San Francisco-based startup providing open-core network protection to large enterprises and government organizations. Robin received a doctorate from the Technical University München in 2005. He then joined the International Computer Science Institute (ICSI) in Berkeley, California, as a staff researcher. Over the years, Robin led a range of research efforts on network security and privacy, with an emphasis on high-performance network monitoring in operational settings. Robin leads the technical team behind Zeek, a widely deployed open source network security monitor. In 2013, the creators of Zeek founded Corelight to bring the technology to corporate customers. Robin has served as General Chair for the IEEE Symposium on Security & Privacy, as well as on program & steering committees for a range of academic security conferences.