Tech Level: Low
This is a workshop about how to think well under adversarial circumstances. In this workshop, we’ll re-use some ideas deriving from philosophy of science and systems thinking to determine what is true in incident response, how what is held to be true may change during an investigation through a process of revision, and how teams can best handle the constraints on their behavior and thinking under conditions of uncertainty.
This workshop will draw on a number of traditions, especially philosophy of science and systems thinking.
Philosophers of science have long considered the creation, operation and nature of epistemic structures – scientific theories – that need to be true to be valuable. They have done so by focusing on how we develop and test explanations and theories. Another focus is the features good explanations have in comparison to poor or erroneous explanations.
In addition, we’ll use some ideas from systems thinking that will allow us to map out our current situation and its likely evolution in times of uncertainty, allowing us to act in the environment we find ourselves in. The focus on action entails that we act on information that is true, operate within the boundaries set by constraints, and operate in the way that is most effective.
The approach focuses on the principles that govern incident response and how they can regulate our behavior even when the endpoint of our interventions isn’t clearly in scope.
Tech Level: Medium
This hands-on workshop is where you will learn about AWS services involved with threat detection and response as we walk through real-world scenarios.
Learn about the threat detection capabilities of AWS and some of the available response options. For each hands-on scenario, we review methods to detect and respond to threats in AWS accounts and considerations for monitoring and automation.
Tech Level: Medium
Participants will each receive a dedicated cloud-hosted lab environment that they will access using their own laptop via a web interface (participant devices will simply require a modern web browser (Chrome, Safari, Firefox, Edge) using conference Wi-Fi or their own mobile hotspots). This lab will be largely preconfigured and based on the open source tool Splunk attack_range (https://attack-range.readthedocs.io/en/latest/index.html), and will utilise open source tooling from Atomic Red Team (ART) to simulate common techniques from MITRE ATT&CK and perform analysis of the resulting data in Splunk. Participants will be guided step by step through this process and gain an understanding of how to perform attack simulation and analyse the resulting data using open source tooling they can adapt to suit their own purposes. We will also provide a detailed overview and demonstration of the process to configure and build the lab environments so they can use this knowledge in their own time after the workshop (their lab environments will be preconfigured for the sake of time/efficiency). We will also cover techniques to build efficient and high-fidelity detection of threats through alignment with MITRE ATT&CK, using an approach that can be adapted to other security analytics or SIEM solutions based on the data generated from these attack simulations.