Class log: Getting Started in Security with BHIS and MITRE ATT&CK, Day 3
Subject: User Entity Behavior Analytics
Traditional logging is unreliable and a substandard method of discovering IoCs: an unbelievably low 5% of attacks are detected through logs. The solution is to look at multiple logs together and try to understand the context. Sysmon can be very powerful when tuned correctly.
Exercise: Used DeepBlueCLI, a PowerShell module, to check for new users being added (a common attacker technique) and for password spraying. Used BlueSpawn to monitor for attacks, with Atomic Red Team standing in as our malware, and looked at what the results looked like.
Conclusion: Logs without context and the benefit of a holistic perspective don't mean a hill of beans. You need to be using more advanced and multiple methods to paint a more complete picture of what is going on in your system.
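To make the exercise and the conclusion concrete, here is an added example (my own code, not DeepBlueCLI, BlueSpawn or anything from the class) that runs the two checks from the exercise over a constructed set of Windows Security events and then adds the context the conclusion calls for. The event records, IPs, usernames, timestamps, thresholds and the `correlate` function are all assumptions made up for the demonstration; the event IDs are the real Security log IDs (4625 failed logon, 4624 successful logon, 4720 user account created). The spray check flags a source that fails against many distinct accounts in a short window, the new-user check lists every account creation, and the correlation step ties a creation to a successful logon from a spraying source, which is the kind of picture a single log line never gives you.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry).
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4625, "user": "alice", "ip": "10.0.0.50"},
    {"time": "2024-03-01T09:00:02", "id": 4625, "user": "bob", "ip": "10.0.0.50"},
    {"time": "2024-03-01T09:00:04", "id": 4625, "user": "carol", "ip": "10.0.0.50"},
    {"time": "2024-03-01T09:00:06", "id": 4625, "user": "dave", "ip": "10.0.0.50"},
    {"time": "2024-03-01T09:00:08", "id": 4625, "user": "erin", "ip": "10.0.0.50"},
    {"time": "2024-03-01T09:00:10", "id": 4624, "user": "erin", "ip": "10.0.0.50"},
    {"time": "2024-03-01T09:03:00", "id": 4720, "user": "svc_backup", "subject": "erin"},
    # Benign noise: one user mistyping a password three times from a workstation.
    {"time": "2024-03-01T10:00:00", "id": 4625, "user": "frank", "ip": "10.0.0.77"},
    {"time": "2024-03-01T10:00:05", "id": 4625, "user": "frank", "ip": "10.0.0.77"},
    {"time": "2024-03-01T10:00:09", "id": 4625, "user": "frank", "ip": "10.0.0.77"},
    # Routine account creation by the helpdesk with no suspicious context.
    {"time": "2024-03-01T11:00:00", "id": 4720, "user": "jsmith", "subject": "helpdesk"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_password_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: sorted distinct usernames} for every source whose failed
    logons (4625) hit at least `min_users` distinct accounts inside `window`.
    Many failures against ONE account (a forgotten password) do not qualify."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append((parse(e["time"]), e["user"]))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_new_users(events):
    """Every 4720 event as (creating account, created account)."""
    return [(e["subject"], e["user"]) for e in events if e["id"] == 4720]


def correlate(events, window=timedelta(minutes=15)):
    """Context step (assumed design): account creations performed by an account
    that successfully logged on from a spraying source shortly before."""
    sprays = detect_password_spray(events)
    successes = [e for e in events if e["id"] == 4624 and e["ip"] in sprays]
    findings = []
    for creation in (e for e in events if e["id"] == 4720):
        for s in successes:
            delta = parse(creation["time"]) - parse(s["time"])
            if s["user"] == creation["subject"] and timedelta(0) <= delta <= window:
                findings.append({"ip": s["ip"], "compromised": s["user"],
                                 "created": creation["user"]})
    return findings


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(EVENTS))
    print("new users:", detect_new_users(EVENTS))
    print("context:", correlate(EVENTS))
```

On the sample data the spray check names only 10.0.0.50 (the workstation with three failures for one user is ignored), the new-user check lists both creations, and the correlation keeps only the svc_backup creation, because erin logged on from the spraying source minutes earlier. The helpdesk creation of jsmith is the same 4720 event type but carries no such context, which is exactly why the event on its own tells you little.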