BlackHat 2017: A Guide to Threat Hunting Utilizing the Elk Stack and PowerShell

While it may seem a bit early to start planning your annual pilgrimage to Vegas for BlackHat 2017, now’s a good time to start talking to your team or your boss about signing on for additional technical trainings during the conference.

Ongoing trainings keep incident responders and researchers learning about new ways to defend against attackers, who continue to hone their skills on a daily basis.

On July 22 - 23 and July 24 and 25, 2017, Cylance will show you how to create your own enterprise-wide hunting platform using ELK with data enrichment feeds. In addition, you’ll learn how to retrieve the data from various endpoints and data sources. You’ll deploy PowerShell scripts across a customized network environment to gather the critical data necessary to respond to an incident.

This course will teach you how to not only set up an ELK server specifically geared to facilitate powerful threat hunting, but will also show you how to collect data efficiently from every single endpoint on your network in a very short span of time, thereby enabling you to proactively hunt on a regular basis. 

Being proactive in security means everything – it helps you prevent attacks before they happen, rather than responding to breaches after the fact.

In this course, you’ll be conducting 3-4 labs each day. Labs will include functional components of building out the ELK stack and its respective modules as well as highlighting how those components can be leveraged to assist you in rooting out malicious activity in your environment.

The days of using Excel logs to find malicious activity are over. Breaches are only expanding in size and complexity, so incident responders need their own way of growing out of the days of using spreadsheets to hunt through mountains of data.

Sign up by May 19 at 11:59 PT to get the early registration rate! 

Trainers

Thomas Pace is a Principal Consultant with Cylance within the Incident Response and Forensics services organization, where he assists organizations in remediating incidents and developing incident response policies and procedures. He graduated with a Master's Degree from the University of Pittsburgh in Information Security. He also possesses CISSP, SFCP, GCFA, GCIH, GCWN and GCIA certifications. Thomas has worked in incident response and forensics investigations for PNC Bank and the Department of Energy. He is an Adjunct Professor at Tulane University where he teaches an undergraduate cybersecurity course.

Michael Scott is a Principal Consultant for Cylance where he is responsible for proactively hunting on very large enterprise environments as well as responding to all levels of breaches. He is an active developer and enjoys offensive work as well. Before joining Cylance, he was an IR team lead for the Marine Corps Cyber Warfare Group and was also a Cyber Threat Emulation specialist for MARFORCYBER, under US Cyber Command.

Eric Cornelius is the Director of Critical Infrastructure and Industrial Control Systems (ICS) at Cylance, Inc. where he is responsible for thought leadership, architecture, and consulting implementations. Eric brings a wealth of ICS knowledge, and his leadership keeps organizations safe, secure, and resilient against advanced attackers. Eric is also currently a SANS Certified Instructor and has provided invaluable thought leadership in developing the Industrial Control System security curriculum at SANS. Previously, Eric served as the Deputy Director and Chief Technical Analyst for the Control Systems Security Program at the US Department of Homeland Security. Eric co-authored "Recommended Practice: Creating Cyber Forensics Plans for Control Systems" as part of the DHS National Cyber Security Division, Control Systems Security Program, 2008. He is a frequent speaker and instructor at ICS events across the globe.