Research to Detection: Developing Content to Counter APT-Class Threats
Speaker: Michael Cloppert, Intel Fusion Team Lead, LM-CIRT, Lockheed Martin Corporation
This session discusses the lifecycle of new detection methods, from initial analysis through functional custom data feeds and content in ArcSight ESM. Understanding and executing this lifecycle is critical for combating the most sophisticated adversaries who use custom tools to steal sensitive data. Skills and approaches to be covered include analysis of a particular sophisticated backdoor; development of custom tools to augment existing logs; enhancement of existing connectors to accommodate new attributes added to logs by custom tools; and ArcSight ESM content to support alerting and analysis within the ArcSight infrastructure. Those familiar with command-line analysis methods, Perl, connector configuration and ArcSight ESM content development are encouraged to attend.