Join Chris Peacock for a three-hour Hands-On Purple Team Exercise Workshop focused on Detection Engineering. This is an intermediate-level workshop that does not require, but does recommend, that you have taken the Introduction to Purple Team Exercise workshop.
**Please use a real email address so we can provision your VMware lab environment before the workshop**
The workshop will guide attendees through the detection engineering process. Attendees will take curated threat actor procedures to emulate and detect. The process will include how to determine which log sources to target for investigation. After verifying the appropriate log sources, attendees will learn to hunt through and narrow down results until they have an actionable query to deploy as detection logic.
First, we will cover the structured process of detection engineering. Then, after going over each step of the cycle, we will dive into a hands-on workshop to put the method to practical use.
Not everyone will have a threat intelligence team to prioritize new detections. Therefore, attendees will walk through a cyber intelligence process of collecting and extracting Tactics, Techniques, and Procedures (TTPs) to guide content development.
Next, attendees will emulate the curated TTPs commonly found in modern attacks. Each emulation phase will generate data to use in detection engineering. Then, leveraging MITRE ATT&CK, we will pivot from the emulations to potential log sources. At times, the needed log sources may not exist yet, so we will also go over troubleshooting log sources to resolve logging issues.
In the final stage, attendees will learn to develop hypotheses and hunt through the data to drive rule creation that uncovers the adversary procedures. Attendees will develop hunting queries that transition into polished alert rules. Lastly, for instances where direct pattern matching will not suffice, attendees will learn how to baseline and detect anomalies.
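To make the last point concrete, here is a small added example (not workshop material or the presenter's code) contrasting the two kinds of rule the description names: a direct pattern match that fires on a fixed condition, and a baseline-driven anomaly check that fires when a user's activity departs from its own history. The logon records are constructed inline, the baseline window (days 1 to 7) and the evaluated day (day 8) are assumptions, and the service-account list is assumed to be maintained by the analyst. Logon type numbers follow the Windows Security log convention (2 interactive, 3 network, 5 service, 10 remote interactive).

```python
"""Pattern-match rule vs. baseline anomaly rule over constructed logon events.

Each event line is "day,user,host,logon_type". Days 1-7 are the baseline
window; day 8 is the window being evaluated. All data here is constructed
for illustration and is not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: seven quiet days, then one day with odd activity.
RAW_EVENTS = []
for day in range(1, 8):
    RAW_EVENTS += [
        f"{day},alice,WS-ALICE,2",
        f"{day},alice,FS01,3",
        f"{day},bob,WS-BOB,2",
        f"{day},svc_backup,FS01,5",
    ]
RAW_EVENTS += [
    "8,alice,WS-ALICE,2",
    "8,alice,FS01,3",
    "8,alice,DC01,3",           # a host alice never touched in the baseline
    "8,bob,WS-BOB,2",
    "8,svc_backup,FS01,5",
    "8,svc_backup,WS-BOB,10",   # remote interactive logon by a service account
] + [f"8,bob,SRV{i:02d},3" for i in range(12)]  # bob fans out to 12 servers

SERVICE_ACCOUNTS = {"svc_backup"}  # assumption: list kept by the analyst


def parse(lines):
    """Turn the CSV-style lines into dicts with typed fields."""
    out = []
    for line in lines:
        day, user, host, logon_type = line.split(",")
        out.append({"day": int(day), "user": user, "host": host,
                    "logon_type": int(logon_type)})
    return out


def pattern_rule(events):
    """Direct pattern match: a service account should never log on
    interactively (type 2) or over RDP (type 10)."""
    return [e for e in events
            if e["user"] in SERVICE_ACCOUNTS and e["logon_type"] in (2, 10)]


def build_baseline(events, baseline_days):
    """Per user: the set of hosts seen and the mean/stdev of daily logon counts."""
    hosts = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["day"] in baseline_days:
            hosts[e["user"]].add(e["host"])
            daily[e["user"]][e["day"]] += 1
    stats = {}
    for user, per_day in daily.items():
        counts = [per_day.get(d, 0) for d in baseline_days]
        stats[user] = (mean(counts), pstdev(counts))
    return hosts, stats


def anomaly_rule(events, eval_day, baseline_days, k=3.0, floor=3):
    """Baseline-driven checks for the evaluated day:
    - new_host: the user logged on to a host absent from their baseline
    - volume:   the user's logon count exceeds mean + k*stdev (with an
                absolute floor so a flat baseline does not alert on +1)
    """
    hosts, stats = build_baseline(events, baseline_days)
    todays = [e for e in events if e["day"] == eval_day]
    findings = []
    for e in todays:
        if e["host"] not in hosts[e["user"]]:
            findings.append(("new_host", e["user"], e["host"]))
    per_user = defaultdict(int)
    for e in todays:
        per_user[e["user"]] += 1
    for user, n in per_user.items():
        mu, sigma = stats.get(user, (0.0, 0.0))
        threshold = max(mu + k * sigma, mu + floor)
        if n > threshold:
            findings.append(("volume", user, n))
    return findings


if __name__ == "__main__":
    events = parse(RAW_EVENTS)
    print("pattern rule:", pattern_rule(events))
    print("anomaly rule:", anomaly_rule(events, eval_day=8, baseline_days=range(1, 8)))
```

The pattern rule catches only the service-account RDP logon it was written for; alice's first-ever logon to DC01 and bob's fan-out to twelve servers are invisible to it, because nothing about those events matches a fixed string. The baseline rule surfaces both without the analyst having to know in advance what "bad" looks like, at the cost of needing a clean baseline window and a sensible floor so quiet accounts do not alert on every small change.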
What do you need?
All you need is a web browser on a workstation/laptop (no iPads, sorry).