Defcon BTV 2020
Data Analysis for Detection Research Through Jupyter Notebooks 101
From a detection research perspective, even after learning how to simulate a threat actor technique and generate some data in your lab environment, you might still struggle to know what to do with it. In some cases, you might need to filter, transform, correlate and visualize your data to come up with the right detection logic. In this workshop, we will walk you through a few basic data analysis techniques using open source and SIEM-agnostic tools such as Jupyter Notebooks, which are not only used by large organizations but can also be deployed at home for free.
Basics of Python
A computer with Docker installed (optional).
If you are planning to deploy Jupyter on your own system, we will show you how to deploy it via Docker. This is not required, since we will use BinderHub to interact with Jupyter Notebooks throughout the whole workshop.
Introduction to Jupyter Notebooks (10 mins)
Introduction to Apache Spark (5 mins)
Spark SQL & DataFrames
Data Analysis Process 101 (10 mins)
We need data! (Mordor Project) (5 mins)
Raw Data -> DataFrame
A few data analysis techniques: (1 hour)
Speaker: Jose Rodriguez
Twitter Handle: @Cyb3rPandaH
Jose is currently part of the ATT&CK team, where he is revamping the concept of data sources. He is also one of the founders of Open Threat Research (OTR) and the author of open source projects such as Infosec Jupyter Book, Open Source Security Event Metadata (OSSEM), Mordor, and Openhunt.
Speaker: Roberto Rodriguez
Roberto Rodriguez is a threat researcher and security engineer on the Microsoft Threat Intelligence Center (MSTIC) R&D team.
He is also the author of several open source projects, such as the Threat Hunter Playbook, Mordor, OSSEM, HELK and others, that aid the community's development of techniques and tooling for threat research. He is also the founder of Open Threat Research, a new community movement to empower others in the InfoSec community.
Twitter Handle: @Cyb3rWard0g