BSides Philly 2017 – Threat Hunting: Defining the Process While Circumventing Corporate Obstacles

by Kevin Foster, Matt Schneck and Ryan Andress | Dec 26, 2017

BSides Philadelphia

Security Risk Advisors is proud to have been a Platinum Sponsor at BSides Philly on Friday, December 8th. In addition to continued involvement in and support for the BSides organization, Security Risk Advisors’ Kevin Foster, Matt Schneck and Ryan Andress also presented valuable Threat Hunting techniques that can be implemented within your cyber program while avoiding common “red-tape” barriers.  The presentation is available to watch on YouTube, and slides are available on Slideshare, below:


Presented at BSides Philadelphia, December 8, 2017

Threat hunting is a hot topic spurred on by the thought that it’s not a matter of if, but when, your organization will be breached. Mature security organizations are shifting in their approach from solely relying on reactive response and black box security tools to proactive hunting. This shift in approach requires large amounts of network and endpoint data to tie together attacker tools, tactics, and procedures. Security teams often have their hands tied due to limited budgets, politics and their ability to affect change with what information gets logged (just try getting a DNS admin to check a box that says “Debug” in prod). Hypothesis driven data acquisition can be used to overcome environmental challenges, provide a specific goal, and reduce analysis paralysis. This presentation will discuss hypothesis driven threat hunting using free and commercial tools for organizations which face common corporate roadblocks.





Kevin Foster
Sr. Manager, GCFA, GREM, GCDA, GDSA | Archive

Kevin leads defensive security strategy and implementation projects for clients in financial services, telecom, aerospace, manufacturing, and healthcare.

He advises his clients on technical risk mitigation strategies through program development and controls implementation and engineering.

Kevin specializes in projects related to Threat Hunting, Endpoint Detection and Response (EDR), analytics and Security Information and Event Management (SIEM), and Incident Response (IR) activities.

Kevin is a GIAC Certified Forensic Analyst (GCFA) and has also obtained GIAC Reverse Engineering Malware (GREM), GIAC Certified Detection Analyst (GCDA), and GIAC Defensible Security Architecture (GDSA) certifications.

Matt Schneck
Manager, GCFE | Archive

Matt focuses on incident response, forensics, and advanced endpoint security solutions with various Endpoint Detection and Response (EDR) platforms including Tanium, CarbonBlack, CrowdStrike, Cybereason, and others.

Matt works to develop detection rules for emerging attacks and has significant experience engineering and implementing detection solutions with a focus on mining endpoint data.

Matt frequently crosses the bounds of technical configuration and effective communication to solve problems for clients. He frequently works with clients in the financial, pharmaceutical, and manufacturing fields, among others.

Matt is a GIAC Certified Forensic Examiner (GCFE).