Packets don’t lie – Threat Hunting with Zeek

Earlier today, I presented a webinar on ‘Packets don’t lie – Threat Hunting with Zeek’.

Thanks to the kind folks at APNIC for initiating the request and starting the email thread.

The gist of the presentation was about using Zeek to look for anomalies. Before jumping into Zeek, I introduced Network Security Monitoring. I spoke about conn.log and dns.log and used PCAPs from the Stratosphere IPS Project to demonstrate threat hunting with Zeek.

Zeek logs are a great source in the context of threat hunting and Incident Response.
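As an added example that is not from the webinar or from the Zeek project: a small Python hunt over a constructed, trimmed Zeek dns.log that flags two of the anomalies such logs surface, a high NXDOMAIN ratio per client (DGA-style lookups) and TXT queries carrying an unusually long leftmost label (a tunnelling pattern). The column subset, thresholds and sample rows are assumptions made for the example.

```python
"""Hunt for DNS anomalies in a Zeek dns.log (tab-separated, #fields header)."""
from collections import defaultdict

# Constructed sample: a dns.log trimmed to the columns this hunt needs.
SAMPLE_DNS_LOG = """#path\tdns
#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name
#types\ttime\taddr\tstring\tstring\tstring
1600000000.1\t10.0.0.5\twww.example.com\tA\tNOERROR
1600000001.2\t10.0.0.5\tmail.example.com\tA\tNOERROR
1600000002.3\t10.0.0.9\taGVsbG8gd29ybGQgZnJvbSB0aGUgaG9zdA.t.example.net\tTXT\tNOERROR
1600000003.4\t10.0.0.9\tdGhpcyBpcyB0aGUgc2Vjb25kIGNodW5r.t.example.net\tTXT\tNOERROR
1600000004.5\t10.0.0.7\tqzkd01.example.org\tA\tNXDOMAIN
1600000005.6\t10.0.0.7\tplxw93.example.org\tA\tNXDOMAIN
1600000006.7\t10.0.0.7\tvmnc44.example.org\tA\tNXDOMAIN
1600000007.8\t10.0.0.7\twww.example.com\tA\tNOERROR
#close\t2020-09-13-12-00-08
"""

def parse_zeek_log(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other # lines (#path, #types, #close) carry no data
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))

def hunt_dns(text, nx_ratio=0.5, min_queries=3, max_label=20):
    """Return (rule, client, detail) findings for two anomaly patterns."""
    total, nxdomain, findings = defaultdict(int), defaultdict(int), []
    for rec in parse_zeek_log(text):
        client = rec["id.orig_h"]
        total[client] += 1
        if rec["rcode_name"] == "NXDOMAIN":
            nxdomain[client] += 1
        # Long leftmost label on a TXT query: data smuggled into the name
        if rec["qtype_name"] == "TXT" and len(rec["query"].split(".")[0]) > max_label:
            findings.append(("long_txt_label", client, rec["query"]))
    # Many failed lookups from one client: DGA-style domain probing
    for client, n in total.items():
        if n >= min_queries and nxdomain[client] / n >= nx_ratio:
            findings.append(("nxdomain_ratio", client, f"{nxdomain[client]}/{n}"))
    return findings
```

On a real dns.log, feed the file contents to `hunt_dns` and tune the thresholds to the network's baseline; the same parser works for conn.log since Zeek writes every log with the same header layout.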

A total of 203 folks had registered for the webinar, and around 55-60 attended. That’s been my experience with online webinars and workshops – many folks will register, but a small fraction attend.

While a one-hour webinar is a brief period to talk about all things Zeek, I hope it gives a quick introduction to getting started.

But the most important thing was the interactive Q&A session at the end.

The webinar was recorded and should be available in a few days. I will update the blog post with a link to the recording and the slides.

Also, since I am on the topic of Zeek, ZeekWeek 2022 is an in-person event on October 12th – 14th in Austin, TX.

There is an excellent line-up of speakers, and the schedule is packed with goodness.

APNIC 52 – Threat Hunting using DNS

I presented on how we at my $dayjob do Threat Hunting using DNS at APNIC 52.

This is the same presentation I gave at SANOG 37, but luckily, I had the full quota of 20 minutes to complete the presentation without rushing through it.

Here is the video of the presentation.

Happy hunting!

SANOG 37 – Threat Hunting using DNS

PC: Mohan Thomas

At SANOG 37, I had the opportunity to share some of the ways in which we have been doing Threat Hunting using DNS at my $dayjob.

Here is the video of the presentation.

I also had a little demo, but I decided to improvise and add slides instead, since the program was running a little behind schedule and I was the only one standing between everyone and their lunch. Trouble was also lurking.

That aside, the same paper ‘Threat Hunting using DNS’ has been accepted at APNIC 52 and hopefully, I will be able to demo the juicy bits.