This course aims to teach learners how to apply law enforcement paradigms to enhance information security practices. By utilizing Modus Operandi modeling and Link Analysis, participants will learn to connect events effectively, reduce operational strain, and generate higher-level operational events. The course covers topics such as event detection, classification, suspect-centric investigations, host analysis, and MO analysis. The teaching method involves practical demonstrations and case studies to illustrate the concepts. This course is intended for cybersecurity professionals looking to improve their threat detection and investigation skills using innovative approaches inspired by law enforcement techniques.
Overview
Syllabus
Intro
WitFoo Mission
Research Effectively
Detection 1.0 - Event Proan
Detectio Classification
Detection 1.1 - Classification
Detection 1.2 -Triage Part 1: Priority
Suspect Centric Investigations WANTED
Detection 2.0 - Host Analysis
Connecting Facts
New Hypothesis • Using Modus Operandi modeling, events can be connected to produce operational levels of higher level events reducing operational strain. • Plan: Create sets of member types and query flow tools to look for connections between the sets.
What is the right MO?
Not all Gang Murders are Drive-bys
Synthetic MO Candidate Experiment . Check every possible pathway (n factorial) (5,040 for 7 sets)
Detection 3.0 - MO Analysis
30 Bullets = 30 Investigations?
Evidence Board - Link Analysis
New Hypothesis • Using Link Analysis, events can be connected to produce operational levels of higher level events reducing operational strain. . Plan: Connect incidents from 3.0 using Bioinformatics (cytoscape)
4.0 - Link Board (via Cytoscape)
"Cloud of Death" = Noise
Bad Tips
Beta Program
