Damir Paladin is an information security consultant. He has been professionally engaged in information technology for over 25 years, and in 1998 he founded his own company, Borea, where he works today. His areas of expertise are computer forensics, auditing, and security testing of information systems. He holds the professional certifications CISSP, CISA and CISM. He is a permanent court expert in IT. He works with some of the most important Croatian companies and institutions, providing professional services in the field of information security.
How to follow the trail of advanced attacks?
The initial operational phases of advanced threats largely go unnoticed, so their activity can continue undetected, sometimes for periods of up to several months. Data on these initial events mostly remain unavailable for forensic investigation. The presentation will describe a method of recording the relevant events that accompany advanced threats using the freely available tools Sysmon and ELK. It will also present analytical procedures for identifying indicators of the presence of advanced threats, and describe methods for the forensic analysis of data on advanced threats collected with Sysmon / ELK. Finally, practical aspects of implementing Sysmon / ELK will be discussed.