CypherCon 2023

Hunting Before Day Zero

Ryan LaBouve

Abstract:

“Hunting Before Day Zero” is a talk that will delve into the details of file and network access on Linux to expose signals of compromise that might indicate our systems are infected, possibly through a zero-day vulnerability! We’ll cover techniques for observing processes for patterns in file access and network connections. Over time, we can see when our systems deviate from normal patterns. And finally, we can aggregate behavior data between related systems (e.g. the computers in your network) for deeper insight. The tools and methods we’ll cover can be used to hunt for potential threats, especially with an eye toward zero-day vulnerabilities.

Importance: There are a few layers to why I believe this talk is important. First, it’s a good way to learn how to observe a process running on a Linux host. Second, it’s a good prompt for listeners to think through how learning more about the processes running on their systems can provide valuable signals of compromise. And third is a moonshot hope: an exploration of possible techniques that could be used to find zero-day vulnerabilities.

Ryan LaBouve

Exposing signals of compromise!

Ryan is a security engineer who scales and secures systems for fast-growing companies. He is obsessed with developing a deep understanding of the systems that power the world. In his free time he loves helping with disaster recovery (storms, not hard drives).

Ryan is a founder at startup.security and spends his days helping to secure the startups, technologies, and tools that are building the future. His background began as a hooligan making and breaking things on the web. He now focuses on adversarial software and attacking and defending the infrastructure that runs the apps we all know and love.