

Getting Ready Knowledge-wise for My Talk "Me, My Adversary & AI" at the RSA Conference '21

April 30, 2021
Jess Garcia - One eSecurity
Twitter: j3ssgarcia - LinkedIn: garciajess

As some of you already know, I will have the honor to speak at the upcoming RSA Conference on May 17th.

In a previous post I gave some more details about what the talk will be about (without spoiling the talk, of course), since the original abstract I wrote was somewhat generic.

Since the talk (and the work behind it) is based on several other projects and background technical knowledge that, due to time constraints, I will only discuss very briefly, I wanted to give you the opportunity to check them beforehand so you can make the most of it.

For the most low-level technical people in the audience you will probably have MUCH more fun if you understand at the low level what's going on behind the scenes.

However, note that reviewing these references is not necessary to fully understand the talk, the presentation is self-contained. As mentioned, I wrote this post only for those of you who want to get familiar with the low level technology details beforehand.

Getting Ready for the Conference - Background Knowledge

Previous Talks

  • Jess Garcia's SANS DFIR '20 Summit Talk: Data Science for DFIR - The Force Awakens
    • This talk covers multiple aspects of the applicability of Data Science to DFIR, including Visualization and Machine Learning.
    • Around minute 30:00 of the video you will find a discussion about Machine Learning applied to Malicious Logon detection which, while different from what is presented at the RSA Conference, constitutes previous research in the same field.

DFIR / Threat Hunting

TIP: Pay special attention to MITRE ATT&CK Technique T1053.005 (Scheduled Task). ;-)

DS4N6 Projects

Visit our DS4N6 Tools page to learn more about several of the tools / formats we will be talking about:

Project | Description
ds4n6_lib | Python library that provides an easy way to ingest forensic tool output (plaso, kape, kansa, volatility, etc.) in Jupyter and perform multiple types of Data Science and Machine Learning analysis.
DAISY | DAISY (DFIR Data Science & AI) is a Virtual Machine designed to carry out Data Science and Machine/Deep Learning Analysis on DFIR data.
ADAM | The DS ADversAry eMulator allows you to define a sequence of malicious artifact data and inject it into the multiple Artifact-specific DataFrames. This allows you to test your detection capabilities by mimicking real attacks, all in a "virtual" DataFrame environment.
D4ML | D4ML are the DS4N6 extensions for Machine Learning, i.e. easy-to-use ML functions that you can apply to your artifact-specific dataframes to, for instance, detect anomalies which may correspond to malicious events.
HAM | The Harmonized Artifact Model (HAM) is a model that harmonizes the output of different forensic tools so the underlying artifact data has the same format regardless of the tool that generated it.

Machine Learning

In my talk I will be discussing the use of a Machine Learning model called Autoencoder, and a very interesting variation, the LSTM Autoencoder.

If you want to get familiar with these models before the talk, to better understand what they are and how they work, check the following references:

These references will give you a general idea of what (LSTM) Autoencoders are, how they can be used for anomaly detection, and how they can be built in python/keras.

After the conference I will release the source code of the actual Autoencoders used in the presentation, and I will publish a couple of blog posts to explain in-depth how they are applied specifically to our DFIR scenario.
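A minimal illustration of the idea behind autoencoder-based anomaly detection on artifact data, added here and not the author's code nor the Keras models from the talk: a plain (non-LSTM) autoencoder in pure Python, trained only on a constructed clean baseline of scheduled-task feature vectors (assumed features: hour/24, in_business_hours, path_depth/10, runs_as_system), which then scores new events by reconstruction error and flags those far outside what the baseline taught it.

```python
import random
import statistics

def train_autoencoder(rows, k=2, epochs=800, lr=0.01, seed=1):
    """Affine autoencoder d -> k -> d, trained with plain SGD on squared reconstruction error."""
    rng = random.Random(seed)
    d = len(rows[0])
    w1 = [[rng.uniform(-0.5, 0.5) for _ in range(d)] for _ in range(k)]  # encoder weights (k x d)
    b1 = [0.0] * k
    w2 = [[rng.uniform(-0.5, 0.5) for _ in range(k)] for _ in range(d)]  # decoder weights (d x k)
    b2 = [0.0] * d
    for _ in range(epochs):
        for x in rows:
            h = [b1[i] + sum(w1[i][j] * x[j] for j in range(d)) for i in range(k)]
            xhat = [b2[j] + sum(w2[j][i] * h[i] for i in range(k)) for j in range(d)]
            dxhat = [2 * (xhat[j] - x[j]) for j in range(d)]  # gradient of the loss w.r.t. xhat
            dh = [sum(w2[j][i] * dxhat[j] for j in range(d)) for i in range(k)]  # backprop into h
            for j in range(d):  # decoder step
                b2[j] -= lr * dxhat[j]
                for i in range(k):
                    w2[j][i] -= lr * dxhat[j] * h[i]
            for i in range(k):  # encoder step
                b1[i] -= lr * dh[i]
                for j in range(d):
                    w1[i][j] -= lr * dh[i] * x[j]
    return w1, b1, w2, b2

def reconstruction_error(model, x):
    """Squared distance between an event and its reconstruction: the anomaly score."""
    w1, b1, w2, b2 = model
    h = [b1[i] + sum(w1[i][j] * x[j] for j in range(len(x))) for i in range(len(w1))]
    xhat = [b2[j] + sum(w2[j][i] * h[i] for i in range(len(h))) for j in range(len(x))]
    return sum((xhat[j] - x[j]) ** 2 for j in range(len(x)))

def build_baseline(seed=7):
    """Constructed clean baseline: business-hours tasks, shallow paths, user or SYSTEM context."""
    rng = random.Random(seed)
    return [[hour / 24, 1.0, 0.2 + rng.uniform(-0.02, 0.02), float(as_system)]
            for hour in range(9, 18) for as_system in (0, 1)]

def score(model, threshold, event):
    """Return (error, flagged); an event is flagged when its error exceeds the baseline threshold."""
    err = reconstruction_error(model, event)
    return err, err > threshold

BASELINE = build_baseline()          # 18 constructed clean events
MODEL = train_autoencoder(BASELINE)  # train on the clean period only, never on suspect data
_errs = [reconstruction_error(MODEL, x) for x in BASELINE]
THRESHOLD = statistics.mean(_errs) + 3 * statistics.pstdev(_errs)  # mean + 3 sigma of clean errors
```

Calling `score(MODEL, THRESHOLD, [3 / 24, 0.0, 0.9, 1.0])` (a 03:00 task with an unusually deep path running as SYSTEM) returns an error far above THRESHOLD, while a 13:00 event shaped like the baseline stays unflagged; the real DFIR version replaces the constructed rows with artifact DataFrames and the toy network with a Keras (LSTM) autoencoder.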

You Are All Set!

As mentioned before, you do not need to worry if you don't have the time to review these references, since the talk is self-contained and I will be explaining everything you need to know to understand the content presented.

But if you are able to review the content listed on this page beforehand, you will be ready to get 1000% of the content of my talk!!

I humbly believe that you will have quite some fun with my talk and you will learn quite a few things in different areas (DFIR, Data Science, Machine Learning), so it would be great to have you in the audience!

See you at the RSA Conference on May 17!