threat hunting Archives - Jean-Christoph von Oertzen

What Fantasy Role-Playing Games Can Teach Us About Cybersecurity Roles

jean-christoph — Fri, 14 Nov 2025 18:34:47 +0000

— And why your SOC might actually need a Bard 🐉⚔️ Cybersecurity teams are often compared to armies, fire brigades, or special forces. Personally? I think they’re much closer to a party of heroes in a classic fantasy role-playing game. No matter how many frameworks, SIEMs, or AI tools we summon, defending a digital kingdom […]

The post What Fantasy Role-Playing Games Can Teach Us About Cybersecurity Roles appeared first on Jean-Christoph von Oertzen.

Webinar takeaway – Applying The Threat Hunter’s Runbook

jean-christoph — Thu, 31 Mar 2022 18:48:33 +0000

My key takeaways threat hunting runbook Identify connection persistency Identify if there is a business need Protocol analysis Investigate external IP address Investigate internal IP address Threat hunting is stealthy only when in IR mode, the adversary should be allowed to notice we are after him set the TCP timeout from 5min to 1h in […]

The post Webinar takeaway – Applying The Threat Hunter’s Runbook appeared first on Jean-Christoph von Oertzen.

Webinar takeaway – The Ins and Outs of RITA

jean-christoph — Tue, 15 Mar 2022 19:21:55 +0000

My key takeaways RITA is made to detect beacons and long connections open source tool Signature based detection of malicious code is outdated Average detect time is over 6 month > 50% of compromised systems are detected by outsiders RITA is behaviour based Needs a bunch of pakets to work on min 1h, default 24h […]

The post Webinar takeaway – The Ins and Outs of RITA appeared first on Jean-Christoph von Oertzen.

Webinar takeaway – Malware of the Day

jean-christoph — Wed, 02 Mar 2022 20:27:33 +0000

My key takeaways "Malware of the Day" is about simulating one malware or exploit that was found "in the wild" why? to share with the public so that we can test our security detection abilities in place sharing (safe) PCAPs with identified C2 methods and network traffic patterns smoke detectors are not build to prevent […]

The post Webinar takeaway – Malware of the Day appeared first on Jean-Christoph von Oertzen.

Webinar takeaway – BPF – Picking Packets

jean-christoph — Wed, 05 Jan 2022 20:07:43 +0000

My key takeaways one lib to capture all pakets for all OS BPF is to filter packages better SNR for packet filtering BPF filter effect only the programm you call it with no change to the package itself Process: human creats filter single quotes at the end of the line invoking the prg like tcpdump […]

The post Webinar takeaway – BPF – Picking Packets appeared first on Jean-Christoph von Oertzen.

Webinar takeaway – Getting Hired as a Threat Hunter

jean-christoph — Wed, 01 Dec 2021 20:13:23 +0000

My key takeaways Catch 22: I can’t get hired until I have experience. I can’t get experience until I get hired. Threat hunting is only < 5 years old Put out data and research to help others, if you want to lead Check social media to learn about dress codes Figure out the tools they […]

The post Webinar takeaway – Getting Hired as a Threat Hunter appeared first on Jean-Christoph von Oertzen.

Webinar Takeaway: Cyber Threat Hunting Level 1

jean-christoph — Tue, 13 Apr 2021 22:00:57 +0000

My key takeaways the juicy stuff is the traffic leaving the network: is there a business need for it? Bro / Zeek : Bro old, Zeek new, almost same Figuring out beacons best over long period of times, eg 24h almost all c2 beacons are encrypted, use meta information to detect them today heartbeats without […]

The post Webinar Takeaway: Cyber Threat Hunting Level 1 appeared first on Jean-Christoph von Oertzen.

Webinar Takeaway: How to Get Started in Cyber Threat Hunting

jean-christoph — Wed, 07 Apr 2021 19:15:14 +0000

My key takeaways responding to alerts, writing sig’s, checking dashboards is reactionary; threat hunting is proactive @TayandYou <- nice example of an AI being out of control how can AI solve infosec problems, unless we have our processes right? ThreatH process start with the network and look for anomalies suspect system? pivot to host logs […]

The post Webinar Takeaway: How to Get Started in Cyber Threat Hunting appeared first on Jean-Christoph von Oertzen.

Webinar takeaway: How to Analyze Encrypted Traffic on Your Network

jean-christoph — Wed, 03 Feb 2021 22:00:15 +0000

My key takeaways Encrypted traffic on the wire: can see headers, can’t see payload More and more traffic gets encrpyted like HTTPS and even DNS Most Threat Hunt techniques still work: beacons/strobes, long connections and connections to Threat Intel hosts Env Provided by Active Countermeasures Presenter: Alex Kirk from Corelight additional links https://corelight.blog/2020/11/19/corelight-at-home/ https://zeek.org/ Blog: […]

The post Webinar takeaway: How to Analyze Encrypted Traffic on Your Network appeared first on Jean-Christoph von Oertzen.

Webinar takeaway: Discussing Implications of the SolarWinds Breach(es)

jean-christoph — Wed, 23 Dec 2020 19:26:05 +0000

My key takeaways stop panicking, the Solarwind hack is over. C2 channels are dead. Party is over. don’t poke at the IOC’s * focus on the fundamentals and how to avoid it happen again Fundamentals: DNS most valuable hunting artefacts Know what you have where Know all your software Where are the blind spots? <- […]

The post Webinar takeaway: Discussing Implications of the SolarWinds Breach(es) appeared first on Jean-Christoph von Oertzen.