Director of Algorithmic Threat Detection, Uptycs, United States
Supply chain compromise is a black swan event in threat hunting and detection. While the impact can be practically unlimited, prevalence and frequency have, until recent years, been low enough that the threat model has often been treated as unlikely or even theoretical. Hunting supply chain compromise resembles cloud API threat hunting in that the difference between innocent and suspicious activity is a matter of nuance that cannot be expressed in simple query- or search-based rules. It can be compared to insider threat hunting in that supply chain mechanisms and the users associated with them are inherently trusted, so any alerts they raise tend to be dismissed. Anomaly detection and machine learning are becoming increasingly good tools for these kinds of hunts.
Learning Objectives:
Define patterns of credentialed access threat activity in cloud API logs.
Implement anomaly detection-based threat hunting techniques using cloud API logs.
Point out aspects of cloud supply chain risk that may be going unnoticed.
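As an added illustration of the baseline-and-deviation approach the abstract points to (example code written for this page, not material from the talk or from Uptycs), the block below learns what each credentialed principal normally does from a window of CloudTrail-style API events and then scores later events by how far they deviate from that principal's own history. The record shape (eventName, sourceIPAddress, userAgent, userIdentity.arn) follows the CloudTrail field names; the feature weights, the threshold, and the sample records are constructed assumptions, using documentation IP ranges and the 111122223333 example account id.

```python
"""Per-principal baseline-and-deviation hunt over CloudTrail-style API events.

The point of the example: a trusted CI role doing something it has never done,
from somewhere it has never been, scores high even though no single field is
suspicious on its own and no static rule names the action.
"""
import json
from collections import Counter, defaultdict

# Features whose per-principal distribution we baseline. Weights are a
# hypothetical choice: a new API action counts more than a new user agent.
FEATURES = {"eventName": 1.0, "sourceIPAddress": 0.8, "userAgent": 0.6}


def parse_events(lines):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def principal_of(event):
    """Key events by the credentialed identity that made the call."""
    identity = event.get("userIdentity", {})
    return identity.get("arn") or identity.get("principalId") or "unknown"


def build_baseline(events):
    """Per-principal frequency counts of each feature plus an event total."""
    baseline = defaultdict(lambda: {"total": 0, **{f: Counter() for f in FEATURES}})
    for ev in events:
        p = baseline[principal_of(ev)]
        p["total"] += 1
        for f in FEATURES:
            p[f][ev.get(f, "")] += 1
    return baseline


def score_event(baseline, event):
    """Return (score, reasons); rarity of a feature value is 1 - freq/total."""
    principal = principal_of(event)
    if principal not in baseline:
        return round(sum(FEATURES.values()), 3), ["principal never seen in baseline"]
    p = baseline[principal]
    score, reasons = 0.0, []
    for f, weight in FEATURES.items():
        value = event.get(f, "")
        rarity = 1.0 - p[f][value] / p["total"]
        score += weight * rarity
        if p[f][value] == 0:
            reasons.append(f"new {f}: {value}")
    return round(score, 3), reasons


def hunt(baseline_events, hunt_events, threshold=1.5):
    """Events whose deviation score reaches the threshold, highest first."""
    baseline = build_baseline(baseline_events)
    hits = []
    for ev in hunt_events:
        score, reasons = score_event(baseline, ev)
        if score >= threshold:
            hits.append({"eventID": ev.get("eventID"), "principal": principal_of(ev),
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample data: a CI deploy role in example account 111122223333,
# with source addresses taken from the RFC 5737 documentation ranges.
ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"


def _rec(eid, name, ip, ua, arn=ROLE):
    return json.dumps({"eventID": eid, "eventName": name, "sourceIPAddress": ip,
                       "userAgent": ua, "userIdentity": {"arn": arn}})


BASELINE_LINES = (
    [_rec(f"b{i}", "PutObject", "203.0.113.10", "aws-cli/2.15.0") for i in range(8)]
    + [_rec(f"b{i}", "GetAuthorizationToken", "203.0.113.10", "aws-cli/2.15.0") for i in range(8, 10)]
)

HUNT_LINES = [
    _rec("h1", "PutObject", "203.0.113.10", "aws-cli/2.15.0"),              # routine work
    _rec("h2", "CreateAccessKey", "198.51.100.7", "aws-sdk-go/1.44.0"),     # same trusted role, everything new
    _rec("h3", "GetAuthorizationToken", "203.0.113.11", "aws-cli/2.15.0"),  # rare action from a new address
]


def demo():
    """Run the hunt over the constructed window; returns the flagged events."""
    return hunt(parse_events(BASELINE_LINES), parse_events(HUNT_LINES))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The routine PutObject scores 0.2 and is ignored, the CreateAccessKey call by the trusted deploy role scores 2.4 with three "new" reasons, and the rare-but-known action from a new address lands at 1.6, just above the threshold; tuning that threshold per principal population, and feeding a richer feature set (request parameters, assumed-role chain, time of day), is where the real hunt work goes.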