Blue Team | Unveiling Insider Threats Beyond the Logs

Описание: Blue Team | High-Fidelity Threat Hunting: Unveiling Insider Threats Beyond the Logs...The Dual-Identity Evasion Technique

🎙️ Oscar Cárcamo, Senior Consultant
📍 Presented at SANS Hack & Defend Summit 2025

Traditionally, security monitoring assumes that SIEM technologies will be accurate and provide a comprehensive picture of network activity, but what happens when we find that the events recorded by these technologies are insufficient, and we don't have the proper telemetry?

What happens when visibility gaps became critical in the worst moment? What if an insider threat exploits authentication loopholes to maintain undetected persistence? How can we approach an effective solution to an incident in a large organization has never faced this kind of scenarios before and for which it was unprepared?

In this session, we will unveil ""Dual-Identity Evasion Technique"", an advanced insider tactic where an attacker leverages both virtual and physical authentication tokens to establish parallel sessions, bypassing SIEM correlation and standard detection mechanisms.

We will dissect a real-world case escenario that faced in the past directly in a company which we cannot say the name, where an employee maintained simultaneous access across multiple remote connections, rendering traditional log analysis was ineffective.

Through High-Fidelity Adaptive Threat Hunting, we will demonstrate how to:
Identify shadow persistence techniques beyond conventional SIEM visibility.
Leverage anomaly detection models to uncover multi-session exploits.
Correlate multiple technologies and language like YARA, KQL, and SPL, for proactive detection and alerting and for ongoing incidents.
Develop a framework for log correlation that enhances high-fidelity events at large-scale companies.

By the end of this talk, attendees will be able to take away a new approach and methodology that they can implement within their organizations immediately, without generating significant costs to their processes, and that can be highly effective and they will gain a blueprint for detecting and neutralizing sophisticated insider threats that evade traditional detection methods. If your logs aren't telling the whole story, it's time to adapt.

Join to this talk and hunt smarter!