BSides SATX 2020 - Threat Hunting CTF with Elastic

United States and Canada Virtual

Jul 11, 2020, 6:00 – 9:00 PM


About this event


Devon Kerr, Intelligence & Analytics Team Lead, @_devonkerr_

Daniel Stepanic, Senior Security Research Engineer, @DanielStepanic

David French, Senior Security Research Engineer, @threatpunter

Justin Ibarra, Senior Security Research Engineer, @br0k3ns0und

Registration required

Registration through the BSides SATX Eventbrite page. Click here to register.

When: Saturday 11 July 2020 13:00 CDT

Duration: 3 hours

Maximum no of attendees: 25

The wisdom of “assume breach” has never been more relevant than when we consider the role of threat hunters in proactively identifying threats. Once an attacker has obtained initial access to their target environment, they attempt to evade detection as they work towards their objectives.

Threat hunting combines the knowledge and experience of your team with technologies in your environment to create an active capability - one that assumes passive and reactive approaches alone are flawed, and that perpetually seeks evidence of malicious activity. By practicing the skills and critical thinking of threat hunters, attendees will be better equipped to detect intrusions earlier and more comprehensively - preventing damage to critical systems or loss of data.

During this capture the flag (CTF) session, you will learn how to use open source and free software such as the Elastic Stack, Beats, and Sysmon to hunt for adversary tradecraft.

You will be presented with a realistic scenario for the CTF: Your organization is breached. You will receive a threat intelligence report that provides details of how a partner company was recently compromised. Your goal is to hunt for and identify evidence of the threat group’s malicious behavior.

The CTF range will be open for 24 hours and we will open a Slack channel for attendees to communicate with members of Elastic Security during the event. Students will be provided with additional reading to learn more about threat hunting methodology.

Who Should Attend: This event is meant for Security and IT professionals who want to develop or renew threat hunting skills and experiences that are applicable to both open source and commercial technology solutions.

Prerequisites: An understanding of endpoint and network fundamentals. Experience working in an IT or security operations role such as a SOC or incident response analyst is a bonus. Experience using a SIEM, knowledge of adversary tradecraft, and Kibana Query Language (KQL) is a nice-to-have, but not required.

Technical requirements: To participate in the CTF exercise, use a laptop running an up-to-date version of Windows 10 or MacOS and at least one of the following Internet browsers: IE11+, Firefox, or Chrome. Prepare any peripherals necessary for Internet connectivity and accessibility.


  • Olivia Petrie


Contact Us