Room: DMS 1120
This talk will discuss simple in-base tools that a regular sysadmin can use to help respond to malware and intrusions on a FreeBSD host or jail. It will mostly revolve around building DTrace programs that alert on system behaviours that could be suspicious.
The talk will summarize basic defense methodology, i.e. firewalling, hardening and patching, and discuss how behaviour monitoring can be a useful extra step, with certain caveats. It will include a brief overview of the MITRE ATT&CK framework, why it helps, and a quick lament over the total lack of BSD-related support.
Finally, the majority of the talk will cover the methodology of building attack scenarios and the corresponding DTrace alerts.
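As an added illustration of that approach (example code written for this page, not the speaker's script), the following D program turns two simple attack scenarios into DTrace alerts on a FreeBSD host or jail: a network-facing daemon spawning a shell, and a process whose real uid is not root calling setuid(0). The daemon names, the shell names and the su/sudo allowlist are assumptions that would need tuning for a real host.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not part of the talk: two attack scenarios expressed as
 * DTrace alerts for FreeBSD. Run as root:  dtrace -s alerts.d
 * pr_jailid is 0 on the host and the jail id inside a jail.
 */
#pragma D option quiet
#pragma D option switchrate=10hz

/*
 * Scenario 1: a network-facing service executes a shell (webshell / RCE).
 * In proc:::exec, execname is still the calling image and args[0] is the
 * path about to be executed. Daemon and shell lists are assumptions.
 */
proc:::exec
/ (execname == "nginx" || execname == "httpd" || execname == "php-fpm") &&
  (basename(args[0]) == "sh" || basename(args[0]) == "bash" ||
   basename(args[0]) == "csh" || basename(args[0]) == "tcsh") /
{
	printf("%Y ALERT shell-from-service jid=%d pid=%d ppid=%d uid=%d parent=%s exec=%s\n",
	    walltimestamp, curpsinfo->pr_jailid, pid, ppid, uid,
	    execname, args[0]);
}

/*
 * Scenario 2: a process whose real uid is not 0 asks for uid 0.
 * Caveat (the kind the talk warns about): su(1) and sudo(8) do exactly
 * this legitimately, so they are allowlisted by name; the allowlist is
 * an assumption and is only as trustworthy as the binaries behind it.
 */
syscall::setuid:entry
/ arg0 == 0 && uid != 0 && execname != "su" && execname != "sudo" /
{
	printf("%Y ALERT setuid-root jid=%d pid=%d ppid=%d uid=%d comm=%s args=%s\n",
	    walltimestamp, curpsinfo->pr_jailid, pid, ppid, uid,
	    execname, curpsinfo->pr_psargs);
}
```

Each clause pairs one attack scenario with one predicate, which is the shape the methodology above suggests: write down what the attacker must do on the system, find the probe that fires when it happens, then narrow the predicate until normal operation is quiet. The second clause shows why the allowlist is a caveat rather than a fix: an attacker who can replace or mimic su gets past it.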
This grew out of dissatisfaction with large-scale distributed monitoring systems; I wanted something that worked at home, just on the laptop.
The following slides have been made available for this session: