Mind the Gap, Bro: Using Network Monitoring to Overcome Lack of Host Visibility

Defenders often find themselves in a position where visibility is either not ideal, or even nonexistent – especially for host artifacts. Using the example of ICS environments, this talk will provide a case study of how network visibility via Bro can be leveraged to gain proxy visibility on the host, with a special emphasis on YARA for file analysis. The same example can be applied to other environments where defenders may have little say in host setup, but effectively control the network.