Threat hunting in the browser
OVERVIEW
In the previous decade we saw a huge pivot to endpoint-based attacks, for which the security industry was initially ill-prepared. In particular, common intrusion detection approaches of the past had been largely focused on network sensors and were not well suited to dealing with endpoint-focused attacks. This led to an explosion of endpoint-orientated approaches, which eventually led to the creation of the entire EDR market.
Fast-forward to the current decade and we are in the midst of a rapid shift towards identity-based attacks and SaaS attack techniques, due partly to the increasing difficulty of endpoint attacks and partly to the ever-increasing attack surface posed by SaaS usage and spiraling numbers of cloud identities. These attacks rarely touch the endpoint, so security teams are facing a loss of visibility once again.
This talk will cover why the browser is becoming the new frontline battleground in a world of increasingly identity-based attacks. We’ll then consider how browser extensions provide defenders with a unique opportunity to gain unparalleled visibility into attacks targeting both users themselves and the cloud identities that they have access to via their own browsers. We’ll also consider why, with modern web technologies and working practices, hunting in the browser can be a more advantageous approach than network-based tools like the web proxies of yesterday.