
Threat Hunting in Windows – Are You Hunting or Being Hunted?


Catch the full webinar recording here: https://www.beyondtrust.com/resources/webinar/threat-hunting-windows-hunting-hunted/?access_code=367cc8d9187529f374fde004f70061ff

In this presentation (and the associated webinar), cyber security expert and author Dr. Eric Cole walks you through how to control and reduce the scope of damage caused by attackers by improving your threat hunting.

Dr. Cole explores how to:
1) Understand and identify how adversaries compromise a Windows system
2) Reduce the dwell time of a compromise
3) Apply the right metrics to track the effectiveness of your security controls

Published in: Software

  1. Threat Hunting in Windows – Are You Hunting or Being Hunted? by Dr. Eric Cole. © 2017 Secure Anchor Consulting. All rights reserved.
  2. Threat Landscape (© 2015 The SANS™ Institute – www.sans.org)
     Today, three absolute facts are relevant when it comes to security: 1) an organization cannot prevent all attacks; 2) an organization’s network is going to be compromised; 3) 100% security does not exist.
     Threat hunting is the act of aggressively tracking and eliminating cyber adversaries from your network as early as possible.
  3. Introduction
     If attackers compromised your Windows systems, how would you know?
     Threat hunting focuses on:
     • Gaining better visibility into the organization’s weaknesses
     • Providing early and accurate detection
     • Controlling damage
     • Tracking activity and looking for anomalies
     • Obtaining better visibility into key activities
  4. Goals of Threat Hunting
     • To provide early and accurate detection
     • To control and reduce impact and damage with faster response
     • To improve defenses to make successful attacks increasingly difficult
     • To gain better visibility into the organization’s weaknesses by monitoring Windows activity
  5. Why We Need to Hunt
     Traditional security methods (such as antivirus, network IDSes and firewalls) can’t catch today’s advanced targeted threats, because such threats work around security controls.
     Threat hunting includes the following activities:
     • Understanding the threats
     • Identifying critical data and the business processes that use it
     • Distinguishing good from bad behavior
     • Leveraging threat intelligence for discovery, detection and analysis
     • Analyzing all this data, along with vulnerability data and other sources of network/endpoint behavior, for anomalies that are both “known bad” and never before seen
     • Looking for anomalies, learning abnormal behavior and understanding the network
  6. Search and Detect: How Well Do You Know Your Windows System?
     Understanding activity and profiles is critical to pursuing your adversary via the hunt cycle. There are two approaches:
     • Searching for known threats by gathering existing IoCs or other tactical details, such as the signature of an attack. Implement techniques to harvest data from your critical assets (e.g., search for a specific malicious binary hash, or for a command and control URL in a network flow database).
     • Detecting unknown threats. This type of advanced hunting is challenging because there is no intelligence to spark the investigation. Confirm baselines of normal activity over time so you know what deviations from the norm look like. If you do not have a set of baselines, look for deviations from known or historic behavior.
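As an added example (not part of the deck, and not SANS or BeyondTrust code), the two approaches on this slide run over a small constructed set of Windows endpoint network records: a tactical search for known IoCs (a placeholder binary hash and a placeholder C2 hostname), and a baseline comparison that flags a host contacting destinations never seen in its own history. The record format, host names, hashes, destinations and the deviation threshold are all assumptions made for this example.

```python
"""Added example (not from the deck or its authors): the two hunt approaches
from slide 6 run over a small constructed set of Windows endpoint records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    host: str            # internal Windows host that originated the connection
    process_sha256: str  # hash of the process image that opened it
    dest: str            # destination hostname
    bytes_out: int
    day: int             # day index of the observation


# Constructed indicators: placeholders, not real IoCs.
BAD_HASH = "<sha256-of-malicious-binary-placeholder>"
KNOWN_BAD_HASHES = {BAD_HASH}
KNOWN_C2_HOSTS = {"c2.example.invalid"}

# Constructed "known good" process hashes used by the sample data.
HASH_MAIL_CLIENT = "<sha256-of-mail-client-placeholder>"
HASH_BROWSER = "<sha256-of-browser-placeholder>"


def search_known(records):
    """Approach 1: tactical search for existing IoCs (binary hash, C2 host)."""
    hits = []
    for r in records:
        reasons = []
        if r.process_sha256 in KNOWN_BAD_HASHES:
            reasons.append("known-bad binary hash")
        if r.dest in KNOWN_C2_HOSTS:
            reasons.append("known C2 destination")
        if reasons:
            hits.append((r.host, r.dest, reasons))
    return hits


def build_baseline(records, through_day):
    """Per-host set of destinations observed during the baseline window."""
    baseline = defaultdict(set)
    for r in records:
        if r.day <= through_day:
            baseline[r.host].add(r.dest)
    return baseline


def detect_unknown(records, baseline, after_day, max_new_dests=2):
    """Approach 2: flag hosts whose post-baseline behaviour deviates from their
    own baseline. The threshold (more than max_new_dests never-before-seen
    destinations) is an assumption chosen for this example."""
    new_dests = defaultdict(set)
    for r in records:
        if r.day > after_day and r.dest not in baseline.get(r.host, set()):
            new_dests[r.host].add(r.dest)
    return {h: sorted(d) for h, d in new_dests.items() if len(d) > max_new_dests}


def _routine(host, day):
    """Constructed routine traffic for one host on one day."""
    return [
        FlowRecord(host, HASH_MAIL_CLIENT, "mail.corp.example", 4_000, day),
        FlowRecord(host, HASH_BROWSER, "intranet.corp.example", 12_000, day),
    ]


# Days 1-5 form the baseline window; day 6 is the hunt window (constructed).
SAMPLE_RECORDS = [r for d in range(1, 6) for h in ("WS01", "WS02") for r in _routine(h, d)]
SAMPLE_RECORDS += _routine("WS01", 6) + _routine("WS02", 6) + [
    # WS01 runs an unknown binary that beacons to a C2 host and reaches
    # several destinations never seen in its baseline.
    FlowRecord("WS01", BAD_HASH, "c2.example.invalid", 512, 6),
    FlowRecord("WS01", BAD_HASH, "files.example.invalid", 900_000, 6),
    FlowRecord("WS01", BAD_HASH, "cdn-1.example.invalid", 300, 6),
    FlowRecord("WS01", BAD_HASH, "cdn-2.example.invalid", 300, 6),
    # WS02 visits one new internal site: ordinary drift, below the threshold.
    FlowRecord("WS02", HASH_BROWSER, "wiki.corp.example", 8_000, 6),
]


def hunt(records=SAMPLE_RECORDS, baseline_through_day=5):
    """Run both approaches over the records and return their findings."""
    baseline = build_baseline(records, baseline_through_day)
    return {
        "known": search_known(records),
        "unknown": detect_unknown(records, baseline, baseline_through_day),
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

The baseline is kept per host rather than per estate so that a destination that is normal for one server does not mask it being new for a workstation; in practice the records would come from an endpoint or network flow collector, and the threshold would be tuned against the organization's own drift rather than the fixed value assumed here.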
  7. Metrics of the Hunt
     Organizations need to report, in clear metrics, a measurable reduction in risk that ties to their preparation, response and follow-up in the threat hunt cycle:
     • Fewer actual breaches
     • Reduced attack surface / system hardening improvements
     • Shorter dwell time (the time between when an attacker first gains unauthorized access and when the bad actor is removed from the network)
     • Minimization and reduction of unauthorized lateral movement between internal systems
     • Reduction of exposure by finding and stopping threats before they gain a foothold
  8. Keys to a Successful Hunt
     In many large organizations, hunting for breaches is like looking for a needle in a haystack. The basic methodology of a successful hunting program includes the following:
     • Augmenting humans with tools and automation across all areas of the hunt chain
     • Segmenting and de-scoping the area of analysis
     • Having focused goals
     • Limiting the search (deeper is better than narrow)
     • Recording metrics that demonstrate business-relevant gains, such as reduced time to contain and mitigate
  9. Evolving the Hunt
     Because adversaries continue to change their patterns, the hunting process must do the following:
     • Adapt to changes in behaviors and learn how the adversary works.
     • Watch all behaviors of the adversary, including known good, known bad and unknown or unclassified behaviors. Looking for anomalies that deviate from normal behavior can help detect unknown or previously unseen hostile activity.
     • Identify adverse activity, track it, and alert administrators to the suspicious activity.
     • Contain and control the damage by identifying attackers’ lateral movements and removing infected systems from the network.
  10. Conclusion
     Properly automated threat hunting could have kept many of the organizations that suffered widely publicized breaches out of the news by minimizing their exposure time. A typical checklist that organizations can use to start an ongoing hunt includes the following:
     • Identifying the data or information most critical to your organization
     • Determining which business processes use or access this information
     • Identifying all of the systems and networks that support key business processes
     • Acquiring tools that can help with the correlation and analysis required for proper hunting
     • Gathering information about the traffic flowing to the key systems and networks
     • Gathering information about the operations of servers
     • Utilizing threat intelligence to understand the threats and exposures to the organization
     • Utilizing tools to perform automated analysis of normal behavior and attack behavior
     • Filtering the output of the tools
     • Responding appropriately to high-risk alerts
  11. Thank You for Your Time!
     Dr. Eric Cole
     Twitter: drericcole
     ecole@secureanchor.com
     eric@sans.org
     www.securityhaven.com
  12. PowerBroker for Windows: Least Privilege and Application Control for Windows Servers and Desktops
  13. Summary: Why PowerBroker for Windows?
     Deep capability:
     • Asset discovery, application control, risk compliance and Windows event log monitoring included
     • Optional: session monitoring, file integrity monitoring
     Mature, patented leader:
     • U.S. Patent No. 8,850,549 for the methods and systems employed for controlling access to resources and privileges per process
     Centralized reporting, analytics and management:
     • Tightly integrated with vulnerability management
     • Deep reporting and analytics insights for compliance and operations
     Part of a broad solution family:
     • Privilege and session management on Unix, Linux and Windows
     • Privileged password and session management
     • Integrate Linux, Unix and Mac OS X with Microsoft AD
     • Real-time auditing of AD, file system, Exchange and SQL
     Validated by customers and analysts alike
  14. Your solution should:
     • Elevate privileges for applications, not users, on an as-needed basis, without exposing passwords
     • Enforce least-privilege access based on an application’s known vulnerabilities
     • Track and control applications with known vulnerabilities or malware to further protect endpoints
     • Monitor event logs and file integrity for unauthorized changes to key files and directories
     • Capture keystrokes and screens when rules are triggered, with searchable playback
  15. Product Demonstration
  16. Poll
  17. Thank you for attending today’s webinar!
