Successfully reported this slideshow.

Threat Hunting: From Platitudes to Practical Application



1 of 28
1 of 28

More Related Content

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Threat Hunting: From Platitudes to Practical Application

  1. 1. THREAT HUNTING: FROM PLATITUDES TO PRACTICAL APPLICATION Neil “Grifter” Wyler DefCamp 2018 @grifter801
  2. 2. NEW PRESENTATION, WHO DIS? DefCamp 2018 @grifter801
  3. 3. HUNTING What is it?  Proactively searching through data in order to detect threats which have evaded traditional security measures. Is it effective?  It’s often more effective than working incidents out of a queue. While traditional security programs are still important, hunting takes you to the next level. DefCamp 2018 @grifter801
  4. 4. HUNTING Why hunt?  Again, because it’s proactive. – Aren’t you tired of being purely reactive?  It’s much harder to hide when someone is actively looking for you.  It’s much harder to hide when someone knows their environment.  By the way, you’ll know your environment better than you ever have before.  It increases value to your organization. DefCamp 2018 @grifter801
  5. 5. WHERE DO WE BEGIN? Log All the Things  Collect logs from key areas – OS Event Logs – Application Logs – Know who is authenticating where, and at what level  Don’t forget your network – Web Server logs – Proxy logs – Full … Packet … Capture This can be an incredible amount of data  Big Data is a part of your life now – Start small and grow your collection as you grow your program DefCamp 2018 @grifter801
  6. 6. WHERE DO WE BEGIN? Situational Awareness  Understand what normal looks like on your hosts and network. – Create a baseline that you can diff against  Become intimately aware of what the norms are so that when an anomaly occurs, it sticks out like a sore thumb. Leave preconceived notions at the door  Don’t always start with an IOC. Start with a question. – If data was leaving my environment, where’s the most likely place it would leave? DefCamp 2018 @grifter801
  7. 7. Persistence  Look beyond Run keys  What Scheduled Tasks are configured on the system?  Are there services that you didn’t create?  Typos or blank descriptions  Binary Path is not normal HUNTING Hosts  Know which processes are running on your systems. – Process Names – Path to Executables – Parent Processes  Look for process injection, hooking, and artifacts in shimcache. DefCamp 2018 @grifter801
  8. 8. HUNTING Network  What are your ingress and egress points? – Have they changed?  Direct to IP Communication  Communication to services using Dynamic DNS  Tor traffic  IRC traffic  Look at HTTP traffic – POST activity with no referrer – User-Agent strings can be a red flag  Traffic over non-standard ports DefCamp 2018 @grifter801
  9. 9. HUNTING MINDSET Have a plan but be ready to adapt  Know what you’re looking for and go try to find it. – But don’t be discouraged if/when you don’t  Remain flexible – Sometimes what you started searching for will take you down a completely different path.  Prepare for pivots, there will be many  Find tools that help you make sense of the data you’ve collected  Document everything you’re doing and what you’ve learned – Share it! DefCamp 2018 @grifter801
  10. 10. SO, WHAT NOW? DefCamp 2018 @grifter801
  11. 11. EXECUTING A HUNT The Plan  Provide Hunters /w Network Architecture / Diagrams  Identify Potential Targets  Tie IP Addresses to Assets  Business Criticality  Focus on Directionality  Inbound  Outbound  Lateral Movement  Determine Hunting Timeframe  24 hours on Average  Expand timeframe for subjects/events of interest DefCamp 2018 @grifter801
  12. 12. EXECUTING A HUNT  Service Analysis  Begin with the Smallest (IRC, VNC, BITTORRENT, RPC, RDP)  Allows for Quick Elimination  Continue to Work Backwards  Document Area that Each Analyst Covered ( Analyst 1 – Outbound/RDP, Outbound/IRC, etc)  Drill Down on Each Selected Service  Indicators of Compromise  Behaviors of Compromise  Enablers of Compromise  Rinse and Repeat DefCamp 2018 @grifter801
  13. 13. EXECUTING A HUNT Care and Feeding  Investigate, Investigate, Eliminate  Find the Signal in the Noise  Determine what traffic is causing false positives, and manage it.  As you tune and dial in your environment, actionable data will become increasingly apparent.  Build reports and automate the pain away DefCamp 2018 @grifter801
  14. 14. THE LABYRINTH DefCamp 2018 @grifter801
  15. 15. SO, WHAT DO WE FIND? DefCamp 2018 @grifter801
  16. 16. WHAT YEAR IS THIS!?! DefCamp 2018 @grifter801 BEWARE THE SUPPLY CHAIN
  17. 17. ಠ_ಠ DefCamp 2018 @grifter801
  18. 18.  Strong Passwords over unencrypted transports? 57R0NG_P@55W0RD5! DefCamp 2018 @grifter801
  19. 19. YOU’VE GOT SOMETHING IN YOUR API DefCamp 2018 @grifter801 SOAP call with cleartext Base64 includes password
  20. 20. I CAM SEE YOU DefCamp 2018 @grifter801
  21. 21. ALWAYS USE A VPN! DefCamp 2018 @grifter801
  22. 22. THE RSAC DATING POOL DefCamp 2018 @grifter801
  23. 23. ALL THINGS ARE NOT CONFIGURED EQUALLY DefCamp 2018 @grifter801
  24. 24. PATCH MANAGEMENT DefCamp 2018 @grifter801
  25. 25. ZERO DAY, O-DAY OR SAME DAY? DefCamp 2018 @grifter801
  26. 26. LUXORF DefCamp 2018 @grifter801
  27. 27. “DEVICES” DefCamp 2018 @grifter801
  28. 28. Thanks Neil“Grifter”Wyler @grifter801

Editor's Notes

  • Share stats on CIRT Hunting

  • Share stats on CIRT Hunting

  • Again, because it's proactive.

    Hiding from people who are actively looking for threat actors, versus reacting to alerts, is much harder to do.

    When you're comparing known good against the current state of a system, you will be able to recognize changes, regardless of how skilled the attacker is.

    You will become intimately aware of the nuances of your environment. This will help you make improvements where necessary, and find problems before attackers do.

    Documenting your environment, processes, and lessons learned is incredibly valuable for your organization.
  • Moving from a reactive state, to a proactive state. Knowing that attackers could be there, and looking for them.

    I don't have a specific indicator that I'm looking for. This is counter to what traditional IR teams do. Normally we get threat intel. We turn that into a parser. An alert is kicked off, which generates an Incident ticket. We respond to the ticket and close it out.

    Come to the table with an idea, or a question. Is sensitive data leaving my environment? Are users accessing data they shouldn't be?

  • Define what is "normal" inside your organization and how that differs from department to department, or machine to machine.

    Know which processes are running on your systems and what they're doing.
    Process Names - Not Great
    Path to Executable - Running from
    Parent Process - If you run sysinternals and see cmd.exe being spawned from flash, not good

    task manager or pslist - sysinternals - procmon -

    Are processes running with the right privileges? local admin?
    Look beyond Run keys.

    What scheduled tasks are configured on the system?
    Duqu 2 used TaskScheduler for Lateral Movement

    Are there services that you didn't create?
    - Typos or Blank Description Fields
    - Binary Path is not the normal location – Coming from a non-standard directory
    - Look for Events 106/129/200/201
    Task Registered,Created Task Process, And Actions Started or Completed
  • Which applications are communicating on the network? Should they be listening for connections?
    Netstat Data is great

    What are your ingress and egress points? Have they changed?

    Direct to IP Communication

    Look at HTTP traffic. Anomalous User-Agent strings can be a red flag. -- Unique or non-existent versions

    POST activity with no refferer.

  • So when I say, “ensure availability and security,” what do I mean by “ensure?”
    -the Black Hat Conference teaches the latest offensive and defensive skills
    -these are paid training sessions
    -and while the tools and techniques are meant for educational purposes only, the NOC monitors the network so that these classes are self-contained. We need to ensure that while the Trainings attendees can participate in their own course, we watch to make sure they aren’t leveraging that new knowledge to go attack other classes.
    -the NOC also monitors the wireless network to ensure the same

  • ×