
Security Risk Advisors - BSides Philadelphia 2017 - Threat Hunting: Defining the Process While Circumventing Corporate Obstacles



Threat hunting is a hot topic spurred on by the thought that it's not a matter of IF, but WHEN, your organization will be breached. Mature security organizations are shifting their approach from solely relying on reactive response and black box security tools to proactive hunting. This shift requires large amounts of network and endpoint data to tie together attacker tools, tactics, and procedures. Security teams often have their hands tied by limited budgets, politics, and their limited ability to effect change in what information gets logged (just try getting a DNS admin to check a box that says "Debug" in prod). Hypothesis driven data acquisition can be used to overcome environmental challenges, provide a specific goal, and reduce analysis paralysis. This presentation discusses hypothesis driven threat hunting using free and commercial tools for organizations that face common corporate roadblocks.



  1. Threat Hunting: Defining the Process While Circumventing Corporate Obstacles (December 2017)
  2. Introductions. Our success together is driven by the trusted relationships we build. We work closely with our clients to improve their strategy and programs, assess controls and threats, and implement and operate the best solutions based on their unique needs and business environments.
     • Matt Schneck, Threat Management Senior Consultant. Focus: Endpoint Engineering & Data Analysis. GIAC Certified Forensic Examiner (GCFE)
     • Ryan Andress, Threat Management Consultant. Focus: Incident Response & Data Analysis. GIAC Certified Forensic Analyst (GCFA)
     • Kevin Foster, Threat Management Senior Consultant. Focus: Incident Response & Data Acquisition. GIAC Certified Forensic Analyst (GCFA), GIAC Reverse Engineering Malware (GREM)
  3. Agenda
     • What is Threat Hunting?
     • Preparation & Communication
     • Threat Hunting Framework
     • Post Hunt
  4. Threat Hunting Defined
     Objectives
     • Identify compromised systems and accounts
     • Improve security monitoring detection rules
     • Perform forensics at scale
     Hunt Strategies
     • Threat Intelligence: sweep for known bad
     • Anomaly: configurations with the least frequency of occurrence
     • Behavioral: attacker tools, tactics, and techniques
     Risks Mitigated
     • "Pre-existing conditions": historic compromises
     • Blind spots: limited security monitoring visibility
     • Secondary compromises: attackers move off patient 0
     Hunt cycle: Develop a Hypothesis → Gather Data → Analyze Data → Make Observations → Measure Progress
  5. Threat Hunting Overview. Phases: Preparation, Execution, Post. Steps: Identify Team Members → Socialize with Stakeholders → Hypothesis & Scope → Data Acquisition → Data Analysis → Observation Documentation → Ruleset Improvement (this step flow is repeated as a progress bar on the slides that follow).
  6. Preparation & Communication
  7. Hunt Team Selection
     • Developer: integrates threat hunting toolsets and processes; ability to develop custom scripts
     • Incident Responder: identifies system configuration anomalies; develops new or modifies existing rulesets based on findings
     • Team Lead: provides oversight and direction for hunters; communicates with internal & external stakeholders
  8. Activity Tracking & Organization
     Tracking
     • Who did what when?
     • What systems?
     • What user accounts?
     • When did activities occur?
     • What data is being accessed?
     Organization
     • IR platform toolset
     • Visibility into team member activity
     • Project status tracking at every stage
     • Quantify metrics
     You need to be able to prove: "We weren't acquiring data at that time, we didn't take down the power grid."
  9. Measurements of Success
     • Hypothesis topic and system scoping
     • Establish and define a repeatable threat hunting methodology
     • Identify and reduce environment attack surface
     • Develop environment baselines
     • Automation & rule generation
  10. Getting Approval. Speak the language of each stakeholder group:
     • Execs: improving the organization's security posture without capital expenditure
     • Sys-admins: we won't break your stuff
     Threat hunting does not necessarily require:
     • Deploying an agent
     • Change management approvals
     • Angering sys-admins
  11. MITRE ATT&CK Hypothesis. Selecting a hypothesis via ATT&CK: the MITRE ATT&CK matrix is mapped to attacker tactics and techniques.
  12. Hypothesis Driven Methodology. Four steps of hypothesis testing:
     1. Identify a MITRE ATT&CK tactic/technique to test (e.g. a malicious modification to a PATH environment variable has been made on an in-scope system)
     2. Formulate an action plan to identify in-scope systems and outline data acquisition
     3. Execute the action plan and obtain data from in-scope systems
     4. Perform automated data analytics and manual analysis to accept or reject the hypothesis
     Cycle: Develop a Hypothesis → Identify Scope → Data Acquisition & Analysis → Make Observations
  13. Threat Hunting Framework
  14. Possible Data Sources
     • Endpoint logs: CimSweep, PowerShell Remoting, Windows Event Forwarding, SIEM collectors, EDR tools
     • Network logs: DNS, firewall, Bro, NetFlow
     • Account logs: Active Directory, VPNs
     If you're capturing any of these logs, you can start hunting for malicious activity: you've already got the data!
  15. Network Hunting. Most organizations already have the network equipment in place to perform basic threat hunting. The table on the slide maps common network-driven use cases to the log source that supports them.
     • Log sources: DNS logs, firewall logs, VPN logs, Bro/NTA logs
     • Use cases: suspicious geolocation login, port scanning/recon, C2 channels or beaconing, data exfiltration detection, DNS tunneling, suspicious download tracking
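For the "C2 channels or beaconing" use case above, an added example that is not from the presentation: it parses constructed firewall log lines (hypothetical "epoch action src dst dport" format, invented addresses) and scores each outbound flow by the regularity of its connection timing. A flow whose connections arrive at near-constant intervals gets a jitter score close to 0, which is what a hunter stacks by to find candidate beacons; bursty, human-driven traffic scores high and drops out.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed firewall log lines in a hypothetical "epoch action src dst dport" format;
# 10.0.0.5 calls out every ~60 s (beacon-like), 10.0.0.9 at irregular intervals.
FIREWALL_LOG = """\
1512000000 ALLOW 10.0.0.5 203.0.113.10 443
1512000060 ALLOW 10.0.0.5 203.0.113.10 443
1512000121 ALLOW 10.0.0.5 203.0.113.10 443
1512000180 ALLOW 10.0.0.5 203.0.113.10 443
1512000241 ALLOW 10.0.0.5 203.0.113.10 443
1512000300 ALLOW 10.0.0.5 203.0.113.10 443
1512000007 ALLOW 10.0.0.9 198.51.100.20 443
1512000019 ALLOW 10.0.0.9 198.51.100.20 443
1512000200 ALLOW 10.0.0.9 198.51.100.20 443
1512000203 ALLOW 10.0.0.9 198.51.100.20 443
1512000290 ALLOW 10.0.0.9 198.51.100.20 443
1512000295 ALLOW 10.0.0.9 198.51.100.20 443
"""

def parse(log: str) -> Dict[Tuple[str, str, int], List[int]]:
    """Group connection timestamps by (src, dst, dport); malformed or denied lines are skipped."""
    flows: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "ALLOW":
            continue
        ts, _, src, dst, dport = parts
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def jitter_score(timestamps: List[int]) -> float:
    """Coefficient of variation of the inter-arrival times: near 0 for a metronome-like
    beacon, large for bursty human-driven traffic. Needs at least three connections."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return float("inf")
    mean = statistics.mean(deltas)
    return statistics.pstdev(deltas) / mean if mean > 0 else float("inf")

def candidate_beacons(log: str, min_conns: int = 5, max_jitter: float = 0.1):
    """Flows with enough connections and low enough jitter to hand to an analyst,
    as (src, dst, dport, jitter, connections), most regular first."""
    hits = []
    for flow, ts in parse(log).items():
        if len(ts) < min_conns:
            continue
        jitter = jitter_score(ts)
        if jitter <= max_jitter:
            hits.append((*flow, round(jitter, 3), len(ts)))
    return sorted(hits, key=lambda h: h[3])
```

Real beacons add deliberate jitter and sleep for much longer, so in practice the thresholds are tuned per environment and the score is stacked alongside bytes transferred and destination reputation rather than used alone.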
  16. Crawling with CimSweep
     Pros
     • Backwards compatible through Windows NT 4.0
     • Allows for scripted mass collection
     Cons
     • Limited in the data that can be collected
     • Internal firewalls can limit connectivity if using RPC ports
     • One-to-one data collection
     Prerequisites
     • Collection system requires PowerShell 3.0 or greater
     • Privileged account: local admin rights on remote systems
     Author: Matt Graeber, https://github.com/PowerShellMafia/CimSweep
  17. Walking with PowerShell Remoting
     Pros
     • Provides much more data than CimSweep
     • One-to-many data collection
     • Lots of interesting work by the community
     • Able to make full use of Win32 APIs
     Cons
     • Requires PowerShell scripting capabilities
     Prerequisites
     • Requires PS Remoting to be enabled
     Author: Jared Atkinson, https://github.com/Invoke-IR/ACE
  18. Running with Windows Event Forwarding
     Pros
     • Increases visibility into all of your systems
     • Many-to-one event data collection
     • Extremely well documented by Microsoft
     Cons
     • Requires heavy GPO modifications
     Prerequisites
     • PowerShell Remoting
     • A spare server for log collection
     Source: Jessica Payne, "Monitoring What Matters" blog post on TechNet
  19. Endpoint Threat Hunting Maturity
     CimSweep
     • Runs pretty much everywhere!
     • Gives you something when you've otherwise got nothing
     • Great way to start demonstrating value
     PowerShell Remoting
     • Gives you much more data
     • Scales for fast collection
     • Will win you friends with other admins
     Windows Event Forwarding
     • Allows for hunting through historic data
     • By nature, provides continuous data collection
     • Better enables automated alerting
  20. Data Analysis & Project Tracking
  21. MISP (Malware Information Sharing Platform)
     What is it?
     • Threat intel aggregator
     • Hosted IOC database/repository
     App enrichment
     • TheHive
     • Cortex
     • Threat intel providers via API key (VT, Shodan, etc.)
     What is the value / why do it?
     • Bulk IOC queries
     • Threat actor tracking
     • SIEM agnostic: various export formats supported
     • Organization segregation
     https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
  22. ELK (Elasticsearch, Logstash & Kibana)
     Data manipulation via visualization
     • Custom views via visualizations
     • Advanced filtering in visualizations: whitelist/blacklist file paths
     • Least Frequency of Occurrence (LFO) process stacking
     Rapid query results
     • Flexible query options: string queries, e.g. FilePath: ("appdata" OR "temp"); Levenshtein/fuzzy queries
     Logstash plugin filters
     • Unify your data fields across different tools & scripts: ImagePath, path, Path → ExecutablePath
     • Parse out the file extension
  23. Data Enrichment on Ingestion. Logstash can make REST queries on event ingestion:
     • SANS FTW: Domain Stats (is it in the Alexa top 1 million? when was it created?) and the "Freq" server (tests the "Englishness" of a domain)
     • VirusTotal queries
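The "Englishness" test above, as an added example that is not the presentation's or SANS's code: in the spirit of the Freq server it trains character-pair frequencies on a small constructed English word list and scores a domain label by how typical its letter pairs are, so pseudorandom DGA-style labels score near 0 while dictionary-like labels score high. A tiny constructed set stands in for the Alexa top 1 million lookup; the word list, allowlist, domains and threshold are all the example's own assumptions.

```python
from collections import Counter
from typing import Dict, Iterable

# Constructed training text; a real deployment trains on a large English corpus.
TRAINING_WORDS = """the of and to in is that for with this from by on are was
security service update login mail account cloud news google microsoft office
online support download windows server network data portal store home health
bank share drive docs search web site page file print photo music video""".split()

# Constructed stand-in for the Alexa top 1 million lookup.
TOP_SITES = {"google.com", "microsoft.com", "office.com"}

class PairFrequency:
    """Character-pair model: P(next char | current char) estimated from counts."""
    def __init__(self, words: Iterable[str]):
        self.pairs = Counter()   # (a, b) -> times b followed a
        self.firsts = Counter()  # a -> times a was followed by anything
        for w in words:
            w = w.lower()
            for a, b in zip(w, w[1:]):
                self.pairs[(a, b)] += 1
                self.firsts[a] += 1

    def score(self, label: str) -> float:
        """Mean conditional probability (x100) over the label's letter pairs; pairs
        never seen in training contribute 0, so pseudorandom labels sink towards 0."""
        letters = "".join(c for c in label.lower() if c.isalpha())
        pairs = list(zip(letters, letters[1:]))
        if not pairs:
            return 0.0
        total = sum(self.pairs[p] / self.firsts[p[0]] for p in pairs if self.firsts[p[0]])
        return round(100.0 * total / len(pairs), 2)

MODEL = PairFrequency(TRAINING_WORDS)

def enrich(fqdn: str, model: PairFrequency = MODEL, threshold: float = 5.0) -> Dict[str, object]:
    """Fields an ingestion-time enrichment step could add to a DNS event."""
    labels = fqdn.lower().rstrip(".").split(".")
    registered = ".".join(labels[-2:])  # naive: ignores public suffixes such as co.uk
    freq = model.score(labels[-2]) if len(labels) >= 2 else 0.0
    return {
        "domain": fqdn,
        "registered_domain": registered,
        "in_top_sites": registered in TOP_SITES,
        "freq_score": freq,
        "suspicious": registered not in TOP_SITES and freq < threshold,
    }
```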
  24. Data Enrichment Example
  26. TheHive & Cortex
     Threat hunt process tracking
     • Live stream of team member activity
     • Project tasks assigned for visibility & accountability
     Observation tracking
     • Custom tracking of observables: statistics based on type, IOC, & tags!
     • Filter observables data
     Data analysis & automation
     • Cortex analyzers: data reduction via threat intel correlation
     • Delegate your work to the machines!
  33. Data Analysis / Analytics
     Data reduction
     • Targeted threat hunt topics, e.g. persistence: registry keys
     Least Frequency of Occurrence (LFO)
     • Stack all the things! A uniform environment should be homogeneous
     Know Normal… Find Evil!
     • Suspiciously named files: one-character .exe, pseudorandom letters/numbers
     • Legit filenames operating in illegitimate file paths
     • Thanks SANS! https://www.sans.org/security-resources/posters/dfir-find-evil/35/download
     Threat intel correlation
     https://www.sans.org/security-resources/posters/dfir/windows-forensics-evidence-of-75
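An added example, not code from the presentation or from SANS, that carries two of the slides' analysis ideas over constructed process records: it first unifies the differently named path fields (ImagePath, path, Path) into one ExecutablePath field and parses out the extension, as the ELK slide describes doing with a Logstash filter, then applies the "Know Normal… Find Evil" checks from this slide, flagging one-character .exe names, pseudorandom-looking names, and well-known Windows binary names running from somewhere other than their expected directory. The records, host names and the expected-directory table are the example's own assumptions, not the SANS poster.

```python
import ntpath
import re
from typing import Dict, List

# Constructed process records as three different collectors might emit them (hypothetical hosts/paths).
SAMPLE = [
    {"host": "WS-001", "ImagePath": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-002", "path": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"host": "WS-003", "Path": r"C:\Windows\Temp\a.exe"},
    {"host": "WS-004", "ExecutablePath": r"C:\ProgramData\x7kq2pzr.exe"},
    {"host": "WS-005", "ImagePath": r"C:\Windows\explorer.exe"},
]
# Assumed baseline of where a few core Windows binaries normally run from (example's own table).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
PATH_ALIASES = ("ImagePath", "path", "Path", "ExecutablePath")

def unify(record: Dict[str, str]) -> Dict[str, str]:
    """Logstash-style normalisation: any path alias becomes ExecutablePath; name and extension parsed out."""
    out = {k: v for k, v in record.items() if k not in PATH_ALIASES}
    path = next((record[k] for k in PATH_ALIASES if record.get(k)), "")
    out["ExecutablePath"] = path.strip().strip('"').lower()
    out["FileName"] = ntpath.basename(out["ExecutablePath"])   # ntpath handles Windows paths on any OS
    out["Extension"] = ntpath.splitext(out["FileName"])[1].lstrip(".")
    return out

def looks_pseudorandom(stem: str) -> bool:
    """Heuristic: 6+ chars with no vowel at all, or letters and digits interleaved (tunable; some false positives)."""
    if len(stem) < 6:
        return False
    no_vowels = not any(c in "aeiou" for c in stem)
    mixed = re.search(r"[a-z][0-9][a-z]|[0-9][a-z][0-9]", stem) is not None
    return no_vowels or mixed

def check(record: Dict[str, str]) -> List[str]:
    """Reasons a process record deserves a look; an empty list means it looks normal."""
    r = unify(record)
    name, ext = r["FileName"], r["Extension"]
    stem = ntpath.splitext(name)[0]
    reasons = []
    if ext == "exe" and len(stem) == 1:
        reasons.append("one-character executable name")
    if looks_pseudorandom(stem):
        reasons.append("pseudorandom-looking name")
    expected = EXPECTED_DIR.get(name)
    if expected and ntpath.dirname(r["ExecutablePath"]) != expected:
        reasons.append(f"{name} outside {expected}")
    return reasons
```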
  36. Observation / Result Tracking. Metrics and tasks and observables, oh my!
     • Hosted & concurrent users! See ya later, Excel!!
     • Tagging: hash, IP, domain, etc. Allows metric tracking for reporting
     • Accountability! Team member status updates / live streams
  39. Measurements of Success
     • Hypothesis topic and system scoping
     • Establish and define a repeatable threat hunting methodology
     • Identify and reduce environment attack surface
     • Develop environment baselines
     • Automation & rule generation
  40. Citations
     1. Threat Hunting Definition: https://sqrrl.com/solutions/cyber-threat-hunting/
     2. MISP: http://www.misp-project.org/
     3. TheHive: http://thehive-project.org/
     4. TheHive "how it all fits together" images: https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
     5. SANS graphics: https://www.sans.org/security-resources/posters/dfir-find-evil/35/download and https://www.sans.org/security-resources/posters/dfir/windows-forensics-evidence-of-75
