
Cyber Threat Hunting with Phirelight


"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare, but essential, breed of enterprise cyber defender gives proactive security a whole new meaning.

Check out the accompanying webinar:

Published in: Technology

  1. Cyber Threat Hunting: A Fundamental Change in Mindset. Chris Dodunski, CTO, Phirelight Security Solutions, Inc.
  2. Cyber Security Evolution: Reactive Security must evolve into Proactive Cyber Threat Hunting.
  3. Threat Hunting Terminology (Sergio Caltagirone, Andrew Pendergast and Christopher Betz, “The Diamond Model of Intrusion Analysis,” Active Response, July 2013):
     - Adversary: the hacker or operator.
     - Customer: the end beneficiary of the hack, breach, intrusion, etc.
     - Capability or Capacity: the theoretical tools, techniques, methods, exposures or vulnerabilities to be exploited.
     - Infrastructure: the physical or logical communication platform used to achieve the goal.
     - Victim: the company, server, person, account, etc. that is the
  4. Threat Hunting Styles:
     - Victim-Centered: the most common approach in enterprise security. Focused on monitoring the hosts and the networks to identify malicious infrastructure and capabilities.
     - Capability-Centered: focused on identifying features of a capability in order to find other elements related to the adversary’s operation. Common in AV vendor reports.
     - Infrastructure-Centered: focused on the malicious infrastructure used in the attacks, with the goal of mapping owned infrastructure, pivoting to identify other victims and uncovering additional capabilities used in the attacks.
     - Other Styles: there are other styles of threat hunting, but they are either outside of the cyber realm (socio-economic-centered), in the realm of LEAs (adversary-centered), or focused on technologies and services that sit more in the theoretical research camp (e.g. fuzzing, 0-day exploit hunting, etc.).
  5. So, What is Cyber Threat Hunting? It is the human-driven search for one or more phases of a cyber attack conducted by an adversary, using tools, information and investigative techniques. It is NOT waiting for an alert to be fired from a piece of technology. It draws on:
     - Threat intelligence (data about known threats)
     - Behavioral analytics (data about suspicious activity)
     - Complete situational awareness (data about the environment)
     - Intuition, hunches and hypotheses (human judgment)
     - Security tools that produce consumable data (contextual answers)
  6. Five Levels of Capability** (David Bianco, “A Simple Hunting Maturity Model,” Enterprise Detection & Response blog, Oct. 15, 2015):
     - Level 1, Initial: relies primarily on automated alerting; little or no routine data collection.
     - Level 2, Minimal: incorporates threat intelligence indicator searches; moderate or high level of routine data collection.
     - Level 3, Procedural: follows data analysis procedures created by others; high or very high level of routine data collection.
     - Level 4, Innovative: creates new data analysis procedures; high or very high level of routine data collection.
     - Level 5, Leading: automates the majority of successful data analysis procedures; high or very high level of routine data collection.
  7. Example Threat Hunt: Victim-Centered.
     - Hypothesis: system is potentially compromised.
     - Trigger: SSH traffic visualization indicates low-volatility communications during data browse.
     - Tools: rapidPHIRE Cyber Intelligence Platform. Inspects network traffic using a combination of threat intelligence, behavioral analytics and vulnerability data, combined with full-stack network operational data collection (i.e. security and operational observations).
  8. Sufficient Data and Tools?
     - Threat Intelligence? Yes. rapidPHIRE uses over 40 global threat intelligence feeds as well as private threat intelligence specific to the network being monitored.
     - Behavioral Analytics? Yes. The rapidPHIRE Cyber Intelligence Platform uses a combination of Bro policies for IP session-based analysis, as well as machine learning and anomaly detection of network communications at a higher altitude (i.e. network communications level).
     - Situational Awareness? Yes. rapidPHIRE collects all operational data communications on every active device on the monitored network, identifying the MAC, IP, hostname and active user credentials on the system, and tracks all application communications in and out, thus learning each device's function. Additionally, rapidPHIRE is aware of theoretical vulnerabilities of each system discovered.
     - Consumable Data? Yes. The rapidPHIRE solution tells a rich visual story and provides quick answers, allowing threat hunters to pivot through the data very quickly.
  9. Pivot from Victim (contextual indicators): Windows Vista laptop (no extended support from Microsoft on system) communicating with a Swiss C&C platform. CVE-2015-0016, score 9.3: total compromise of system integrity and protection; entire system may be compromised.
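As an added example (not from the slides and not Phirelight's rapidPHIRE code), the following Python script shows the shape of the victim-centered hunt in slides 7 to 9 over a handful of constructed flow records: a trigger that flags SSH sessions whose per-flow byte counts barely vary (low volatility), then a pivot from the flagged host to everything else it talked to, annotated from a placeholder indicator list. Host addresses, the volatility threshold and the indicator list are assumptions made for the demonstration.

```python
"""Victim-centered hunt over constructed flow records.

Trigger: SSH sessions with low byte-size volatility (regular, machine-like traffic).
Pivot:   from the flagged host, enumerate its other peers and match them against intel.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real captures): (timestamp, src, dst, dst_port, bytes)
FLOWS = [
    # An administrator's interactive SSH session: sizes vary widely (human-driven)
    (1000, "10.0.0.5", "10.0.0.20", 22, 812),
    (1003, "10.0.0.5", "10.0.0.20", 22, 96),
    (1010, "10.0.0.5", "10.0.0.20", 22, 3340),
    (1014, "10.0.0.5", "10.0.0.20", 22, 140),
    (1021, "10.0.0.5", "10.0.0.20", 22, 2208),
    (1030, "10.0.0.5", "10.0.0.20", 22, 512),
    # The laptop under investigation: SSH to an external host every 60 s, near-identical sizes
    (1060, "10.0.0.20", "203.0.113.7", 22, 1024),
    (1120, "10.0.0.20", "203.0.113.7", 22, 1024),
    (1180, "10.0.0.20", "203.0.113.7", 22, 1040),
    (1240, "10.0.0.20", "203.0.113.7", 22, 1024),
    (1300, "10.0.0.20", "203.0.113.7", 22, 1024),
    (1360, "10.0.0.20", "203.0.113.7", 22, 1032),
    # Other traffic from the same laptop, used by the pivot step
    (1061, "10.0.0.20", "10.0.0.53", 53, 71),
    (1062, "10.0.0.20", "198.51.100.10", 443, 5120),
]

# Placeholder threat-intel indicators (constructed; a real hunt would use curated feeds)
THREAT_INTEL = {"203.0.113.7": "constructed indicator: known C&C host"}


def volatility(values):
    """Coefficient of variation (stdev / mean). 0 means perfectly regular sizes."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_low_volatility_ssh(flows, threshold=0.1, min_samples=5):
    """Return [((src, dst), cv), ...] for SSH sessions whose byte sizes barely vary.

    The threshold is an assumed tuning value; min_samples avoids judging one-off flows.
    """
    sessions = defaultdict(list)
    for _ts, src, dst, dport, nbytes in flows:
        if dport == 22:
            sessions[(src, dst)].append(nbytes)
    hits = []
    for key, sizes in sessions.items():
        if len(sizes) >= min_samples:
            cv = volatility(sizes)
            if cv < threshold:
                hits.append((key, cv))
    return hits


def pivot_from_victim(flows, victim, intel):
    """Map every peer the victim talked to -> ports used and any matching intel entry."""
    peers = defaultdict(set)
    for _ts, src, dst, dport, _nbytes in flows:
        if src == victim:
            peers[dst].add(dport)
    return {
        dst: {"ports": sorted(ports), "intel": intel.get(dst)}
        for dst, ports in peers.items()
    }


def run_hunt(flows, intel):
    """Tie trigger and pivot together; returns one report per flagged source host."""
    report = {}
    for (src, dst), cv in find_low_volatility_ssh(flows):
        report[src] = {
            "trigger": {"peer": dst, "volatility": round(cv, 4)},
            "pivot": pivot_from_victim(flows, src, intel),
        }
    return report


if __name__ == "__main__":
    for host, details in run_hunt(FLOWS, THREAT_INTEL).items():
        print(f"[hunt] {host}: low-volatility SSH to {details['trigger']['peer']} "
              f"(cv={details['trigger']['volatility']})")
        for peer, info in details["pivot"].items():
            tag = info["intel"] or "no intel match"
            print(f"        peer {peer} ports={info['ports']} -> {tag}")
```

The administrator's session is not flagged because a human typing commands produces highly variable flow sizes, while the scripted session stands out with a coefficient of variation well under 0.1; the pivot then surfaces the intel match and the laptop's other peers, which is the contextual picture slide 9 describes.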
  10. rapidPHIRE Live Demo: Situational Awareness.