
Billions & Billions of Logs

This talk was intended for the 2017 SANS Threat Hunting Summit and 2017 x33fcon. Unfortunately I was unable to attend either.

Billions & Billions of Logs

1. Billions & Billions of Logs; Oh My
   Jack Crook

2. whoami
   - Jack Crook (@jackcr)
   - Principal Incident Responder, GE-CIRT
   - Husband of 23 or 24 years?
   - Father of 4
   - Grandfather of 1
   - Finder of Bad Guys

3. What this talk is
   Thoughts based on my experiences

4. What this talk is not

5. How I think about threat hunting
   - Hypothesis driven approach for identifying malicious behavior within my environment.
   - These hypotheses are derived from:
     - First hand knowledge
     - Internally developed intel
     - Trusted partner sharing
     - Public reporting
   - Utilize kill chain to focus efforts

6. The three most important ?'s
   - What am I looking for?
   - Why am I looking for it?
   - How do I find it?

7. What we want hunting to be

8. Often times the reality

9. Reasons
   Why do we seem to flounder in that "sea of data"?
   - Scope of hunt is not properly defined
   - Scope of hunt is too broad
   - We try and catch all instances of bad for a particular query
   - We focus on a single method of finding the indicator
   - We focus on singular events to attempt to draw conclusions
   - We look for actions instead of behaviors

10. Hunting opportunities
    Kill chain phases: Recon, Exploitation, Delivery, Installation, C2, Actions

11. Consider the following

12. The question is: How?

13. High level hypotheses
    - Comprised of multiple actions
    - Actions typically happen over short time spans
    - Will often use legitimate Windows utilities
    - Will often use tools brought in with them
    - Will often need to elevate permissions
    - Will need to access various machines
    - Will need to access files on filesystems

14. What can I define from these hypotheses? Needs

15. 5 basic attacker needs
    - Execution
    - Credentials
    - Enumeration
    - Authentication
    - Data Movement

16. Attacker Needs: Execution
    Processes, scripts, services, scheduled tasks
    - cmd.exe
    - powershell.exe
    - wmic.exe
    - Custom tools

17. Attacker Needs: Credentials
    Domain administrative accounts, local service accounts, accounts pertaining to group membership
    - Registry hives
    - Extract from lsass process
    - Network sniffing
    - Keylogging
    - ntds.dit
    - Clear text on filesystem

18. Attacker Needs: Enumeration
    User/group enumeration, device enumeration, filesystem enumeration
    - "net" commands
    - dir
    - find
    - whoami
    - ping
    - Custom tools

19. Attacker Needs: Authentication
    4624 Type 3 (network logon), 4624 Type 10 (RemoteInteractive, e.g. RDP), 4648 (logon with explicit credentials)
    - Domain admins
    - Enterprise admins
    - Local admins
    - Service accounts
    - Users w/ GID

20. Attacker Needs: Data Movement
    Tools in, recon data and exfil data out
    - copy
    - xcopy
    - rdpclip
    - PsExec
    - RemCom

21. Now what?
    We can look at these needs-based actions individually and likely swim in our sea of reality, or... Is there possibly another way?

22. Behavior Chains

23. The thought
    Can we take interesting data, that doesn't always point to malicious activity, and cluster it in a way that will surface actions often used by attackers?

24. How do we get there
    - Develop queries for specific actions based on attacker needs
    - Accuracy of query is key
    - Volume of output is not
    - Enhance data with queries from detection technologies
    - Store output of queries in central location
    - Each query makes a link
    - The sum of links make up a chain

25. Link chains by
    Time, source host, destination host, user, action

26. Consider the following commands
    copy bad.exe \\192.168.56.10\c$\temp\bad.exe
    dir \\192.168.56.10\c$\temp
    wmic /node:192.168.56.10 /user:administrator /password:pass process call create "bad.exe"

27. Time
    How long would it take you to type those commands?

28. Source Host
    Does the source host show up in multiple clusters?

29. Destination Host
    What is the role of the destination machine?

30. User
    What is the number of users and role per cluster?

31. Action
    Does the cluster represent multiple needs?

32. Data Movement: Source to Dest
    - Windows Security Event ID = 5145
    - ObjectType = File
    - Share Name = *$
    - Access Mask = 0x1000180
    - Access Mask = 0x80
    - Access Mask = 0x130197
    - Bucket 3 events within 1 sec by ComputerName

33. Enumeration: Remote Dir of $ Share
    - Windows Security Event ID = 5145
    - Share Name = *C$
    - Share Name = *ADMIN$
    - Access Mask = 0x100080
    - Source Address != 127.0.0.1

34. Execution: WMIC on Remote Host
    - Windows Security Event ID = 4688
    - Windows Security Event ID = 4624
    - LogonType = 3
    - Source Network Address != ""
    - Search Process = wmiprvse.exe (the WMI provider host; its child processes were started via WMI)
    - List additional processes spawning within same second

35. Authentication: Suspicious 4648 Logon
    - Windows Security Event ID = 4648
    - Process Name = wmic.exe
    - Target Server Name != localhost
    - Target Server Name != *$
    (4648 is recorded on the host that initiates the logon, so this link is keyed on the source host, while 5145/4624/4688 above are recorded on the destination.)

36. How our chain would look
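The chain on slides 24 through 36, worked through as an added example. This code is not from the talk or from GE-CIRT: it implements the four link queries on slides 32-35 over a constructed set of Security events modelled on the slide 26 commands, links them by source host, destination host and time as slide 25 describes, and ranks the resulting clusters by how many distinct needs they cover (slide 31). The address-to-hostname table, the five-minute chain window and every event value are assumptions for the example; the rules for 4648 run against the host that issued the logon and the 5145/4624/4688 rules against the destination, which is why both hosts are carried on every link.

```python
"""Behaviour-chain clustering over constructed Windows Security events.

Added example (not from the talk): the four link queries follow slides
32-35, the linking keys follow slide 25, and every event below is made up
to model the copy / dir / wmic sequence on slide 26.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address-to-host lookup (asset/DHCP data in a real environment).
HOSTS = {"192.168.56.20": "WS01", "192.168.56.10": "SRV01", "192.168.56.50": "BKP01"}
# Assumed chain window: a person typing the slide-26 commands by hand finishes
# well inside this (slide 27 asks exactly that question).
CHAIN_WINDOW = timedelta(minutes=5)
COPY_MASKS = {0x1000180, 0x80, 0x130197}   # access masks listed on slide 32
DIR_MASK = 0x100080                        # directory-listing mask from slide 33

# Constructed sample events. Keys mirror Security log fields; 5145/4624/4688 are
# logged on the destination host, 4648 on the host that started the logon.
EVENTS = [
    # copy bad.exe \\192.168.56.10\c$\temp\bad.exe -> three 5145s in one second
    {"time": "2017-05-02T18:03:10Z", "event_id": 5145, "computer": "SRV01", "src_ip": "192.168.56.20",
     "user": "administrator", "object_type": "File", "share": "\\\\*\\C$", "access_mask": 0x130197},
    {"time": "2017-05-02T18:03:10Z", "event_id": 5145, "computer": "SRV01", "src_ip": "192.168.56.20",
     "user": "administrator", "object_type": "File", "share": "\\\\*\\C$", "access_mask": 0x80},
    {"time": "2017-05-02T18:03:10Z", "event_id": 5145, "computer": "SRV01", "src_ip": "192.168.56.20",
     "user": "administrator", "object_type": "File", "share": "\\\\*\\C$", "access_mask": 0x1000180},
    # dir \\192.168.56.10\c$\temp
    {"time": "2017-05-02T18:03:14Z", "event_id": 5145, "computer": "SRV01", "src_ip": "192.168.56.20",
     "user": "administrator", "object_type": "File", "share": "\\\\*\\C$", "access_mask": DIR_MASK},
    # wmic /node:192.168.56.10 /user:administrator ... -> 4648 on the source host
    {"time": "2017-05-02T18:03:21Z", "event_id": 4648, "computer": "WS01", "user": "administrator",
     "process": "C:\\Windows\\System32\\wbem\\wmic.exe", "target_server": "192.168.56.10"},
    # ... then a type-3 logon and wmiprvse.exe spawning bad.exe on the destination
    {"time": "2017-05-02T18:03:22Z", "event_id": 4624, "computer": "SRV01", "src_ip": "192.168.56.20",
     "user": "administrator", "logon_type": 3},
    {"time": "2017-05-02T18:03:22Z", "event_id": 4688, "computer": "SRV01", "user": "administrator",
     "process": "C:\\temp\\bad.exe", "parent_process": "C:\\Windows\\System32\\wbem\\wmiprvse.exe"},
    # unrelated noise: a backup account listing the same share two hours earlier
    {"time": "2017-05-02T16:00:00Z", "event_id": 5145, "computer": "SRV01", "src_ip": "192.168.56.50",
     "user": "svc_backup", "object_type": "File", "share": "\\\\*\\C$", "access_mask": DIR_MASK},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def host(addr):
    return HOSTS.get(addr, addr)

def links_data_movement(events):
    """Slide 32: three matching 5145s on an admin share within one second per host."""
    buckets = defaultdict(list)
    for e in events:
        if (e["event_id"] == 5145 and e["object_type"] == "File"
                and e["share"].endswith("$") and e["access_mask"] in COPY_MASKS):
            buckets[(e["computer"], ts(e["time"]))].append(e)
    for (dst, t), evs in buckets.items():
        if len(evs) >= 3:
            yield ("data_movement", t, host(evs[0]["src_ip"]), dst, evs[0]["user"])

def links_enumeration(events):
    """Slide 33: remote directory listing of C$ or ADMIN$."""
    for e in events:
        if (e["event_id"] == 5145 and e["share"].endswith(("C$", "ADMIN$"))
                and e["access_mask"] == DIR_MASK and e["src_ip"] != "127.0.0.1"):
            yield ("enumeration", ts(e["time"]), host(e["src_ip"]), e["computer"], e["user"])

def links_execution(events):
    """Slide 34: 4688 child of wmiprvse.exe paired with a 4624 type-3 logon in the same second."""
    logons = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3 and e["src_ip"]]
    for e in events:
        if e["event_id"] == 4688 and e["parent_process"].lower().endswith("wmiprvse.exe"):
            for l in logons:
                if l["computer"] == e["computer"] and abs(ts(l["time"]) - ts(e["time"])) <= timedelta(seconds=1):
                    yield ("execution", ts(e["time"]), host(l["src_ip"]), e["computer"], l["user"])

def links_authentication(events):
    """Slide 35: 4648 explicit-credential logon issued by wmic.exe to a remote server."""
    for e in events:
        if (e["event_id"] == 4648 and e["process"].lower().endswith("wmic.exe")
                and e["target_server"] != "localhost" and not e["target_server"].endswith("$")):
            yield ("authentication", ts(e["time"]), e["computer"], host(e["target_server"]), e["user"])

def build_links(events):
    """Every query contributes links of the form (need, time, src_host, dst_host, user)."""
    links = []
    for query in (links_data_movement, links_enumeration, links_execution, links_authentication):
        links.extend(query(events))
    return sorted(links, key=lambda l: l[1])

def build_chains(events, window=CHAIN_WINDOW):
    """Slide 25: chain links that share source and destination host and sit
    within `window` of the previous link; slide 31: rank by distinct needs."""
    chains = []
    for need, t, src, dst, user in build_links(events):
        for c in chains:
            if c["src"] == src and c["dst"] == dst and t - c["end"] <= window:
                c["end"], c["needs"], c["users"] = t, c["needs"] | {need}, c["users"] | {user}
                break
        else:
            chains.append({"src": src, "dst": dst, "start": t, "end": t, "needs": {need}, "users": {user}})
    for c in chains:
        c["span_s"] = int((c["end"] - c["start"]).total_seconds())
    return sorted(chains, key=lambda c: len(c["needs"]), reverse=True)

if __name__ == "__main__":
    for c in build_chains(EVENTS):
        print(f'{c["src"]} -> {c["dst"]}: {sorted(c["needs"])} users={sorted(c["users"])} span={c["span_s"]}s')
```

Run stand-alone, the WS01 -> SRV01 cluster surfaces first because it covers all four needs inside twelve seconds, while the backup account's share listing stays a one-link cluster. None of the individual links is malicious on its own; it is the count of needs per (source, destination, window) that makes the cluster worth a look, which is the point slides 23 and 31 make.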
37. Feed the Beast
    - Windows Events
    - Sysmon
    - PowerShell
    - AV
    - Whitelisting
    - Flow
    - NIDS/HIDS

38. Considerations
    - Normalization of fields across data sources
    - Standardization of time zones across logs
    - Build queries to surface behaviors on both source and dest
    - Identify areas across needs for additional opportunities
    - Experiment with different methods of clustering
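The first two considerations on slide 38, field normalization and time-zone standardization, as an added example that is not part of the talk. It takes a Sysmon Event ID 1 record and a Security 4688 record describing the same process start and maps both onto the schema the chain builder links on. Field names follow the two real event schemas; every value is constructed, and the assumption that the 4688 was stamped by its collector in US Eastern local time rather than UTC is what makes the one-second bucket on slide 32 miss unless the offset is converted.

```python
"""Field and time-zone normalisation ahead of linking (slide 38).

Added example, not from the talk: two records of one process start, one from
Sysmon (Event ID 1) and one from the Security log (4688), are mapped onto the
schema the chain builder links on. Values are constructed.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Sysmon stamps UtcTime in UTC with no offset marker.
SYSMON = {"source": "sysmon", "EventID": 1, "Computer": "srv01.corp.example",
          "UtcTime": "2017-05-02 18:03:22.104",
          "Image": "C:\\temp\\bad.exe",
          "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
          "User": "SRV01\\Administrator"}
# Assumption: the collector stamped this 4688 in US Eastern local time (UTC-4).
SECURITY = {"source": "security", "EventID": 4688, "Computer": "SRV01",
            "TimeCreated": "2017-05-02T14:03:22-04:00",
            "NewProcessName": "C:\\temp\\bad.exe",
            "ParentProcessName": "C:\\Windows\\System32\\wbem\\wmiprvse.exe",
            "SubjectDomainName": "SRV01", "SubjectUserName": "administrator"}

def to_utc(record):
    """Aware UTC datetime regardless of how the source stamped the event."""
    if record["source"] == "sysmon":
        return datetime.strptime(record["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=UTC)
    return datetime.fromisoformat(record["TimeCreated"]).astimezone(UTC)

def normalize(record):
    """Map either schema onto need/host/user/process/parent, case folded, host short name."""
    if record["source"] == "sysmon":
        user, proc, parent = record["User"], record["Image"], record["ParentImage"]
    else:
        user = record["SubjectDomainName"] + "\\" + record["SubjectUserName"]
        proc, parent = record["NewProcessName"], record["ParentProcessName"]
    return {"need": "execution", "source": record["source"], "utc_time": to_utc(record),
            "host": record["Computer"].split(".")[0].upper(),
            "user": user.lower(), "process": proc.lower(), "parent": parent.lower()}

def same_action(a, b, tolerance=timedelta(seconds=1)):
    """Two normalised records describe one action when the keys agree and the
    UTC timestamps fall inside the one-second bucket used on slide 32."""
    return (all(a[k] == b[k] for k in ("host", "user", "process", "parent"))
            and abs(a["utc_time"] - b["utc_time"]) <= tolerance)

def naive_gap_seconds(sysmon, security):
    """The gap a pipeline sees if it drops the offset instead of converting it."""
    ta = datetime.strptime(sysmon["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    tb = datetime.fromisoformat(security["TimeCreated"]).replace(tzinfo=None)
    return abs((ta - tb).total_seconds())

if __name__ == "__main__":
    a, b = normalize(SYSMON), normalize(SECURITY)
    print("same action after normalisation:", same_action(a, b))
    print("apparent gap without tz handling:", naive_gap_seconds(SYSMON, SECURITY), "s")
```

With the offset honoured the two records land 0.1 s apart and collapse into one execution link; with the offset dropped they appear four hours apart and would be clustered, if at all, into two unrelated chains. The case folding and FQDN-to-short-name step matter for the same reason: `WmiPrvSE.exe` and `wmiprvse.exe`, or `srv01.corp.example` and `SRV01`, must compare equal before any of the slide 25 keys can line up.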
39. Benefits
    - Huge reduction in high volume events
    - Generates dynamic clusters of "interesting"
    - Surface patterns of behavior that may otherwise be missed
    - Can be used for all phases of the Kill Chain
    - Can cluster behaviors across multiple data sources

40. I believe this will get me closer

41. Thank You!
    Twitter: @jackcr
    Blog: findingbad.blogspot.com