SlideShare a Scribd company logo

Cyber threat-hunting---part-2-25062021-095909pm

Download as PPTX, PDF
M
MuhammadJalalShah1

threat hunting framework

Technology
1 of 29
CyberThreat Hunting & Intelligence
Types ofThreat Hunting 2 1. IOC Based Threat Hunting 2. Hypotheses Based Threat Hunting 3. Baseline Based Threat Hunting 4. Anomaly Based Threat Hunting
IOC BasedThreat Hunting 3 • Hunting based on Indicators of Compromise (IOC) collected from Threat Intelligence • More like into Compromise Assessment • Checking whether the IOC is present in the environment • Checking on Specific ThreatActor or Specific Threat Intel Report
Hypotheses BasedThreat Hunting 4 • Creating a hypotheses for certain TTPs • e.g : Hypotheses for hunting on endpoint, hypotheses for hunting on network, • Leverage Framework such as MITRE ATT&CK Framework for creating hypotheses on TTPs of Threat Actor • Defining specific asset for hunting (such as Crown Jewel Asset)
Baseline BasedThreat Hunting 5 • Detect something haven’t seen before based on baseline data in the environment • Needs larger set of data available about your infra for creating the baseline • Sometimes triggers lot of False Positives • Quite effective to spot changes in your infra
Anomaly BasedThreat Hunting 6 • Siting through the log data available for the threat hunters to spot irregularities that might be malicious • Additionally applying patterns on your infra • Quite useful in Fraud detection
Threat Hunting UseCase 7
Use Case 1 : Process Spawn cmd.exe 8 MITRE Reference : CAR-2013-02-003 https://car.mitre.org/analytics/CAR-2013-02-003/ : Processes Spawning cmd.exe • Hypothesis : The Windows Command Prompt (cmd.exe) is a utility that provides command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). • Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. • Example Use Case Hunting : if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
UseCase 2 : RDPActivities 9 MITRE Reference: CAR-2016-04-005: https://car.mitre.org/wiki/CAR-2016-04-005 • Hypothesis:A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. • Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary. • Example Use Case Hunting : Looking for Successful RDP Login not from your Country GeoIP login and after office hour
Use Case 3 : StoppingWindows Defensive Services 10 MITRE Reference: CAR-2016-04-003: https://car.mitre.org/wiki/CAR-2016-04-003 • Hypothesis: Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. • Example Use Case Hunting : Antivirus services stopped not long after there is a successful logon from internal network via network services
UseCase 4 :Task Scheduler 11 MITRE Reference: CAR-2020-09-001 : Scheduled Task – FileAccess: https://car.mitre.org/analytics/CAR-2020-09-001/ • Hypothesis: In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:WindowsTasks (legacy) or C:WindowsSystem32Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. • Example Use Case Hunting : a. Task Scheduler running from a suspicious folder location (e.g : C:Users.. ; C:Windowstemp) b. T ask Scheduler running using suspicious Scripting Utilities (LOLBAS) : cscript.exe, rundll32.exe, mshta.exe, powershell.exe, regsvr32.exe
Use Case 5 : Credential Dumping via WindowsTask Manager 12 MITRE Reference: CAR-2020-09-001 : Credential Dumping via Windows Task Manager : https://car.mitre.org/analytics/CAR-2019-08-001/ • Hypothesis : The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped. • Example Use Case Hunting : Hunting for File Creation (thinking about Sysmon Event ID 11 for example), with the process image is taskmgr.exe
Case Study End to EndThreat Hunting Process 13 Threat Hunters defined the Hypotheses and Start Hunting 1. Hypotheses 1 : User visiting malicious website from Phishing Email 2. Hypotheses 2 : User downloading malicious file after visiting the Malicious Website (Drive by Download maybe? 3. Hypotheses 3 : Malware Run on the User System after being downloaded 4. Hypotheses 4 : Malware doing persistence mechanism on Infected / Exploited Machine 5. Hypotheses 5 : Malware contacting Command and Control Server 6. Hypotheses 6 : ThreatActor exfiltrate Sensitive document to Command and Control Server 7. Hypotheses 7 : Sensitive Data Leaked on the Internet
Hypotheses 1 : User visiting malicious website from Phishing Email 14 • Data Source for Hunting – Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon Log, Email Log, Mail Security Gateway Log • Platform for Hunting – SIEM, Security Analytics Platform • Analysis and Enrichment Data – DNSTwist, Phishing Domain List, Threat Intelligence Feeds, VirusTotal, HybridAnalysis, URL / Domain Sandbox Analysis
Hypotheses 2 : User downloading malicious file after visiting the MaliciousWebsite (Drive by Download maybe?) 15 • Data Source for Hunting – Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon Log, • Platform for Hunting – SIEM, Security Analytics Platform, • Analysis and Enrichment Data – Threat Intelligence Feeds, Alexa top 1M Domain, VirusTotal, HybridAnalysis, URL / Domain Sandbox Analysis, Blacklisted Domain Checker
Hypotheses 3 : Malware Run on the User System after being downloaded 16 • Data Source for Hunting – Prefetch, Shimcache, Amcache, Process Running, Volatile Data (Memory), Sysmon,Auditd, • Platform for Hunting – SIEM, Security Analytics Platform, EDR • Analysis and Enrichment Data – File Hash of Process Executed, Parent-Child Process Analysis(SANS Find Evil Poster as Reference), Folder Location of Executables, Signed of Binary Files, VirusTotal, HybridAnalysis,
Hypotheses 4 : Malware doing persistence mechanism on Infected / Exploited Machine 17 • Data Source for Hunting – ASEP (Auto Start Extensibility Points), Registry, Startup Services and Folder, Task Scheduler, Cron Job, • Platform for Hunting – SIEM, Security Analytics Platform, EDR • Analysis and Enrichment Data – Signature Check, Autoruns Sysinternals, File Hash Check, Date of Creation,
Hypotheses 5 : Malware contacting Command and Control Server 18 • Data Source for Hunting – Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet Capture, DNS Log • Platform for Hunting – SIEM, Security Analytics Platform, NDR, XDR, • Analysis and Enrichment Data – Date of Creation Domain, SSL Cert Attribute Checks, JA3 SSL Fingerprint, GeoIP Location Data, Threat Intelligence Feeds
Hypotheses 6 :ThreatActor exfiltrate Sensitive document toCommand and Control Server 19 • Data Source for Hunting – Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet Capture, DNS Log • Platform for Hunting – SIEM, Security Analytics Platform, NDR, XDR, • Analysis and Enrichment Data – Date of Creation Domain, SSL Cert Attribute Checks, JA3 SSL Fingerprint, GeoIP Location Data, Threat Intelligence Feeds
Hypotheses 7 : Sensitive Data Leaked on the Internet 20 • Data Source for Hunting – OSINT, Dark Web Search, Underground Forum, Threat Intelligence Feeds • Platform for Hunting – Threat Intelligence Platform • Analysis and Enrichment Data – Pastebin, Github, Honeypot
Threat Intelligence 21
Threat Intelligence • Threat intelligence, or cyber threat intelligence, is information an organization uses to understand the threats that have, will, or are currently targeting the organization. • By identifying the threat actors the organization may be targeted by, defenses and monitoring solutions can be created to better protect from attacks. • Threat Hunting is also closely associated withThreat Intelligence, as hunting is the process of using intelligence to search for evidence of sophisticated threat actors, who are already in the network 22
Benefit ofThreat Intelligence • By identifying relevant threat actors, and consuming intelligence from a number of sources, aThreat Intelligence function can help the business better understand risks from cyber-attacks. In short, it helps security teams focus on attackers that are likely to target the organization, and work to develop defences and other measures to prevent or limit the impact of attacks. • ThreatActors have the skills, knowledge, and resources to evade most of security perimeter and tools owned by the organizations.That is why it is quite important to keep up to date with their tactics, and develop unique solutions to detect, response and prevent them to get into our network. 23
Indicator of Compromise 24 IOCs are artifacts that have been identified as acting maliciously or attributed to threat actors. Some of the most common ones include • IP Addresses : An IP that has been observed doing a scanning or exploitation to our network • Domains : A domain that hosts a credential harvesting site or hosting malicious payload • Email Addresses :An email address that has been sending phishing emails with a malicious attachment • File Names : Malicious file names dropped by the attacker during the compromised • File Hashes : The unique hash of a piece of malware / malicious tools used by threat actors
Threat Intelligence Remember IOC != Threat Intelligence 25
Threat Intelligence andThreat Hunting 26 • Threat intelligence and threat hunting are two distinct security area that can be complimentary for each other. For example, threat intelligence can make up a small portion of the threat hunting process. However, subscribing to a threat intelligence feed does not automatically satisfy the need to threat hunt your network. A proper threat hunt can identify threats even when they have not yet been seen in the wild.
Threat Intelligence andThreat Hunting 27 EC Council CTIA Threat Intelligence
28
Thank you 29

Recommended

PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resourcesidsecconf
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 

Recommended

PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resourcesidsecconf
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Chi En (Ashley) Shen
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionBurning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionJosh Sokol
 
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructureHunt down the evil of your infrastructure
Hunt down the evil of your infrastructureBangladesh Network Operators Group
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceAsep Sopyan
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of LogsJack Crook
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 

More Related Content

What's hot

Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Chi En (Ashley) Shen
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionBurning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionJosh Sokol
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceAsep Sopyan
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of LogsJack Crook
 

What's hot (20)

Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionBurning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in Action
 
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructureHunt down the evil of your infrastructure
Hunt down the evil of your infrastructure
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoring
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data Science
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of Logs
 

Similar to Cyber threat-hunting---part-2-25062021-095909pm

Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Hunting the Evil of your Infrastructure
Hunting the Evil of your InfrastructureHunting the Evil of your Infrastructure
Hunting the Evil of your InfrastructureA. S. M. Shamim Reza
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
Threat Hunting Professional Online Training Course
Threat Hunting Professional Online Training CourseThreat Hunting Professional Online Training Course
Threat Hunting Professional Online Training CourseShivamSharma909
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
Running Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docxRunning Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docxSUBHI7
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 

Similar to Cyber threat-hunting---part-2-25062021-095909pm (20)

Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Hunting the Evil of your Infrastructure
Hunting the Evil of your InfrastructureHunting the Evil of your Infrastructure
Hunting the Evil of your Infrastructure
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacks
 
Threat Hunting Professional Online Training Course
Threat Hunting Professional Online Training CourseThreat Hunting Professional Online Training Course
Threat Hunting Professional Online Training Course
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Computer security
Computer securityComputer security
Computer security
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
Running Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docxRunning Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docx
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Cyber threat-hunting---part-2-25062021-095909pm

  • 1. CyberThreat Hunting & Intelligence
  • 2. Types ofThreat Hunting 2 1. IOC Based Threat Hunting 2. Hypotheses Based Threat Hunting 3. Baseline Based Threat Hunting 4. Anomaly Based Threat Hunting
  • 3. IOC BasedThreat Hunting 3 • Hunting based on Indicators of Compromise (IOC) collected from Threat Intelligence • More like into Compromise Assessment • Checking whether the IOC is present in the environment • Checking on Specific ThreatActor or Specific Threat Intel Report
  • 4. Hypotheses BasedThreat Hunting 4 • Creating a hypotheses for certain TTPs • e.g : Hypotheses for hunting on endpoint, hypotheses for hunting on network, • Leverage Framework such as MITRE ATT&CK Framework for creating hypotheses on TTPs of Threat Actor • Defining specific asset for hunting (such as Crown Jewel Asset)
  • 5. Baseline BasedThreat Hunting 5 • Detect something haven’t seen before based on baseline data in the environment • Needs larger set of data available about your infra for creating the baseline • Sometimes triggers lot of False Positives • Quite effective to spot changes in your infra
  • 6. Anomaly BasedThreat Hunting 6 • Siting through the log data available for the threat hunters to spot irregularities that might be malicious • Additionally applying patterns on your infra • Quite useful in Fraud detection
  • 8. Use Case 1 : Process Spawn cmd.exe 8 MITRE Reference : CAR-2013-02-003 https://car.mitre.org/analytics/CAR-2013-02-003/ : Processes Spawning cmd.exe • Hypothesis : The Windows Command Prompt (cmd.exe) is a utility that provides command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). • Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. • Example Use Case Hunting : if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
  • 9. UseCase 2 : RDPActivities 9 MITRE Reference: CAR-2016-04-005: https://car.mitre.org/wiki/CAR-2016-04-005 • Hypothesis:A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. • Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary. • Example Use Case Hunting : Looking for Successful RDP Login not from your Country GeoIP login and after office hour
  • 10. Use Case 3 : StoppingWindows Defensive Services 10 MITRE Reference: CAR-2016-04-003: https://car.mitre.org/wiki/CAR-2016-04-003 • Hypothesis: Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. • Example Use Case Hunting : Antivirus services stopped not long after there is a successful logon from internal network via network services
  • 11. UseCase 4 :Task Scheduler 11 MITRE Reference: CAR-2020-09-001 : Scheduled Task – FileAccess: https://car.mitre.org/analytics/CAR-2020-09-001/ • Hypothesis: In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:WindowsTasks (legacy) or C:WindowsSystem32Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. • Example Use Case Hunting : a. Task Scheduler running from a suspicious folder location (e.g : C:Users.. ; C:Windowstemp) b. T ask Scheduler running using suspicious Scripting Utilities (LOLBAS) : cscript.exe, rundll32.exe, mshta.exe, powershell.exe, regsvr32.exe
  • 12. Use Case 5 : Credential Dumping via WindowsTask Manager 12 MITRE Reference: CAR-2020-09-001 : Credential Dumping via Windows Task Manager : https://car.mitre.org/analytics/CAR-2019-08-001/ • Hypothesis : The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped. • Example Use Case Hunting : Hunting for File Creation (thinking about Sysmon Event ID 11 for example), with the process image is taskmgr.exe
  • 13. Case Study End to EndThreat Hunting Process 13 Threat Hunters defined the Hypotheses and Start Hunting 1. Hypotheses 1 : User visiting malicious website from Phishing Email 2. Hypotheses 2 : User downloading malicious file after visiting the Malicious Website (Drive by Download maybe? 3. Hypotheses 3 : Malware Run on the User System after being downloaded 4. Hypotheses 4 : Malware doing persistence mechanism on Infected / Exploited Machine 5. Hypotheses 5 : Malware contacting Command and Control Server 6. Hypotheses 6 : ThreatActor exfiltrate Sensitive document to Command and Control Server 7. Hypotheses 7 : Sensitive Data Leaked on the Internet
  • 14. Hypotheses 1 : User visiting malicious website from Phishing Email 14 • Data Source for Hunting – Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon Log, Email Log, Mail Security Gateway Log • Platform for Hunting – SIEM, Security Analytics Platform • Analysis and Enrichment Data – DNSTwist, Phishing Domain List, Threat Intelligence Feeds, VirusTotal, HybridAnalysis, URL / Domain Sandbox Analysis
  • 15. Hypotheses 2 : User downloading malicious file after visiting the MaliciousWebsite (Drive by Download maybe?) 15 • Data Source for Hunting – Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon Log, • Platform for Hunting – SIEM, Security Analytics Platform, • Analysis and Enrichment Data – Threat Intelligence Feeds, Alexa top 1M Domain, VirusTotal, HybridAnalysis, URL / Domain Sandbox Analysis, Blacklisted Domain Checker
  • 16. Hypotheses 3 : Malware Run on the User System after being downloaded 16 • Data Source for Hunting – Prefetch, Shimcache, Amcache, Process Running, Volatile Data (Memory), Sysmon,Auditd, • Platform for Hunting – SIEM, Security Analytics Platform, EDR • Analysis and Enrichment Data – File Hash of Process Executed, Parent-Child Process Analysis(SANS Find Evil Poster as Reference), Folder Location of Executables, Signed of Binary Files, VirusTotal, HybridAnalysis,
  • 17. Hypotheses 4 : Malware doing persistence mechanism on Infected / Exploited Machine 17 • Data Source for Hunting – ASEP (Auto Start Extensibility Points), Registry, Startup Services and Folder, Task Scheduler, Cron Job, • Platform for Hunting – SIEM, Security Analytics Platform, EDR • Analysis and Enrichment Data – Signature Check, Autoruns Sysinternals, File Hash Check, Date of Creation,
  • 18. Hypotheses 5 : Malware contacting Command and Control Server 18 • Data Source for Hunting – Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet Capture, DNS Log • Platform for Hunting – SIEM, Security Analytics Platform, NDR, XDR, • Analysis and Enrichment Data – Date of Creation Domain, SSL Cert Attribute Checks, JA3 SSL Fingerprint, GeoIP Location Data, Threat Intelligence Feeds
  • 19. Hypotheses 6 :ThreatActor exfiltrate Sensitive document toCommand and Control Server 19 • Data Source for Hunting – Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet Capture, DNS Log • Platform for Hunting – SIEM, Security Analytics Platform, NDR, XDR, • Analysis and Enrichment Data – Date of Creation Domain, SSL Cert Attribute Checks, JA3 SSL Fingerprint, GeoIP Location Data, Threat Intelligence Feeds
  • 20. Hypotheses 7 : Sensitive Data Leaked on the Internet 20 • Data Source for Hunting – OSINT, Dark Web Search, Underground Forum, Threat Intelligence Feeds • Platform for Hunting – Threat Intelligence Platform • Analysis and Enrichment Data – Pastebin, Github, Honeypot
  • 22. Threat Intelligence • Threat intelligence, or cyber threat intelligence, is information an organization uses to understand the threats that have, will, or are currently targeting the organization. • By identifying the threat actors the organization may be targeted by, defenses and monitoring solutions can be created to better protect from attacks. • Threat Hunting is also closely associated withThreat Intelligence, as hunting is the process of using intelligence to search for evidence of sophisticated threat actors, who are already in the network 22
  • 23. Benefit ofThreat Intelligence • By identifying relevant threat actors, and consuming intelligence from a number of sources, aThreat Intelligence function can help the business better understand risks from cyber-attacks. In short, it helps security teams focus on attackers that are likely to target the organization, and work to develop defences and other measures to prevent or limit the impact of attacks. • ThreatActors have the skills, knowledge, and resources to evade most of security perimeter and tools owned by the organizations.That is why it is quite important to keep up to date with their tactics, and develop unique solutions to detect, response and prevent them to get into our network. 23
  • 24. Indicator of Compromise 24 IOCs are artifacts that have been identified as acting maliciously or attributed to threat actors. Some of the most common ones include • IP Addresses : An IP that has been observed doing a scanning or exploitation to our network • Domains : A domain that hosts a credential harvesting site or hosting malicious payload • Email Addresses :An email address that has been sending phishing emails with a malicious attachment • File Names : Malicious file names dropped by the attacker during the compromised • File Hashes : The unique hash of a piece of malware / malicious tools used by threat actors
  • 25. Threat Intelligence Remember IOC != Threat Intelligence 25
  • 26. Threat Intelligence andThreat Hunting 26 • Threat intelligence and threat hunting are two distinct security area that can be complimentary for each other. For example, threat intelligence can make up a small portion of the threat hunting process. However, subscribing to a threat intelligence feed does not automatically satisfy the need to threat hunt your network. A proper threat hunt can identify threats even when they have not yet been seen in the wild.
  • 27. Threat Intelligence andThreat Hunting 27 EC Council CTIA Threat Intelligence
  • 28. 28