
Hunting in the Dark - UNC Cybersecurity Symposium 2016

"Hunting" is a key phase of the incident response lifecycle that aims to identify, on a proactive basis, unknown threats lurking in an environment. In practice, many hunting teams focus on searching for public or purchased IOCs, often representing intelligence that has already been burned. Hunting without specific leads is difficult, and every environment (and incident) has its own unique characteristics. This presentation will provide analytic techniques that can identify generic evidence of post-compromise activity, with a focus on the contemporary approaches that targeted attackers employ for credential harvesting, persistence, and lateral movement in Windows environments. It will illustrate sources of evidence that are ideal for large-scale anomaly analysis, and provide examples of how to effectively collect data, reduce noise, and minimize dependencies on external threat feeds.



  1. Hunting in the Dark. Ryan Kazanciyan, Chief Security Architect. October 5, 2016
  2. whoami. Copyright 2016 Tanium Inc. All rights reserved.
  3. Examining an environment, on a proactive or reactive basis, for evidence of malicious activity – without specific investigative leads
  4. Goals and success criteria
     • Functional at enterprise scale
     • Complementary to IOC & threat-feed detection
     • Repeatable over time
  5. My focus for this presentation
     • Endpoint-centric
     • Widely available data
     • Techniques, not specific tools
  6. Common Pitfalls
  7. Distinguishing normal, interesting, and bad
  8. Analysts often radically underestimate the noise level of an enterprise environment
  9. Your applications are noisy
     • Different OS versions and add-ons
     • User-installed applications
     • Random / GUID file names & paths
     • Temporary artifacts of software installers
     • Updates & patches
     “How many unique PE files (EXEs, DLLs, drivers) have been loaded across all my systems?”
  10. Your users are noisy
     • Maintenance and administration scripts
     • Ad-hoc troubleshooting
     • Service and application accounts
     • Misunderstood native OS behavior
     “How often do my privileged accounts authenticate across the environment?”
  11. Overwhelming yourself with data, “just in case”…
  12. You cannot capture everything, constantly
     • OS-level telemetry
     • Application-level telemetry
     • Data at rest
     • Volatile memory
  13. We’ve been through this already… (Expectation vs. Reality)
  14. Falling victim to tunnel vision on “important assets”
  15. Defender bias
     “…what may be critical to you…may not be the ‘crown jewels’ from the perspective of the adversary...”
     “You'll find yourself hunkered down in your Maginot Line bunkers, awaiting that final assault, only to be mystified when it never seems to come.”
     – Harlan Carvey. Source: http://windowsir.blogspot.com
  16. Hacking is graph traversal
  17. Practical example: BloodHound
     • Graph analysis of AD relationships
     • Identify pathways to privilege escalation
     https://github.com/adaptivethreat/BloodHound
  18. Developing a sustainable hunting strategy
  19. Structuring the process: external IOCs & reputation data; homegrown IOCs & ad-hoc searches; targeted hunting workflows; continuous & automated analysis
  20. Success criteria
     • Establish useful baselines
     • Implement repeatable & scalable tasks
     • Track “hit rate” vs. level of effort
     • Drive towards automation
  21. Focusing on High-Value Data
  22. Prioritizing your efforts
     • What are the “lowest common denominators” across intrusions?
     • What evidence do they leave behind?
     • What easily observable outlier conditions do they create?
  23. MITRE’s “ATT&CK” framework: https://attack.mitre.org/wiki/Technique_Matrix
  24. Collecting and Managing the Data
  25. Assess your visibility
     • What’s available?
     • At what scale?
     • How much post-processing?
     • What’s available ad hoc?
     • What may require “data lakes”?
  26. Mitigating the “Long Tail”
  27. Group your systems, group your data
  28. Practical Examples
  29. Hunting for Lateral Command Execution
  30. Lateral command execution
  31. Example: Duqu 2.0 and Scheduled Tasks
     “In addition to creating services to infect other computers in the LAN, attackers can also use the Task Scheduler to start ‘msiexec.exe’ remotely. The usage of Task Scheduler during Duqu infections for lateral movement was also observed with the 2011 version...”
     Source: https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
  32. What was the shared IOC?
  33. How could we do better?
  34. Hunting tasks with event logs (Microsoft-Windows-TaskScheduler/Operational.evtx)
     Event IDs to harvest:
     • 106 (Task Registered)
     • 129 (Created Task Process)
     • 200 (Action Started)
     • 201 (Action Completed)
     Fields to filter & stack:
     • TaskName (What’s the task called?)
     • UserContext (Who registered it?)
     • ActionName (What did it run?)
  35. Stack and search workflow
  36. Stack and search workflow (continued)
  37. (no text on slide)
  38. (no text on slide)
  39. Revisiting our example: Duqu 2.0
     • How common are remotely registered tasks with ActionName=“msiexec.exe”?
     • By user? By time? By endpoints?
     • Could you have found this proactively, without any leads?
     Source: Kaspersky
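The stack-and-search workflow of slides 34 through 39, as an added example in Python (not code from the deck or from Tanium): it parses exported Task Scheduler operational events, joins EID 106 (who registered the task) to EID 200 (what action ran) per host and TaskName, and stacks on UserContext and action basename so that a rare pairing such as an admin account's task launching msiexec.exe sorts to the top. The host names, accounts and task names are constructed sample data; the XML shape follows the standard Windows event schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(eid, host, **fields):
    # Build one <Event> in the shape of an exported Task Scheduler log entry (constructed data).
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f"<Event><System><EventID>{eid}</EventID><Computer>{host}</Computer>"
            f"</System><EventData>{data}</EventData></Event>")

# Constructed sample: a benign OS task on every host, a task on HOST2 that was registered
# but never ran, and a task on HOST3 registered by a domain admin that launched msiexec.exe.
DEFRAG = r"\Microsoft\Windows\Defrag\ScheduledDefrag"
SAMPLE_XML = (f'<Events xmlns="{NS["e"]}">'
    + "".join(_event(106, h, TaskName=DEFRAG, UserContext="SYSTEM")
              + _event(200, h, TaskName=DEFRAG, ActionName=r"C:\Windows\System32\defrag.exe")
              for h in ("HOST1", "HOST2", "HOST3"))
    + _event(106, "HOST2", TaskName=r"\OfficeUpdate", UserContext=r"CORP\jsmith")
    + _event(106, "HOST3", TaskName=r"\At1", UserContext=r"CORP\admin-jdoe")
    + _event(200, "HOST3", TaskName=r"\At1", ActionName=r"C:\Windows\System32\msiexec.exe")
    + "</Events>")

def parse_events(xml_text):
    """Yield (event_id, computer, {field: value}) for every <Event> element."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        host = ev.findtext("e:System/e:Computer", namespaces=NS)
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield eid, host, data

def stack_task_events(xml_text):
    """Join EID 106 (who registered) to EID 200 (what ran) per host and TaskName, then
    stack on (UserContext, action basename). Returns [((user, action), {hosts})], rarest first."""
    registered, actions = {}, defaultdict(set)
    for eid, host, d in parse_events(xml_text):
        key = (host, d.get("TaskName"))
        if eid == 106:
            registered[key] = d.get("UserContext", "")
        elif eid == 200:
            actions[key].add(d.get("ActionName", "").rsplit("\\", 1)[-1].lower())
    stack = defaultdict(set)
    for key, user in registered.items():
        for action in actions.get(key, {"<never ran>"}):   # registered-but-idle tasks still count
            stack[(user, action)].add(key[0])
    return sorted(stack.items(), key=lambda kv: (len(kv[1]), kv[0]))

if __name__ == "__main__":
    for (user, action), hosts in stack_task_events(SAMPLE_XML):
        print(f"{len(hosts):>3} host(s)  {user:<16} {action}")
```

Pointing the same functions at a real export only changes the input; the host set per row is what lets you pivot "by endpoint" as slide 39 asks.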
  40. Interesting blind spot: COM handler tasks
     • Cannot examine or edit in Task Viewer UI
     • ActionName is a descriptive string
     • How do you know what this loads?
  41. Mapping COM handler to associated DLL
  42. Attacker limitations
     • Must import task configuration XML file if using COM:
       schtasks /Create /XML c:\EvilTask.xml /TN \Microsoft\Windows\CertificateServicesClient\EvilTask
     • Cannot modify existing tasks without breaking hash
       – Stored in the registry
       – Stuxnet exploited weak task hash algorithm in older versions of Windows
  43. Other approaches to scheduled task analysis
     • Examine configurations for “at-rest” tasks
     • Detect anomalous tasks as they are created
  44. Stacking “current” tasks: Command lines
  45. Stacking “current” tasks: Full metadata
  46. “In-motion” remote task creation
  47. Hunting for Services
  48. Windows Services
     • Common persistence mechanism for long-running malware
     • Loading mechanism for short-lived tools
     • Installation and usage leaves behind evidence
       – Registry
       – Service control manager
       – Event logs
  49. Examples from the wild: Duqu 2.0 (Kaspersky); BlackEnergy installing WinPcap (Arbor Networks); CosmicDuke (F-Secure)
  50. Service activity in event logs
  51. Stacking service creation events
     • “Who created which services?”
     • “When and where?”
     • ServiceName + ImagePath + User from EID 7045
     • Use time and hostname to further sub-filter
     Example / Case Study: Harvesting PsExec service events
  52. Blind spots and noise
     • Attackers can install services without calling CreateService
       – Avoids generating event log entry
       – Still may leave evidence in registry
     • Many third-party applications install services
     • Noise over time
  53. Stack analysis of current services
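Slides 51 through 53 together, as an added Python example (not the deck's own code): EID 7045 records are stacked on ServiceName, executable and account, the at-rest service list from each host's registry is stacked separately, and the two views are compared to expose the blind spot from slide 52, a service sitting in the registry that never produced a creation event. All host names, service names and paths are constructed; the PSEXESVC name and the 7045 field names are the real ones.

```python
from collections import defaultdict

# Constructed data. CURRENT: services present in each host's registry
# (HKLM\SYSTEM\CurrentControlSet\Services) as {ServiceName: ImagePath}. INSTALLED: System-log
# EID 7045 records as (host, ServiceName, ImagePath, AccountName).
COMMON = {"Spooler": r"C:\Windows\System32\spoolsv.exe",
          "WinDefend": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'}
CURRENT = {"HOST1": dict(COMMON, PSEXESVC=r"C:\Windows\PSEXESVC.exe"),
           "HOST2": dict(COMMON, VBoxService=r"C:\Windows\System32\VBoxService.exe"),
           "HOST3": dict(COMMON, wsus=r"C:\Windows\Temp\wsus.exe")}     # wsus: no 7045 event
INSTALLED = [("HOST1", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
             ("HOST2", "VBoxService", r"C:\Windows\System32\VBoxService.exe", "LocalSystem"),
             ("HOST3", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem")]  # since removed

def exe_name(image_path):
    """Reduce an ImagePath (quotes, %variables%, arguments) to a lower-case executable name."""
    head = image_path.lstrip('"').lower().split(".exe")[0] + ".exe"
    return head.rsplit("\\", 1)[-1]

def stack_current_services(current):
    """Stack at-rest services on (ServiceName, exe) across hosts; rarest first."""
    stack = defaultdict(set)
    for host, services in current.items():
        for name, path in services.items():
            stack[(name, exe_name(path))].add(host)
    return sorted(stack.items(), key=lambda kv: (len(kv[1]), kv[0]))

def stack_install_events(events):
    """Stack EID 7045 on (ServiceName, exe, AccountName). A transient PsExec service shows
    up here even on hosts where it has already been removed again."""
    stack = defaultdict(set)
    for host, name, path, account in events:
        stack[(name, exe_name(path), account)].add(host)
    return {key: sorted(hosts) for key, hosts in stack.items()}

def installed_without_event(current, events):
    """Blind spot from the slides: a service present in the registry with no 7045 event was
    installed without CreateService. Services found on every host are treated as baseline."""
    logged = {(host, name.lower()) for host, name, _, _ in events}
    baseline = {name for (name, _), hosts in stack_current_services(current)
                if len(hosts) == len(current)}
    return sorted((host, name, path) for host, services in current.items()
                  for name, path in services.items()
                  if name not in baseline and (host, name.lower()) not in logged)
```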
  54. Further persistence analysis
  55. Stack Analysis of Process Trees
  56. What are process trees?
  57. Another example
  58. Finding interesting trees in forests
     • Attackers often use native OS commands
     • Attackers often exploit or leverage native OS services
     • Both should result in outlier process lineages
  59. Sources of data
     • For each running process, record:
       – ImageName (or ImagePath)
       – Parent name (or path)
     • Options in Windows:
       – Process auditing (native, optional setting)
       – Sysmon (free Microsoft Sysinternals driver)
     • Post-processing to “flatten” and stack
  60. Example: cmd.exe as child
  61. Example: svchost.exe as parent
  62. Interesting targets
     • Shells & interpreters
       – cmd.exe
       – powershell.exe
       – cscript.exe
       – wscript.exe
       – mshta.exe
       – rundll32.exe
     • Tools for lateral movement
       – net.exe
       – at.exe
       – schtasks.exe / taskeng.exe
       – wmic.exe / wmiprvse.exe
     • Commonly “hijacked” processes
       – svchost.exe
       – w3wp.exe
       – iexplore.exe
       – winword.exe
       – excel.exe
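The "flatten and stack" step of slides 58 through 62, as an added Python example (not the deck's own code): each process in a per-host snapshot of (pid, ppid, image) is walked up to its root to produce a full lineage string, the lineages are stacked across hosts, and each rare one is tagged with the slide 62 reasons a hunter would look twice. The snapshot is constructed and deliberately includes a parent that has already exited, which is the usual case for explorer.exe.

```python
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
LATERAL = {"net.exe", "at.exe", "schtasks.exe", "taskeng.exe", "wmic.exe", "wmiprvse.exe"}
HIJACKED = {"svchost.exe", "w3wp.exe", "iexplore.exe", "winword.exe", "excel.exe"}

# Constructed snapshot of running processes as (host, pid, ppid, image). The parent of
# explorer.exe (userinit.exe) has already exited, so ppid 99 resolves to no process.
BASE = [(1, 0, "wininit.exe"), (2, 1, "services.exe"), (3, 2, "svchost.exe"),
        (5, 99, "explorer.exe"), (6, 5, "outlook.exe")]
SNAPSHOT = [(h, *p) for h in ("HOST1", "HOST2", "HOST3") for p in BASE]
SNAPSHOT += [("HOST2", 7, 5, "cmd.exe"),                            # user-launched shell
             ("HOST3", 7, 3, "cmd.exe"), ("HOST3", 8, 7, "net.exe")]  # svchost > cmd > net

def flatten(snapshot):
    """Return {(host, pid): [root image, ..., own image]} by walking ppid links upward.
    A parent missing from the table (or a pid-reuse loop) ends the chain with '?'."""
    table = {(h, pid): (ppid, img) for h, pid, ppid, img in snapshot}
    chains = {}
    for h, pid in table:
        chain, cur, seen = [], pid, set()
        while (h, cur) in table and cur not in seen:
            seen.add(cur)
            ppid, img = table[(h, cur)]
            chain.append(img)
            cur = ppid
        if cur != 0:                      # did not reach the pid-0 root cleanly
            chain.append("?")
        chains[(h, pid)] = chain[::-1]
    return chains

def stack_lineages(snapshot):
    """Stack flattened lineages across hosts, rarest first, tagging the reasons a hunter
    would look twice: shell or lateral-movement tool as child, hijack-prone parent."""
    stack = defaultdict(set)
    for (h, _), chain in flatten(snapshot).items():
        stack[" > ".join(chain)].add(h)
    rows = []
    for lineage, hosts in sorted(stack.items(), key=lambda kv: (len(kv[1]), kv[0])):
        parts = lineage.split(" > ")
        child, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
        checks = (("shell", child in SHELLS), ("lateral-tool", child in LATERAL),
                  ("hijackable-parent", parent in HIJACKED))
        rows.append((lineage, sorted(hosts), [tag for tag, hit in checks if hit]))
    return rows

if __name__ == "__main__":
    for lineage, hosts, tags in stack_lineages(SNAPSHOT):
        print(f"{len(hosts):>3}  {lineage:<60} {' '.join(tags)}")
```

With Sysmon or process-auditing events as input, the same walk can be done over parent process IDs recorded at creation time rather than over a live snapshot, which also catches short-lived children.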
  63. Conclusion
  64. Next steps
     • Pick one of these techniques and practice!
     • Learn the “noise” of your own environment
     • Incorporate into red-vs-blue team exercises
     • Ensure endpoint tools enable rapid search and harvesting
       – Volatile activity
       – Data “at rest”
       – Historical telemetry
  65. Thank you! ryan.kazanciyan [at] tanium.com @ryankaz42
