SlideShare a Scribd company logo
1 of 23
Download to read offline
Hunt Down the Evil
of your Infrastructure
A. S. M. Shamim Reza
Deputy Manager
Network Operation Center
Link3 Technologies Ltd.
Overview
What is Threat Hunting ?
Why it is Important ?
Myths of Threat Hunting ?
The Process
The Practical Guide
Important Things to Remember
What is Threat Hunting?
 It is a proactive way of finding attacks
 Its a Human driven process
 It is not a technology
 Its a Journey not a destiny
Why Threat Hunt is so important ?
 Helps discover breaches / anomalous activity
 Catch adversaries/evil early in the attack life-cycle
 Can save the targeted organization with financial damage
Myths about Threat Hunting
Hunting can be fully automated
It requires vast amount of data and
advanced set of tools
Hunting is only for elite analytics
The Process
Where do we start ?
What to hunt for ?
How often ?
The Matrix
Questions to ask before start
 What data to collect ?
 Why collect all those data ?
 Which tools to be used ?
 Where to stored the data ?
What data sources ?
End point data Network Data Security Data
Process execution
metadata
Network session data Threat Intelligence
Registry access data Bro logs Alerts
File data Proxy logs Friendly Intelligence
Network data DNS Logs
File prevalence Firewall Logs
Network Device Logs
Useful Tools to Start
NetFlow Analyzer
- nfsen
Network based IDS
– Bro
Central Log System
– Graylog
Security
Information & Event
Management
– OSSIM
The hunting loop
Hypothesis - The Core of Hunting
The Hunter -
Who will do the hypothesis ?
What would he/she like to be ?
What does he/she has to know ?
Do you have your network diagram ?
Do you have a central place to store all the log & Analysis ?
Does the hunter knows about the data ?
Does the hunter knows how the infrastructure works ?
Hypothesis Generation
1
Intelligence-
Driven
Hypotheses
2
Situational
Awareness
3
Domain
Expertise
Intelligence-Driven Hypotheses
Example –
“I know that HUE JAGUAR tends to send its phishing
messages from infrastructure hosted in Maxico. Therefore, if it
is phishing any my users, I should be able to examine my
incoming email logs to find messages where the geolocation
of the sender’s IP is in Maxico.”
Situational Awareness
Example –
An analyst decides to look past the tactical level of intelligence by considering strategic
challenges in the organization. To do this he first looks at non-technical influences on the
organization. The analyst receives information that the company is going to acquire a new
company. The new company is located in a different part of the world, and its infrastructure will
become connected to the new parent company’s networks. The analyst knows that the parent
company will also inherit the acquired company’s assets, data and vulnerabilities.
The hunter generates the hypothesis that the connection points between these two companies’
networks will be abused by threat actors that have, potentially, already compromised the
acquired company. In an effort to test this hypothesis, the analyst sets up additional monitoring
to treat the data flowing in and out of the new network connections as suspect.
Domain Expertise
Example –
“A threat hunter knows how BGP are intended to work and has
previously seen threat actors manipulate these Internet backbone
protocols. This leads the analyst to generate the hypothesis that national-
level adversaries/evil may be manipulating Internet routing to steal
proprietary information from his organization without having to compromise
the organization’s network.”
The Practical Guide
How the Adversaries Work Around
Tactics, Techniques and
Procedures (TTPs)
Internal Reconnaissance - How attackers determine where they’re
going
 Network enumeration
 Host enumeration
Persistence - How attackers survive a reboot and simple remediation's
 Scheduled Task Execution
Command & Control - How attackers utilize their tools
 Common Protocol, Common Port
 Uncommon Protocol, Uncommon port
Lateral Movement - How attackers move around in your network
 Pass the Hash (PtH)
 Remote Desktop Protocol
 Shared Webroot
 Path Interception
Lateral Movement - How attackers move around in your network
 Pass the Hash (PtH)
 Remote Desktop Protocol
 Shared Webroot
 Path Interception
Exfiltration - How attackers steal your data
 DNS Tunneling
 SFTP/SCP Exfiltration
Need to Keep in MIND
 Use formal methods of threat hunting
 Integrate people, processes and technology
 Balance automated and manual methods of threat hunting
 Look for known and never-before-seen malicious activity to drive
the threat hunting program
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructure

More Related Content

What's hot

How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleSeungjoo Kim
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Communityamiable_indian
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Deep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemDeep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemSeungjoo Kim
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 

What's hot (20)

How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development Lifecycle
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Community
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 
Deep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemDeep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection System
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoring
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active Defense
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 

Similar to Hunt down the evil of your infrastructure

Hunting the Evil of your Infrastructure
Hunting the Evil of your InfrastructureHunting the Evil of your Infrastructure
Hunting the Evil of your InfrastructureA. S. M. Shamim Reza
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hackingHassanAhmedShaikh1
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works BriefSunny Geo
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works BriefSunny Geo
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
Running Head Security Assessment Repot (SAR) .docx
Running Head  Security Assessment Repot (SAR)                    .docxRunning Head  Security Assessment Repot (SAR)                    .docx
Running Head Security Assessment Repot (SAR) .docxSUBHI7
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Detecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data AnalysisDetecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data AnalysisEditor IJMTER
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hackingVishal Kumar
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Ehtical hacking
Ehtical hackingEhtical hacking
Ehtical hackingUday Verma
 
Enhancing Cyber threat hunting for your team | 2021
Enhancing Cyber threat hunting for your team | 2021Enhancing Cyber threat hunting for your team | 2021
Enhancing Cyber threat hunting for your team | 2021KharimMchatta
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
Intruders
IntrudersIntruders
Intruderstechn
 
Intruders
IntrudersIntruders
Intruderstechn
 
Whitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsWhitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsHappiest Minds Technologies
 

Similar to Hunt down the evil of your infrastructure (20)

Hunting the Evil of your Infrastructure
Hunting the Evil of your InfrastructureHunting the Evil of your Infrastructure
Hunting the Evil of your Infrastructure
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hacking
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works Brief
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works Brief
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Running Head Security Assessment Repot (SAR) .docx
Running Head  Security Assessment Repot (SAR)                    .docxRunning Head  Security Assessment Repot (SAR)                    .docx
Running Head Security Assessment Repot (SAR) .docx
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Detecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data AnalysisDetecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data Analysis
 
IS-honeypot.pptx
IS-honeypot.pptxIS-honeypot.pptx
IS-honeypot.pptx
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hacking
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Ehtical hacking
Ehtical hackingEhtical hacking
Ehtical hacking
 
Enhancing Cyber threat hunting for your team | 2021
Enhancing Cyber threat hunting for your team | 2021Enhancing Cyber threat hunting for your team | 2021
Enhancing Cyber threat hunting for your team | 2021
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
Intruders
IntrudersIntruders
Intruders
 
Intruders
IntrudersIntruders
Intruders
 
Whitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsWhitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest Minds
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Recently uploaded

一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样AS
 
一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理AS
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书B
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...Varun Mithran
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理Fir
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书A
 
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样asdafd
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样AS
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsrahman018755
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样AS
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样AS
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.Tortogel
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书A
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证hfkmxufye
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirtsrahman018755
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebJie Liau
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfe-Market Hub
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirtrahman018755
 

Recently uploaded (20)

一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
 
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 

Hunt down the evil of your infrastructure

  • 1. Hunt Down the Evil of your Infrastructure A. S. M. Shamim Reza Deputy Manager Network Operation Center Link3 Technologies Ltd.
  • 2. Overview What is Threat Hunting ? Why it is Important ? Myths of Threat Hunting ? The Process The Practical Guide Important Things to Remember
  • 3. What is Threat Hunting?  It is a proactive way of finding attacks  Its a Human driven process  It is not a technology  Its a Journey not a destiny
  • 4. Why Threat Hunt is so important ?  Helps discover breaches / anomalous activity  Catch adversaries/evil early in the attack life-cycle  Can save the targeted organization with financial damage
  • 5. Myths about Threat Hunting Hunting can be fully automated It requires vast amount of data and advanced set of tools Hunting is only for elite analytics
  • 6. The Process Where do we start ? What to hunt for ? How often ?
  • 8. Questions to ask before start  What data to collect ?  Why collect all those data ?  Which tools to be used ?  Where to stored the data ?
  • 9. What data sources ? End point data Network Data Security Data Process execution metadata Network session data Threat Intelligence Registry access data Bro logs Alerts File data Proxy logs Friendly Intelligence Network data DNS Logs File prevalence Firewall Logs Network Device Logs
  • 10. Useful Tools to Start NetFlow Analyzer - nfsen Network based IDS – Bro Central Log System – Graylog Security Information & Event Management – OSSIM
  • 12. Hypothesis - The Core of Hunting The Hunter - Who will do the hypothesis ? What would he/she like to be ? What does he/she has to know ? Do you have your network diagram ? Do you have a central place to store all the log & Analysis ? Does the hunter knows about the data ? Does the hunter knows how the infrastructure works ?
  • 14. Intelligence-Driven Hypotheses Example – “I know that HUE JAGUAR tends to send its phishing messages from infrastructure hosted in Maxico. Therefore, if it is phishing any my users, I should be able to examine my incoming email logs to find messages where the geolocation of the sender’s IP is in Maxico.”
  • 15. Situational Awareness Example – An analyst decides to look past the tactical level of intelligence by considering strategic challenges in the organization. To do this he first looks at non-technical influences on the organization. The analyst receives information that the company is going to acquire a new company. The new company is located in a different part of the world, and its infrastructure will become connected to the new parent company’s networks. The analyst knows that the parent company will also inherit the acquired company’s assets, data and vulnerabilities. The hunter generates the hypothesis that the connection points between these two companies’ networks will be abused by threat actors that have, potentially, already compromised the acquired company. In an effort to test this hypothesis, the analyst sets up additional monitoring to treat the data flowing in and out of the new network connections as suspect.
  • 16. Domain Expertise Example – “A threat hunter knows how BGP are intended to work and has previously seen threat actors manipulate these Internet backbone protocols. This leads the analyst to generate the hypothesis that national- level adversaries/evil may be manipulating Internet routing to steal proprietary information from his organization without having to compromise the organization’s network.”
  • 17. The Practical Guide How the Adversaries Work Around
  • 18. Tactics, Techniques and Procedures (TTPs) Internal Reconnaissance - How attackers determine where they’re going  Network enumeration  Host enumeration Persistence - How attackers survive a reboot and simple remediation's  Scheduled Task Execution
  • 19. Command & Control - How attackers utilize their tools  Common Protocol, Common Port  Uncommon Protocol, Uncommon port Lateral Movement - How attackers move around in your network  Pass the Hash (PtH)  Remote Desktop Protocol  Shared Webroot  Path Interception
  • 20. Lateral Movement - How attackers move around in your network  Pass the Hash (PtH)  Remote Desktop Protocol  Shared Webroot  Path Interception Exfiltration - How attackers steal your data  DNS Tunneling  SFTP/SCP Exfiltration
  • 21. Need to Keep in MIND  Use formal methods of threat hunting  Integrate people, processes and technology  Balance automated and manual methods of threat hunting  Look for known and never-before-seen malicious activity to drive the threat hunting program