Hunt down the evil of your infrastructure
Presented by
A. S. M. ShamimReza
Deputy Manager
Network Operation Center
Link3 Technologies Ltd.


  1. Hunt Down the Evil of your Infrastructure
     A. S. M. Shamim Reza, Deputy Manager, Network Operation Center, Link3 Technologies Ltd.
  2. Overview
     • What is Threat Hunting?
     • Why is it Important?
     • Myths of Threat Hunting
     • The Process
     • The Practical Guide
     • Important Things to Remember
  3. What is Threat Hunting?
     • It is a proactive way of finding attacks
     • It is a human-driven process
     • It is not a technology
     • It is a journey, not a destination
  4. Why is Threat Hunting so important?
     • Helps discover breaches / anomalous activity
     • Catches adversaries/evil early in the attack life-cycle
     • Can save the targeted organization from financial damage
  5. Myths about Threat Hunting
     • Hunting can be fully automated
     • It requires a vast amount of data and an advanced set of tools
     • Hunting is only for elite analysts
  6. The Process
     • Where do we start?
     • What to hunt for?
     • How often?
  7. The Matrix
  8. Questions to ask before starting
     • What data to collect?
     • Why collect all that data?
     • Which tools should be used?
     • Where to store the data?
  9. What data sources?
     • End point data: process execution metadata, registry access data, file data, network data
     • Network data: network session data, Bro logs, proxy logs, DNS logs, firewall logs, network device logs
     • Security data: threat intelligence, alerts, friendly intelligence, file prevalence
  10. Useful Tools to Start
     • NetFlow analyzer: nfsen
     • Network-based IDS: Bro
     • Central log system: Graylog
     • Security Information & Event Management (SIEM): OSSIM
  11. The hunting loop
  12. Hypothesis - The Core of Hunting
     The Hunter:
     • Who will form the hypothesis?
     • What would he/she like to be?
     • What does he/she have to know?
     • Do you have your network diagram?
     • Do you have a central place to store all the logs and analysis?
     • Does the hunter know the data?
     • Does the hunter know how the infrastructure works?
  13. Hypothesis Generation
     1. Intelligence-driven hypotheses
     2. Situational awareness
     3. Domain expertise
  14. Intelligence-Driven Hypotheses
     Example: "I know that HUE JAGUAR tends to send its phishing messages from infrastructure hosted in Mexico. Therefore, if it is phishing any of my users, I should be able to examine my incoming email logs to find messages where the geolocation of the sender's IP is in Mexico."
  15. Situational Awareness
     Example: An analyst decides to look past the tactical level of intelligence by considering strategic challenges in the organization. To do this he first looks at non-technical influences on the organization. The analyst receives information that the company is going to acquire a new company. The new company is located in a different part of the world, and its infrastructure will become connected to the new parent company's networks. The analyst knows that the parent company will also inherit the acquired company's assets, data and vulnerabilities. The hunter generates the hypothesis that the connection points between these two companies' networks will be abused by threat actors that have, potentially, already compromised the acquired company. To test this hypothesis, the analyst sets up additional monitoring that treats the data flowing in and out of the new network connections as suspect.
  16. Domain Expertise
     Example: "A threat hunter knows how BGP is intended to work and has previously seen threat actors manipulate these Internet backbone protocols. This leads the analyst to generate the hypothesis that national-level adversaries/evil may be manipulating Internet routing to steal proprietary information from his organization without having to compromise the organization's network."
  17. The Practical Guide
     How the adversaries operate
  18. Tactics, Techniques and Procedures (TTPs)
     Internal Reconnaissance - How attackers determine where they're going
     • Network enumeration
     • Host enumeration
     Persistence - How attackers survive a reboot and simple remediations
     • Scheduled task execution
  19. Command & Control - How attackers utilize their tools
     • Common protocol, common port
     • Uncommon protocol, uncommon port
     Lateral Movement - How attackers move around in your network
     • Pass the Hash (PtH)
     • Remote Desktop Protocol
     • Shared webroot
     • Path interception
  20. Exfiltration - How attackers steal your data
     • DNS tunneling
     • SFTP/SCP exfiltration
  21. Need to Keep in Mind
     • Use formal methods of threat hunting
     • Integrate people, processes and technology
     • Balance automated and manual methods of threat hunting
     • Look for known and never-before-seen malicious activity to drive the threat hunting program
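Slide 14 states an intelligence-driven hypothesis but not how it is tested. The script below is an added example (not from the deck) that turns that hypothesis into a query over inbound mail logs; the log lines, the CIDR-to-country table (standing in for a GeoIP database) and the function names are all constructed for illustration.

```python
"""Test slide 14's hypothesis: inbound mail whose sending IP geolocates to Mexico.
Added example, not from the deck; logs and the geo table below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed CIDR -> country table (assumption: stands in for a real GeoIP database)
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "MX"),
    (ipaddress.ip_network("203.0.113.128/25"), "US"),  # more specific than the /24 above
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

# Constructed inbound mail log: timestamp, client IP, envelope sender, recipient
MAIL_LOG = """\
2019-03-01T09:00:01 203.0.113.45 invoice@supplier-portal.test alice@corp.test
2019-03-01T09:00:07 198.51.100.12 newsletter@vendor.test bob@corp.test
2019-03-01T09:01:15 203.0.113.45 hr-update@supplier-portal.test bob@corp.test
2019-03-01T09:02:30 203.0.113.200 sales@partner.test carol@corp.test
2019-03-01T09:03:02 192.0.2.77 dave@friend.test alice@corp.test
2019-03-01T09:04:44 203.0.113.46 invoice@supplier-portal.test carol@corp.test
"""

def geolocate(ip):
    """Longest-prefix match of ip against GEO_TABLE; None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None

def parse_mail_log(text):
    """Yield (ts, ip, sender, recipient) from the constructed space-separated format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[0], fields[1], fields[2].lower(), fields[3].lower()

def hunt_senders_from(log_text, country="MX"):
    """Messages whose sending IP geolocates to `country`, grouped by sending IP
    so the hunter can pivot on the infrastructure rather than on single messages."""
    hits = defaultdict(list)
    for ts, ip, sender, rcpt in parse_mail_log(log_text):
        if geolocate(ip) == country:
            hits[ip].append({"ts": ts, "from": sender, "to": rcpt})
    return dict(hits)
```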
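Slide 20 lists DNS tunneling as an exfiltration technique and slide 10 names Bro as the IDS that produces DNS logs. The script below is an added example (not from the deck) of a hunt over Bro-style dns.log records: it flags a source that sends many unique, long, high-entropy subdomains to one registered domain. The log excerpt, the thresholds and the two-label registered-domain rule are constructed simplifications.

```python
# Added example, not from the deck: hunt for DNS-tunnelling patterns in Bro-style dns.log.
# The records, thresholds and the two-label registered-domain rule are constructed/assumed.
import math
from collections import Counter, defaultdict

# Constructed dns.log excerpt (tab-separated): ts, id.orig_h, query
SAMPLE_DNS_LOG = """\
1500000001.1\t10.0.0.5\twww.example.com
1500000003.3\t10.0.0.9\t6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.c2tunnel.test
1500000003.4\t10.0.0.9\t1f2e3d4c5b6a79880f1e2d3c4b5a6978.c2tunnel.test
1500000003.5\t10.0.0.9\tdeadbeefcafef00d0123456789abcdef.c2tunnel.test
1500000003.6\t10.0.0.9\t0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2tunnel.test
1500000004.0\t10.0.0.5\tcdn.example.com
"""

def shannon_entropy(text):
    """Bits per character: encoded payloads score high, ordinary host names low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(query):
    # Assumption: the last two labels are the registered domain (no public-suffix list offline)
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dns_log(text):
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 3 and not line.startswith("#"):
            yield float(fields[0]), fields[1], fields[2].lower()

def hunt_dns_tunneling(log_text, min_queries=4, min_avg_len=20, min_entropy=3.0):
    """Flag (source, domain) pairs whose subdomains are many, all unique, long and high-entropy."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0})
    for _ts, src, query in parse_dns_log(log_text):
        dom = registered_domain(query)
        sub = query[: -len(dom)].rstrip(".")  # everything left of the registered domain
        s = stats[(src, dom)]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
    findings = []
    for (src, dom), s in stats.items():
        n = s["n"]
        if (n >= min_queries and len(s["subs"]) == n  # every query carried a new label
                and s["len"] / n >= min_avg_len and s["ent"] / n >= min_entropy):
            findings.append({"src": src, "domain": dom, "queries": n,
                             "avg_len": round(s["len"] / n, 1), "avg_entropy": round(s["ent"] / n, 2)})
    return findings
```

Thresholds are a starting point, not a verdict: legitimate CDN, anti-virus and telemetry domains also produce long machine-generated labels, so the output is a list of (source, domain) pairs to investigate, which is what the hunting loop expects.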