
Abstract Tools for Effective Threat Hunting

In this presentation I discuss mental tools and skills that can help make you a more effective threat hunter and investigator.


Abstract Tools for Effective Threat Hunting

  1. Chris Sanders, Chattanooga ISSA
  2. Chris Sanders • Find Evil @ FireEye • Founder @ Rural Tech Fund • PhD Researcher • GSE #64 • BBQ Pit Master • Author: Practical Packet Analysis, Applied NSM
  3. Rural Technology Fund • Accessible Tech Education • Measurable Impact • $20,000 in Scholarships • 1500 Repurposed Tech Books • $50,000 in Equipment Donations • Adopted Classroom: 40 Students Impacted
  4. FRAMING
  5. Hunting and Expertise • Most practitioners believe that hunting is the pinnacle of security investigation experience. Only the brightest and the best are good hunters. • Tier 1 – Event Analysts • Tier 2 – Incident Responders • Tier 3 – Hunters
  6. The Investigation Process • Stages: Question, Hypothesis, Answer, Observation, Conclusion • Applies across Network Security Monitoring, Hunting, Incident Response, Host Forensics, Malware Analysis
  7. CURIOSITY
  8. Curiosity and Experience • Quadrants (C = curiosity, E = experience): Low C / High E; Low C / Low E; High C / High E; High C / Low E • Quadrant labels: Jumpy, Excels, Apathetic, Ineffective
  9. Curiosity and Experience
  10. Curiosity and Experience
  11. PIVOTS
  12. Basic Pivoting (Copyright © 2016 Applied Network Defense) • Data source → pivot field → next data source: Flow Data → Src/Dst IP → PCAP; Alert → Src/Dst IP → PCAP; PCAP → Domain → OSINT; HTTP Proxy → Username → Windows Log
  13. Realistic Pivoting (Copyright © 2016 Applied Network Defense) • Scenario: While hunting, you've discovered a process whose name leads you to believe it might be malicious. • Questions: Is this file malicious? Where did this file come from? • Data sources and pivot fields: Sysmon Process Logs → MD5 Hash → Bro Files → Conn ID → Bro HTTP Logs → Domain → DNS Logs / OSINT; Resp IP → PCAP; Domain → DNS Logs / OSINT; Flow → OSINT
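The pivot chain on slide 13, written out as an added example (this is not code from the deck or from Applied Network Defense). The records below are constructed to imitate the shape of Sysmon process-creation events and Bro/Zeek files, http and dns logs; the field names (`image`, `md5`, `conn_uid`, `resp_ip`, `orig_host`) are simplified assumptions, not the tools' real schemas, and every host, hash, domain and address is made up. The OSINT hop (looking the hash or domain up externally) is left to the analyst, so only the "where did this file come from?" question is answered here.

```python
"""Follow the 'Realistic Pivoting' chain over constructed log records:
process image -> MD5 -> files log (conn uid) -> http log (domain, responder IP)
-> dns log (which other hosts resolved the same domain)."""

# Constructed Sysmon-style process records (hashes are placeholders).
SYSMON_PROCESS = [
    {"host": "ws-101", "image": r"C:\Users\bob\AppData\Local\Temp\svhost.exe",
     "md5": "0123456789abcdef0123456789abcdef"},
    {"host": "ws-101", "image": r"C:\Windows\System32\svchost.exe",
     "md5": "fedcba9876543210fedcba9876543210"},
]
# Constructed files.log-style records: file hash and the connection that carried it.
BRO_FILES = [
    {"md5": "0123456789abcdef0123456789abcdef", "conn_uid": "CxA1b2", "source": "HTTP"},
    {"md5": "00000000000000000000000000000001", "conn_uid": "CyZ9q8", "source": "HTTP"},
]
# Constructed http.log-style records, keyed by connection id.
BRO_HTTP = [
    {"conn_uid": "CxA1b2", "host": "cdn-update.example-bad.test",
     "uri": "/dl/svhost.exe", "resp_ip": "203.0.113.10"},
    {"conn_uid": "CyZ9q8", "host": "www.example.com",
     "uri": "/index.html", "resp_ip": "198.51.100.5"},
]
# Constructed dns.log-style records: which host asked for which name.
DNS_LOGS = [
    {"orig_host": "ws-101", "query": "cdn-update.example-bad.test", "answer": "203.0.113.10"},
    {"orig_host": "ws-101", "query": "www.example.com", "answer": "198.51.100.5"},
    {"orig_host": "ws-107", "query": "cdn-update.example-bad.test", "answer": "203.0.113.10"},
]


def pivot(records, field, value):
    """One hop: every record whose `field` equals `value`."""
    return [r for r in records if r.get(field) == value]


def unique(values):
    """Deduplicate while preserving first-seen order."""
    return list(dict.fromkeys(values))


def trace_process_origin(image_path):
    """Chain the pivots for one process image.

    Returns a summary of each hop, or None when no process record matches.
    Empty lists mean the chain broke at that hop (e.g. the binary was never
    seen crossing the wire), which is itself an answer worth recording."""
    procs = pivot(SYSMON_PROCESS, "image", image_path)
    if not procs:
        return None
    origin_host = procs[0]["host"]
    md5 = procs[0]["md5"]

    # Hop 1: MD5 hash -> files log -> connection ids that delivered the file.
    conn_uids = unique(f["conn_uid"] for f in pivot(BRO_FILES, "md5", md5))
    # Hop 2: connection id -> http log -> serving domain and responder IP.
    http = [h for uid in conn_uids for h in pivot(BRO_HTTP, "conn_uid", uid)]
    domains = unique(h["host"] for h in http)
    resp_ips = unique(h["resp_ip"] for h in http)
    # Hop 3: domain -> dns log -> other hosts that resolved the same name (scope).
    dns = [d for dom in domains for d in pivot(DNS_LOGS, "query", dom)]
    others = unique(d["orig_host"] for d in dns if d["orig_host"] != origin_host)

    return {"md5": md5, "conn_uids": conn_uids, "domains": domains,
            "resp_ips": resp_ips, "other_hosts_resolving": others}


if __name__ == "__main__":
    suspect = r"C:\Users\bob\AppData\Local\Temp\svhost.exe"
    for hop, value in trace_process_origin(suspect).items():
        print(f"{hop:>22}: {value}")
```

Each hop is the same operation (filter one data source on one field), which is why the slide presents pivoting as a repeatable skill rather than a tool feature; the scope step at the end is the part analysts most often skip.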
  14. AGGREGATIONS
  15. Aggregations (Copyright © 2016 Applied Network Defense) • Query flow records for all communication on a network segment • Aggregate bytes per host to produce a top talkers list • Query Windows service execution logs on a network segment • Aggregate the unique process field, sorted by least frequent occurrence • [Chart: Most Occurrences … Least Occurrences]
  16. OBSERVATION STRATEGY
  17. Observation Strategy (Copyright © 2016 Applied Network Defense) • Hunting observations are either Data Driven or TTP Driven • Going from 0 to 100 in hunting revolves around making an observation that is worth digging into. • An observation strategy provides a construct to base your hunting on.
  18. Data Driven Observations (Copyright © 2016 Applied Network Defense) • Can I find anything in my data that looks like it doesn't belong? • Example: HTTP Data → User Agent Field → Aggregation → Least Frequent Occurrence • Process: Choose a Data Type → Choose a Specific Field → Ask: what would be weird here? → Apply a Data Transformation → Repeat
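The two aggregations from slide 15 (top talkers by bytes, rarest values of a field) and the slide 18 walk-through (HTTP data → User Agent field → aggregation → least frequent occurrence) share one mechanism, so one added example covers both; it is not code from the deck or from Applied Network Defense. The log excerpts are constructed for this example and only imitate the general shape of Bro/Zeek http and conn logs (tab-separated with a header row); the column names are simplified assumptions and every timestamp, address, hostname and user agent is made up. The same `least_frequent` call works on any field, including the process field of Windows service execution logs from slide 15.

```python
"""Aggregation-based hunting observations over constructed log excerpts."""
import csv
import io
from collections import Counter

# Constructed HTTP log: one request per line, with the client's User-Agent.
HTTP_LOG = "\n".join([
    "ts\tid.orig_h\thost\tuser_agent",
    "1475326800\t10.0.0.11\twww.example.com\tMozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0",
    "1475326805\t10.0.0.25\twww.example.com\tMozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0",
    "1475326812\t10.0.0.11\tmail.example.com\tMozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0",
    "1475326820\t10.0.0.30\twww.example.com\tMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/53.0 Safari/537.36",
    "1475326833\t10.0.0.30\tnews.example.com\tMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/53.0 Safari/537.36",
    "1475326850\t10.0.0.42\tcdn-update.example-bad.test\tpython-urllib/2.7",
])

# Constructed flow/conn log: bytes sent by each side of every connection.
FLOW_LOG = "\n".join([
    "ts\tid.orig_h\tid.resp_h\torig_bytes\tresp_bytes",
    "1475326800\t10.0.0.11\t198.51.100.5\t1200\t8200",
    "1475326810\t10.0.0.25\t198.51.100.5\t900\t4100",
    "1475326820\t10.0.0.42\t203.0.113.10\t350\t2300",
    "1475326830\t10.0.0.42\t203.0.113.10\t52000\t1100",
    "1475326840\t10.0.0.11\t198.51.100.20\t300\t700",
])


def parse_tsv(text):
    """Parse a header-prefixed, tab-separated log excerpt into dict rows."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def value_counts(records, field):
    """'Aggregate the unique field': occurrences of each distinct value."""
    return Counter(r[field] for r in records)


def least_frequent(records, field, n=3):
    """The long tail of the slide 15 chart: the n rarest values of `field`,
    rarest first. Ties are broken alphabetically so the output is stable."""
    counts = value_counts(records, field)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


def top_talkers(flows, host_field="id.orig_h", n=3):
    """Bytes per host, both directions summed, busiest first."""
    totals = Counter()
    for f in flows:
        totals[f[host_field]] += int(f["orig_bytes"]) + int(f["resp_bytes"])
    return totals.most_common(n)


def hunt_user_agents(n=2):
    """Slide 18 end to end: HTTP data -> user_agent field -> aggregation -> rarest."""
    return least_frequent(parse_tsv(HTTP_LOG), "user_agent", n)


def hunt_top_talkers(n=1):
    """Slide 15 end to end: flow records -> bytes per host -> top talkers."""
    return top_talkers(parse_tsv(FLOW_LOG), n=n)


if __name__ == "__main__":
    print("Rarest user agents (count, value):")
    for ua, count in hunt_user_agents():
        print(f"{count:>4}  {ua}")
    print("Top talkers (host, total bytes):")
    for host, total in hunt_top_talkers(3):
        print(f"{total:>8}  {host}")
```

Sorting ascending is the whole trick: the browser strings that make up most of the traffic fall to the bottom, and a single scripting-library user agent on one host surfaces at the top as the observation worth digging into. On real data, run the aggregation over a window long enough that a rare-but-legitimate tool has had a chance to appear more than once.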
  19. TTP Driven Observations (Copyright © 2016 Applied Network Defense) • Can I find any evidence of a known TTP on my network? • Suitable for things that aren't suitable for alerting. • Process: Research an Attack Type → Isolate Artifacts that aren't suitable for IDS → Use an Analysis Technique → Repeat
  20. MISE EN PLACE
  21. Everything in Place – Basic Tenets 1. Minimize Movement 2. Waste Nothing 3. Clean as You Go 4. Be Flexible
  22. FRIENDLY INTEL
  23. Friendly Intel: H&P (Copyright © 2016 Applied Network Defense) • A history and physical (H&P) is designed to collect baseline information that will help make decisions later • For analysts, the H&P is based on systems and users • The H&P is based on persistent observations
  24. Creating a Knowledgebase
  25. INVESTIGATION THEORY: THE ANALYST MINDSET • 10 Week Course • On-Demand Video Lectures • Hands-on Investigation Labs • 1:1 Instructor Feedback • Spring Sessions: January 9th, March 20th • http://chrissanders.org/training
  26. Thank You! Mail: chris@chrissanders.org Twitter: @chrissanders88 Blog: chrissanders.org
