
SACON - Threat hunting (Chandra Prakash)

Published in: Technology
  • Thanks for using my picture of my tool box lol

Slide 1: Threat Hunting. SACON International 2017, India | Bangalore | November 10 – 11 | Hotel Lalit Ashok. Chandra Prakash Suryawanshi, SVP, Aujas Network Pvt Ltd (chander80).

Slide 2: Adversaries leave trails everywhere: email logs, endpoint process accounting, HTTP proxy logs, authentication records, filesystem metadata, network session data, database query logs.

Slide 3: Alerting only gets you so far. Automated systems are great, but some have flaws.
  • Good for: easy to create new rules; automation decreases dwell time.
  • Bad at: can’t find things you don’t already know how to find!

Slide 4: What is “hunting”? The collective name for any manual or machine-assisted techniques used to detect security incidents that your automated solutions missed.

Slide 5: Threat Hunting Platform Drivers. A unified environment for:
  • Collecting and managing big security data
  • Detecting and analyzing advanced threats
  • Visually investigating attack TTPs and patterns
  • Automating hunt techniques
  • Collaborating amongst security analyst teams

Slide 6: Hunting Styles (plotted by complexity against value): Indicators; Artifact Analysis; Tactic & Technique Analysis; Anomaly Detection.

Slide 7: The Hunting Maturity Model (HMM). (Diagram only.)

Slide 8: HUNTING STRATEGY (section title).

Slide 9: Strategy enables results. Where do I start? What should I look for? What’s my path to improve? Your strategy determines the quality of your results. Choose a strategy that supports your detection goals. Don’t underestimate the importance of good planning!

Slide 10: Strategy #1: Make the most of what you already collect.
  • Advantages: you probably already collect at least some data; someone is already familiar with its contents; you may already have some idea of the key questions you want answered.
  • Disadvantages: your ability to ask questions is limited by the available data; external forces have more influence over your results; may confuse “easy” with “effective”.

Slide 11: The three data domains. Keep as much as you can comfortably store.
  • Network: authentication, session data, proxy logs, file transfers, DNS resolution
  • Host: authentication, audit logs, process creation
  • Application: authentication, DB queries, audit & transaction logs, security alerts, threat intel

Slide 12: Aim for data diversity. Leverage different types of data to reveal relationships, clarify the situation, highlight inconsistencies, and tell a complete story.

Slide 13: Also look for toolset diversity. Different techniques, different perspectives.

Slides 14–17: Strategy #2: Follow the Kill Chain. Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives. The build-up across these four slides adds three goals:
  • Find incidents already occurring
  • Expand the stories you are able to tell
  • Predict incidents before they happen
  Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked April 29th, 2015).

Slide 18: THE HUNTING PROCESS (section title).

Slide 19: The Hunting Process. Successful hunting requires many iterations through this cycle. The faster your analysts get through this loop, the better.

Slide 20: Most hunts start with questions.
  • What data do I have and what does it “look like”?
  • Is there any lateral movement going on?
  • Is there any data exfiltration going on in my network?
  • Are there any unauthorized users on my VPN?
  • Is anyone misusing their database credentials?
  • Have my users been spearphished?

Slide 21: Questions become hypotheses. “If this activity is going on, it might look like…” That’s your hypothesis! If at first you don’t succeed, recraft it.

Slide 22: Hypotheses can be driven by…
  • Threat Intelligence: both IOC searches and TTP analysis. "d8e8fc[…]ba249 is a known-bad file hash. Let's see if it's on any of our critical systems."
  • Situational Awareness: based on friendly intel, knowledge of business processes, Crown Jewels Analysis or other knowledge of your own environment. "Engineering users should never access the Finance file server. Let's see if they're doing that."
  • Domain Expertise: a combination of intel- and awareness-based. "I know (China|Russia|Iran) threat actors' TTPs. Are they in our network?"

Slide 23: Data Type and Location. Data types for your hunt are usually dictated by your hypothesis:
  • Command & Control: network session records, HTTP proxy logs
  • Lateral Movement: Windows authentication logs (or whatever your OS is)
  The location from which the data is collected can also be a major factor:
  • Command & Control: Internet connection points
  • Lateral Movement: Internet-facing services, critical assets, endpoints, servers
  Document a collection plan for each hunt, including type & location, as well as other relevant filters (turn Big Data into Smaller Data if you can).
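The two worked hypotheses on slide 22 (the known-bad hash on critical systems, and Engineering users on the Finance file server), expressed as code against the data types slide 23 calls for. This is an added Python example, not code from the deck or from Sqrrl; the hash, host names, user names, log lines and the department lookups are all constructed placeholders.

```python
"""Two hunt hypotheses from the deck, run over constructed data:
  1. Threat intel: is a known-bad file hash present on any of our critical systems?
  2. Situational awareness: are Engineering users touching the Finance file server?
"""
import re
from collections import defaultdict

# --- Constructed sample data: hosts, users, hash and log lines are all placeholders ---
BAD_HASH = "0000bad0" * 8                      # stands in for the deck's redacted IoC hash
CRITICAL_HOSTS = {"dc01", "fin-fs01", "erp-db01"}

# Endpoint process-accounting records: which image ran on which host, with its SHA-256.
PROCESS_RECORDS = [
    {"host": "ws-042",   "image": r"C:\Users\bob\Downloads\invoice.exe", "sha256": BAD_HASH},
    {"host": "dc01",     "image": r"C:\Windows\System32\svchost.exe",    "sha256": "a1" * 32},
    {"host": "erp-db01", "image": r"C:\Temp\update.exe",                 "sha256": BAD_HASH},
    {"host": "ws-017",   "image": r"C:\Program Files\App\app.exe",       "sha256": "b2" * 32},
]

# File-server audit log in key=value form (constructed).
FILESERVER_LOG = """\
2017-11-10T09:12:03Z user=alice server=fin-fs01 action=read object=ledger.xlsx
2017-11-10T09:14:41Z user=dave server=fin-fs01 action=read object=payroll.csv
2017-11-10T09:15:09Z user=carol server=eng-fs01 action=write object=design.dwg
2017-11-10T09:20:55Z user=dave server=fin-fs01 action=write object=payroll.csv
2017-11-10T09:31:12Z user=erin server=fin-fs01 action=read object=budget.xlsx
"""
# Directory lookups the hunt leans on (assumed to come from HR / the CMDB in practice).
USER_DEPT = {"alice": "Finance", "dave": "Engineering", "carol": "Engineering", "erin": "Finance"}
SERVER_OWNER = {"fin-fs01": "Finance", "eng-fs01": "Engineering"}


def ioc_hash_hits(records, bad_hashes, critical_hosts):
    """Hypothesis 1: (host, image) for every known-bad hash seen on a critical host.
    Hits on non-critical hosts are returned separately so they can be triaged afterwards."""
    critical, other = [], []
    for r in records:
        if r["sha256"] in bad_hashes:
            (critical if r["host"] in critical_hosts else other).append((r["host"], r["image"]))
    return critical, other


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def cross_department_access(log_text, user_dept, server_owner):
    """Hypothesis 2: count accesses where the user's department is not the server's owner.
    Returned as {(user, department, server): count} so the analyst sees who, from where, how often."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        owner = server_owner.get(ev["server"])
        dept = user_dept.get(ev["user"])
        if owner and dept and owner != dept:
            counts[(ev["user"], dept, ev["server"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print(ioc_hash_hits(PROCESS_RECORDS, {BAD_HASH}, CRITICAL_HOSTS))
    print(cross_department_access(FILESERVER_LOG, USER_DEPT, SERVER_OWNER))
```

The second check is deliberately written as "owner differs from department" rather than hard-coding Engineering and Finance, so the same hunt covers every department pair once the two lookups are populated; that is the "turn Big Data into Smaller Data" filter from slide 23 applied at parse time.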
Slide 24: Analytic Technique. (Image only.) Image credit: fatmonk8, https://www.reddit.com/r/pics/comments/2gi309/coworker_said_i_had_the_most_organized_toolbox_in/

Slide 25: A wise owl once said… (Image only.)

Slide 26: HUNTING IN SQRRL (section title).

Slide 27: Create hypotheses. Start with guided hunts using the Sqrrl Detections.

Slide 28: Create hypotheses. Get more advanced using the hunt reports.

Slide 29: Investigate via Tools and Techniques. This is very similar to Incident Investigation; again, you will want to ask the same six questions:
  1. Was the activity actually an incident?
  2. Was the adversary successful?
  3. What other resources were involved?
  4. What activities did the adversary conduct?
  5. What resources were compromised?
  6. What should the next steps be?

Slide 30: Additional hypotheses. Think about what your data will show.

Slide 31: Was the beacon an incident?
  • How long did it occur for? (Is it still occurring?)
  • Look at the endpoints (click on them in the detection profile to bring up their profiles), starting with the destination. What do you know about it? Is it a known service? What domain is it associated with? (May need to explore and expand to DNSDomains.) What URIs is it associated with? (May need to explore and expand to URIs; could also use the activity log with web proxy logs to find this.)
  • Are the endpoints associated with other malicious activity? (May need to explore and expand to Alert; may need to drill down into the activity.)
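Slide 31 starts from an already-detected beacon and asks how long it ran and whether it is still running. The following added Python example (not from the deck or from Sqrrl) shows the part that precedes that: pulling beacon candidates out of raw network session records by looking at how regular the connection interval is, then answering the duration and "still occurring?" questions for each candidate. The session records, addresses and timings are constructed.

```python
"""Find timer-like connection patterns in network session records (constructed data)."""
from collections import defaultdict
from statistics import mean, median, pstdev

T0 = 1510300000  # epoch seconds of the first record (constructed)

# Constructed session records: (epoch seconds, src, dst, dport).
SESSIONS = []
# One host connects to the same external address roughly every 60 s with a little jitter.
for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
    SESSIONS.append((T0 + 60 * i + jitter, "10.0.0.5", "203.0.113.7", 443))
# Another host reaches a site at human-driven, irregular moments.
for offset in [0, 7, 9, 130, 131, 400, 900, 905]:
    SESSIONS.append((T0 + offset, "10.0.0.9", "198.51.100.3", 443))
SESSIONS.sort()


def beacon_candidates(sessions, min_connections=6, max_cv=0.15):
    """Group sessions by (src, dst, dport) and keep pairs whose inter-arrival gaps are
    both numerous and regular. cv = stdev/mean of the gaps: close to 0 for a
    timer-driven beacon, typically well above 1 for browsing."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sessions:
        by_pair[(src, dst, dport)].append(ts)
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if not gaps or mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            out[pair] = {
                "count": len(times),
                "median_interval": median(gaps),
                "cv": round(cv, 3),
                "first": times[0],
                "last": times[-1],
                "duration": times[-1] - times[0],   # "how long did it occur for?"
            }
    return out


def still_active(candidate, now):
    """"Is it still occurring?": treat the beacon as live if fewer than two expected
    intervals have elapsed since the last observed connection."""
    return now - candidate["last"] < 2 * candidate["median_interval"]


if __name__ == "__main__":
    for pair, info in beacon_candidates(SESSIONS).items():
        print(pair, info, "active:", still_active(info, T0 + 520))
```

The coefficient of variation is used instead of a fixed interval so the same check catches beacons at any period; in practice the threshold and the minimum connection count are tuned against the site's own proxy and session data, and the flagged pairs are then walked through the slide's questions about the destination.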
Slide 32: Was the LatMov (lateral movement) an incident?
  • Look at the patterns: is this consistent with an adversary exploring a network? Are the failure patterns consistent?
  • Look at the Hostname entities: are any of them known jump servers?
  • Look at the Accounts: are any of them admins who are expected to use this type of activity? Are any of the accounts linked to the same User, especially a regular and an admin account for the same person?
  • Look at the Relationships: is the timing consistent with this type of activity? Is there other activity occurring before or after to indicate it is normal?
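The lateral-movement questions on slide 32 as code: an added Python example (not from the deck or from Sqrrl) that scans Windows-style authentication events for an account fanning out to many hosts in a short window, counts its failures, drops sources that are known jump servers and accounts that are expected to behave this way, and links an admin account back to its user. The events, host names, account names and the "-adm" naming convention are all constructed assumptions.

```python
"""Fan-out and failure patterns in authentication logs (constructed data)."""
from collections import defaultdict

# Site knowledge the slide asks you to apply (assumed values).
KNOWN_JUMP_SERVERS = {"jump01"}
EXPECTED_ADMINS = {"svc-backup"}

# Constructed Windows auth events: (epoch, event_id, account, source_host, target_host, logon_type).
# 4624 = successful logon, 4625 = failed logon, logon type 3 = network logon.
T0 = 1510300000
AUTH_EVENTS = [
    (T0 + 0,   4624, "bob-adm",    "ws-042", "ws-101", 3),
    (T0 + 35,  4625, "bob-adm",    "ws-042", "fs-02",  3),
    (T0 + 40,  4624, "bob-adm",    "ws-042", "fs-02",  3),
    (T0 + 90,  4625, "bob-adm",    "ws-042", "dc01",   3),
    (T0 + 95,  4625, "bob-adm",    "ws-042", "dc01",   3),
    (T0 + 150, 4624, "bob-adm",    "ws-042", "sql-01", 3),
    (T0 + 210, 4624, "bob-adm",    "ws-042", "ws-117", 3),
    (T0 + 0,   4624, "svc-backup", "jump01", "fs-01",  3),
    (T0 + 30,  4624, "svc-backup", "jump01", "fs-02",  3),
    (T0 + 60,  4624, "svc-backup", "jump01", "fs-03",  3),
    (T0 + 90,  4624, "svc-backup", "jump01", "sql-01", 3),
    (T0 + 500, 4624, "alice",      "ws-007", "fs-01",  3),
    (T0 + 900, 4624, "alice",      "ws-007", "fs-01",  3),
]


def fan_out(events, window_s=600, min_targets=4):
    """For each (account, source host), find the largest set of distinct targets reached
    inside any window_s-second window. Only network logons (type 3) are considered."""
    by_src = defaultdict(list)
    for ts, eid, acct, src, dst, ltype in events:
        if ltype == 3:
            by_src[(acct, src)].append((ts, eid, dst))
    out = {}
    for key, evs in by_src.items():
        evs.sort()
        best = set()
        for i, (t_i, _, _) in enumerate(evs):
            win = {dst for t, _, dst in evs[i:] if t - t_i <= window_s}
            if len(win) > len(best):
                best = win
        if len(best) >= min_targets:
            out[key] = {
                "targets": sorted(best),
                "failures": sum(1 for _, eid, _ in evs if eid == 4625),
                "first": evs[0][0],
                "last": evs[-1][0],
            }
    return out


def base_user(account):
    """Assumed naming convention: '<user>-adm' is the admin account belonging to '<user>'."""
    return account[:-4] if account.endswith("-adm") else account


def triage(candidates, jump_servers, expected_admins):
    """Apply the slide's questions: drop known jump servers and expected admin accounts,
    and annotate what remains with the user the account maps to."""
    suspect = {}
    for (acct, src), info in candidates.items():
        if src in jump_servers or acct in expected_admins:
            continue
        suspect[(acct, src)] = dict(info, linked_user=base_user(acct))
    return suspect


if __name__ == "__main__":
    print(triage(fan_out(AUTH_EVENTS), KNOWN_JUMP_SERVERS, EXPECTED_ADMINS))
```

The failure count is kept alongside the target list rather than used as its own alert: a mix of 4625s and 4624s against several hosts from one workstation is the "adversary exploring a network" pattern the slide describes, whereas a backup account from a jump server reaching the same number of hosts with no failures is filtered out as expected behaviour.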
Slide 33: Was the staging an incident?
  • Look at the volume: is this really data being staged or just a statistical outlier?
  • Look at the Hostnames: were they involved in Lateral Movements or other risky behaviors?
  • Look at the Accounts: explore from the IPAddresses and expand to Accounts. Is this activity being conducted by the same person?
  • Look at the Relationships: is the timing consistent with this type of activity? Is there other activity occurring before or after to indicate it is normal?

Slide 34: Was the exfil an incident?
  • Look at the volume: is this really data being exfilled or just a statistical outlier?
  • Look at the IPAddresses: were the internal ones involved in staging or other risky behaviors? Were the external ones associated with suspicious domains or URIs? (May need to explore and expand to find this.)
  • Look at the Accounts: explore from the internal IPAddress and expand to Accounts. Who appears to be conducting the activity and should they be?
  • Look at the Relationships: is the timing consistent with this type of activity? Is there other activity occurring before or after to indicate it is normal?
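Slides 33 and 34 both open with the same volume question: is this really staging or exfil, or just a statistical outlier? One added Python example (not from the deck or from Sqrrl) serves both: it scores a host's hunt-day volume against that host's own baseline with a robust (median/MAD) z-score, and then splits the flagged volume by destination, internal targets pointing at staging and external targets at exfil. The address ranges, baselines and flows are constructed.

```python
"""Volume outliers per host, split into staging (internal) and exfil (external) candidates."""
import ipaddress
from collections import defaultdict
from statistics import median

# The organisation's own address ranges (assumed); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: daily outbound megabytes per host over the previous week.
BASELINE_MB = {
    "10.0.0.5": [120, 130, 110, 125, 135, 115, 128],            # ordinary workstation
    "10.0.0.9": [2000, 2200, 1900, 2100, 2300, 2000, 2200],     # backup server: always big
}
# Constructed hunt-day flows aggregated per (src, dst): (src, dst, megabytes).
HUNT_DAY = [
    ("10.0.0.5", "10.0.0.40",    4800),   # large internal copy: staging?
    ("10.0.0.5", "198.51.100.3", 4600),   # large outbound copy: exfil?
    ("10.0.0.9", "10.0.0.40",    2100),   # normal for this host
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def robust_z(value, history):
    """Modified z-score: distance from the host's own median in units of its median
    absolute deviation (MAD). Unlike a mean/stdev score it is not dragged by the
    outlier itself, which matters when the baseline is only a few days long."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def volume_outliers(flows, baseline, threshold=3.5):
    """Flag hosts whose hunt-day total is far above their own baseline, then split the
    volume by destination so the analyst can tell a staging pattern from an exfil one."""
    totals, by_dst = defaultdict(int), defaultdict(list)
    for src, dst, mb in flows:
        totals[src] += mb
        by_dst[src].append((dst, mb))
    out = {}
    for src, total in totals.items():
        if src not in baseline:          # no history: cannot call it an outlier yet
            continue
        z = robust_z(total, baseline[src])
        if z < threshold:
            continue
        out[src] = {
            "total_mb": total,
            "z": round(z, 1),
            "baseline_median_mb": median(baseline[src]),
            "staging": [(d, mb) for d, mb in by_dst[src] if is_internal(d)],
            "exfil":   [(d, mb) for d, mb in by_dst[src] if not is_internal(d)],
        }
    return out


if __name__ == "__main__":
    print(volume_outliers(HUNT_DAY, BASELINE_MB))
```

Scoring each host against its own history is what keeps the backup server out of the results: its 2100 MB day is unremarkable for it, while the workstation's 9400 MB is dozens of MADs above its usual 125 MB. The flagged host's internal and external destinations are then the starting points for the hostname, account and timing questions on the two slides.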
Slide 35: At this point, you are investigating an incident. The steps you follow for the following are the same as for Incident Investigation:
  3. What other resources were involved?
  4. What activities did the adversary conduct?
  5. What resources were compromised?
  6. What should the next steps be?
  Keep the rest of the Hunting Process Cycle in mind as you answer these questions; they will be used for the following steps.

Slide 36: Piece together the incident. Answering the questions requires a complete picture.

Slide 37: THANK YOU