Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing and Running a Successful Threat Hunting Program

533 views

Published on

The workshop is intended to demonstrate how to develop and run a threat-hunting program in an organization. It starts with understand the concepts of threat-hunting and how it fits into an organization’s BlueTeam. The workshop will cover hands-on sessions on running a structure and unstructured hunt using different log sources commonly available in an IT environment.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing and Running a Successful Threat Hunting Program

  1. 1. SACON SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur PRACTICAL THREAT HUNTING: DEVELOPING AND RUNNING A SUCCESSFUL THREAT HUNTING PROGRAM #SACON #THREATHUNTING WASIM HALANI Network Intelligence (NII) HEAD R&D @washalsec ARPAN RAVAL Optiv Inc Senior Threat Analyst @arpanrvl
  2. 2. WHOAMI ❖Wasim Halani ❖Head R&D @Network Intelligence (NII) ❖Offensive Security ~8Years, Elastic, DFIR ❖Speaker at SACON, OWASP, BSides, Malcon, SecurityBytes ❖Twitter @washalsec
  3. 3. WHOAMI ❖Arpan Raval ❖Senior Threat Analyst @Optiv Inc ❖DFIR and Threat Hunting ❖Twitter @arpanrvl
  4. 4. DEFINE THREAT HUNTING WHAT & WHY?
  5. 5. What is Threat Hunting? 6 “Threat Hunting is human driven proactive approach to discover malicious activities that have evaded existing security control.” ❖ Hypothesis based scientific approach. ❖ Using aggregations and statistics to find out outliers. ❖ Intelligence guided detections. ❖ Attack behavior-based Tactics, Techniques and Procedures (TTPs)
  6. 6. What is Threat Hunting? 7 Detecting the Undetected
  7. 7. PROBLEM OF “DWELL TIME” 8 ❖In 2011 Verizon Data Breach Report, average dwell time mentioned was 416 days! ❖In 2018 Fire Eye M Trends report average dwell time mentioned is 101 days!
  8. 8. IoC vs TTP 9 IoC TTP
  9. 9. PYRAMID OF PAIN C o u r t e s y D a v i d J B i a n c o HASH VALUES IP ADDRESS DOMAIN NAMES NW/HOST ARTIFACTS TOOLS TTP Trivial Easy Simple Annoying Challenging Tough!
  10. 10. PURPOSE OF THREAT HUNTING 11 ❖Reduce the Dwell Time ❖Identify Gaps in Visibility ❖Identify Gaps in Detection ❖Design New Detection Mechanism and Analytics techniques ❖Uncover New Threat and TTPs (Producing Threat Intelligence).
  11. 11. What is NOT Threat Hunting? 12 ▪Alert triage ▪Only searching for IoCs in the environment (IoC Sweeps) ▪Running a Query into tool. ▪Process with guaranteed result. ▪A form of penetration testing or red teaming.
  12. 12. What is NOT Threat Hunting? 13 “If a tool can do it autonomously then it is not Threat Hunting”
  13. 13. Characteristics of Threat Hunting 14 ▪Human Driven ▪Human Centric ▪Proactive ▪Assume Breach ▪Detect Unknown ▪Iterative ▪Data dependent ▪Hypothesis Driven
  14. 14. Threat Hunting in Security Operations 16 SOC Threat Hunting Incident Response Search Queries, CTI Guided Detections, Retrohunts Incident Detection Event Analysis Creation
  15. 15. MITRE ATT&CK FRAMEWORK
  16. 16. MITRE ATT&CK MATRICES Techniques PRE-ATT&CK 174 Enterprise Windows macOS Linux Cloud AWS GCP Azure Office 365 Azure AD SaaS 266 Mobile Android iOS 79 ICS 81 Enterprise Techniques Enterprise Techniques 266 Enterprise Tactics 12 APT Groups 94 Software 414
  17. 17. MITRE Explained: Tactic 19 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Example An adversary want to achieve credential access.
  18. 18. MITRE Explained: Tactic 20 ATT&CK TACTIC EXPLAINATION OBJECTIVE Initial Access Get into your environment Gain access Credential Access Steal logins and passwords Gain access Privilege Escalation Gain higher level permissions Gain (more) access Persistence Maintain foothold Keep access Defense Evasion Avoid detection Keep access Discovery Figure out your environment Explore Lateral Movement Move through your environment Explore Execution Run malicious code Follow through Collection Gather data Follow through Exfiltration Steal data Follow through Command and Control Contact controlled systems Contact controlled systems Impact Break things Follow through
  19. 19. MITRE Explained: Technique 21 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Tactic PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
  20. 20. MITRE Explained: Technique-Metainfo 22 ❖Tactic: Related MITRE Tactic ❖Platform: Required platform for a technique to work in. ❖Permissions Required: Lowest permission for an adversary to implement the technique ❖Effective Permissions: Permission an adversary achieves after successful implementation of the technique ❖Data Sources: Recommended data to be collection for detection of the technique
  21. 21. MITRE Explained: Enumeration 23 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via
  22. 22. MITRE Explained: Procedure 24 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
  23. 23. MITRE Explained: Atomic MITRE? 25 ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources
  24. 24. MITRE ATTACK MAPPING HANDS ON 1
  25. 25. 31 1. Attackers are compromising user credentials using mimikatz in your environment. 2. User got compromised after clicking on a link from a phishing email. 3. Attackers installed autorun in startup.
  26. 26. THREAT HUNTING METHODOLOGY TYPES, PROCESS AND ENABLERS
  27. 27. Threat Hunting Approaches 33 ▪Long Term ▪Ad-hoc ▪Short Term
  28. 28. Threat Hunting Cycle 34 ▪Hypothesis Creation ▪Hunt Execution ▪Pattern Identification ▪Incident Detection ▪Detector Creation
  29. 29. Threat Hunting Types 36 ▪Structured Hunting ▪Unstructured Hunting ▪Intel Guided Hunting ------------------------------------- ▪Host Based ▪Network Based ▪Business Use Case Based
  30. 30. Hunting Type: Intel Guided Hunting 37 ▪Hypothesis Based ▪Scoped ▪TTP driven or Entity Driven
  31. 31. Hunting Type: Structured Hunting 38 ▪Hypothesis Based ▪Scoped ▪TTP driven or Entity Driven
  32. 32. DATA TRANSFORMATION METHODS
  33. 33. HANDS ON LAB 2 STRUCTURED HYPOTHESIS - BITS
  34. 34. BITS Jobs Defense Evasion, Persistence 41 MITRE ID T1197 MITRE Tactic Defense Evasion, Persistence MITRE Technique BITS Jobs Platform Windows Required Privilege User, Administrator, SYSTEM Data Sources API monitoring, Packet capture,Windows event logs
  35. 35. BITS Jobs Defense Evasion, Persistence 42 Description Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. Implementation Bitsadmin.exe Powershell.exe Start-BitsTransfer
  36. 36. BITS Jobs Defense Evasion, Persistence 43 Source Event ID Event Field Details Windows Security Event Logs 4688 New Process Name *bitsadmin.exe Windows Security Event Logs 4688 Process Command Line *create* Proxy-Logs userAgent Microsoft BITS/*
  37. 37. Hunting Type: Unstructured Hunting 44 ▪Data Driven ▪Anomaly/Outlier based
  38. 38. HANDS ON LAB 3 PROCESS ANOMALY
  39. 39. HYPOTHESIS GENERATION PROCESS 46
  40. 40. Accessibility Feature Abuse 47 Title Adversaries are trying to achieve persistence through accessibility features by abusing debugger registry key. MITRE ID T1015 MITRE Tactic Persistence Privilege Escalation MITRE Technique Accessibility Features Cyber Kill Chain Persistence Platform Windows Required Privilege Administrator Data Sources Windows Registry, File monitoring, Process monitoring
  41. 41. HYPOTHESIS GENERATION PROCESS 48 Source Event ID Event Field Details Sysmon 12, 13 TargetObject 'HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options' AND 'Debugger' Windows Security Event Logs 4657 Object Name sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe,AtBroker.exe Windows Security Event Logs 4657 ObjectValue Name Debugger
  42. 42. Accessibility Features Persistence, Privilege Escalation 49 Description Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Implementation Binary Replacement OR Registry Value Change Limitations Depending on Windows versions The replaced binary needs to be digitally signed for x64 systems, The binary must reside in %systemdir% It must be protected by Windows File or Resource Protection (WFP/WRP)
  43. 43. Accessibility Features Persistence, Privilege Escalation 50 Source Event ID Event Field Details Sysmon 12, 13 TargetObject *SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options<AFU>Debugger AFU=sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe Windows Security Event Logs 4657 Object Name sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe Windows Security Event Logs 4657 Object Value Name Debugger
  44. 44. Windows Management Instrumentation Event Subscription Persistence 51 MITRE ID T1084 MITRE Tactic Persistence MITRE Technique Registry Run Keys / Startup Folder Platform Windows Required Privilege Administrator, SYSTEM Data Sources WMI Objects
  45. 45. Windows Management Instrumentation Event Subscription Persistence 52 Description WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Implementation ❖ An Event Consumer: An action to perform upon triggering an event of interest ❖ An Event Filter: The event of interest ❖ A Filter to Consumer Binding: The registration mechanism that binds a filter to a consumer
  46. 46. THANK YOU

×