IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING

The Beginner’s Guide to Threat Hunting

David Monahan
Managing Research Director, Security and Risk Management
Enterprise Management Associates
@SecurityMonahan

Taylor Wilkes-Pierce
Security Sales Engineer
DomainTools
@tw_pierce
© 2018 Enterprise Management Associates, Inc.

The Threat Hunting Process
Have a repeatable process
- Document processes, procedures, and workflows BEFORE an incident
- Allow for flexibility in the process
- Facilitates training
- Supports legal action
- Accelerates investigations
- Enables scalability

The Threat Hunting Process
Maintain an activity log
- Reduces analyst rework over time
  - Improves evidentiary accuracy
  - Accelerates investigations
- Facilitates process improvements
- Assists training improvements
- Supports legal action
- Required if investigation outcomes/results are challenged

The Threat Hunting Process
Maintain source data
- Metadata is not enough
- Supports legal action
- Maintains evidence
- Augments research for related cases/activities over time

The Threat Hunting Process
Maintain data integrity
- Maintains evidence
- Required for chain of custody for legal action
- Required if findings are challenged
- Required if analyst integrity is challenged
- Augments research for related cases/activities over time

Common Pitfalls and Mistakes
Investigations are art and science
- It’s good to think outside the box
- Dead ends are okay, as long as you learn from them
- As you develop your instincts, trust them
- Build relationships with other hunters and related groups
  - No one person knows everything
- Not all data is “real” data
- The absence of data can be data
- Learn a scripting language

Scope of Threat Hunting
Internal
- System configs
- Logs
- Processes
- Network connections/packets
- Users/identity
- Files
- IP addresses

Scope of Threat Hunting
External
- Domains
- Registrars
- DNS registrations
- Whois
- Hosting providers
- Passive DNS
- IPv4 addresses (to some degree)
- Web search (to some degree)

Common Pitfalls and Mistakes
Things to watch out for
- Not all data is created equal
  - Keep track of your sources
- Domains that start bad tend to end bad
  - Guilt by domain (or IP) association
- Not all registrars are trustworthy
- An adversary may have gotten there first
- Do not add friction to users
- Be sure not to interfere with operations

Common Pitfalls and Mistakes
Things to watch out for (cont’d)
- Know your environment and your assets
  - Identify your attack surfaces
- Coordinate efforts
- Isolation, takedown, and monitoring
- Not all threats are malicious
  - Accidental insiders
  - Duped providers

The Threat Hunting Process
Acting on the “true” threat
- Relationships, relationships, relationships
  - Internal executives: HR/Legal/Comms/Execs
  - Law enforcement
  - Domain registrars
  - Hosting providers
- Well-documented case
- Diligence and patience (especially for out-of-country cases)

Threat Hunting Demo
Example: Hunting With Passive DNS Data
Potential targets? Potential vectors?
www.syncrocorp.com
www.newdlight.com
www.enterels.com
Use passive DNS observations to build an activity timeline
Use historical data to add context
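The demo above hunts with passive DNS by building an activity timeline and then adding historical context. The Python below is an added example, not code from the deck or from DomainTools: it runs over constructed passive DNS rows (hypothetical names under .example and RFC 5737 test addresses), produces the timeline, derives the shared-infrastructure pivot behind "guilt by domain (or IP) association", and tags each co-hosting overlap with record age so a long-lived shared address is not mistaken for attacker infrastructure.

```python
"""Passive DNS activity timeline and infrastructure pivots (added example)."""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed passive DNS export rows (hypothetical names, RFC 5737 addresses).
# Fields: rrname, rrtype, rdata, first_seen, last_seen (ISO dates).
PDNS_ROWS = [
    ("acme-login.example", "A", "192.0.2.10", "2018-01-04", "2018-01-20"),
    ("acme-login.example", "A", "198.51.100.7", "2018-01-21", "2018-02-02"),
    ("acme-portal.example", "A", "198.51.100.7", "2018-01-25", "2018-02-10"),
    ("acme-mail.example", "MX", "mx.acme-mail.example", "2018-01-30", "2018-02-10"),
    ("acme-mail.example", "A", "203.0.113.55", "2018-01-30", "2018-02-10"),
    ("shared-cdn.example", "A", "203.0.113.55", "2016-05-01", "2018-02-10"),
    ("broken.example", "A", "203.0.113.9", "2018-02-03", "2018-02-01"),  # bad row
]


def parse_rows(rows):
    """Turn export rows into records with date objects.

    Rows whose dates do not parse, or whose last_seen precedes first_seen,
    are dropped: not all data is created equal, and a malformed row must not
    silently distort the timeline.
    """
    records = []
    for rrname, rrtype, rdata, first, last in rows:
        try:
            first_seen, last_seen = date.fromisoformat(first), date.fromisoformat(last)
        except ValueError:
            continue
        if last_seen < first_seen:
            continue
        records.append({"rrname": rrname.lower().rstrip("."), "rrtype": rrtype,
                        "rdata": rdata, "first_seen": first_seen, "last_seen": last_seen})
    return records


def build_timeline(records):
    """Chronological (date, event, rrname, rdata) tuples.

    Every observation yields a first_seen and a last_seen event, so reading
    top to bottom shows when a name came online, moved hosting, or went quiet.
    """
    events = []
    for r in records:
        events.append((r["first_seen"], "first_seen", r["rrname"], r["rdata"]))
        events.append((r["last_seen"], "last_seen", r["rrname"], r["rdata"]))
    return sorted(events)


def shared_infrastructure(records):
    """Map each rdata value to the names that ever resolved to it (2+ only).

    These are the pivots for "guilt by association"; they are leads to weigh,
    not verdicts, because shared hosting and CDNs produce the same pattern.
    """
    names_by_rdata = defaultdict(set)
    for r in records:
        names_by_rdata[r["rdata"]].add(r["rrname"])
    return {k: v for k, v in names_by_rdata.items() if len(v) > 1}


def cohosted_pairs(records):
    """Pairs of names that resolved to the same rdata during overlapping windows.

    Simultaneous co-hosting is stronger evidence than sharing an address at
    some point in history. The last field is the age in days of the older
    record in the pair: a multi-year history on the address (shared-cdn.example
    here) hints that the address is shared hosting rather than a dedicated box.
    """
    by_rdata = defaultdict(list)
    for r in records:
        by_rdata[r["rdata"]].append(r)
    pairs = []
    for rdata, obs in by_rdata.items():
        for a, b in combinations(obs, 2):
            if a["rrname"] == b["rrname"]:
                continue  # re-observation of the same name, not a pivot
            start = max(a["first_seen"], b["first_seen"])
            end = min(a["last_seen"], b["last_seen"])
            if start <= end:
                oldest_days = max((x["last_seen"] - x["first_seen"]).days for x in (a, b))
                n1, n2 = sorted((a["rrname"], b["rrname"]))
                pairs.append((rdata, n1, n2, start, end, oldest_days))
    return sorted(pairs)


if __name__ == "__main__":
    recs = parse_rows(PDNS_ROWS)
    for when, event, name, rdata in build_timeline(recs):
        print(f"{when} {event:10} {name:22} {rdata}")
    for rdata, n1, n2, start, end, age in cohosted_pairs(recs):
        print(f"co-hosted on {rdata}: {n1} + {n2}, {start}..{end}, oldest record {age} days")
```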
Questions?