Recommended
More Related Content
What's hot
What's hot (20)
Similar to Become a Threat Hunter by Hamza Beghal
Similar to Become a Threat Hunter by Hamza Beghal (20)
Recently uploaded
Recently uploaded (20)
Become a Threat Hunter by Hamza Beghal
- 1. THREAT HUNTING 101: BECOME THE HUNTER24th Aug 2017
- 3. WHOAMI • Hamza – THREAT HUNTER for Countercept since 2015 • Threat Hunting on a wide variety of client estates • Offensive Security Certified Professional (OSCP) • Crest Registered Intrusion Analyst (CRIA) • Degree in Computer Security 2
- 4. THREAT HUNTING INDUSTRY TRENDS • 2016 - The rise of THREAT HUNTING • 2017 - Defining the THREAT HUNTER role 3 https://countercept.com/our-thinking/a-journey-from-mssp-soc-analyst-to-countercept-threat-hunter/
- 5. THREAT HUNTING What is it and why does it exist? THREAT HUNTERS Where do they fit in and what skills do they have? INTO THE ACTION Threat Hunting in action, following an scenario 4 BRIDGIN G THE GAP BRIDGIN G THE GAP
- 7. WHAT IS THREAT HUNTING? “The process of PROACTIVELY and iteratively searching through networks to DETECT AND ISOLATE advanced threats that EVADE EXISTING SECURITY SOLUTIONS” SQRRL 6
- 8. WHAT IS THREAT HUNTING? Callum Roxan Threat Hunter 7 “With TRADITIONAL detection you START with technology, and THEN USE people to get the most out of that technology. With THREAT HUNTING, you START with people, and THEN USE technology to get the most out of those people”
- 9. AUTOMATED VS MANUAL 8 Human-drivenSemi-automatedFully Automated Alerts from “products” (AV/SIEM/NGAV) Vuln Scanners (Nessus) Human-driven Threat Hunting Human-driven Pentesting Assisted Hunts (EDR/Bro/Scripts) Tools (NMAP, Metasploit) Traditional security teams Advanced Threat Hunting OFFEN CE DEFEN CE
- 12. THREA T HUNTE R SECURITY ROLES 11 • Penetration Tester • Security Researcher • Security Consultant • Exploit Developer • Reversing Engineer • Targeted Attack Simulator OFFENSIVE • SOC Analyst • Incident Handler • Forensic Analyst • Malware Analyst • Systems Admin • Threat Intel Analyst DEFENSIVE
- 13. Process Injection ? ✗ ? ✓ Malware ? ? ✓ ✓ Persistence Mechanisms ✓ ✗ ? ✗ C2 Communication ? ✓ ? ✗ Lateral Movement ✓ ✓ ✗ ✗ Host analysis Network analysis Malware analysis Memory analysis THREAT HUNTER SKILLS 12 ✓ Primary source ? Potential source ✗ N/A
- 14. ATTACK SCENARIO
- 15. WINDOW OF OPPORTUNITY ATTACK SCENARIO KILLCHAIN 14 ContainInvestigateTriageIdentifyAnalyseAggregateGather Objective Lateral Movement Privilege Escalation C2ExploitDeliveryRecon Matt Swan – Microsoft - https://www.youtube.com/watch?v=aZxtCKHhAUE
- 16. INFECTION VECTOR Where can the attack come from? PERSISTEN CE How can they maintain access? LATERAL MOVEMENT Where the attack is heading next? 15 BRIDGIN G THE GAP FOCUS
- 17. HYPOTHESES 16 https://sqrrl.com/threat-hunting-reference-guide/ • Hypothesis: Core of the Human Driven element • Example: I think X is happening. I will find evidence of this in by answering these three questions: 1. What data do I need? 2. Where do I get that data from? 3. How do I hunt through that data? THREAT HUNTING LOOP CREATE Hypotheses INFORM & ENRICH Analytics UNCOVER New Patterns & TTPs INVESTIGATE Via Tools & Techniques
- 18. DIY THREAT HUNTING 17 • HOST, NETWORK & LOG DATA – SCCM, WEF+GPO, GRR, Sysmon – Bro – NXLog, FileBeat, WinBeat • STORAGE & ANALYTICS – – ELK Stack: Elastic, Logstash, Kibana – Splunk – XML files!
- 19. ATTACK SCENARIO INFECTION VECTOR 18 DELIVERY METHOD Phishing External Download USB Network Share External Internal EXPLOIT METHOD Office Macro PDF Vulnerability Native executable HTA • Email logs • Proxy logs • Bro logs • Process data • Registry • Windows Events
- 20. ATTACK SCENARIO DELIVERY VECTOR - PHISHING • Phishing is popular – for good reason! • Office Macro • PS encoded stager • PS Empire session • Bypasses controls • Weak link is user 19https://github.com/sensepost/ruler
- 21. ATTACK SCENARIO INFECTION VECTOR - PHISHING 1. What data do I need? • Process execution data • Enhanced PowerShell logging -V2? • Email logs 20 2. Where do I get that data from? • Sysmon/SCCM • Windows Event logs – Forwarding! • Email server 3. How to hunt through that data? • Searching Office programs launching PowerShell • Command arguments w/ encoded command • Obfuscation! 1 2 3 https://www.sans.org/summit-archives/file/summit-archive-1492186586.pdf
- 22. ATTACK SCENARIO MEMORY ANALYSIS • Volatility Framework • Memory Analysis Modules • Malfind/Hollowfind • Automation – Volatility Bot 21 https://countercept.com/our-thinking/memory-analysis-whitepaper/ • Process injection e.g. - Process hollowing - Reflective DLL injection
- 23. ATTACK SCENARIO CODE INJECTION – REFLECTIVE LOAD 1. Migrating the session 22 3. Process dump • IDA/WINDBG • Hash/ Fuzzy Search • Extract IOCs 2. Reflective loading COMMSEC: It’s Friday Evening Professor Moriarty- Nicolas Collery https://github.com/vitaly-kamluk/bitscout
- 25. ATTACK SCENARIO PERSISTENCE – RUN KEYS 24 http://pwndizzle.blogspot.co.uk/2014/01/powershell-retrieve-run-keys-start-menu.html 1. What data? • Registry Run Key locations • Run, RunOnce, RunOnceEx 2. Where do I get that data from? • PowerShell script • Group policy to deploy • Collect to Elastic 3. How to hunt through that data? • Grouping of executable in run key values • Grouping of executable paths • Command line Commands/Arguments • Hashing • First seen/ Last run
- 26. ATTACK SCENARIO PERSISTENCE – RUN KEYS 25 Grouping by Run Key path Host count Hostname Last seen Path 16397 Multiple 2017-08-17 15:47:51 %userprofile%appdataroamingoraclebin javaw.exe Grouping by run key path W/ Command Arguments Host count Hostname Last seen Path Args 1 LAP-01 2017-08-18 19:35:41 %userprofile% wgpb8jf4mgbin javaw.exe jar"%USERPROFILE% AppDataRoaming wgpb8jf4mg 1omqpJLK4Y.HCLUK"
- 27. ATTACK SCENARIO WMI EVENT SUBSCRIPTION 26 • Bind a Condition to an Action – Event Filter: Condition – Event Customer: Action • WMI Auditing • PowerShell Logging • Retrieve stager/payload • Identify RCE! https://github.com/realparisi/WMI_Monitor
- 28. ATTACK SCENARIO PERSISTENCE – WMI 27 http://pwndizzle.blogspot.co.uk/2014/01/powershell-retrieve-run-keys-start-menu.html 1. What data? • List of WMI “conditions” - _EventFilter • List of WMI “actions” - _EventConsumer • WMI process execution w/ context 2. Where do I get that data from? • PowerShell script – ‘WMI Monitor’ • Group policy/ SCCM to deploy • Collect to Elastic/Splunk 3. How to hunt through that data? • Newly registered “Actions” • WMI process execution – PS? • Command line arguments
- 29. ATTACK SCENARIO LATERAL MOVEMENT 28 RECON DNS Zone Transfers LDAP Enumeration Port Scanning ACCESS PsExec RDP PS Remoting • WVT Logs • Bro/Network logs • Enumeration artefacts • IDS log parsing
- 30. ATTACK SCENARIO LATERAL MOVEMENT 29 https://www.mdsec.co.uk/2017/08/introducing-angrypuppy/ 1. What data do I need? • WVT Logs • Bro logs 2. Where do I get that data from? • WinBeat parsing • Collect to Elastic 3. How to hunt through that data? • Anomalous user/service logins • High count ‘one to many’ connections • Traffic on LDAP ports • Session types/privileges Username Date Normal Source Normal Service Anomalous Source Anomalous Service Frank Alright 24/08/17 BZR-LAP-12 EXCHANGE2013$ BZR-FSHARE SHAREPOINTS$
- 32. ATTACK SCENARIO AND MORE… 31https://countercept.com/our-thinking/memory-analysis-whitepaper/ https://countercept.com/our-thinking/machine-learning/ MEMORY ANALYSIS AT SCALE • Tackle “Fileless” malware and techniques • Code Injection • API Hooking MACHINE LEARNING • Large data sets • Establishes baseline • Reveals outliers
- 33. CONCLUSION • You can do Threat Hunting within your CURRENT role! • Improve your OFFENSIVE knowledge and DEFENSIVE skills! • Hunting SPRINTS 32
- 34. PURPLE TEAM HALL OF FAME • Yee-Ching Tok – Threat Hunter who finds 0 days 33 • Kia-Meng Teo – The “Hatsumi” of Threat Hunting
- 35. BLUE IS THE NEW RED… 34 But what about CVE-2017-0144?!
- 36. README.md WHITEPAPERS AND BLOGS https://countercept.com/our-thinking/memory-analysis-whitepaper/ https://countercept.com/our-thinking/a-journey-from-mssp-soc-analyst-to-countercept-threat-hunter/ https://sqrrl.com/threat-hunting-reference-guide/ https://countercept.com/our-thinking/machine-learning/ https://www.sans.org/summit-archives/file/summit-archive-1492186586.pdf http://threathunter.guru/ PRACTICAL SKILLS http://www.malware-traffic-analysis.net/ https://www.vulnhub.com/ https://hackthebox.io https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/ The Art of Memory Forensics Book Practical Malware Analysis Book 35
- 37. QUESTIONS? MANAGED THREAT HUNTING CONTACT: @COUNTERCEPT @HACKERX0DAY HAMZA.BEGHAL@COUNTERCEPT.COM NOW RECRUITING THREAT HUNTERS!