Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Bsides 2019 - Intelligent Threat Hunting
Similar to Bsides 2019 - Intelligent Threat Hunting (20)
Recently uploaded
Recently uploaded (20)
Bsides 2019 - Intelligent Threat Hunting
- 1. Intelligent Threat Hunting Dhruv Majumdar Technical lead and Sr. Security Analyst of ElevatedPrompt Solutions March 18, 2019 | Vancouver, BC
- 2. Agenda ▪ WHOAMI ▪ Threat Hunting Basics ▪ Threat Hunting Recipe ▪ Attack Life Cycle and few ways of detections ▪ Things to Look for – Mitre ATT&CK ▪ Attack ScenarioWalk through ▪ Conclusion
- 3. whoami ▪ Dhruv Majumdar – Technical lead and Sr. Security Analyst for ElevatedPrompt Solutions ▪ Career ▪ Hobbies – Photography – Breaking stuff Disclaimer: Please note that all opinions expressed are my own. All content is owned by ElevatedPrompt Solutions Inc and cannot be copied, distributed or repurposed without prior consent
- 4. Threat Hunting Basics WHAT DO WE DO ? “PROACTIVELY & ITERATIVELY searching through the environments to DETECT & ISOLATE threats that EVADE EXISTINGSECURITYSOLUTIONS”
- 5. Continued…… Traditional SOC • Predominantly Reactive and Product driven • Signature based & Alert driven Threat Hunting • Proactive and Team Work • Detect anomalies* • F3EAD
- 6. Threat Hunting Recipe… RedTeam DFIR Threat Intelligence BlueTeam Threat Hunter
- 7. Important Data sources SIEM Threat Intel (STIX / TAXII) Network Data Host Data Bro Snort Moloch Proxy Logs Mail Server logs Windows Event logs Sysmon GRR Auditd OSSEC
- 8. Threat Hunting Skills A team effort…… Host Analysis •Persistence Mechanism •Privilege Escalation •Code execution •Exploit Network Analysis •Lateral Movement •C2 •Beacon patterns •Payload Delivery Threat Intelligence •STIX •TAXII •Active/ Passive Defence •OSINT
- 9. Attack Lifecycle Attack RECON DELIVERY EXPLOIT INSTALLATION C2 PRIVILEDGE ESCALATION LATERAL MOVEMENT OBJECTIVE Defence GATHER/ AGGREGATE ANALYSE IDENTIFY TRIAGE INVESTIGATE CONTAIN •UNCOVER ANY SUSPICIOUS BEHAVIOUR •ENRICH YOUR THREAT INTELLIGENCE DATA •INFORM •OSINT •DARK WEB •RECON •Know Your Terrain (Client) CREATE THEORIES INVESTIGATE UNCOVER INFORM/ ENRICH
- 10. Things to look for as a Threat Hunter - Beaconing Patterns
- 11. Things to look for as a Threat Hunter - Domain Generated Algorithm (DGA)
- 12. Frequency analysis at Scale DNS HTTP
- 13. Attack Scenario Walk through Phishing / Office Macro What Datapoints do we need? - Process execution data - Enhanced Powershell Logging - Email logs Hunt Hypothesis? - Searching Office Programs launching VB, Powershell or Command line arguments - Persistence mechanisms - Unknown file hash What Data Sources are required? - Sysmon - Windows Events Logs - Email Logs - (some sort of network based events?)
- 14. continued …
- 15. Email Url Analysis Email that got delivered on a shared mail box Loads this java script Redirects to an Ad network
- 16. Frist analysis of the url flagged the analysis for further investigation… We see the directory was recently updated Malicious xml doc Feed the IOC into your Threat Intelligence Platform and time to Blog/ present.
- 17. Things to Look for After Code Execution..
- 19. Persistence Hunting for Persistence Look Out Runkeys Services Scheduled Task Office Template Dll’s Access Features Beacon Patterns Auth ID’s Lateral Movement Persistence
- 20. Lateral Movement Lateral Movement Recon •Port Scanning •PsExsec •RDP •PS- Remoting DNS Zone Transfer Usage of tools like (Mimikatz or Blood Hound/ Angry puppy) LDAP Enum Persistence How to hunt through the data ? - Anonymous User/ Service Logins - High count one to many connections - LDAP traffic - Session Types/ Privileges What Data do I need ? - Sysmon - Bro Logs
- 21. Conclusion • Massive shortage of Cybersecurity Professionals • Demand for experiencedThreat Hunters • Consider threat detection as a standalone function How to get started? SOF ELK - https://github.com/philhagen/sof-elk Security Onion - https://github.com/Security-Onion-Solutions/security-onion Hunting ELK - https://github.com/Cyb3rWard0g/HELK @neondhruv https://www.linkedin.com/in/neondhruv/
Editor's Notes
- Things I want to cover in todays talk What I do and few personal traits, so that people can related with me and come forward by the end of the talk and socialize. What is Threat Hunting and Why is it needed ? - Mitre Attack framework tells us exactly what indicators to look for
- The process always begins from a hypothesis, and common thought that a breach has already happened . From my perspective Threat Hunting is doing a continuous DIFR of your Environment.
- Threat Hunting -- Starts with people and uses technology to achieve the common goal What is F3EAD ? >> Find, Fix, Finish, Exploit & Analyze & Disehmuhnation
- Pentesters Infrastructures Web Applications Security Researcher/ Consultant Exploit Developer Detection Evader Reverse Engineers RED team strategist/ Simulator SOC Analyst Incident Handler Forensic Analyst | DFIR HIDS NIDS Malware Analyst Threat Intelligence Log management Solution (Hadoop, Apache Spark) This gives us the edge over traditional AV. Which are mostly signature based.
- Important sources of Data Point that are needed in order to achieve a Basic level of complete visibility in an environment. Network Data & Host based Data BRO, SNORT , MOLOCH, PROXY LOGS, MAIL SERVER LOGS WINDOWS EVENTS LOGS, GRR, SYSMON , OSSEC, OSQUERRY, Auditd.
- Importance of Host Based Analysis To detect Persistence Priv. Esc Code Execution Exploits exfiltration of data Importance of Network Based Data C2 Payloads Patterns Lateral Movement exfiltration of data Threat Intelligence STIX Gives the structure of way the Threat Intel that’s being generated can be shared TAXI It defines the process of how the data can be shared Active Defence Honeypots of various interaction levels, being deployed in the env to slow the attacker down and also to alert the SOC. OSINT Leveraging Shodan, pastebin, Darkweb to gain tactical threat intelligence and build action items/ or work on the action items as you find them.
- Main motive of the Blue teams or the Threat Hunter is to Contain the situation before the attacker reaches their objective. and every time make a use case to have it monitored and add to your use cases.
- Till now I was bringing you all up to speed. Here I’ll try to demonstrate, how you can leverage all these intelligence together to protect your environment. Here what you are looking at is a HTTP Beaconing Pattern which was more than enough to draw our attention into this leading us to uncover the conflicker Worm . Conficker Worm . F-Secure did an excellent write up on it.
- Here is the finding after a deeper dive .. An instant give away that this is a case of a worm that leverages Domain Generated Algorithm to talk back to its C2 . At this point. You would want to extract out the host and take a deeper dive also start interacting with other IT groups in the Org to pull the plug on this box and do deeper analysis .. We did match the domains and found out this was Conficker Worm.
- As a threat hunter you need some arsenals to help you fight the cause and Detect what’s the Anomality We leverage various methods to help aid this cause and few of these are Shannon Entropy, JA3, Beacon Patten analysis, url extractions from Emails and checking the entropy of the domains, etc here is the example of DNS and HTTP entropy If you look close here you will see byte stream being passed over plain HTTP traffic on which we will be alerted on.
- Rest of this presentation I’ll like to walk you guys through the kill chain process leveraging this example … So this an example of a Phishing Email, with an Attachment >>
- 2 Alerts generated Auto Open Macro – when the malicious email is received . Alert Terse Name - 2nd Stage payload – when the macro has been download and executed.
- From our Host based data we can also see that the following TASK’s have occurred. File Created Run Keys Set for Persistence Mechanism
- So the WinWord Process calls the cmd which then called the Powershell. We get all this data from leveraging Sysmon.
- RunKeys: Runkeys & Services are part of the registry; basically a way to execute automatically every time a user logs in . The more modern malwares leverages Office Template: MSOffice templates are part of the common office applications and are used to customized=s styles. So the base template is used each time an application starts. .dotm template created that can be modified to include a malicious macro. Excel actually doesn’t have a template file by default but one can be created and added that will be automatically loaded . dll: A Malware dll can be made persistent on a Windows host by simply residing in a specific directory with a specific name, with no evidence in the registry or Startup folder and no modified system binaries.
- In this case we are dealing with Emotet and only dealing with credential stealing . But this might very well be an ngRAT and will lead to Lateral Movement.