Cyber Threat Hunting & Intelligence

Types of Threat Hunting

1. IOC Based Threat Hunting
2. Hypotheses Based Threat Hunting
3. Baseline Based Threat Hunting
4. Anomaly Based Threat Hunting
IOC Based Threat Hunting

• Hunting based on Indicators of Compromise (IOC) collected from Threat Intelligence
• Closer in nature to a Compromise Assessment
• Checking whether the IOC is present in the environment
• Checking for a specific Threat Actor or a specific Threat Intel report
Hypotheses Based Threat Hunting

• Creating hypotheses for certain TTPs
• e.g.: hypotheses for hunting on the endpoint, hypotheses for hunting on the network
• Leverage a framework such as MITRE ATT&CK for creating hypotheses on the TTPs of a Threat Actor
• Defining specific assets for hunting (such as Crown Jewel assets)
Baseline Based Threat Hunting

• Detect something not seen before, based on baseline data from the environment
• Needs a larger set of data about your infra to build the baseline
• Sometimes triggers lots of false positives
• Quite effective at spotting changes in your infra
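The baseline approach in working form, as an added example (not code from the deck): a learning window of (host, process image) observations becomes the baseline, and the hunt window is checked against it. The records are constructed, and the "fleet-normal" suppression knob is an assumption added to show how the false-positive problem named above is usually handled.

```python
"""Baseline-based hunt: flag process images a host has never run before.
Added example, not code from the deck.  The (host, image) records are
constructed, and the learning-window / hunt-window split is an assumption."""
from collections import Counter, defaultdict

# Constructed learning-window events: (host, process image path).
BASELINE_EVENTS = [
    ("WS01", r"C:\Windows\explorer.exe"),
    ("WS01", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ("WS01", r"C:\Windows\System32\cmd.exe"),
    ("WS02", r"C:\Windows\explorer.exe"),
    ("WS02", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("WS03", r"C:\Windows\explorer.exe"),
    ("WS03", r"C:\Windows\System32\cmd.exe"),
]

# Constructed hunt-window events.
HUNT_EVENTS = [
    ("WS01", r"C:\Windows\System32\cmd.exe"),      # already known on WS01
    ("WS01", r"C:\Users\Public\update.exe"),        # never seen anywhere
    ("WS02", r"C:\Windows\System32\cmd.exe"),      # new on WS02, common on the fleet
    ("WS02", r"C:\Windows\Temp\svchost.exe"),       # never seen anywhere
]


def build_baseline(events):
    """Per-host set of known images plus, per image, how many hosts ran it."""
    per_host = defaultdict(set)
    for host, image in events:
        per_host[host].add(image.lower())
    fleet = Counter()
    for images in per_host.values():
        fleet.update(images)
    return per_host, fleet


def hunt_new_processes(baseline, events, min_hosts=2):
    """Return (host, image) pairs that are not in that host's baseline.

    An image already seen on at least `min_hosts` hosts during the learning
    window is treated as fleet-normal and suppressed; that is the knob that
    keeps this kind of hunt from drowning in false positives."""
    per_host, fleet = baseline
    findings = []
    for host, image in events:
        key = image.lower()
        if key in per_host.get(host, set()):
            continue                      # known on this host
        if fleet[key] >= min_hosts:
            continue                      # common across the fleet
        findings.append((host, image))
    return findings


if __name__ == "__main__":
    for host, image in hunt_new_processes(build_baseline(BASELINE_EVENTS), HUNT_EVENTS):
        print(f"{host}: first sighting of {image}")
```

With `min_hosts=2`, cmd.exe appearing on WS02 for the first time is suppressed because two other hosts already ran it during the learning window; raise the threshold and it becomes a finding again, which is exactly the trade-off between coverage and false positives the slide points at.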
Anomaly Based Threat Hunting

• Sifting through the log data available to the threat hunters to spot irregularities that might be malicious
• Additionally applying patterns to your infra
• Quite useful in fraud detection
Threat Hunting Use Cases

Use Case 1 : Processes Spawning cmd.exe

MITRE Reference : CAR-2013-02-003 (Processes Spawning cmd.exe) https://car.mitre.org/analytics/CAR-2013-02-003/
• Hypothesis : The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat).
• Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice.
• Example Use Case Hunting : if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
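The parent-process hunt above, as an added example that is neither the deck's code nor MITRE CAR's pseudocode. Records mimic Sysmon Event ID 1 (ProcessCreate) fields; hosts, users and paths are constructed. The two parent lists are assumptions: the deck names Adobe Reader and Outlook, and Word/Excel are included on the same reasoning.

```python
"""Parent-process hunt for cmd.exe (Use Case 1).  Added example, not code from
the deck or from MITRE CAR.  Records mimic Sysmon Event ID 1 fields; hosts,
users and paths are constructed, and both parent lists are assumptions to be
tuned from your own environment."""
import ntpath
from collections import Counter

# Parents from which an interactive prompt is ordinarily expected.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe"}
# Document/mail handlers that should never need a shell.
DOCUMENT_HANDLERS = {"acrord32.exe", "outlook.exe", "winword.exe", "excel.exe"}

EVENTS = [  # constructed ProcessCreate records
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
    {"host": "WS02", "user": "bob", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "WS03", "user": "SYSTEM", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS03", "user": "carol", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS03", "user": "carol", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def is_cmd(event):
    return ntpath.basename(event["image"]).lower() == "cmd.exe"


def triage_cmd_spawn(event):
    """Return (severity, reason) for a cmd.exe launch, or None if expected."""
    if not is_cmd(event):
        return None
    parent = ntpath.basename(event["parent"]).lower()
    if parent in EXPECTED_PARENTS:
        return None
    if parent in DOCUMENT_HANDLERS:
        return ("high", f"{parent} spawned a command shell; check the document it had open")
    return ("low", f"unusual parent {parent}; verify against logon scripts and admin tooling")


def hunt_cmd_parents(events):
    """(host, user, parent basename, severity, reason) for every unexpected spawn."""
    findings = []
    for event in events:
        verdict = triage_cmd_spawn(event)
        if verdict is not None:
            findings.append((event["host"], event["user"],
                             ntpath.basename(event["parent"]), *verdict))
    return findings


def parent_prevalence(events):
    """Stack cmd.exe parents across the fleet: a parent seen on one host only
    deserves a look even when it is on neither list."""
    return Counter(ntpath.basename(e["parent"]).lower() for e in events if is_cmd(e))


if __name__ == "__main__":
    for finding in hunt_cmd_parents(EVENTS):
        print(finding)
    print(parent_prevalence(EVENTS).most_common())
```

The list-based triage catches the cases the hypothesis names; `parent_prevalence` is the stacking step a hunter runs alongside it, because the parents that matter most in a real fleet are often the ones nobody thought to put on a list.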
Use Case 2 : RDP Activities

MITRE Reference: CAR-2016-04-005: https://car.mitre.org/wiki/CAR-2016-04-005
• Hypothesis: A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations.
• Monitoring remote desktop logons and comparing them to known/approved originating systems can detect lateral movement of an adversary.
• Example Use Case Hunting : Looking for successful RDP logins whose source GeoIP is not in your country and which occur after office hours
Use Case 3 : Stopping Windows Defensive Services

MITRE Reference: CAR-2016-04-003: https://car.mitre.org/wiki/CAR-2016-04-003
• Hypothesis: Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if it was caused by a crash or by user manipulation.
• Example Use Case Hunting : Antivirus services stopped not long after a successful logon from the internal network via network services
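Use Cases 2 and 3 are both logon-centric, so one added example covers them (it is not code from the deck or from MITRE CAR). Records mimic Windows Security event 4624 (logon type 10 = RemoteInteractive/RDP, type 3 = network) and System event 7036 (Service Control Manager state change); hosts, addresses and times are constructed, and the GeoIP table, home country, office hours, approved jump host and correlation window are assumptions.

```python
"""Logon-centric hunts for Use Cases 2 and 3.  Added example, not code from the
deck or from MITRE CAR.  Records mimic Windows Security (4624) and System
(7036) log fields; hosts, addresses and times are constructed, and the GeoIP
table, home country, office hours, approved jump host and window are assumptions."""
import ipaddress
from datetime import datetime, timedelta

HOME_COUNTRY = "ID"
OFFICE_HOURS = (8, 18)                         # 08:00-18:00 local time
APPROVED_RDP_SOURCES = {"10.10.5.20"}          # constructed admin jump host
DEFENSIVE_SERVICES = {"WinDefend", "MpsSvc"}   # Defender AV, Windows Firewall
WINDOW = timedelta(minutes=15)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Stand-in for a GeoIP database: public prefix -> country code (constructed).
GEOIP = {"203.0.113.0/24": "ID", "198.51.100.0/24": "RU"}

EVENTS = [
    {"id": 4624, "time": "2021-06-25T09:10:00", "host": "SRV01", "logon_type": 10,
     "src": "10.10.5.20", "user": "admin"},       # approved host, office hours
    {"id": 4624, "time": "2021-06-25T23:40:00", "host": "SRV01", "logon_type": 10,
     "src": "198.51.100.7", "user": "admin"},     # foreign source, after hours
    {"id": 4624, "time": "2021-06-25T14:05:00", "host": "SRV02", "logon_type": 10,
     "src": "10.10.8.31", "user": "jdoe"},        # internal but not approved
    {"id": 4624, "time": "2021-06-26T02:00:00", "host": "SRV03", "logon_type": 3,
     "src": "10.10.8.31", "user": "svc_backup"},  # network logon
    {"id": 7036, "time": "2021-06-26T02:04:00", "host": "SRV03",
     "service": "WinDefend", "state": "stopped"},
    {"id": 7036, "time": "2021-06-26T03:30:00", "host": "SRV02",
     "service": "Spooler", "state": "stopped"},   # not a defensive service
]


def when(event):
    return datetime.fromisoformat(event["time"])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def country_of(ip):
    if is_internal(ip):
        return HOME_COUNTRY
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def hunt_rdp_logons(events):
    """Use Case 2: RDP logons from a foreign country, outside office hours, or
    from a source that is not an approved originating system."""
    findings = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 10:
            continue
        reasons = []
        cc = country_of(e["src"])
        if cc != HOME_COUNTRY:
            reasons.append(f"source country {cc}")
        if not OFFICE_HOURS[0] <= when(e).hour < OFFICE_HOURS[1]:
            reasons.append("outside office hours")
        if e["src"] not in APPROVED_RDP_SOURCES:
            reasons.append("unapproved source")
        if reasons:
            findings.append((e["host"], e["user"], e["src"], reasons))
    return findings


def hunt_defense_stopped_after_logon(events, window=WINDOW):
    """Use Case 3: a defensive service stops within `window` after a network
    logon (type 3) to the same host from an internal address."""
    stops = [e for e in events if e["id"] == 7036 and e["state"] == "stopped"
             and e["service"] in DEFENSIVE_SERVICES]
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3
              and is_internal(e["src"])]
    findings = []
    for stop in stops:
        for logon in logons:
            gap = when(stop) - when(logon)
            if logon["host"] == stop["host"] and timedelta(0) <= gap <= window:
                findings.append((stop["host"], stop["service"], logon["user"], logon["src"]))
    return findings


if __name__ == "__main__":
    print(hunt_rdp_logons(EVENTS))
    print(hunt_defense_stopped_after_logon(EVENTS))
```

Note that the Use Case 3 hunt is a temporal join on the host, not a single-event match: a stopped WinDefend on its own is noise (crashes, patching), while a stop a few minutes after a network logon from a workstation is what the hypothesis actually describes.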
Use Case 4 : Task Scheduler

MITRE Reference: CAR-2020-09-001 : Scheduled Task – File Access: https://car.mitre.org/analytics/CAR-2020-09-001/
• Hypothesis: In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.
• Example Use Case Hunting :
a. Task Scheduler running from a suspicious folder location (e.g. C:\Users\.. ; C:\Windows\Temp)
b. Task Scheduler running using suspicious scripting utilities (LOLBAS) : cscript.exe, rundll32.exe, mshta.exe, powershell.exe, regsvr32.exe
Use Case 5 : Credential Dumping via Windows Task Manager

MITRE Reference: CAR-2019-08-001 : Credential Dumping via Windows Task Manager : https://car.mitre.org/analytics/CAR-2019-08-001/
• Hypothesis : The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.
• Example Use Case Hunting : Hunting for file creation events (Sysmon Event ID 11, for example) where the process image is taskmgr.exe
Case Study: End to End Threat Hunting Process

Threat hunters define the hypotheses and start hunting:
1. Hypothesis 1 : User visiting a malicious website from a phishing email
2. Hypothesis 2 : User downloading a malicious file after visiting the malicious website (drive-by download, maybe?)
3. Hypothesis 3 : Malware runs on the user's system after being downloaded
4. Hypothesis 4 : Malware establishing a persistence mechanism on the infected / exploited machine
5. Hypothesis 5 : Malware contacting a Command and Control server
6. Hypothesis 6 : Threat Actor exfiltrating sensitive documents to the Command and Control server
7. Hypothesis 7 : Sensitive data leaked on the Internet
Hypothesis 1 : User visiting a malicious website from a phishing email

• Data Source for Hunting
– Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon Log, Email Log, Mail Security Gateway Log
• Platform for Hunting
– SIEM, Security Analytics Platform
• Analysis and Enrichment Data
– DNSTwist, Phishing Domain List, Threat Intelligence Feeds, VirusTotal, Hybrid Analysis, URL / Domain Sandbox Analysis
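One concrete form of the DNSTwist-style enrichment listed for this hypothesis, as an added example (it is neither the deck's code nor DNSTwist itself): generate lookalike variants of the organisation's own domain and match them against DNS query logs, with an edit-distance fallback for variants the generator does not enumerate. The organisation domain, the log line format "<timestamp> <host> <rrtype> <qname>" and the log lines are constructed.

```python
"""Hypothesis 1 enrichment: DNSTwist-style lookalike domains matched against
DNS query log lines.  Added example, not code from the deck or from DNSTwist.
The organisation domain, the log format and the log lines are constructed."""

ORG_DOMAIN = "examplebank.co.id"
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
ALT_TLDS = ("com", "net", "id")

LOG_LINES = [
    "2021-06-25T08:01:02 WS01 A examplebank.co.id",       # the real domain
    "2021-06-25T08:01:05 WS01 A www.examplebank.co.id",   # legitimate subdomain
    "2021-06-25T08:03:11 WS07 A examp1ebank.co.id",       # homoglyph l -> 1
    "2021-06-25T08:05:40 WS03 A examplebank.com",         # TLD swap
    "2021-06-25T08:07:19 WS02 A exmaplebank.co.id",       # transposition
    "2021-06-25T08:09:52 WS05 A examplebnk.co.id",        # omission
    "2021-06-25T08:12:33 WS09 A examplebanks.co.id",      # insertion, not generated
    "2021-06-25T08:14:00 WS04 A login.microsoft.com",     # unrelated
]


def generate_lookalikes(domain):
    """Typosquat candidates: omission, repetition, transposition, hyphenation
    and homoglyph substitution on the first label, plus alternative TLDs."""
    label, suffix = domain.split(".", 1)
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + ch + ch + label[i + 1:])        # repetition
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i > 0:
            variants.add(label[:i] + "-" + label[i:])            # hyphenation
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    variants.discard(label)
    lookalikes = {v + "." + suffix for v in variants}
    lookalikes |= {label + "." + tld for tld in ALT_TLDS if tld != suffix}
    return lookalikes


def edit_distance(a, b):
    """Levenshtein distance, for variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt_lookalikes(log_lines, org_domain=ORG_DOMAIN, max_distance=1):
    """(host, qname, reason) for queries that resemble the organisation domain."""
    lookalikes = generate_lookalikes(org_domain)
    org_label = org_domain.split(".", 1)[0]
    findings = []
    for line in log_lines:
        _ts, host, _rrtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname == org_domain or qname.endswith("." + org_domain):
            continue                                   # our own namespace
        if qname in lookalikes:
            findings.append((host, qname, "generated lookalike"))
            continue
        if edit_distance(qname.split(".", 1)[0], org_label) <= max_distance:
            findings.append((host, qname, f"edit distance <= {max_distance}"))
    return findings


if __name__ == "__main__":
    for finding in hunt_lookalikes(LOG_LINES):
        print(finding)
```

The fallback compares only the first label of each query, which is fine for the constructed lines; on real logs you would first reduce each query to its registrable domain with a public suffix list, otherwise "www.examp1ebank.co.id" would be compared as "www" and missed.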
Hypothesis 2 : User downloading a malicious file after visiting the malicious website (drive-by download, maybe?)

• Data Source for Hunting
– Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon Log
• Platform for Hunting
– SIEM, Security Analytics Platform
• Analysis and Enrichment Data
– Threat Intelligence Feeds, Alexa Top 1M Domains, VirusTotal, Hybrid Analysis, URL / Domain Sandbox Analysis, Blacklisted Domain Checker
Hypothesis 3 : Malware runs on the user's system after being downloaded

• Data Source for Hunting
– Prefetch, Shimcache, Amcache, Running Processes, Volatile Data (Memory), Sysmon, Auditd
• Platform for Hunting
– SIEM, Security Analytics Platform, EDR
• Analysis and Enrichment Data
– File Hash of Executed Process, Parent-Child Process Analysis (SANS Find Evil Poster as Reference), Folder Location of Executables, Signing Status of Binary Files, VirusTotal, Hybrid Analysis
Hypothesis 4 : Malware establishing a persistence mechanism on the infected / exploited machine

• Data Source for Hunting
– ASEP (Auto Start Extensibility Points), Registry, Startup Services and Folder, Task Scheduler, Cron Job
• Platform for Hunting
– SIEM, Security Analytics Platform, EDR
• Analysis and Enrichment Data
– Signature Check, Sysinternals Autoruns, File Hash Check, Date of Creation
Hypothesis 5 : Malware contacting a Command and Control server

• Data Source for Hunting
– Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet Capture, DNS Log
• Platform for Hunting
– SIEM, Security Analytics Platform, NDR, XDR
• Analysis and Enrichment Data
– Domain Creation Date, SSL Cert Attribute Checks, JA3 SSL Fingerprint, GeoIP Location Data, Threat Intelligence Feeds
Hypothesis 6 : Threat Actor exfiltrating sensitive documents to the Command and Control server

• Data Source for Hunting
– Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet Capture, DNS Log
• Platform for Hunting
– SIEM, Security Analytics Platform, NDR, XDR
• Analysis and Enrichment Data
– Domain Creation Date, SSL Cert Attribute Checks, JA3 SSL Fingerprint, GeoIP Location Data, Threat Intelligence Feeds
Hypothesis 7 : Sensitive data leaked on the Internet

• Data Source for Hunting
– OSINT, Dark Web Search, Underground Forums, Threat Intelligence Feeds
• Platform for Hunting
– Threat Intelligence Platform
• Analysis and Enrichment Data
– Pastebin, GitHub, Honeypot
Threat Intelligence

• Threat intelligence, or cyber threat intelligence, is information an organization uses to understand the threats that have targeted, will target, or are currently targeting the organization.
• By identifying the threat actors the organization may be targeted by, defenses and monitoring solutions can be created to better protect from attacks.
• Threat Hunting is also closely associated with Threat Intelligence, as hunting is the process of using intelligence to search for evidence of sophisticated threat actors who are already in the network.

Benefit of Threat Intelligence

• By identifying relevant threat actors, and consuming intelligence from a number of sources, a Threat Intelligence function can help the business better understand risks from cyber-attacks. In short, it helps security teams focus on attackers that are likely to target the organization, and work to develop defences and other measures to prevent or limit the impact of attacks.
• Threat Actors have the skills, knowledge, and resources to evade most of the security perimeter and tools owned by organizations. That is why it is quite important to keep up to date with their tactics, and develop unique solutions to detect, respond to and prevent them from getting into our network.
Indicator of Compromise

IOCs are artifacts that have been identified as acting maliciously or attributed to threat actors. Some of the most common ones include:
• IP Addresses : An IP that has been observed scanning or exploiting our network
• Domains : A domain that hosts a credential harvesting site or a malicious payload
• Email Addresses : An email address that has been sending phishing emails with a malicious attachment
• File Names : Malicious file names dropped by the attacker during the compromise
• File Hashes : The unique hash of a piece of malware / malicious tools used by threat actors

Remember: IOC != Threat Intelligence
Threat Intelligence and Threat Hunting

• Threat intelligence and threat hunting are two distinct security areas that can be complementary to each other. For example, threat intelligence can make up a small portion of the threat hunting process. However, subscribing to a threat intelligence feed does not automatically satisfy the need to threat hunt your network. A proper threat hunt can identify threats even when they have not yet been seen in the wild.
EC Council CTIA Threat Intelligence

Thank you

State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Cyber threat-hunting---part-2-25062021-095909pm

Use Case 1 : Processes Spawning cmd.exe

MITRE Reference : CAR-2013-02-003 https://car.mitre.org/analytics/CAR-2013-02-003/ : Processes Spawning cmd.exe
• Hypothesis : The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat).
• Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning cmd.exe from certain parents may be more indicative of malice.
• Example Use Case Hunting : if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
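The parent-process hunt described above, as an added example that is not code from the slide deck or from MITRE CAR. It runs over a handful of constructed records carrying the field names of Sysmon Event ID 1 (process creation); the hosts, users and command lines are hypothetical, and the expected-parent set is a starting point that a real hunt would derive from its own baseline counts.

```python
"""Hunt for cmd.exe launched by an unexpected parent process (CAR-2013-02-003 style).

Added example; not the slide deck's code. Input records are constructed with
Sysmon Event ID 1 field names; a real hunt reads them from a SIEM/EDR export.
"""
from collections import Counter
import ntpath

# Constructed sample events (hypothetical hosts, users and command lines).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c dir "C:\\Users\\alice"'},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"Computer": "WS03", "User": "CORP\\carol", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "cmd.exe /c start invoice_2021.vbs"},
    {"Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "cmd.exe /c C:\\Scripts\\backup.bat"},
    {"Computer": "WS04", "User": "CORP\\dave", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Tools\build\make.exe", "CommandLine": "cmd.exe /c cl.exe /nologo"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# Parents from which a cmd.exe launch is expected: interactive use, the services
# host (scheduled tasks), logon scripts. Tune this from your own baseline counts.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "svchost.exe", "services.exe", "userinit.exe"}
# Parents that should never need a shell: document viewers, mail and Office apps.
HIGH_RISK_PARENTS = {"acrord32.exe", "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def hunt_cmd_parents(events, expected=EXPECTED_PARENTS, high_risk=HIGH_RISK_PARENTS):
    """Return (findings, parent_counts).

    findings: cmd.exe launches whose parent is outside the expected set; severity is
              "high" when the parent is a document/mail application, else "review".
    parent_counts: how often each parent spawned cmd.exe, i.e. the raw material for
              building or re-checking the expected-parent baseline.
    """
    findings = []
    parent_counts = Counter()
    for ev in events:
        if image_name(ev["Image"]) != "cmd.exe":
            continue
        parent = image_name(ev["ParentImage"])
        parent_counts[parent] += 1
        if parent in expected:
            continue
        findings.append({
            "host": ev["Computer"],
            "user": ev["User"],
            "parent": parent,
            "command_line": ev["CommandLine"],
            "severity": "high" if parent in high_risk else "review",
        })
    return findings, parent_counts


if __name__ == "__main__":
    found, counts = hunt_cmd_parents(SAMPLE_EVENTS)
    print("cmd.exe launches per parent:", dict(counts))
    for f in found:
        print(f"[{f['severity']}] {f['host']} {f['user']} parent={f['parent']} cmd={f['command_line']}")
```

The two Office/Reader parents come out as "high"; the build tool comes out as "review", which is the kind of hit that, once confirmed benign, gets added to the expected set for that host group rather than globally.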
Use Case 2 : RDP Activities

MITRE Reference : CAR-2016-04-005 : Remote Desktop Logon : https://car.mitre.org/wiki/CAR-2016-04-005
• Hypothesis : A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations.
• Monitoring remote desktop logons and comparing them to known/approved originating systems can detect lateral movement of an adversary.
• Example Use Case Hunting : successful RDP logons (Windows Security Event ID 4624 with Logon Type 10, RemoteInteractive) whose source IP geolocates outside your country, that occur outside office hours, or that do not originate from the approved administrator workstations / jump hosts.
Use Case 3 : Stopping Windows Defensive Services

MITRE Reference : CAR-2016-04-003 : User Activity from Stopping Windows Defensive Services : https://car.mitre.org/wiki/CAR-2016-04-003
• Hypothesis : Spyware and malware remain a serious problem, and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection, and investigate to determine whether it was caused by a crash or by user manipulation.
• Example Use Case Hunting : antivirus or firewall services stopped shortly after a successful logon from the internal network via network services (Event ID 4624, Logon Type 3). The stop itself shows up in the System log as Event ID 7036 (service entered the stopped state) or 7040 (service start type changed, e.g. to disabled).
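The temporal correlation described above, as an added example that is not code from the slide deck. The events are constructed in a normalised form: Security Event ID 4624 (Logon Type 3) and System Event IDs 7036 / 7040 with the service name already pulled out of the message text, which is what a SIEM parser would give you. Hosts, accounts and timestamps are hypothetical; the look-back window is an assumption to tune.

```python
"""Correlate stops of defensive services with a network logon shortly before them.

Added example; not the slide deck's code. Events are constructed in a normalised form.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Service names behind "Windows Defender" (WinDefend, WdNisSvc, Sense) and the
# Windows Firewall (mpssvc), compared case-insensitively.
DEFENSIVE_SERVICES = {"windefend", "wdnissvc", "sense", "mpssvc"}
LOOKBACK = timedelta(minutes=10)   # hypothetical window between logon and service stop

SAMPLE_EVENTS = [
    {"Computer": "WS07", "EventID": 4624, "LogonType": 3, "TargetUserName": "CORP\\helpdesk1",
     "IpAddress": "10.20.1.15", "TimeCreated": "2021-06-21T09:02:10"},
    {"Computer": "WS07", "EventID": 7036, "ServiceName": "WinDefend", "State": "stopped",
     "TimeCreated": "2021-06-21T09:05:30"},
    {"Computer": "WS07", "EventID": 7040, "ServiceName": "WinDefend", "State": "disabled",
     "TimeCreated": "2021-06-21T09:05:31"},
    {"Computer": "WS08", "EventID": 7036, "ServiceName": "Spooler", "State": "stopped",
     "TimeCreated": "2021-06-21T09:10:00"},
    {"Computer": "WS09", "EventID": 4624, "LogonType": 3, "TargetUserName": "CORP\\alice",
     "IpAddress": "10.20.1.40", "TimeCreated": "2021-06-21T08:00:00"},
    {"Computer": "WS09", "EventID": 7036, "ServiceName": "mpssvc", "State": "stopped",
     "TimeCreated": "2021-06-21T13:00:00"},
]


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def hunt_defensive_service_stops(events, lookback=LOOKBACK):
    """Return every stop/disable of a defensive service, with the network logons on the
    same host during the preceding look-back window. Confidence is "high" when such a
    logon exists, "medium" otherwise (a crash or local tampering still needs a look)."""
    network_logons = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == 3:
            network_logons[ev["Computer"]].append(ev)

    findings = []
    for ev in sorted(events, key=_when):
        if ev["EventID"] not in (7036, 7040):
            continue
        if ev.get("ServiceName", "").lower() not in DEFENSIVE_SERVICES:
            continue
        if ev["EventID"] == 7036 and ev["State"] != "stopped":
            continue                      # 7036 is also logged when a service starts
        t = _when(ev)
        preceded_by = [
            {"user": lg["TargetUserName"], "source_ip": lg["IpAddress"],
             "seconds_before": int((t - _when(lg)).total_seconds())}
            for lg in network_logons[ev["Computer"]]
            if t - lookback <= _when(lg) <= t
        ]
        findings.append({"host": ev["Computer"], "event_id": ev["EventID"],
                         "service": ev["ServiceName"], "time": ev["TimeCreated"],
                         "preceded_by": preceded_by,
                         "confidence": "high" if preceded_by else "medium"})
    return findings


if __name__ == "__main__":
    for f in hunt_defensive_service_stops(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['time']} {f['host']} {f['service']} ({f['event_id']}) "
              f"preceded by {f['preceded_by'] or 'no network logon in window'}")
```

Defender also writes its own record when real-time protection is switched off (Event ID 5001 in Microsoft-Windows-Windows Defender/Operational); feeding that channel into the same correlation catches the cases where the service keeps running but is neutered.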
Use Case 4 : Task Scheduler

MITRE Reference : CAR-2020-09-001 : Scheduled Task - FileAccess : https://car.mitre.org/analytics/CAR-2020-09-001/
• Hypothesis : In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations: C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.
• Example Use Case Hunting :
  a. a scheduled task whose action runs from a suspicious folder location (e.g. C:\Users\... or C:\Windows\Temp)
  b. a scheduled task whose action runs through scripting / proxy-execution utilities (LOLBAS): cscript.exe, rundll32.exe, mshta.exe, powershell.exe, regsvr32.exe
Use Case 5 : Credential Dumping via Windows Task Manager

MITRE Reference : CAR-2019-08-001 : Credential Dumping via Windows Task Manager : https://car.mitre.org/analytics/CAR-2019-08-001/
• Hypothesis : The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.
• Example Use Case Hunting : hunt for file creation events (Sysmon Event ID 11, for example) where the creating process image is taskmgr.exe and the created file is the lsass dump (lsass.DMP, written to the user's temp folder by default).
Case Study : End to End Threat Hunting Process

Threat hunters define the hypotheses and start hunting:
1. Hypothesis 1 : User visiting a malicious website from a phishing email
2. Hypothesis 2 : User downloading a malicious file after visiting the malicious website (drive-by download, maybe?)
3. Hypothesis 3 : Malware runs on the user's system after being downloaded
4. Hypothesis 4 : Malware establishes a persistence mechanism on the infected / exploited machine
5. Hypothesis 5 : Malware contacting the Command and Control server
6. Hypothesis 6 : Threat actor exfiltrates sensitive documents to the Command and Control server
7. Hypothesis 7 : Sensitive data leaked on the Internet
Hypothesis 1 : User visiting a malicious website from a phishing email
• Data Source for Hunting : Passive DNS log, DNS server log, proxy log, NGFW log, Sysmon log, email log, mail security gateway log
• Platform for Hunting : SIEM, security analytics platform
• Analysis and Enrichment Data : DNSTwist, phishing domain lists, threat intelligence feeds, VirusTotal, Hybrid Analysis, URL / domain sandbox analysis
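A worked version of the DNSTwist-style enrichment listed above, added here as an example that is not code from the slide deck and not dnstwist itself: a small generator of lookalike variants of a protected domain (omission, transposition, repetition, homoglyph, hyphenation and TLD swap), matched against DNS query logs. The protected domain and the log lines are constructed.

```python
"""Generate lookalike variants of your own domain and hunt for them in DNS query logs.

Added example; not the slide deck's code and not dnstwist. Inputs are constructed.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}
TLD_SWAPS = ("com", "net", "org", "co", "xyz", "top", "info")

# Constructed DNS query log: "timestamp client qname", one record per line.
SAMPLE_DNS_LOG = """\
2021-06-21T09:14:02 10.20.1.40 examplebank.com
2021-06-21T09:15:10 10.20.1.40 login.examp1ebank.com
2021-06-21T09:16:33 10.20.1.52 examplebank.co
2021-06-21T09:17:01 10.20.1.52 www.exampelbank.com
2021-06-21T09:18:00 10.20.1.60 mail.google.com
2021-06-21T09:19:00 10.20.1.60 examplebanking.com
"""


def lookalikes(domain):
    """Set of lookalike domains for a single-label domain such as examplebank.com."""
    label, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                             # omission
        variants.add(label[:i] + label[i] + label[i:])                      # repetition
        if label[i] in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])  # homoglyph
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposition
        variants.add(label[:i + 1] + "-" + label[i + 1:])                   # hyphenation
    variants.discard(label)
    out = {f"{v}.{tld}" for v in variants if v}
    out |= {f"{label}.{t}" for t in TLD_SWAPS if t != tld}                  # TLD swap
    return out


def hunt_dns_log(log_text, protected_domain):
    """Return queries whose name is, or sits under, a lookalike of the protected domain."""
    variants = lookalikes(protected_domain)
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        for v in variants:
            if qname == v or qname.endswith("." + v):
                hits.append({"time": ts, "client": client, "qname": qname, "matches": v})
                break
    return hits


if __name__ == "__main__":
    for h in hunt_dns_log(SAMPLE_DNS_LOG, "examplebank.com"):
        print(f"{h['time']} {h['client']} asked for {h['qname']} (lookalike of {h['matches']})")
```

Note what this does not catch: examplebanking.com (an insertion) goes through unflagged because insertion and bitsquatting variants are not generated here; the real dnstwist covers those, and the point of the hunt is to feed its output into the same match over proxy, mail-gateway and DNS logs.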
Hypothesis 2 : User downloading a malicious file after visiting the malicious website (drive-by download, maybe?)
• Data Source for Hunting : Passive DNS log, DNS server log, proxy log, NGFW log, Sysmon log
• Platform for Hunting : SIEM, security analytics platform
• Analysis and Enrichment Data : Threat intelligence feeds, Alexa top 1M domain list, VirusTotal, Hybrid Analysis, URL / domain sandbox analysis, blacklisted domain checker
Hypothesis 3 : Malware runs on the user's system after being downloaded
• Data Source for Hunting : Prefetch, Shimcache, Amcache, running processes, volatile data (memory), Sysmon, auditd
• Platform for Hunting : SIEM, security analytics platform, EDR
• Analysis and Enrichment Data : File hash of the executed process, parent-child process analysis (SANS Find Evil poster as reference), folder location of executables, code-signing status of binaries, VirusTotal, Hybrid Analysis
Hypothesis 4 : Malware establishes a persistence mechanism on the infected / exploited machine
• Data Source for Hunting : ASEPs (Auto Start Extensibility Points), Registry, startup services and folder, Task Scheduler, cron jobs
• Platform for Hunting : SIEM, security analytics platform, EDR
• Analysis and Enrichment Data : Signature check, Sysinternals Autoruns, file hash check, date of creation
Hypothesis 5 : Malware contacting the Command and Control server
• Data Source for Hunting : NetFlow, firewall log, NGFW log, IDS, proxy logs, full packet capture, DNS log
• Platform for Hunting : SIEM, security analytics platform, NDR, XDR
• Analysis and Enrichment Data : Domain creation date, SSL certificate attribute checks, JA3 SSL fingerprint, GeoIP location data, threat intelligence feeds
Hypothesis 6 : Threat actor exfiltrates sensitive documents to the Command and Control server
• Data Source for Hunting : NetFlow, firewall log, NGFW log, IDS, proxy logs, full packet capture, DNS log
• Platform for Hunting : SIEM, security analytics platform, NDR, XDR
• Analysis and Enrichment Data : Domain creation date, SSL certificate attribute checks, JA3 SSL fingerprint, GeoIP location data, threat intelligence feeds; for exfiltration specifically, also compare outbound byte volumes per source host and destination against the baseline
Hypothesis 7 : Sensitive data leaked on the Internet
• Data Source for Hunting : OSINT, dark web search, underground forums, threat intelligence feeds
• Platform for Hunting : Threat intelligence platform
• Analysis and Enrichment Data : Pastebin, GitHub, honeypot
Threat Intelligence
• Threat intelligence, or cyber threat intelligence, is information an organization uses to understand the threats that have targeted, are currently targeting, or will target the organization.
• By identifying the threat actors the organization may be targeted by, defenses and monitoring solutions can be created to better protect it from attacks.
• Threat hunting is also closely associated with threat intelligence, as hunting is the process of using intelligence to search for evidence of sophisticated threat actors who are already in the network.
Benefit of Threat Intelligence
• By identifying relevant threat actors, and consuming intelligence from a number of sources, a threat intelligence function can help the business better understand the risks from cyber-attacks. In short, it helps security teams focus on the attackers that are likely to target the organization, and work to develop defences and other measures to prevent or limit the impact of attacks.
• Threat actors have the skills, knowledge, and resources to evade most of the security perimeter and tools owned by organizations. That is why it is important to keep up to date with their tactics, and to develop unique solutions to detect, respond to and prevent them from getting into our network.
Indicator of Compromise
IOCs are artifacts that have been identified as acting maliciously or attributed to threat actors. Some of the most common ones include:
• IP Addresses : an IP that has been observed scanning or exploiting our network
• Domains : a domain that hosts a credential harvesting site or a malicious payload
• Email Addresses : an email address that has been sending phishing emails with a malicious attachment
• File Names : malicious file names dropped by the attacker during the compromise
• File Hashes : the unique hash of a piece of malware / malicious tool used by threat actors
Threat Intelligence
Remember: IOC != Threat Intelligence
Threat Intelligence and Threat Hunting
• Threat intelligence and threat hunting are two distinct security areas that are complementary to each other. For example, threat intelligence can make up a small portion of the threat hunting process. However, subscribing to a threat intelligence feed does not automatically satisfy the need to threat hunt your network. A proper threat hunt can identify threats even when they have not yet been seen in the wild.
Threat Intelligence and Threat Hunting
(Figure: EC-Council CTIA, Threat Intelligence)