Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting couse here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
The document discusses a presentation on threat hunting with Splunk. It provides an agenda that includes topics like threat hunting basics, data sources for threat hunting, using Sysmon endpoint data, the cyber kill chain framework, and doing an advanced threat hunting walkthrough using Splunk. It also discusses applying machine learning and data science techniques to security. The presentation aims to help attendees build their threat hunting methodology and drive maturity in their threat hunting practices.
The document discusses threat hunting techniques using Splunk, including an overview of threat hunting basics, data sources for threat hunting, and Lockheed Martin's Cyber Kill Chain model. It provides examples of using endpoint data to hunt for threats across the kill chain by analyzing processes, communications, and file artifacts in a demo dataset. Advanced techniques discussed include hunting for SQL injection attacks and lateral movement.
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting couse here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
The document discusses a presentation on threat hunting with Splunk. It provides an agenda that includes topics like threat hunting basics, data sources for threat hunting, using Sysmon endpoint data, the cyber kill chain framework, and doing an advanced threat hunting walkthrough using Splunk. It also discusses applying machine learning and data science techniques to security. The presentation aims to help attendees build their threat hunting methodology and drive maturity in their threat hunting practices.
The document discusses threat hunting techniques using Splunk, including an overview of threat hunting basics, data sources for threat hunting, and Lockheed Martin's Cyber Kill Chain model. It provides examples of using endpoint data to hunt for threats across the kill chain by analyzing processes, communications, and file artifacts in a demo dataset. Advanced techniques discussed include hunting for SQL injection attacks and lateral movement.
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
How to Hunt for Lateral Movement on Your NetworkSqrrl
The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
The document discusses Windows credential attacks and defenses. It describes common credential theft techniques like dumping credentials from LSASS memory using Mimikatz. It then covers various Windows credential hardening defenses over time like Protected Processes, Restricted Admin, and CredentialGuard. It demonstrates CredentialGuard's effectiveness at preventing credential theft compared to normal and older Windows configurations through a lab demo. The presentation aims to educate on real-world credential attacks while showing that effective defense is possible.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Cyber threat intelligence: maturity and metricsMark Arena
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision
support to executives whilst the field of cyber threat intelligence supports this customer, and network defenders, who have different requirements. By using the intelligence cycle, this talk will
seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
Threat hunting is a proactive approach to security that involves actively searching networks for threats that evade traditional defenses like firewalls and antivirus. It involves forming hypotheses about potential attacks based on indicators and then validating those hypotheses by searching for related evidence. While threat hunting requires time, skills, and resources that many organizations lack, Panda Security's Threat Hunting and Investigation Service (THIS) provides threat hunting as a managed service at no extra cost with their Adaptive Defense 360 platform. THIS continuously monitors endpoints, forms hypotheses about attacks, and validates findings to detect threats that other solutions may miss.
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
The document summarizes a presentation about helping utilities prepare for cybersecurity. It discusses the Cybersecurity Capability Maturity Model (C2M2) developed by the Department of Energy (DOE) to help organizations assess their cybersecurity practices. The C2M2 uses a maturity model approach with 10 domains and 4 maturity levels to evaluate an organization's cybersecurity capabilities. It also discusses how the C2M2 can be used to support implementation of the National Institute of Standards and Technology's Cybersecurity Framework.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain
more insight into the state of threat hunting in security
operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many
responses included “unknown” and “advanced” when
describing threats, indicating the respondents understand
the challenges and fear those emerging threats.
Read the full report here.
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
The document discusses using storytelling to increase understanding of cyber threats through ATT&CK threat sightings. It describes the AC3 methodology for documenting threat actor tactics, techniques, and procedures with full context and observables. Different levels of abstraction and tools are used to translate threat sightings into various formats to ensure understanding across audiences. Maintaining defensive playbooks adapted from threat sightings helps continuous understanding and improvement of defenses.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
Threat hunting involves proactively searching networks to detect threats like advanced persistent threats that evade existing security systems. It is done through a hunting loop of forming hypotheses based on analytics, intelligence, or situational awareness, investigating through tools and data, uncovering patterns and indicators, and informing analytics. Various methods can be used for hunting like DNS fuzzing to find malicious domains, analyzing passive DNS data, web server logs, emails, and Windows logs. Open source tools used include Maeltego CE, YARA, and AIEngine, while commercial tools are Sqrrl, Exabeam, Infocyte HUNT, Mantix4, and AI Hunter.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
How to Hunt for Lateral Movement on Your NetworkSqrrl
The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
The document discusses Windows credential attacks and defenses. It describes common credential theft techniques like dumping credentials from LSASS memory using Mimikatz. It then covers various Windows credential hardening defenses over time like Protected Processes, Restricted Admin, and CredentialGuard. It demonstrates CredentialGuard's effectiveness at preventing credential theft compared to normal and older Windows configurations through a lab demo. The presentation aims to educate on real-world credential attacks while showing that effective defense is possible.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Cyber threat intelligence: maturity and metricsMark Arena
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision
support to executives whilst the field of cyber threat intelligence supports this customer, and network defenders, who have different requirements. By using the intelligence cycle, this talk will
seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
Threat hunting is a proactive approach to security that involves actively searching networks for threats that evade traditional defenses like firewalls and antivirus. It involves forming hypotheses about potential attacks based on indicators and then validating those hypotheses by searching for related evidence. While threat hunting requires time, skills, and resources that many organizations lack, Panda Security's Threat Hunting and Investigation Service (THIS) provides threat hunting as a managed service at no extra cost with their Adaptive Defense 360 platform. THIS continuously monitors endpoints, forms hypotheses about attacks, and validates findings to detect threats that other solutions may miss.
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
The document summarizes a presentation about helping utilities prepare for cybersecurity. It discusses the Cybersecurity Capability Maturity Model (C2M2) developed by the Department of Energy (DOE) to help organizations assess their cybersecurity practices. The C2M2 uses a maturity model approach with 10 domains and 4 maturity levels to evaluate an organization's cybersecurity capabilities. It also discusses how the C2M2 can be used to support implementation of the National Institute of Standards and Technology's Cybersecurity Framework.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain
more insight into the state of threat hunting in security
operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many
responses included “unknown” and “advanced” when
describing threats, indicating the respondents understand
the challenges and fear those emerging threats.
Read the full report here.
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
The document discusses using storytelling to increase understanding of cyber threats through ATT&CK threat sightings. It describes the AC3 methodology for documenting threat actor tactics, techniques, and procedures with full context and observables. Different levels of abstraction and tools are used to translate threat sightings into various formats to ensure understanding across audiences. Maintaining defensive playbooks adapted from threat sightings helps continuous understanding and improvement of defenses.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
Threat hunting involves proactively searching networks to detect threats like advanced persistent threats that evade existing security systems. It is done through a hunting loop of forming hypotheses based on analytics, intelligence, or situational awareness, investigating through tools and data, uncovering patterns and indicators, and informing analytics. Various methods can be used for hunting like DNS fuzzing to find malicious domains, analyzing passive DNS data, web server logs, emails, and Windows logs. Open source tools used include Maeltego CE, YARA, and AIEngine, while commercial tools are Sqrrl, Exabeam, Infocyte HUNT, Mantix4, and AI Hunter.