Adversaries compromise at will, penetrating today’s signature and IOC dependent detection capabilities. Most incident responders are locked in a cycle of constant reaction to the fraction of activity that is known. Often, undetected attackers remain active in the network as reported incidents are remediated. A new approach is needed to break the cycle of reaction and eradicate the unknown.
An offense-based approach must be adopted. Hunting puts the defender on the offensive within their networks, allowing for rapid detection and remediation of threats. Adversary dwell time can be drastically reduced, reducing business impacts and recovery costs. The Endgame hunt platform enables instant protection, visibility, and precision response across your endpoints and automates detection of known and never before seen adversaries without relying on signatures.
This talk covers:
• Description and benefits of hunt
• Challenges of hunting
• Solutions and hunting best practices
Hunting before a Known Incident
1. Hunting Before a Known Incident
Mark Dufresne
Director of Malware Research and Threat Intelligence
Endgame
2. Agenda
• Who am I?
• Assume you are compromised
– Defenses fail. All the time.
• Be Proactive, Think Offense: Hunt!
– What is hunt
– Hunt techniques
– Benefits of hunt
• Hunt vs. traditional IR
• Challenges of hunting and how to overcome
• Hunting best practices
3. About Me
• Previous Experience
– 13 years at NSA
• Mix of offense and defense
• Currently
– Director of Malware Research and Threat Intelligence at Endgame
4. Today’s Reality
The cycle isn’t working: prevention, detection, triage, response
• Prevention is important but will be bypassed
• Search and signature-based detection is always behind
• Often, notification is external
• Often, additional adversaries are already active while a known
incident is closed
5. Why Does Search/Signature Detection Fail?
• On your network
– Encryption
– Cloud services used for staging, C2, and exfil; they blend in with legitimate traffic
– Tailored and/or ephemeral attack infrastructure
• On your endpoints
– Polymorphism
– Malware customization and diversification
– Use of legitimate credentials and admin tools; malware only as a last resort
• Assume compromise!
– Someone else’s IOCs might not help you
– Signatures won’t find everything
• They won’t find what hasn’t been seen before
Attacks are changing
6. Be Proactive, Think Offense
• Adversaries are eating your lunch
• You can’t afford to wait
• Offensive, proactive discovery must be the response
– Search is necessary but insufficient
– Look for techniques used by attackers
– Look for patterns in the right data
Hunt within your networks, a.k.a. Continuous IR
7. Hunting
• Hunting is the proactive, stealthy, and methodical pursuit and
eviction of adversaries inside your network without relying on IOCs
– Detect and eliminate known as well as never-before-seen adversaries
• Adversaries operate on your systems. They leave a trail
– Understand what actions they take in the OS: chokepoints
– Understand breadcrumbs they leave on and across systems: patterns and
anomalies.
• Gain the right visibility, collect the right data, analyze, detect, and
respond
– Lock down systems while you’re doing it
– Be stealthy
8. Common Hunt Methods and Techniques
• Indicator of Compromise (IOC)
• Network
• Endpoint
• Manual vs. scheduled vs. continuous
• Outliers/oddities vs. anomaly detection
9. Indicator Hunting? (Searching)
• What’s search good for?
– Will help you react to an external notification
– Will help you find well-known campaigns
– Will help you consistently find unsophisticated threats
– Will help you pivot on IOCs you find in your own network
• Determine the extent of an incident
• Your hunt platform needs to facilitate search
– Search is today’s security muscle memory
– But a hunter needs to do more
If you know what you are looking for, it is not hunt, it is search
10. Hunting on the Network
• Network data is more noisy than host data
– But, it’s still valuable
– Best if you can tie to process
• Listeners
– What ports are listening on only a few systems?
– What processes have listening sockets on only a few systems?
• DNS resolutions
– What looks like it could be DGA?
– What looks like it’s trying to masquerade as a real site?
• Beaconing
– What connections look like they could be malware beacons?
• Choose where to focus hunt, collect, analyze, detect, respond
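The questions on this slide are each a small piece of analysis over data you already collect: stacking listeners across hosts, scoring domain names, and measuring how regular a host's connections to one destination are. The following is an added example in Python, not code from the talk or from Endgame's platform. The host names, listener records, domains, brand allowlist and timestamps are constructed sample data, and the thresholds (max_hosts, min_entropy, max_vowel_ratio, max_cv) are assumed starting points to tune per environment.

```python
"""Added example (not from the talk or the Endgame platform): turning the
network-hunt questions on this slide into simple analytics over collected
data. All records below are constructed; thresholds are assumed defaults."""
from collections import Counter, defaultdict
import math
import statistics

# Constructed listener inventory: (host, process, listening port).
LISTENERS = [
    ("ws01", "svchost.exe", 135), ("ws02", "svchost.exe", 135), ("ws03", "svchost.exe", 135),
    ("ws01", "System", 445), ("ws02", "System", 445), ("ws03", "System", 445),
    ("ws02", "update.exe", 4444),  # process/port pair present on one host only
]

# Constructed DNS resolutions observed from the fleet.
DOMAINS = ["accounts.example.com", "xk3j9qpz2lwm7v.example", "paypal-secure-login.example"]

# Known-good domains for brands that get imitated (constructed allowlist).
BRAND_ALLOWLIST = {"paypal": {"paypal.com"}}

# Constructed connection timestamps (seconds) from one host to one destination.
BEACON_TIMES = [0, 60, 121, 180, 240, 299]       # regular ~60 s cadence
BROWSING_TIMES = [0, 5, 300, 310, 900, 905]      # bursty, human-like


def rare_listeners(records, max_hosts=1):
    """Stack (process, port) pairs across hosts; report pairs seen on <= max_hosts."""
    hosts_by_pair = defaultdict(set)
    for host, proc, port in records:
        hosts_by_pair[(proc, port)].add(host)
    return sorted(pair for pair, hosts in hosts_by_pair.items() if len(hosts) <= max_hosts)


def shannon_entropy(text):
    """Bits of entropy per character in `text`."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_like(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic for algorithmically generated names: a long, high-entropy,
    consonant-heavy leftmost label. Thresholds are assumed starting points."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def masquerading(domain, allowlist=BRAND_ALLOWLIST):
    """Return the brand name when a domain mentions a watched brand but is not
    one of that brand's real domains (or a subdomain of one), else None."""
    for brand, real in allowlist.items():
        if brand in domain and domain not in real and not any(domain.endswith("." + r) for r in real):
            return brand
    return None


def beacon_stats(timestamps):
    """(mean interval, coefficient of variation) of the gaps between connections,
    or None when there are too few connections to judge."""
    times = sorted(timestamps)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))


def is_beacon(timestamps, max_cv=0.1):
    """A very regular cadence (low coefficient of variation) suggests a beacon."""
    stats = beacon_stats(timestamps)
    return stats is not None and stats[1] <= max_cv


if __name__ == "__main__":
    print("rare listeners:", rare_listeners(LISTENERS))
    print("DGA-like:", [d for d in DOMAINS if dga_like(d)])
    print("masquerading:", [d for d in DOMAINS if masquerading(d)])
    print("beacon-like cadence:", is_beacon(BEACON_TIMES), is_beacon(BROWSING_TIMES))
```

Each finding is a lead to investigate, not a verdict: a rare listener may be a legitimate one-off service, and a regular cadence can be an update checker. The value of tying network data to the originating process, as the slide notes, is that the same process identity lets you pivot from one of these hits to the endpoint evidence.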
11. Hunting on Endpoints
• Autoruns locations
– What’s persisting on only a few hosts?
– What’s executing out of a strange location?
• Running processes
– What has a hash mismatch across hosts?
– Which process has a loaded module not present on other systems?
• Execution artifacts
– What strange PowerShell commands have been run?
– Where do I see unusual remote process executions?
• Many other possibilities
• Again - choose, collect, analyze, detect, respond
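Each question on this slide comes down to comparing one host's state against the rest of the fleet ("stacking"). The following is an added example in Python, not code from the talk or from Endgame's platform. The process records, autorun entries, hashes, paths, command lines and the directory baseline are constructed sample data, and the PowerShell flag list is an assumed starting point rather than a complete one.

```python
"""Added example (not from the talk or the Endgame platform): stacking a
constructed endpoint inventory across hosts to answer the questions on this
slide. Records, hashes, paths and command lines are constructed sample data."""
from collections import defaultdict
import ntpath
import re

# Constructed running-process inventory: one record per host.
PROCESSES = [
    {"host": "ws01", "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "sha256": "HASH_A", "modules": {"ntdll.dll", "kernel32.dll"}},
    {"host": "ws02", "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "sha256": "HASH_A", "modules": {"ntdll.dll", "kernel32.dll"}},
    {"host": "ws03", "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe",
     "sha256": "HASH_B", "modules": {"ntdll.dll", "kernel32.dll", "inject.dll"}},
]

# Directories each process name is expected to run from (constructed baseline, lower-case).
EXPECTED_DIRS = {"svchost.exe": {r"c:\windows\system32"}}

# Constructed autoruns inventory: (host, autorun location, image path).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
USER_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    ("ws01", RUN_KEY, r"C:\Program Files\Vendor\agent.exe"),
    ("ws02", RUN_KEY, r"C:\Program Files\Vendor\agent.exe"),
    ("ws03", RUN_KEY, r"C:\Program Files\Vendor\agent.exe"),
    ("ws03", USER_RUN_KEY, r"C:\Users\Public\svchost.exe"),  # persists on one host only
]

# Constructed process-creation records: (host, command line).
COMMANDS = [
    ("ws01", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ("ws03", "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."),
]


def rare_autoruns(records, max_hosts=1):
    """Persistence entries (location, image) present on <= max_hosts hosts."""
    hosts_by_entry = defaultdict(set)
    for host, location, image in records:
        hosts_by_entry[(location, image)].add(host)
    return sorted(e for e, hosts in hosts_by_entry.items() if len(hosts) <= max_hosts)


def unusual_paths(processes, expected=EXPECTED_DIRS):
    """Processes executing outside the directory baseline for their name."""
    return sorted((p["host"], p["path"]) for p in processes
                  if ntpath.dirname(p["path"]).lower() not in expected.get(p["name"], set()))


def hash_mismatches(processes):
    """For each process name with more than one hash, the minority hashes and hosts."""
    by_name = defaultdict(lambda: defaultdict(set))  # name -> sha256 -> hosts
    for p in processes:
        by_name[p["name"]][p["sha256"]].add(p["host"])
    findings = {}
    for name, hashes in by_name.items():
        if len(hashes) > 1:
            majority = max(hashes, key=lambda h: len(hashes[h]))
            findings[name] = {h: sorted(hosts) for h, hosts in hashes.items() if h != majority}
    return findings


def rare_modules(processes, max_hosts=1):
    """Modules loaded into a given process name on <= max_hosts hosts."""
    hosts_by_module = defaultdict(set)
    for p in processes:
        for module in p["modules"]:
            hosts_by_module[(p["name"], module)].add(p["host"])
    return sorted(k for k, hosts in hosts_by_module.items() if len(hosts) <= max_hosts)


# Command-line switches often used to hide PowerShell activity (assumed, not exhaustive).
POWERSHELL_FLAGS = re.compile(r"-(?:e(?:nc(?:odedcommand)?)?|nop|noprofile|w(?:indowstyle)?\s+hidden)\b", re.I)


def suspicious_powershell(records):
    """Hosts and command lines of PowerShell runs carrying evasion-style switches."""
    return [(host, cmd) for host, cmd in records
            if "powershell" in cmd.lower() and POWERSHELL_FLAGS.search(cmd)]


if __name__ == "__main__":
    print("rare autoruns:", rare_autoruns(AUTORUNS))
    print("unusual paths:", unusual_paths(PROCESSES))
    print("hash mismatches:", hash_mismatches(PROCESSES))
    print("rare modules:", rare_modules(PROCESSES))
    print("suspicious PowerShell:", suspicious_powershell(COMMANDS))
```

On real data the majority hash will differ across OS builds and patch levels, so group by build before calling the minority suspicious, and treat a rare autorun or module as a question for the host, not an answer.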
12. Benefits of Hunt
• Reduce dwell time before discovery, and with it reduce costs
– Shorter dwell time usually means reduced incident complexity
– Shorter dwell time usually means less loss or damage
• Break the cycle of reactivity
• Build new security muscle memory
– By continuous hunting, one gains an ability to see and react to patterns
and anomalies
“Organizations that proactively work to discover incidents — ‘hunt’ for them — have a better chance of finding them and effectively reducing their impact.” Gartner, 2016
13. Hunt and Incident Response
• Very similar methods and skills required
• Similar tools and techniques
• Different starting point
– Hunt: Assume breach and find it
– IR: Known (or suspected) penetration
• Steps after discovery are remarkably similar
• Don’t wait for the incident. Go find it.
– IR teams can be the hunters
– So, consider hunting
14. Hunt Challenges and Solutions

Challenge                                        Solution
Lack of resources                                Start with free tools (Hunting on the Cheap)
Difficulty hiring skilled hunters; lack of time  Automate analysis; generate detections based on hunt techniques
Drowning in data                                 Data science and machine learning; start small and limited in scope
Tipping off the adversary                        Stealth tools and techniques

To hunt effectively, consistently, and at scale in any organization, you need a platform that augments and assists your team
15. Endgame Advantages
Multi-Mode Operation
Built-in options for discovery, on-demand deployment, and persistence
Stealth
Prevents adversary disruption and evasion
IOC-Independent Detection
Detect never-before-seen and unique attacks
Tailored & Surgical Response
Thread-level response prevents disruption of normal business
Automation
Empowers Tier 1 & 2 analysts & minimizes time to remediation
Intelligent Collection
Real-time Automated answers to critical questions
16. Summary
• The current detection and IR cycle doesn’t work
• Transform the IR cycle into a Hunt cycle
• Start hunting now
• Automate, automate, automate
Stop by Endgame table for a demo!