SkyDogCon
October 2016
Hunting: Defense Against The Dark Arts
Speaker Background
Hunting:	Defense	Against	The	Dark	Arts 2
Jackie Stokes
Director of Incident Response
Foundstone Services @ Intel Security Group
Past Lives:
• Mandiant / FireEye
• DoD Contractor - Iraq, Africa
• US Army – Iraq
• 2600
@find_evil
Problem Set
• Find Evil
• Find Ways for Evil to do Evil Things
• Drive maturation of monitoring & detection capabilities
Traditional Detection vs. Hunting
Not
❌ Tools
❌ Alerts
❌ Automation
Methodology?
Design process for executing research or development of procedures
Not in itself an instrument, method, or procedure.
Threat Hunting Loop
https://sqrrl.com/solutions/cyber-threat-hunting
Building a Hunt Program
"Understanding is the first step to acceptance, and only with acceptance can there be recovery."
— Albus Dumbledore
Hunt Program
Mature detection capabilities
Use Cases + Playbooks
Guiding processes for SOC / CIRT
Technology & Tools
Operationally-driven and requirements-based
SOC + CIRT
Security operations and incident response
Formalized Security Program
Chartered and backed by an executive sponsor
Hunting Capability Pyramid
Must be this tall to ride :)
http://blog.sqrrl.com/the-cyber-hunting-maturity-model
Hunting Maturity Model
Building a Hunt Program
1. Establish executive sponsorship and mission charter/objectives
2. Establish and implement enterprise logging strategy
3. Aggregate, centralize, and process data
4. Make data available within a (fast) searchable interface
5. Drive maturity
• Develop Use Cases
• Are we getting the right data?
• Review tooling and associated requirements
• Reintegrate hunt mission data to security operations
Hunting + IR → Detection Maturation
[Diagram: a cycle linking Hunt, SOC, Detect, IR and Use Case. Ongoing hunt missions feed incident response activities; IR outcomes affect SecOps; lessons learned are incorporated into SecOps; detection capability improves. Findings are classed as Evil or Non-Evil Risk.]
What is a Use Case?
• Discrete objectives and processes used to solve mission problems and guide thinking
• Can be simple or complex
• Helps to identify data / capability requirements and gaps
• Aligned to an attacker lifecycle: Kill Chain or ATT&CK
• Contains Internal TTP used to achieve the Use Case Objectives
• Data – What should we collect to detect EOI?
• Tools – What can we use to handle our Data?
• Logic – How can we best leverage both our Data and Tools?
EOI, Incidents, and Use Cases
[Diagram: Incident / Events of Interest / Detection Use Case]
Events of Interest, ex.
1. $Endpoint1 seen making DNS requests for known bad domain
2. HTTP Proxy sees $Endpoint1 requesting binary with unknown MD5
3. Network logs show periodic suspicious communications from $Endpoint1 to multiple new hosts in unlikely countries
4. Can you think of more examples?
Use Case Design Tree: Objective
Use Case Design Tree: Tools & Capabilities
Hunt Mission Outcomes
No Detection
• Benefit: Activity shown not to be present
• Next Step: Evaluate hunt mission effectiveness
Detection: Non-Malicious
• Benefits: Activity shown to be present; hunt mission effectiveness validated; best practice / compliance issues identified
• Next Step: Escalate as appropriate, monitor to closure
Detection: Malicious
• Benefits: Activity shown to be present; hunt mission effectiveness validated; security incidents identified
• Next Step: Escalate as appropriate, monitor to closure
Sorting Out Your Data
"Not Slytherin, eh? Are you sure? You could be great, you know."
Data Sources (categories: Security, Network, Endpoint, IT, Threat Intel, HR)
- Remote Access
- Web Proxy
- IDS / IPS
- Email
- WAF
- DNS
- DHCP
- NetFlow
- Firewall
- Router / Switch
- Wireless Infrastructure
- Agents
- Antivirus
- Operating Systems
- Active Directory
- File, Print, Database
- Other Services
External Feeds
- Paid, Free, OSINT
Internal Feeds
- Recon Data
- Threat/Risk Models
- IR Lessons Learned
- Critical Asset Inventory
- Identity & Access Management (IAM)
- Scheduled Service Interruptions
- Terminated Users
- Acceptable Use Policy
- Employee Work Hours
- Physical Access Logs
Two Types of Events
1. Observed → Originated from a device that handled the event in some way
2. Synthetic → Generated through automated analysis of event data
What is the Right Data?
• Original source data wherever possible
• Ensure the presence of important metadata
• Generally, observed events > synthetic events
• Synthetic events can provide useful context in the form of analytics
• Logs must enable pivoting
• Minimum: one extractable, consistently present data point that can be used to correlate log sources
Ready the Spells!
• Understand the network
• Learn critical assets
• Develop enterprise logging strategy
• Ensure data sources use consistent time settings; implement NTP, use GMT (or UTC)
• Plug in to asset, change, and configuration management processes
• Account for other organizational use cases
• IT Operations
• Forensics / Incident Response
• Compliance / Audit
• Clean up the hunt dataset
• Normalization
• De-duplication
• Parsing
• Enrich and contextualize the dataset...!
Event Enrichment
• Internally-sourced Intelligence
• Attack Trees
• Red Team / Penetration test output
• TTPs from previous incidents
• Deviances from baselines / Expected behavior
• Organizational risk profile / Threat context
• Externally-sourced Intelligence
• Paid subscriptions
• OSINT
• Free feeds
• Passive DNS, WHOIS, etc.
• Geographical data
• ISAC, Infragard, etc.
• Context
• Environmental
• Refer to "Data Source" slide
• Previous hunt and IR output
• Malware analysis
• Analytics, Ex:
• Geo-infeasibility
• Beacon detection
• DNS entropy
• Data exfiltration
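The "beacon detection" analytic in this list (and the "periodic suspicious communications" event of interest earlier in the deck) as a worked example; this is added code, not code from the talk. The connection-log format, the sample data and the thresholds (minimum connection count, coefficient-of-variation cutoff) are all assumptions.

```python
"""Beacon detection over connection-log timestamps (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample connection log: "<UTC timestamp> <src_ip> <dst_ip> <bytes>".
# 10.1.1.25 contacts 203.0.113.9 roughly every 600 s (a beacon-like pattern);
# 10.1.1.30 talks to 198.51.100.7 at irregular intervals; 10.1.1.40 has too few
# connections to judge either way.
SAMPLE_LOG = """\
2016-10-01T09:00:00Z 10.1.1.25 203.0.113.9 512
2016-10-01T09:00:00Z 10.1.1.30 198.51.100.7 4820
2016-10-01T09:03:17Z 10.1.1.30 198.51.100.7 1290
2016-10-01T09:10:01Z 10.1.1.25 203.0.113.9 514
2016-10-01T09:19:59Z 10.1.1.25 203.0.113.9 511
2016-10-01T09:21:44Z 10.1.1.30 198.51.100.7 77100
2016-10-01T09:22:10Z 10.1.1.30 198.51.100.7 2210
2016-10-01T09:30:00Z 10.1.1.25 203.0.113.9 513
2016-10-01T09:31:00Z 10.1.1.40 192.0.2.5 900
2016-10-01T09:40:02Z 10.1.1.25 203.0.113.9 512
2016-10-01T09:49:58Z 10.1.1.25 203.0.113.9 512
2016-10-01T10:00:00Z 10.1.1.25 203.0.113.9 515
2016-10-01T10:05:33Z 10.1.1.30 198.51.100.7 6031
2016-10-01T10:06:01Z 10.1.1.30 198.51.100.7 410
2016-10-01T10:10:01Z 10.1.1.25 203.0.113.9 512
2016-10-01T10:11:00Z 10.1.1.40 192.0.2.5 880
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst, int(size)))
    return events


def beacon_candidates(events, min_count=6, max_cv=0.1):
    """Return (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    For each pair the gaps between successive connections are computed and the
    coefficient of variation (stddev / mean) measures how regular they are.
    Pairs with fewer than min_count connections are skipped: a handful of
    connections cannot establish a period, and would produce false positives.
    """
    by_pair = defaultdict(list)
    for when, src, dst, _ in events:
        by_pair[(src, dst)].append(when)

    candidates = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates.append({
                "src": src, "dst": dst, "count": len(times),
                "mean_interval_s": avg, "cv": cv,
            })
    # Most regular first: the lowest cv is the strongest candidate.
    return sorted(candidates, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{c['src']} -> {c['dst']}: {c['count']} connections, "
              f"period ~{c['mean_interval_s']:.0f}s, cv={c['cv']:.3f}")
```

Deliberately jittered beacons raise the coefficient of variation, so in practice the cutoff is tuned per environment and the analytic is paired with stacking on destination rarity rather than used alone.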
Tools of the Trade
"It is important to fight, and fight again, and keep fighting, for only then could evil be kept at bay, though never quite eradicated"
— Albus Dumbledore
Criteria for a Working Hunt Platform
• Rapid search with high quality UI and / or API
• Stacking
• Group and reduce the dataset to more easily identify outliers
• Improves feasibility of analyzing large environments
• Pivoting
• Move laterally through the dataset
• See the whole picture
• Nice to Have
• Tagging and Enrichments
• Intelligence Integration Support
• Automation: Rules & Alerting
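Stacking and pivoting as described above, and the earlier point that logs must share one consistent data point to correlate on, as a worked example; this is added code, not code from the talk or any product. The pipe-delimited proxy and DNS log formats, their field names and the records are constructed; the shared key is the client IP.

```python
"""Stack one field to surface outliers, then pivot on a shared key (added example)."""
from collections import Counter, defaultdict

# Constructed web proxy log: timestamp|client_ip|method|url|status|user_agent
PROXY_LOG = """\
2016-10-01T09:00:01Z|10.1.1.25|GET|http://www.example.com/|200|Mozilla/5.0 (Windows NT 6.1) Chrome/53.0
2016-10-01T09:00:07Z|10.1.1.26|GET|http://www.example.com/news|200|Mozilla/5.0 (Windows NT 6.1) Chrome/53.0
2016-10-01T09:01:12Z|10.1.1.27|GET|http://cdn.example.com/app.js|200|Mozilla/5.0 (Windows NT 6.1) Chrome/53.0
2016-10-01T09:02:30Z|10.1.1.25|GET|http://mail.example.com/|200|Mozilla/5.0 (Windows NT 6.1) Chrome/53.0
2016-10-01T09:03:45Z|10.1.1.28|GET|http://www.example.com/|200|Mozilla/5.0 (Windows NT 10.0) Firefox/49.0
2016-10-01T09:04:02Z|10.1.1.29|GET|http://www.example.com/docs|200|Mozilla/5.0 (Windows NT 10.0) Firefox/49.0
2016-10-01T09:05:19Z|10.1.1.40|GET|http://update.example.net/u.php?id=7|200|Mozilla/4.0 (compatible; MSIE 6.0)
"""

# Constructed DNS log: timestamp|client_ip|query|answer
DNS_LOG = """\
2016-10-01T08:59:58Z|10.1.1.25|www.example.com|198.51.100.10
2016-10-01T09:05:17Z|10.1.1.40|update.example.net|203.0.113.9
2016-10-01T09:05:18Z|10.1.1.40|stat.example.net|203.0.113.9
2016-10-01T09:03:44Z|10.1.1.28|www.example.com|198.51.100.10
"""

PROXY_FIELDS = ["ts", "client_ip", "method", "url", "status", "user_agent"]
DNS_FIELDS = ["ts", "client_ip", "query", "answer"]


def parse_delimited(text, fields, sep="|"):
    """Parse sep-delimited lines into dicts keyed by the given field names."""
    records = []
    for line in text.splitlines():
        if line.strip():
            # maxsplit keeps any separator inside the last field intact
            records.append(dict(zip(fields, line.split(sep, len(fields) - 1))))
    return records


def stack(records, field):
    """Count distinct values of one field, rarest first (long-tail review).

    Returns (value, count, sorted client_ips) so the analyst sees not only how
    rare a value is but which hosts produced it.
    """
    counts = Counter(r[field] for r in records)
    hosts = defaultdict(set)
    for r in records:
        hosts[r[field]].add(r["client_ip"])
    return [(v, n, sorted(hosts[v]))
            for v, n in sorted(counts.items(), key=lambda kv: kv[1])]


def pivot(sources, key_field, key_value):
    """Pull every record with key_field == key_value from each named source.

    The key (here client_ip) is the one consistent data point that lets the
    proxy and DNS logs be correlated at all.
    """
    return {name: [r for r in recs if r.get(key_field) == key_value]
            for name, recs in sources.items()}


def rare_user_agent_hunt(max_count=1):
    """Stack user agents, then pivot each rare agent's hosts into the DNS log."""
    proxy = parse_delimited(PROXY_LOG, PROXY_FIELDS)
    dns = parse_delimited(DNS_LOG, DNS_FIELDS)
    findings = []
    for agent, count, hosts in stack(proxy, "user_agent"):
        if count > max_count:
            break  # stack is sorted rarest first; the remaining agents are common
        for host in hosts:
            findings.append({
                "user_agent": agent, "client_ip": host,
                "related": pivot({"proxy": proxy, "dns": dns}, "client_ip", host),
            })
    return findings


if __name__ == "__main__":
    for f in rare_user_agent_hunt():
        print(f["client_ip"], f["user_agent"],
              [r["query"] for r in f["related"]["dns"]])
```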
All About The Galleons
• Budget!
• Driven by Operational Requirements
• Tool/Vendor Selection Process
• Evaluation Success Criteria
• Multiple Tools: Diverse Perspectives
• Free and Open Source Software!
• NXLog
• Sysmon
• Moloch
• Wireshark
• Bro Network Security Monitor
• ELK Stack (ElasticSearch, Logstash, Kibana)
• Security Onion Linux Distribution – Da Real MVP
+ a bunch of other stuff not listed here...
Analysis
"We teachers are rather good at
magic, you know."
Sample Hypotheses to Drive Hunt Missions
1. Sensitive corporate data stored only in approved locations
2. Large or extended outbound data transfers meet business needs
3. Reconnaissance activities against DMZ hosts provide advance warning of pending malicious activity
4. VPN logins by users are geographically feasible
5. Domain controller baselines are simple and deviations rarely occur
6. Service credentials are used only in expected ways and for their appropriate services
7. Web proxies are appropriately configured to block suspicious traffic
8. Services communicate using secure, encrypted protocols
9. Tunneling HTTP traffic and other proxy avoidance techniques are not allowed in or out of our network
10. The use of management tools (such as PSExec) occurs only within approved change windows
11. Endpoints are not added to the network without infosec visibility
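Hypothesis 4 (VPN logins are geographically feasible) as a worked check; this is added code, not code from the talk. It assumes the VPN log has already been enriched with a latitude/longitude per source address (for example by a GeoIP lookup at ingest); the login records and the 900 km/h plausibility threshold are constructed.

```python
"""Geo-infeasibility check over geo-enriched VPN logins (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; assumption

# Constructed, geo-enriched VPN login records (lat/lon assumed from GeoIP).
VPN_LOGINS = [
    {"user": "alice", "ts": "2016-10-01T09:00:00Z", "src_ip": "198.51.100.20", "lat": 36.16, "lon": -86.78},
    {"user": "alice", "ts": "2016-10-01T11:00:00Z", "src_ip": "203.0.113.77", "lat": 50.11, "lon": 8.68},
    {"user": "bob", "ts": "2016-10-01T09:00:00Z", "src_ip": "198.51.100.31", "lat": 36.16, "lon": -86.78},
    {"user": "bob", "ts": "2016-10-01T14:00:00Z", "src_ip": "198.51.100.42", "lat": 33.75, "lon": -84.39},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def infeasible_logins(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by one user that would need implausible travel speed."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: _parse_ts(r["ts"]))
        for prev, cur in zip(recs, recs[1:]):
            hours = (_parse_ts(cur["ts"]) - _parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Simultaneous logins from different places are infeasible however
            # they are divided; guard against division by zero.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                findings.append({
                    "user": user, "from": prev["src_ip"], "to": cur["src_ip"],
                    "distance_km": km, "hours": hours, "speed_kmh": speed,
                })
    return findings


if __name__ == "__main__":
    for f in infeasible_logins(VPN_LOGINS):
        print(f"{f['user']}: {f['from']} -> {f['to']} "
              f"{f['distance_km']:.0f} km in {f['hours']:.1f} h ({f['speed_kmh']:.0f} km/h)")
```

Shared VPN egress points, satellite links and GeoIP errors all produce false positives, so findings are reviewed against the known-egress list before escalation.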
More Data, More Problems
"Dobby is... free."
Evil vs. Ways for Evil to do Evil Things
1. Remote Access
Hypothesis: Remote access to our environment is conducted using approved means
Discovery:
• Remote access is occurring over multiple protocols to / from unapproved hosts
• VNC to / from production network
• RDP to domain controllers from DMZ
• Evidence of unapproved remote access utilities such as LogMeIn, GoToMyPC, etc.
Recommendation:
• Evaluate unapproved connections for mitigation or for risk acceptance
• Ensure that risk accepted software is fully patched and up to date
• Implement strong encryption, jump boxes / VPN ACLs, and two-factor authentication where possible
2. Data Storage
Hypothesis: Corporate data is only stored in approved locations
Discovery:
• Sensitive corporate data stored on unencrypted and infected external media
• Unrestricted use of common cloud data storage providers
• Unmanaged source code repositories (intellectual property)
Recommendation:
• Evaluate DLP implementation and allowed web proxy categories
• Consider establishing formalized agreement with a cloud storage provider
• Bring unmanaged data stores under management in support of development teams
3. Proxy Infrastructure
Hypothesis: Our proxy infrastructure is properly configured
Discovery:
• Not blocking known malicious categories
• Not blocking executable downloads
• Proxies not logging all necessary protocol metadata
• Ex. User Agent, Status Code, Byte Counts, X-Forwarded-For, etc.
Recommendation:
• Validate security operations' requirements of proxy infrastructure
• Re-evaluate proxy configurations for appropriate changes
• Ensure security operations are looped in to the change management process
4. Approved Protocols
Hypothesis: Protocols transiting our network are secure and approved for use
Discovery:
• Various insecure protocols identified in use across the network
• Unencrypted: Telnet, FTP
• Deprecated: SNMP v2, cleartext SMTP
• Risky: IRC, TOR / i2p
Recommendation:
• Identify opportunities to deploy secured versions of protocols
• FTP → SFTP
• Telnet → SSH
• SNMP v2 → SNMP v3, etc.
• Evaluate implementation of risk detection and mitigation strategies
5. Approved Clients
Hypothesis: Internet access is achieved using known and approved client software
Discovery:
• Suspicious user-agents identified - indicating potential latent infections
• Extremely out of date software, including: client browsers, Flash, and Java
Recommendation:
• Begin incident response procedures to evaluate and triage endpoints
• Evaluate consistency of patch and vulnerability management processes
6. Privilege Management
Hypothesis: Account management is rooted in best practice
Discovery:
• Service accounts used for unrelated purposes or shared by users
• Regular and privileged users with non-specific accounts
• Direct privileged logins without approved privilege escalation process (e.g. sudo)
• Suspicious usernames that do not conform to the organizational standard
• User account belonging to terminated user active on the network
Recommendation:
• Evaluate suspicious or ambiguous accounts for mitigation or for risk acceptance
• Ensure security operations are tied into the HR termination workflow
• Update organizational username standard and privilege management processes
7. Security Architecture
Hypothesis: Event logs provide information needed to validate control effectiveness
Discovery:
• Non-security specific appliances with disabled security functionality
• Ex. Cisco ASA scan detection disabled
• Security specific appliances improperly placed
• Bro NSM placed post-proxy, post-NAT
Recommendation:
• Evaluate IT systems for security value (non-traditional security appliances)
• Ex. Network devices
• Modify configuration and placement of systems to meet requirements
8. Process Execution
Hypothesis: Endpoints only execute processes required for business functions
Discovery:
• Obfuscated PowerShell execution
• Mimikatz and other persistence toolkit execution
• Suspicious filenames/paths/registry entries, etc.
• Users installing browser toolbars and miscellaneous adware/spyware
Recommendation:
• Call the IR Team :)
• Adjust detections / controls to rapidly detect and prevent future occurrences
9. DNS
Hypothesis: DNS resolutions occur within the bounds of best practices
Discovery:
• "Weird" protocol deviations/padded packets suggesting exfil or C&C
• Uncontrolled resolutions that are not forced through corporate infrastructure
• Resolutions for unusual or risky domains
• Ex. Dynamic DNS domains, domains appearing to be algorithmically generated
• Initial resolutions for suspicious domains + subsequent unusual communication
Recommendation:
• Harden organizational DNS infrastructure
• Ex. Implement DNSSEC, prevent zone transfers, etc.
• Configure perimeter devices to only accept DNS requests from corporate DNS
• Implement protocol anomaly detection to identify protocol misuse
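The DNS discoveries above (algorithmically generated and dynamic DNS domains, resolutions not forced through corporate infrastructure) as worked analytics; this is added code, not code from the talk. The Shannon-entropy threshold, the dynamic DNS suffix list, the firewall log format and the resolver addresses are constructed placeholders, and the registrable-label extraction is a simplification that ignores the public suffix list.

```python
"""DNS hunt analytics: suspicious domains and resolver bypass (added example)."""
import math
from collections import Counter

# Placeholder suffixes; in practice populate from threat intel / policy.
DYNAMIC_DNS_SUFFIXES = ("ddns.example", "dyn.example")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption
MIN_LABEL_LENGTH = 12    # short labels cannot reach high entropy anyway


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain):
    """Label immediately left of the TLD (simplification: no public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain):
    """Return the reasons a queried domain deserves analyst attention (empty = none)."""
    reasons = []
    d = domain.lower().rstrip(".")
    if any(d == s or d.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns")
    label = registrable_label(d)
    if len(label) >= MIN_LABEL_LENGTH and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy-label")
    return reasons


# Constructed resolver-log queries: one normal, one DGA-looking, one dynamic DNS.
SAMPLE_QUERIES = ["mail.corp.example", "xk3q9vz2pw7mhd4b.example", "host.ddns.example"]


def triage_queries(queries):
    """Map each flagged domain to its reasons; clean domains are omitted."""
    return {q: classify_domain(q) for q in queries if classify_domain(q)}


# Constructed firewall log: "<ts> <src_ip> <dst_ip> <dst_port> <proto>"
FIREWALL_LOG = """\
2016-10-01T09:00:00Z 10.1.1.25 10.1.0.53 53 udp
2016-10-01T09:00:02Z 10.1.0.53 198.51.100.53 53 udp
2016-10-01T09:00:05Z 10.1.1.40 198.51.100.53 53 udp
2016-10-01T09:00:07Z 10.1.1.26 203.0.113.80 443 tcp
"""
CORPORATE_RESOLVERS = {"10.1.0.53", "10.1.0.54"}


def uncontrolled_resolutions(log_text, resolvers=CORPORATE_RESOLVERS):
    """Find DNS traffic from endpoints that did not go through corporate resolvers.

    The resolvers themselves may forward externally; any other host sending to
    port 53 outside the approved set is bypassing the corporate infrastructure.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        if port == "53" and src not in resolvers and dst not in resolvers:
            hits.append({"ts": ts, "src": src, "dst": dst, "proto": proto})
    return hits


if __name__ == "__main__":
    print(triage_queries(SAMPLE_QUERIES))
    print(uncontrolled_resolutions(FIREWALL_LOG))
```

Entropy alone also flags legitimate CDN and tracking hostnames, so the label check is a stacking input for analyst review rather than a standalone alert.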
Thinking Ahead
"The one with the power to vanquish the Dark Lord approaches..."
— Sybill Trelawney
Ensuring Successful Outcomes
• Goals
• Reduce attack surface
• Harden the environment
• Improve detection and monitoring
• Don't bother hunting without using the outputs!
• Lessons Learned / AAR
• Feedback loop on IR processes
• Create new or improve existing detections
• Metrics
• Cannot improve what is not measured
• The absence of something is still something
• Most metrics will trend upwards before they come down
• 'Time to Detect' and other metrics will trend downward over time
Hunt Methodology: From Art to Science
Begin evolution from intuitive art to a more rigorously structured science
Show of Hands...
Resources
FireEye Threat Analytics Platform: Hunting at Scale
https://www.fireeye.com/products/threat-analytics-platform.html
MITRE: Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org
The Threat Hunting Project: Compendium of useful resources
http://www.threathunting.net
Loggly: Helpful logging guidelines
https://www.loggly.com/intro-to-log-management
Security Onion: Peel back the layers of your network
https://securityonion.net
Happy Hunting!

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

Hunting: Defense Against The Dark Arts v2

  • 11. Hunting + IR → Detection Maturation
    [Diagram: HUNT, SOC, DETECT and IR arranged around the USE CASE; outcomes labelled Evil, Non-Evil, Risk]
    • Ongoing Hunt Missions feed Incident Response activities
    • IR outcomes affect SecOps
    • Lessons Learned incorporated into SecOps
    • Detection capability improvement
  • 12. What is a Use Case?
    • Discrete objectives and processes used to solve mission problems and guide thinking
    • Can be simple or complex
    • Helps to identify data / capability requirements and gaps
    • Aligned to an attacker lifecycle: Kill Chain or ATT&CK
    • Contains internal TTP used to achieve the Use Case objectives
      • Data – What should we collect to detect EOI?
      • Tools – What can we use to handle our data?
      • Logic – How can we best leverage both our data and tools?
  • 13. EOI, Incidents, and Use Cases
    [Diagram relating Incident, Events of Interest and Detection Use Case]
    Events of Interest, ex.:
    1. $Endpoint1 seen making DNS requests for known bad domain
    2. HTTP proxy sees $Endpoint1 requesting binary with unknown MD5
    3. Network logs show periodic suspicious communications from $Endpoint1 to multiple new hosts in unlikely countries
    4. Can you think of more examples?
  • 14. Use Case Design Tree: Objective (diagram)
  • 15. Use Case Design Tree: Tools & Capabilities (diagram)
  • 16. Hunt Mission Outcomes
    No Detection
      • Benefit: Activity shown not to be present
      • Next Step: Evaluate hunt mission effectiveness
    Detection: Non-Malicious
      • Benefits: Activity shown to be present; hunt mission effectiveness validated; identify best practice / compliance issues
      • Next Step: Escalate as appropriate, monitor to closure
    Detection: Malicious
      • Benefits: Activity shown to be present; hunt mission effectiveness validated; identify security incidents
      • Next Step: Escalate as appropriate, monitor to closure
  • 17. Sorting Out Your Data
    "Not Slytherin, eh? Are you sure? You could be great, you know."
  • 18. Data Sources (grouped on the slide under Security, Network, Endpoint, IT, Threat Intel, HR)
    - Remote Access
    - Web Proxy
    - IDS / IPS
    - Email
    - WAF
    - DNS
    - DHCP
    - NetFlow
    - Firewall
    - Router / Switch
    - Wireless Infrastructure
    - Agents
    - Antivirus
    - Operating Systems
    - Active Directory
    - File, Print, Database
    - Other Services
    - External Feeds - Paid, Free, OSINT
    - Internal Feeds - Recon Data, Threat/Risk Models, IR Lessons Learned
    - Critical Asset Inventory
    - Identity & Access Management (IAM)
    - Scheduled Service Interruptions
    - Terminated Users
    - Acceptable Use Policy
    - Employee Work Hours
    - Physical Access Logs
  • 19. Two Types of Events
    1. Observed → Originated from a device that handled the event in some way
    2. Synthetic → Generated through automated analysis of event data
  • 20. What is the Right Data?
    • Original source data wherever possible
    • Ensure the presence of important metadata
    • Generally, observed events > synthetic events
    • Synthetic events can provide useful context in the form of analytics
    • Logs must enable pivoting
      • Minimum: one extractable / consistent data point to correlate log sources
  • 21. Ready the Spells!
    • Understand the network
    • Learn critical assets
    • Develop enterprise logging strategy
      • Ensure data sources use consistent time settings; implement NTP, use GMT (or UTC)
    • Plug in to asset, change, and configuration management processes
    • Account for other organizational use cases
      • IT Operations
      • Forensics / Incident Response
      • Compliance / Audit
    • Clean up the hunt dataset
      • Normalization
      • De-duplication
      • Parsing
    • Enrich and contextualize the dataset...!
  • 22. Event Enrichment
    • Internally-sourced Intelligence
      • Attack Trees
      • Red Team / Penetration test output
      • TTPs from previous incidents
      • Deviances from baselines / expected behavior
      • Organizational risk profile / threat context
    • Externally-sourced Intelligence
      • Paid subscriptions
      • OSINT
        • Free feeds
        • Passive DNS, WHOIS, etc.
        • Geographical data
        • ISAC, Infragard, etc.
    • Context
      • Environmental: refer to the "Data Sources" slide
      • Previous hunt and IR output
      • Malware analysis
    • Analytics, ex.:
      • Geo-infeasibility
      • Beacon detection
      • DNS entropy
      • Data exfiltration
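The beacon-detection analytic listed above (the "periodic suspicious communications from $Endpoint1" event of interest on slide 13 is the same pattern) as an added example; this is not code from the talk. It stacks constructed NetFlow-style records by source, destination and port and flags pairs whose inter-arrival times are nearly constant. The flow records, addresses, the 5-flow minimum and the 10% coefficient-of-variation threshold are all constructed assumptions.

```python
"""Beacon detection over NetFlow-style records (added example, not from the talk)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dst port). The 10.0.0.5
# flows recur every ~300 s with small jitter (beacon-like); the 10.0.0.8 flows
# are irregular, as interactive browsing tends to be. Addresses are from
# documentation ranges and carry no meaning.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443),
    (301, "10.0.0.5", "203.0.113.7", 443),
    (599, "10.0.0.5", "203.0.113.7", 443),
    (902, "10.0.0.5", "203.0.113.7", 443),
    (1198, "10.0.0.5", "203.0.113.7", 443),
    (1501, "10.0.0.5", "203.0.113.7", 443),
    (12, "10.0.0.8", "198.51.100.2", 443),
    (45, "10.0.0.8", "198.51.100.2", 443),
    (530, "10.0.0.8", "198.51.100.2", 443),
    (610, "10.0.0.8", "198.51.100.2", 443),
    (1890, "10.0.0.8", "198.51.100.2", 443),
    (1901, "10.0.0.8", "198.51.100.2", 443),
]


def interarrival_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) between sorted
    timestamps, or None when fewer than two gaps exist or the mean gap is 0."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(flows, min_flows=5, max_cv=0.1):
    """Stack flows by (src, dst, port) and flag pairs whose inter-arrival
    times are nearly constant. Returns {(src, dst, port): (period_s, cv)}.
    min_flows and max_cv are constructed starting thresholds; real beacons
    often add jitter, so max_cv is tuned against the environment's baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stats = interarrival_stats(stamps)
        if stats is not None and stats[1] <= max_cv:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for (src, dst, port), (period, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every ~{period:.0f}s (cv={cv:.3f})")
```

The output is a synthetic event in the slide's terms: it exists only because the observed flows were analysed, so it is a pivot point for the analyst, not proof of compromise.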
  • 23. Tools of the Trade
    "It is important to fight, and fight again, and keep fighting, for only then could evil be kept at bay, though never quite eradicated" — Albus Dumbledore
  • 24. Criteria for a Working Hunt Platform
    • Rapid search with high quality UI and / or API
    • Stacking
      • Group and reduce the dataset to more easily identify outliers
      • Improves feasibility of analyzing large environments
    • Pivoting
      • Move laterally through the dataset
      • See the whole picture
    • Nice to Have
      • Tagging and Enrichments
      • Intelligence Integration Support
      • Automation: Rules & Alerting
  • 25. All About The Galleons
    • Budget!
      • Driven by Operational Requirements
      • Tool/Vendor Selection Process
      • Evaluation Success Criteria
      • Multiple Tools: Diverse Perspectives
    • Free and Open Source Software!
      • NXLog
      • Sysmon
      • Moloch
      • Wireshark
      • Bro Network Security Monitor
      • ELK Stack (ElasticSearch, Logstash, Kibana)
      • Security Onion Linux Distribution – Da Real MVP
      + a bunch of other stuff not listed here...
  • 27. Sample Hypotheses to Drive Hunt Missions
    1. Sensitive corporate data stored only in approved locations
    2. Large or extended outbound data transfers meet business needs
    3. Reconnaissance activities against DMZ hosts provide advance warning of pending malicious activity
    4. VPN logins by users are geographically feasible
    5. Domain controller baselines are simple and deviations rarely occur
    6. Service credentials are used only in expected ways and for their appropriate services
    7. Web proxies are appropriately configured to block suspicious traffic
    8. Services communicate using secure, encrypted protocols
    9. Tunneling HTTP traffic and other proxy avoidance techniques are not allowed in or out of our network
    10. The use of management tools (such as PSExec) occurs only within approved change windows
    11. Endpoints are not added to the network without infosec visibility
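Hypothesis 4 (VPN logins are geographically feasible) checked with the geo-infeasibility analytic from slide 22, as an added example that is not part of the talk: consecutive logins per user are compared by great-circle distance and the travel speed that distance would imply. The login records, coordinates and the 1000 km/h threshold are constructed assumptions; in practice the records come from the VPN concentrator and the coordinates from a GeoIP lookup.

```python
"""Geo-infeasibility check over constructed VPN login records (added example)."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner speed

# Constructed login records: (epoch seconds, user, source country, lat, lon).
# alice moves San Francisco -> Los Angeles in 2 h (feasible);
# bob "moves" New York -> Bucharest in 30 min (not feasible).
SAMPLE_LOGINS = [
    (0, "alice", "US", 37.77, -122.42),
    (7200, "alice", "US", 34.05, -118.24),
    (0, "bob", "US", 40.71, -74.01),
    (1800, "bob", "RO", 44.43, 26.10),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def infeasible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Walk each user's logins in time order and flag consecutive pairs whose
    implied speed exceeds max_kmh. Returns a list of
    (user, from_country, to_country, km, implied_kmh), rounded for display."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec[1]].append(rec)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r[0])
        for prev, cur in zip(recs, recs[1:]):
            dt_h = (cur[0] - prev[0]) / 3600.0
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if dt_h <= 0:
                # Same-second logins from two distant places are also infeasible.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / dt_h
            if speed > max_kmh:
                findings.append((user, prev[2], cur[2], round(km), round(speed)))
    return findings


if __name__ == "__main__":
    for user, src, dst, km, kmh in infeasible_travel(SAMPLE_LOGINS):
        print(f"{user}: {src} -> {dst}, {km} km implies {kmh} km/h")
```

Shared VPN egress points, mobile carriers and GeoIP drift all produce false positives, so the hit is a lead for pivoting into the user's other activity rather than an incident by itself.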
  • 28. More Data, More Problems
    "Dobby is... free."
  • 29. Evil vs. Ways for Evil to do Evil Things
  • 30. 1. Remote Access
    Hypothesis: Remote access to our environment is conducted using approved means
    Discovery:
    • Remote access is occurring over multiple protocols to / from unapproved hosts
      • VNC to / from production network
      • RDP to domain controllers from DMZ
    • Evidence of unapproved remote access utilities such as LogMeIn, GoToMyPC, etc.
    Recommendation:
    • Evaluate unapproved connections for mitigation or for risk acceptance
    • Ensure that risk-accepted software is fully patched and up to date
    • Implement strong encryption, jump boxes / VPN ACLs, and two-factor authentication where possible
  • 31. 2. Data Storage
    Hypothesis: Corporate data is only stored in approved locations
    Discovery:
    • Sensitive corporate data stored on unencrypted and infected external media
    • Unrestricted use of common cloud data storage providers
    • Unmanaged source code repositories (intellectual property)
    Recommendation:
    • Evaluate DLP implementation and allowed web proxy categories
    • Consider establishing a formalized agreement with a cloud storage provider
    • Bring unmanaged data stores under management in support of development teams
  • 32. 3. Proxy Infrastructure
    Hypothesis: Our proxy infrastructure is properly configured
    Discovery:
    • Not blocking known malicious categories
    • Not blocking executable downloads
    • Proxies not logging all necessary protocol metadata
      • Ex. User-Agent, status code, byte counts, X-Forwarded-For, etc.
    Recommendation:
    • Validate security operations' requirements of proxy infrastructure
    • Re-evaluate proxy configurations for appropriate changes
    • Ensure security operations are looped in to the change management process
  • 33. 4. Approved Protocols
    Hypothesis: Protocols transiting our network are secure and approved for use
    Discovery:
    • Various insecure protocols identified in use across the network
      • Unencrypted: Telnet, FTP
      • Deprecated: SNMP v2, cleartext SMTP
      • Risky: IRC, TOR / i2p
    Recommendation:
    • Identify opportunities to deploy secured versions of protocols
      • FTP → SFTP
      • Telnet → SSH
      • SNMP v2 → SNMP v3, etc.
    • Evaluate implementation of risk detection and mitigation strategies
  • 34. 5. Approved Clients
    Hypothesis: Internet access is achieved using known and approved client software
    Discovery:
    • Suspicious user-agents identified, indicating potential latent infections
    • Extremely out-of-date software, including client browsers, Flash, and Java
    Recommendation:
    • Begin incident response procedures to evaluate and triage endpoints
    • Evaluate consistency of patch and vulnerability management processes
  • 35. 6. Privilege Management
    Hypothesis: Account management is rooted in best practice
    Discovery:
    • Service accounts used for unrelated purposes or shared by users
    • Regular and privileged users with non-specific accounts
    • Direct privileged logins without approved privilege escalation process (e.g. sudo)
    • Suspicious usernames that do not conform to the organizational standard
    • User account belonging to terminated user active on the network
    Recommendation:
    • Evaluate suspicious or ambiguous accounts for mitigation or for risk acceptance
    • Ensure security operations are tied into the HR termination workflow
    • Update organizational username standard and privilege management processes
  • 36. 7. Security Architecture
    Hypothesis: Event logs provide information needed to validate control effectiveness
    Discovery:
    • Non-security-specific appliances with disabled security functionality
      • Ex. Cisco ASA scan detection disabled
    • Security-specific appliances improperly placed
      • Bro NSM placed post-proxy, post-NAT
    Recommendation:
    • Evaluate IT systems for security value (non-traditional security appliances)
      • Ex. Network devices
    • Modify configuration and placement of systems to meet requirements
  • 37. 8. Process Execution
    Hypothesis: Endpoints only execute processes required for business functions
    Discovery:
    • Obfuscated PowerShell execution
    • Mimikatz and other persistence toolkit execution
    • Suspicious filenames/paths/registry entries, etc.
    • Users installing browser toolbars and miscellaneous adware/spyware
    Recommendation:
    • Call the IR Team :)
    • Adjust detections / controls to rapidly detect and prevent future occurrences
  • 38. 9. DNS
    Hypothesis: DNS resolutions occur within the bounds of best practices
    Discovery:
    • "Weird" protocol deviations / padded packets suggesting exfil or C&C
    • Uncontrolled resolutions that are not forced through corporate infrastructure
    • Resolutions for unusual or risky domains
      • Ex. Dynamic DNS domains, domains appearing to be algorithmically generated
    • Initial resolutions for suspicious domains + subsequent unusual communication
    Recommendation:
    • Harden organizational DNS infrastructure
      • Ex. Implement DNSSEC, prevent zone transfers, etc.
    • Configure perimeter devices to only accept DNS requests from corporate DNS
    • Implement protocol anomaly detection to identify protocol misuse
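Stacking (slide 24) and the DNS entropy analytic (slide 22) applied to the "domains appearing to be algorithmically generated" discovery above, as an added example that is not part of the talk: queried names are stacked by how many distinct clients asked for them, then the leftmost label of rarely-seen names is scored with Shannon entropy. The query log, the two random-looking names and the thresholds are constructed; none of them are real indicators.

```python
"""Stack DNS queries and score rare names by label entropy (added example)."""
from collections import Counter, defaultdict
from math import log2

# Constructed DNS query log: (client IP, queried name). The two long random
# labels under example.org are made up to resemble algorithmically generated
# names; nothing here is a real indicator.
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.6", "www.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.5", "mail.example.net"),
    ("10.0.0.6", "mail.example.net"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.9", "x7k2q9v3wz1pl8rt.example.org"),
    ("10.0.0.9", "b4hz0qm6c2yw8sdk.example.org"),
]


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def stack_by_clients(records):
    """Stacking: reduce the log to one row per name with the number of distinct
    clients that queried it, rarest first. Common names sink to the bottom."""
    clients = defaultdict(set)
    for client, name in records:
        clients[name.lower().rstrip(".")].add(client)
    return sorted((len(ips), name) for name, ips in clients.items())


def suspicious_names(records, max_clients=1, min_len=12, min_entropy=3.5):
    """Return [(name, entropy)] for names seen from few clients whose leftmost
    label is long and high-entropy, sorted by entropy then name.
    The thresholds are constructed starting points, not tuned values."""
    hits = []
    for n_clients, name in stack_by_clients(records):
        if n_clients > max_clients:
            continue
        label = name.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= min_entropy:
            hits.append((name, ent))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for count, name in stack_by_clients(SAMPLE_DNS):
        print(f"{count:3d}  {name}")
    for name, ent in suspicious_names(SAMPLE_DNS):
        print(f"SUSPECT {name} (label entropy {ent:.2f} bits)")
```

CDN hostnames and cloud storage buckets also have long high-entropy labels, so the stacked count is what keeps the list short: a name every client resolves is rarely the one worth pivoting on.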
  • 39. Thinking Ahead
    "The one with the power to vanquish the Dark Lord approaches..." — Sybill Trelawney
  • 40. Ensuring Successful Outcomes
    • Goals
      • Reduce attack surface
      • Harden the environment
      • Improve detection and monitoring
    • Don't bother hunting without using the outputs!
      • Lessons Learned / AAR
      • Feedback loop on IR processes
      • Create new or improve existing detections
    • Metrics
      • Cannot improve what is not measured
      • The absence of something is still something
      • Most metrics will trend upwards before they come down
      • 'Time to Detect' and other metrics will trend downward over time
  • 41. Hunt Methodology: From Art to Science
    Begin evolution from intuitive art to a more rigorously structured science
  • 43. Resources
    FireEye Threat Analytics Platform: Hunting at Scale - https://www.fireeye.com/products/threat-analytics-platform.html
    MITRE: Adversarial Tactics, Techniques & Common Knowledge - https://attack.mitre.org
    The Threat Hunting Project: Compendium of useful resources - http://www.threathunting.net
    Loggly: Helpful logging guidelines - https://www.loggly.com/intro-to-log-management
    Security Onion: Peel back the layers of your network - https://securityonion.net