Cybereason, profile picture
Uploaded byCybereason
PDF, PPTX2,784 views

Maturing your threat hunting program

This document discusses maturing a threat hunting program. It provides an overview of threat hunting, including defining the process as proactively discovering undesirable activity to elicit a positive outcome. It reviews the hunting process of having a motivation/hypothesis, collecting data, using tools for analysis, and achieving outcomes. It then discusses how hunting outcomes can improve an incident response process by providing detections, new collection techniques, and prevention capabilities. The document dives deeper into expanded hunting of PowerShell techniques like file-less execution, persistence, network communications, and provides examples of how hunting could escalate incidents or enable prevention controls related to PowerShell.

Technology
Related topics:
Threat Hunting

Embed presentation

Download as PDF, PPTX
Total Endpoint Protection: #1 in EDR & Next-Gen AV Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
Total Endpoint Protection: #1 in EDR & Next-Gen AV Who Am I? Jayson Wehrend Senior Sales Engineer, Cybereason Former Tech Consultant, RSA
Total Endpoint Protection: #1 in EDR & Next-Gen AV Why We’re Here Today o Quick hunting refresher o I’m hunting! Now what? o Giving back & process integration o Expanded PowerShell use case
Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: HUNTING DEFINED. The process of proactively discovering undesirable activity to illicit a positive outcome.
Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: WHY? Prepare? It’s very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for the bad to happen, then have to react to fix. Fix stuff? Especially before it breaks!
Total Endpoint Protection: #1 in EDR & Next-Gen AV Time to Change. Intelligence is the ability to adapt to change. -- Stephen Hawking
Total Endpoint Protection: #1 in EDR & Next-Gen AV The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation
Total Endpoint Protection: #1 in EDR & Next-Gen AV I’m Hunting! Now What? o We’re Giving Back! – Incidents – Detection improvements / new collection techniques – Prevention with confidence – Improve response / triage – Configuration management / compliance / audit
Total Endpoint Protection: #1 in EDR & Next-Gen AV Incident Response Process Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent
Total Endpoint Protection: #1 in EDR & Next-Gen AV Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Incident Response Process Hunting Process Use blind spots/gaps as sources of motivation + hypothesis High fidelity detections Escalated incident New data collection & analysis techniques improve triage & response SOPs
Total Endpoint Protection: #1 in EDR & Next-Gen AV Hunting: A Deeper Dive o Previous outcomes create new motivation + hypothesis’ o Introducing new datasets to expand previous outcomes o Data stacking becomes more crucial to the journey to analysis/data science
Total Endpoint Protection: #1 in EDR & Next-Gen AV EXPANDED HUNTING: POWERSHELL
Total Endpoint Protection: #1 in EDR & Next-Gen AV File-less Techniques PowerShell Process Execution Persistence Network Comms Service Registry Hidden Obfuscated Encoded Download Commands Shellcode DLL Execution Parent/child Profiling Int2Ext Profiling DNS Queries Service = commandline:powershell or .ps* Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine:DownloadFile|IWE|Invoke-WebRequest|IRM|Invoke- RestMethod|DownloadString|BITS commandLine:dllimport| virtualalloc Parent:wscript|mshta|M SOffice|Browser|WMI* Connections à Filter:isExternalConnection:True URL: .ps* DNS Query: TXT C2 DNS Query: Received vs. Transmitted Ratios
Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Incident Escalation o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload o Incident 2: Remote .ps file execution / invoking shellcode o Incident 3: Mismatched Services – Adversarial use of .ps o Incident 4: Data Exfil – Powershell BITSTransfer
Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Prevention o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes o Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe o Anchor PowerShell scripts to a specific server directories, block .ps* from running directly on a system o Use endpoint firewall to prevent PowerShell.exe from connecting to non- approved Ips o Block “Bypass” “Hidden” “Download String” “WebClient” “DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user o See #2 for allowing valid applications
Total Endpoint Protection: #1 in EDR & Next-Gen AV Thank you! Questions? jayson.wehrend@cybereason.com @cybereason

More Related Content

PDF
The Cyber Attack Lifecycle
byCybereason
 
PDF
Protecting the manufacturing industry
byCybereason
 
PDF
The attack lifecycle. Cybereason can help you answer: Are you under attack?
byCybereason
 
PPTX
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
byF _
 
PDF
Deception Technology: Use Cases & Implementation Approaches
byPriyanka Aash
 
PDF
Protecting the healthcare industry
byCybereason
 
PDF
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
byCybereason
 
PPTX
Purple team is awesome
bySumedt Jitpukdebodin
 
The Cyber Attack Lifecycle
byCybereason
 
Protecting the manufacturing industry
byCybereason
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
byCybereason
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
byF _
 
Deception Technology: Use Cases & Implementation Approaches
byPriyanka Aash
 
Protecting the healthcare industry
byCybereason
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
byCybereason
 
Purple team is awesome
bySumedt Jitpukdebodin
 

What's hot

PPTX
Pen Testing Explained
byRand W. Hirt
 
PPTX
Advanced persistent threat (apt)
bymmubashirkhan
 
PDF
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
byRoger Johnston
 
PDF
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
byMITRE - ATT&CKcon
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
PDF
2019 FRSecure CISSP Mentor Program: Class Nine
byFRSecure
 
PDF
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
byMITRE - ATT&CKcon
 
PPT
Sp Security 101 Primer 2 1
byBarry Greene
 
PPTX
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
bybeltface
 
PDF
FRSecure 2018 CISSP Mentor Program Session 10
byFRSecure
 
PPTX
Worst-Case Scenario: Being Detected without Knowing You are Detected
byAshwini Almad
 
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
byHITCON GIRLS
 
PPTX
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
byFRSecure
 
PDF
2018 FRSecure CISSP Mentor Program Session 8
byFRSecure
 
PPTX
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
byFRSecure
 
PDF
2018 CISSP Mentor Program Session 3
byFRSecure
 
PPTX
Extracting the Malware Signal from Internet Noise
byAshwini Almad
 
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
byHITCON GIRLS
 
PDF
2018 CISSP Mentor Program- Session 6
byFRSecure
 
PDF
2019 FRecure CISSP Mentor Program: Session Two
byFRSecure
 
Pen Testing Explained
byRand W. Hirt
 
Advanced persistent threat (apt)
bymmubashirkhan
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
byRoger Johnston
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
byMITRE - ATT&CKcon
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
2019 FRSecure CISSP Mentor Program: Class Nine
byFRSecure
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
byMITRE - ATT&CKcon
 
Sp Security 101 Primer 2 1
byBarry Greene
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
bybeltface
 
FRSecure 2018 CISSP Mentor Program Session 10
byFRSecure
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
byAshwini Almad
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
byHITCON GIRLS
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
byFRSecure
 
2018 FRSecure CISSP Mentor Program Session 8
byFRSecure
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
byFRSecure
 
2018 CISSP Mentor Program Session 3
byFRSecure
 
Extracting the Malware Signal from Internet Noise
byAshwini Almad
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
byHITCON GIRLS
 
2018 CISSP Mentor Program- Session 6
byFRSecure
 
2019 FRecure CISSP Mentor Program: Session Two
byFRSecure
 

Similar to Maturing your threat hunting program

PPTX
panw-cortex-xdr-customer-presentation.pptx
byduyanhNguyen70
 
PPTX
Threat hunting in cyber world
byAkash Sarode
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PDF
Cyber Threat Hunting Workshop.pdf
byssuser4237d4
 
PDF
Cyber Threat Hunting Workshop.pdf
byssuser4237d4
 
PPTX
The state of endpoint defense in 2021
byAdrian Sanabria
 
PPTX
What is Threat Hunting? - Panda Security
byPanda Security
 
PDF
huntpedia.pdf
byCecilSu
 
PDF
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
PDF
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
byNorth Texas Chapter of the ISSA
 
PPTX
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
PPTX
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
byChristopher Gerritz
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PDF
endpoint-detection-and-response-datasheet.pdf
byOlufemi37
 
PDF
Threat Hunting 102: Beyond the Basics
byCybereason
 
PDF
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
byKaspersky
 
PDF
The Importance of EDR Security in Modern Cyber Defense
bySEQRITE
 
PDF
You Can't Stop The Breach Without Prevention And Detection
byCrowdStrike
 
PPTX
The Case for EDR: What's In Your Toolkit
byDawn Yankeelov
 
PPTX
Hunting before a Known Incident
byEndgameInc
 
panw-cortex-xdr-customer-presentation.pptx
byduyanhNguyen70
 
Threat hunting in cyber world
byAkash Sarode
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Cyber Threat Hunting Workshop.pdf
byssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
byssuser4237d4
 
The state of endpoint defense in 2021
byAdrian Sanabria
 
What is Threat Hunting? - Panda Security
byPanda Security
 
huntpedia.pdf
byCecilSu
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
byNorth Texas Chapter of the ISSA
 
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
byChristopher Gerritz
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
endpoint-detection-and-response-datasheet.pdf
byOlufemi37
 
Threat Hunting 102: Beyond the Basics
byCybereason
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
byKaspersky
 
The Importance of EDR Security in Modern Cyber Defense
bySEQRITE
 
You Can't Stop The Breach Without Prevention And Detection
byCrowdStrike
 
The Case for EDR: What's In Your Toolkit
byDawn Yankeelov
 
Hunting before a Known Incident
byEndgameInc
 

More from Cybereason

PDF
Some PowerShell Goodies
byCybereason
 
PDF
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
byCybereason
 
PDF
Antifragile Cyber Defense
byCybereason
 
PDF
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
byCybereason
 
PDF
Ransomware is Coming to a Desktop Near You
byCybereason
 
PDF
Protecting the financial services industry
byCybereason
 
PDF
An Introduction to the Agile SoC
byCybereason
 
Some PowerShell Goodies
byCybereason
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
byCybereason
 
Antifragile Cyber Defense
byCybereason
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
byCybereason
 
Ransomware is Coming to a Desktop Near You
byCybereason
 
Protecting the financial services industry
byCybereason
 
An Introduction to the Agile SoC
byCybereason
 

Recently uploaded

PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PPTX
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PDF
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
PPTX
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PDF
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
DOCX
Mathematical reviewer gor mmw in theofern
byyeojlevantinojesalva
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Mathematical reviewer gor mmw in theofern
byyeojlevantinojesalva
 

Maturing your threat hunting program

  • 1.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
  • 2.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Who Am I? Jayson Wehrend Senior Sales Engineer, Cybereason Former Tech Consultant, RSA
  • 3.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Why We’re Here Today o Quick hunting refresher o I’m hunting! Now what? o Giving back & process integration o Expanded PowerShell use case
  • 4.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV REFRESHER: HUNTING DEFINED. The process of proactively discovering undesirable activity to illicit a positive outcome.
  • 5.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV REFRESHER: WHY? Prepare? It’s very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for the bad to happen, then have to react to fix. Fix stuff? Especially before it breaks!
  • 6.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Time to Change. Intelligence is the ability to adapt to change. -- Stephen Hawking
  • 7.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation
  • 8.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV I’m Hunting! Now What? o We’re Giving Back! – Incidents – Detection improvements / new collection techniques – Prevention with confidence – Improve response / triage – Configuration management / compliance / audit
  • 9.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Incident Response Process Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent
  • 10.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Incident Response Process Hunting Process Use blind spots/gaps as sources of motivation + hypothesis High fidelity detections Escalated incident New data collection & analysis techniques improve triage & response SOPs
  • 11.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Hunting: A Deeper Dive o Previous outcomes create new motivation + hypothesis’ o Introducing new datasets to expand previous outcomes o Data stacking becomes more crucial to the journey to analysis/data science
  • 12.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV EXPANDED HUNTING: POWERSHELL
  • 13.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV File-less Techniques PowerShell Process Execution Persistence Network Comms Service Registry Hidden Obfuscated Encoded Download Commands Shellcode DLL Execution Parent/child Profiling Int2Ext Profiling DNS Queries Service = commandline:powershell or .ps* Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine:DownloadFile|IWE|Invoke-WebRequest|IRM|Invoke- RestMethod|DownloadString|BITS commandLine:dllimport| virtualalloc Parent:wscript|mshta|M SOffice|Browser|WMI* Connections à Filter:isExternalConnection:True URL: .ps* DNS Query: TXT C2 DNS Query: Received vs. Transmitted Ratios
  • 14.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Giving Back…Incident Escalation o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload o Incident 2: Remote .ps file execution / invoking shellcode o Incident 3: Mismatched Services – Adversarial use of .ps o Incident 4: Data Exfil – Powershell BITSTransfer
  • 15.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Giving Back…Prevention o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes o Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe o Anchor PowerShell scripts to a specific server directories, block .ps* from running directly on a system o Use endpoint firewall to prevent PowerShell.exe from connecting to non- approved Ips o Block “Bypass” “Hidden” “Download String” “WebClient” “DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user o See #2 for allowing valid applications
  • 16.
    Total Endpoint Protection:#1 in EDR & Next-Gen AV Thank you! Questions? jayson.wehrend@cybereason.com @cybereason