(SACON) Wasim Halani - OSINT threat hunting

THREAT HUNTING
USING OPEN-SOURCE TECHNOLOGY (ELASTIC STACK)
15/02/2019NETWORK INTELLIGENCE INDIA PVT. LTD. | SECURITY ARCHITECTURE CONFERENCE (SACON), 2019 1
SACON 2019

ABOUT ME
NETWORK INTELLIGENCE INDIA PVT. LTD. | SECURITY ARCHITECTURE CONFERENCE (SACON), 2019 15/02/2019 2
Head of Research
and Development
@ Network
Intelligence
Been part of the
infosec community
for 10+ years
Ex-Null Mumbai
Moderator
Presented at
Bsides, Malcon, CSI,
OWASP,
SecurityBytes
@washalsec
wasim.halani@

ABOUT NETWORK INTELLIGENCE
¡ Global cybersecurity provider founded in 2001
¡ More than 550 team members and 8 offices across the globe
¡ Offer services across 5 broad spectrums
¡ Assessment
¡ GRC
¡ Professional Services
¡ MSSP
¡ Cybersecurity Trainings.
We believe that cybersecurity is not a destination, it is a journey and we partner with our clients to address the dynamic cybersecurity threat landscape.

WHAT?
Threat Hunting is the use of traditional and non-
traditional techniques to proactively look for
evidence of an attack taking place within the
network.
NETWORK INTELLIGENCE INDIA PVT. LTD. | SECURITY ARCHITECTURE CONFERENCE (SACON), 2019 415/02/2019

WHAT?
¡ A different Perspective (of looking at logs) and Approach (to analyzing logs)
¡ Asking questions:
¡ Did it happen?
¡ How did it happen?
¡ When did it happen?
¡ Where all did it occur?

WHY?
¡ The annualVerizon Data Breach Report 2018 68% breaches took months or longer to
discover
¡ Which means, organizations investing millions in cyber-security are not detecting attacks on
time
¡ Traditional SIEM/SOC setups are geared more towards standard use cases
¡ Compliance monitoring
¡ Change monitoring
¡ Firewall changes
¡ Operational activities
¡ Network interface up/down

DIFFERENCES AND OVERLAPS
Security
Monitoring
Incident
Response
Threat
Hunting
Search queries, hi-fi rules,TI
Event investigation, IOC extraction,
retro-search

HOW?
Threat
Hunting
People
Skills
Tools
Data
¡ Requires management support and the dedicated
people for the job
¡ Skills define the hunters ability to ask right questions
¡ Tools provide ability to query and interact with the
data
¡ Data sources provide visibility
¡ You need the right data
¡ You need to know your data

THREAT HUNTING APPROACHES
¡ Structured
¡ Hypothesis driven
¡ Unstructured
¡ Anomaly and pattern driven
¡ Hypothesis: a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.

BELK ELASTIC STACK PRIMER
ELASTICSEARCH, LOGSTASH, KIBANA, BEATS

WHY ELASTIC?
¡ Why not!?
¡ Open-source engine
¡ Scalable cluster
¡ Great visualization capabilities - #secviz
¡ Fast search and analytics
Remember, it’s not about the tool, but how you use it

STACK OVERVIEW
¡ Beats
¡ Log shippers - Windows events, System status, Network traffic
¡ Elasticsearch
¡ Data storage, search engine
¡ Logstash
¡ Log management component. Ingest, Process, Output
¡ Kibana
¡ Create visualizations and dashboards from data stored in Elasticsearch

ELK :ARCHITECTURE

ELASTICSEARCH
¡ Created by Shay Banon (~2010)
¡ Elasticsearch is a distributed NoSQL datastore, RESTful search and analytics engine
¡ Based on Apache Lucene
¡ Open-source search engine library
¡ API architecture
¡ Uses inverted index data-structure
Raw Data Stored Indexed Data
Blogpost ID Blog Tags Tags IDs
22 appsec appsec 501,340,22
340 netsec,appsec mobile 501
501 appsec, mobile netsec 340

IMPORTANT TERMS/CONCEPTS

NODES & CLUSTER
¡ A cluster is a collection of one or more nodes (servers) that together holds your entire data and provides
federated indexing and search capabilities across all nodes.
¡ A cluster is identified by a unique name which by default is "elasticsearch".
¡ A node is a single server that is part of your cluster, stores your data, and participates in the cluster’s indexing and
search capabilities.

INDEX & SHARDS
¡ An index is a collection of documents that have somewhat similar characteristics. E.g. customer data, product
catalog, order data
¡ An index is identified by a name (that must be all lowercase)
¡ There is no limit to how many documents you can store on each index
¡ Large Index size => Elasticsearch performance issues

DOCUMENTS
¡ A document is a basic unit of information that can be indexed. E.g. document for a single customer, another
document for a single product, and yet another for a single order.
¡ document is expressed in JSON
Sample document

FIELDS
¡ Fields are the smallest individual unit of data in Elasticsearch.
¡ Each field has a defined type and contains a single piece of data
¡ a Boolean
¡ string
¡ array expression
¡ A collection of fields are together a single Elasticsearch document.

LOGSTASH
¡ Integrated log management framework
¡ log collection
¡ centralization
¡ parsing
¡ storage
¡ Written in JRuby
¡ Runs in JVM
¡ Multiple input mechanism
¡ TCP/UDP
¡ Files
¡ Syslog

LOGSTASH: CONFIGURATION
¡ input {}
¡ filter {}
¡ output {}

LOGSTASH:
PLUGINS

IMPORTANT FILTER PLUGINS
¡ date
¡ mutate
¡ grok
¡ kv
¡ geoip
¡ metrics
¡ translate

UNDERSTANDING GROK
¡ Parse arbitrary text and structure it.
¡ parse crappy unstructured log data into something structured and query-able.
¡ Logstash ships with many patterns by default.You can find them here
¡ https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
¡ http://grokdebug.herokuapp.com
¡ http://grokconstructor.appspot.com/

GROK BASICS
¡ The syntax for a grok pattern is %{SYNTAX:SEMANTIC}
¡ The SYNTAX is the name of the pattern that will match your text.
¡ The SEMANTIC is the identifier you give to the piece of text being matched.
¡ 3.44
¡ SYNTAX: NUMBER || SEMANTIC: duration
¡ 1.3.44.55
¡ SYNTAX: IP || SEMANTIC: clientip
¡ GROK Filter
¡ %{NUMBER:duration} %{IP:client}

GROK EXAMPLE
¡ Log Event
¡ 55.3.244.1 GET /index.html 15824 0.043
¡ Grok Filter
¡ %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}

KIBANA
¡ Visualization platform
¡ Tightly integrated with Elasticsearch
¡ http://localhost:5601/app/kibana

FILEBEAT
¡ Lightweight file log shipper
¡ Basically does a ‘tail’ of the log file
¡ Automatically sends data appended in real-time

WINLOGBEAT
¡ Lightweight windows events shipper
¡ Automatically sends data appended in real-time
¡ Can filter specific event IDs

DEMO
• INGESTING LOGS
• CREATING
VISUALIZATIONS
• ANALYZING DATA

USE-CASE BUILDING

LET’S SEARCH
¡ Integrate with Threat Intelligence (IoC)
¡ “mimikatz.exe”
¡ Specific Hashes/Filenames/IP-addresses (not found in TI feed)

LET’S THINK PATTERNS
¡ Web Logs
¡ Too many HTTP 200 responses for same pages
¡ Too many HTTP 404 error messages from same IP but different pages
¡ DNS Logs
¡ Spike in NXDomain responses
¡ Firewall
¡ Multiple denied attempts from one machine against one/more machines on different ports

LET’S BUILD A HYPOTHESIS
¡ An attacker has compromised a machine using macro-based Powershell payload sent over email
¡ We need
¡ Endpoint logs
¡ Authentication
¡ Process execution
¡ Network connection
¡ Email gateway logs

LET’S BUILD A HYPOTHESIS
1. Filter for winword.exe processes in endpoint logs
2. Search for events with winword.exe as parent process and powershell.exe as child process
3. Trace back the to original CLI i.e. find the file which contained the payload
4. Identify the path – downloads or email or unknown (?)
1. If email temp folder then look in Exchange logs for other potential targets or payloads

MITRE FRAMEWORKS
¡ Enterprise ATT&CK Matrix
¡ CAR

THANKYOU!
CONTACT:
@WASHAL

(SACON) Wasim Halani - OSINT threat hunting

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to (SACON) Wasim Halani - OSINT threat hunting

Similar to (SACON) Wasim Halani - OSINT threat hunting (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

(SACON) Wasim Halani - OSINT threat hunting