From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we will demonstrate how to effectively employ the hunting methodology on the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
Sharpening your Threat-Hunting Program with ATT&CK Framework
1. Sharpening your Threat Hunting Program with ATT&CK Framework
Hieu Tran
Detection Team Lead | FPT Cybersecurity Division
2. INDEX
Sharpening your Threat Hunting Program with ATT&CK framework
01 Threat Hunting vs Threat Detection
02 Threat Hunting Methodology
03 MITRE ATT&CK - Threat Hunter Common Language
04 Case study
05 Key takeaways
06 Q&A
3. Human-driven (and assisted by tools) practice of searching iteratively through data to detect advanced threats that evade traditional security controls.
4. Threat Hunting vs Threat Detection
Threat Hunting
DEFINITION
• Proactive
• Humans find bad stuff with the help of machines
PROs
• Identifying detection gaps and creating new detections
CONs
• Needs security experts for searching, hunting, etc.
• Slow and expensive
Threat Detection
DEFINITION
• Reactive
• Automated with machines such as SIEM, IDS/IPS, AV, etc.
PROs
• Least expensive approach
CONs
• Likely to miss something (False Negatives)
• Too much time spent because of alert fatigue (False Positives)
6. NUMBERS TELL STORIES: GLOBAL DWELL TIME
It takes so long to detect bad guys inside your organization.
FireEye Mandiant M-Trends 2020 Special Report
7. Threat Hunting Methodology
1. Target: Scope the data sets that will be used in your investigation. Hunts can branch from various starting points.
2. Hunt: Proactively and iteratively search through network and endpoint data to detect and isolate advanced threats that evade more traditional security solutions.
3. Disrupt: Seamlessly pivot from hunting to forensic analysis, in order to disrupt adversaries before they fully execute their attacks. These analyses can also generate new indicators that can be fed into complementary security systems, creating a valuable security feedback loop.
10. Case Study: APT32
Threat Hunting and Incident Response against Cyber Espionage
Threat Actors: APT32 – OceanLotus/SeaLotus/CobaltKitty
Our customer's situation at the time:
• Large enterprise with a huge number of endpoints: ~1000 servers, 6000 workstations.
• Core services (Active Directory, Email Server, Antivirus Management) already compromised.
• Operations and security staff machines were compromised.
IT IS CHAOS
12. Based on what we found on compromised servers/workstations, we built our hypothesis:
• Gain Initial Access by using Spear Phishing to gather Valid (administrator) Accounts.
• Execute malicious payloads with Living-off-the-land Binary (LOLBIN) techniques.
• Maintain Persistence by installing a New Service or Registry Run Keys.
• Stay under the radar (Defense Evasion) by Software Packing, DLL Hijacking, File Deletion, etc.
• Discovery by Network Service Scanning and Brute Forcing using custom malware/scripts.
• C2 Communication using Commonly Used Ports (80, 443, 53).
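As an added example that is not from the talk, here is the persistence hypothesis above turned into a small hunt over constructed Windows telemetry (System log event 7045 for a newly installed service, Sysmon event 13 for a Run key value write), mapped to ATT&CK T1543.003 (Windows Service) and T1547.001 (Registry Run Keys). The event field names are a simplified schema of my own, and every host, path and SID is made up.

```python
# Added example, not the speaker's code. Field names are a simplified
# schema (assumption), not the real Windows/Sysmon event layout.
import re
from collections import defaultdict

# Constructed telemetry: two 7045 "service installed" records and one
# Sysmon 13 "registry value set" record. Hosts, SIDs and paths are made up.
EVENTS = [
    {"id": 7045, "host": "SRV01", "sid": "S-1-5-21-1-2-3-1105",
     "service": "WinUpdateSvc", "image": r"C:\Users\Public\svchost.exe"},
    {"id": 7045, "host": "WS22", "sid": "S-1-5-21-1-2-3-1105",
     "service": "Backup", "image": r"C:\Program Files\Vendor\backup.exe"},
    {"id": 13, "host": "WS22", "sid": "S-1-5-21-1-2-3-500",
     "key": r"HKU\S-1-5-21-1-2-3-500\Software\Microsoft\Windows\CurrentVersion\Run\ld",
     "value": r"rundll32.exe C:\ProgramData\x.dll,Start"},
]

# User-writable locations that a legitimate service rarely runs from.
SUSPICIOUS_PATH = re.compile(r"(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)
# LOLBINs the slide's execution hypothesis expects to see in autostart entries.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe"}


def hunt_persistence(events):
    """Return (technique, host, sid, detail) findings for the persistence hypothesis."""
    findings = []
    for e in events:
        if e["id"] == 7045 and SUSPICIOUS_PATH.search(e["image"]):
            findings.append(("T1543.003", e["host"], e["sid"], e["service"]))
        elif e["id"] == 13 and RUN_KEY.search(e["key"]):
            # First token of the value is the launched binary; strip its directory.
            binary = e["value"].split()[0].lower().rsplit("\\", 1)[-1]
            if binary in LOLBINS or SUSPICIOUS_PATH.search(e["value"]):
                findings.append(("T1547.001", e["host"], e["sid"], e["value"]))
    return findings


def sids_installing_services(findings):
    """Pivot: which accounts installed suspicious services, and on which hosts."""
    by_sid = defaultdict(set)
    for technique, host, sid, _ in findings:
        if technique == "T1543.003":
            by_sid[sid].add(host)
    return dict(by_sid)


if __name__ == "__main__":
    for finding in hunt_persistence(EVENTS):
        print(*finding)
    print(sids_installing_services(hunt_persistence(EVENTS)))
```

The SID pivot is the kind of step that produced the "UserSIDs used to install malicious services" count later in the case study; in a real hunt the same logic would run over the data lake rather than an inline list.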
15. Case Study #1
We deployed independent hunting stacks:
• Endpoint Detection & Response
• Data lake (gathering all essential service logs, including DNS, Proxy, AD, etc.)
• Advanced Threat Detection
• Network Detection & Response
We automated lots of work by leveraging OpenAPI:
• Quickly deploy data acquisition scripts across the enterprise infrastructure.
• Prevent active C2 connections with Endpoint Isolation and Binary Isolation.
• Speed up the cleaning of malware artifacts (remove binary files, executable files and registry run keys).
16. Case Study #1
At the end of the day, we discovered:
• 13 C2 domains and 12 C2 IPs:
  • 04 C2 domains had never been seen before.
• 26 servers and 96 clients were compromised.
• 09 User SIDs were used to install malicious services.
• Multiple malware artifacts, which could be divided into 03 groups:
  • Binary files (.exe and .dll files)
  • Scripts (PowerShell, C#, JScript, .NET)
  • Webshells (PHP scripts)
  • C2 Payloads (found in the Registry)
18. We will be able to hunt at scale with:
The right staff with the right skillsets
The right processes/procedures for hunting
The right technical solutions that enable hunters
19. Key Takeaways
1. Assume-breach mindset.
2. Train your staff in threat hunter skillsets (or outsource).
3. Build a roadmap for implementing solutions properly.