Threat Hunting 102: Beyond the Basics

•

2 likes•838 views

Threat hunting is the best, proactive approach. But, excelling at threat hunting, discovering adversaries takes time, patience, planning, and some serious skills. Mature beyond the basics of hunting and evolve your program!

Technology

Why we’re
here today
Quick Hunting Refresher
I’m Hunting!! Now What?
Giving Back & Process Integration
Expanded PowerShell Use Case

The process of proactively
discovering undesirable activity
to illicit a positive outcome.
Refresher: Hunting defined.

Refresher: Why?
Prepare? Its very hard to defend what you can’t see and
don’t understand.
Be proactive? Don’t wait for bad to happen? Then have to
react to fix.
Fix stuff? Especially before it breaks!

Adapt or Perish.
Learning is discovery, the discovery of the
cause of our ignorance. However, the best
way of learning is not the computation of
information. Learning is discovering,
uncovering what is there in us. When we
discover, we are uncovering our own
ability, our own eyes, in order to find our
potential, to see what is going on, to
discover how we can enlarge our lives, to
find means at our disposal that will let us
cope with a difficult situation.
--Bruce Lee

The
Hunting
Process
Motivation +
Hypothesis
Data
Collection
Tooling /
Analysis
Outcomes
Automation*

I’m Hunting! Now What?
We’re Giving Back!
Incidents
Detection Improvements / New Collection Techniques
Prevention w/ Confidence
Config Management / Compliance / Audit
Improve Response / Triage

Incident
Response
Process
Prepare
Detect
Respond
Contain /
Eradicate
Post-Mortem
/ Prevent

Motivation +
Hypothesis
Data
Collection
Tooling /
Analysis
Outcomes
Automation*
Prepare
Detect
Respond
Contain /
Eradicate
Post-
Mortem /
Prevent
Hunting ProcessIncident Response Process
Escalated
Incident
High Fidelity
Detections
Use blind spots / Gaps as sources of
Motivation and Hypothesis/
New Data Collection and Analysis Techniques
Improve Triage and Response SOPs

Hunting: A Deeper Dive
Previous Outcomes create new Motivation + Hypothesis’
Introducing new datasets to expand previous outcomes
Data stacking becomes more crucial to the journey to
analysis / data science

© 2015 Cybereason Inc. All rights reserved.
Powershell
Service = commandline:powershell or .ps*
Fileless
Techniques
Process
Execution
Network
Comms
Persistence
Registry
Services
Hidden
Obfuscated
Shellcode /
DLL
Execution
Encoded
Download
Commands
Parent /
Child
Profiling
Int2Ext
Profiling
DNS Queries
Registry = commandline:powershell or .ps*
commandLine:hidden|1|-nop|iex|-
invoke|ICM|scriptblock,
commandLine:`|1|^|+|$|*|&|.
commandLine:nop|nonl|nol|bypass|e|enc|ec
commandLine: DownloadFile|IWR|Invoke-
WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS
commandLine:dllimport|virtualalloc
Parent: wscript|mshta|MSOffice|Browser|WMI*
Connections → Filter:isExternalConnection:true
URL: .ps*
DNS Query: TXT C2
DNS Query: Received vs Transmitted Ratios

Giving Back…Incident Escalation
Incident 1: Powershell WebClient –
Downloading Stage 2 Payload
Incident 2: Remote .ps file execution / Invoking shellcode
Incident 3: Mismatched Services – Adversarial use of .ps
Incident 4: Data Exfil – Powershell BITSTransfer

Giving Back…Prevention
Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes
Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning
Powershell.exe
Anchor Powershell scripts to a specific server directories, block .ps* from running directly on a system
Use endpoint firewall to prevent powershell.exe from connecting to non-approved IPs
Block “Bypass” “Hidden” ”Download String” “WebClient” ”DLLImport” “VirtualAlloc” as a command line
argument for execution by an unauthorized user
See #2 for allowing valid applications

brad@cybereason.com
@cybereason
Thank you!

Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection. A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs. Download the webcast slides to learn: --How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security --Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats --How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches

Cyber Threat Hunting with Phirelight

Hostway|HOSTING

Threat Hunting - Moving from the ad hoc to the formal

Priyanka Aash

In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood and a cookie cutter approach must be avoided here because again every organization is different and so are their risks.

Building a Successful Threat Hunting Program

Carl C. Manion

Understanding the key components necessary to build a successful threat hunting program starts with visibility, the appropriate tools and automation. Skilled, experienced analysts, engineers and incident responders with analytical minds who can apply concepts and approaches to a variety of different toolsets are also instrumental to the process. In this presentation, We'll describe and discuss some of the most common challenges, recommended best practices, and focus areas for achieving an effective threat hunting capability based on lessons learned over the past 15 years.

The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many responses included “unknown” and “advanced” when describing threats, indicating the respondents understand the challenges and fear those emerging threats. Read the full report here.

Bsides 2019 - Intelligent Threat Hunting

Dhruv Majumdar

MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...

MITRE - ATT&CKcon

This session discusses Deloitte’s purple teaming approach which is using ATT&CK as a guiding principle to help both teams improve. This session shows how this works in a customer scenario, how to scope that scenario, how to plan the scenario and choose the various TTPs to be covered to how we assist the customers blue team in understanding the TTPs and helping them design detective capabilities for them. When the Blue Team is able to connect the dots from offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc. they have the ability to fully understand what adversaries do and what the TTP’s of attackers actually look like if they are active in their network. It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming is providing this pointy needle, used to accelerate the Blue Team.

The Diamond Model for Intrusion Analysis - Threat Intelligence

ThreatConnect

Threat hunting - Every day is hunting season

Ben Boyd

(SACON) Shomiron das gupta - threat hunting use cases

Priyanka Aash

The Rise of the Purple Team

Priyanka Aash

As attacker tactics, techniques and procedures evolve, so must the defenses and strategy used to defend against them. Traditional red teaming presents an opportunity to find gaps in security, but leaves more valuable information unabsorbed. Results and methodologies used in red team assessments can drive protections in place use by blue teams and a larger program and vice versa. (Source: RSA USA 2016-San Francisco)

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.

Art into Science 2017 - Investigation Theory: A Cognitive Approach

chrissanders88

Effective Threat Hunting with Tactical Threat Intelligence

Dhruv Majumdar

The Best Just Got Better, Intercept X Now With EDR

Netpluz Asia Pte Ltd

Threat Hunting with Splunk Hands-on

Splunk

Crowd-Sourced Threat Intelligence

AlienVault

This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM.) Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.

What's a MITRE with your Security?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Matt Snyder, Senior Threat Analytics Engineer, VMware The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.

Ransomware: Why Are Backup Vendors Trying To Scare You?

marketingunitrends

Ransomware. The very word strikes fear into the hearts of admins, backup specialists, and security pros. Backup software vendors know if all your data is not protected, there is a good chance that if (when?) ransomware hits, you will most likely lose data. But, what should scare you more is less than half of ransomware victims fully recover their data, even with backup. What can you do to make sure you are not on the wrong side of a statistic?

Intelligence driven defense webinar

ThreatConnect

Learn to identify, manage, and block threats faster with intelligence. The ThreatConnect Platform was specifically designed to help you understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. But we know security operations and threat intelligence are not one size fits all. That’s why we have options. You'll See: The products: Whether your security team is large or small, advanced or just getting started with threat intelligence, there is a ThreatConnect product that fits your specific needs. Innovative features in the platform: Collective Analytics Layer, which offers immediate insight into how widespread and relevant a threat is. Playbooks: automate nearly any security operation or task - sending alerts, enriching data, or assigning tasks to a teammate; all done with an easy drag-and-drop interface - no coding needed. How ThreatConnect will adapt with your organization as it grows and changes.

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE - ATT&CKcon

The Business Benefits of Threat Intelligence Webinar

ThreatConnect

The Businees Benefits of Threat Intelligence Take 30 minutes of your time to hear Cyber Squared Inc. CEO Adam Vincent review the need for businesses to evaluate the cost of a sophisticated threat intelligence program. Learn more about the ROI calculator that evaluates cost/benefits of threat intelligence investments and offers quantifiable financial benefits and use-cases to demonstrate the overall costs associated with data breaches, and how using threat intelligence can decrease those costs and make existing staff more efficient. Watch the full webinar here: https://attendee.gotowebinar.com/recording/7218699913172089858

ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink

Gert-Jan Bruggink

The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises. It explores targeting economic considerations when defending against techniques used by adversaries. Diving into economics for adversaries to use or build certain techniques and tools over others. How can defenders defend against specific techniques by increasing the adversaries cost per intrusion. How can ATT&CK be used to make strategic risk management decisions.

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...

NoNameCon

Talk by Nazar Tymoshyk at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/GSRUTP/ Incident Detection & Response requires People - to Think, Tools - to provide data and analytics and Processes - to avoid fuckups and assure the quality. But with more alerts, the analysis takes more time, decisions and moreover - actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes. In our presentation, we'd like to share with the community our lessons learned. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered. We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge to make this delivery effective and valuable for engineers to improve their defense. We'd like to discuss also a variety of actions to be taken after the incident is confirmed. Come and take it.

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

North Texas Chapter of the ISSA

What's hot

Threat Hunting Procedures and Measurement Matrice

Vishal Kumar

Threat Hunting Report

Morane Decriem

Bsides 2019 - Intelligent Threat Hunting

Dhruv Majumdar

MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...

MITRE - ATT&CKcon

The Diamond Model for Intrusion Analysis - Threat Intelligence

ThreatConnect

Threat hunting - Every day is hunting season

Ben Boyd

(SACON) Shomiron das gupta - threat hunting use cases

Priyanka Aash

The Rise of the Purple Team

Priyanka Aash

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

Art into Science 2017 - Investigation Theory: A Cognitive Approach

chrissanders88

Effective Threat Hunting with Tactical Threat Intelligence

Dhruv Majumdar

The Best Just Got Better, Intercept X Now With EDR

Netpluz Asia Pte Ltd

Threat Hunting with Splunk Hands-on

Splunk

Crowd-Sourced Threat Intelligence

AlienVault

What's a MITRE with your Security?

MITRE - ATT&CKcon

Ransomware: Why Are Backup Vendors Trying To Scare You?

marketingunitrends

Intelligence driven defense webinar

ThreatConnect

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE - ATT&CKcon

The Business Benefits of Threat Intelligence Webinar

ThreatConnect

ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink

Gert-Jan Bruggink

What's hot (20)

Threat Hunting Procedures and Measurement Matrice

Threat Hunting Report

Bsides 2019 - Intelligent Threat Hunting

MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...

The Diamond Model for Intrusion Analysis - Threat Intelligence

Threat hunting - Every day is hunting season

(SACON) Shomiron das gupta - threat hunting use cases

The Rise of the Purple Team

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

Art into Science 2017 - Investigation Theory: A Cognitive Approach

Effective Threat Hunting with Tactical Threat Intelligence

The Best Just Got Better, Intercept X Now With EDR

Threat Hunting with Splunk Hands-on

Crowd-Sourced Threat Intelligence

What's a MITRE with your Security?

Ransomware: Why Are Backup Vendors Trying To Scare You?

Intelligence driven defense webinar

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

The Business Benefits of Threat Intelligence Webinar

ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink

Similar to Threat Hunting 102: Beyond the Basics

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...

NoNameCon

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

North Texas Chapter of the ISSA

Maturing your threat hunting program

Cybereason

Common Sense Security Framework

Jerod Brennen

Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...

EC-Council

Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).

Attack Simulation and Hunting

nathi mogomotsi

Myth-busting in Application Security

DevOps.com

There are a lot of myths in application security. By partnering with developers, Target has busted several common security myths and proved that an effective security program can take a different approach. This session will describe how to successfully implement a “credit score” to security measurement practices, build an exclusive security champions program, and stop “scanning all the things.”

Finding Security a Home in a DevOps World

Shannon Lietz

Big data security

CloudBees

International Conference on Cyber Security, Hide and Go SeekDavid Knox

How to Boost your Cyber Risk Management Program and Capabilities?

PECB

The webinar explores how understanding your organization in crisis due to an exploitation of risk can develop the organization’s resilience and team in the drive for a stronger level of compliance maturity. Main points covered: • Information Security maturity • ROPI • Risk Management • Incident Response • Forensic Readiness • Table Top Exercises • Training • Legislation Presenter: Our presenter for this webinar is Peter Jones, an experienced management professional, digital forensic analyst, cybersecurity professional, ISO 27001 and ISO 17025 auditor and University Lecturer. Peter has a wealth of experience and expertise which incorporates knowledge from being an academic and a practitioner in relation to best practice, data management, cyber security, digital system security and digital forensics, where he has conducted thousands of examinations on behalf of law enforcement and the private sector. Peter has extensive information technology and telecommunications experience which ranges from retail to enterprise environments including supporting the BBC with their hit drama series, ‘Silent Witness’. Link the the YouTube video: https://youtu.be/aREo4l-pDgc

Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx

infosec train

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Moshiul Islam, CISSP, CISA, CFE

Purple Teaming - The Collaborative Future of Penetration Testing

FRSecure

Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)

How to assess and manage cyber risk

Stephen Cobb

Incident Response in the wake of Dear CEO

Paul Dutot IEng MIET MBCS CITP OSCP CSTM

DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective

Texas.gov

There comes a time in every good security leader’s career where just saying “no” to DevOps won’t work (although we always reserve the right to do so). Instead, we must come up with a solution to the problem at hand. The time is here and now to embrace DevOps. Join Tim Virtue, Chief Information Security Officer for Texas NICUSA, as he explores the “marriage” of DevOps and Security. He will share the successes and failures from three significant DevOps experiences, with a focus on his most recent encounter with the DevOps/Security union in a heavily regulated Financial Services firm. Tim will share his story – from the crying, screaming, and paranoia – to the eventual success stories and lessons learned. You will walk away from this presentation with the knowledge, skills, and shortcuts to persuade even the staunchest security naysayer to change their mind and support, rather than derail, your DevOps program.

Incident Response: How To Prepare

Resilient Systems

Boxing legend Joe Louis famously said, "Everyone has a plan... until they get hit." While grizzled incident response veterans can relate to this sentiment, they all know that thorough preparation is crucial to success. Response procedures that are so thoroughly ingrained that executing them is like muscle memory have a chance, even in the fog of battle. Have you thoroughly prepared your organization to respond when the inevitable happens? How confident are you that it will work in a real-world situation? Proper incident response preparation is key to answering these questions and is frankly the foundation of any incident response capability. This webinar will review critical components of IR preparation including: - IR Underpinnings - Flexible Frameworks - Leadership Challenges Our featured speakers for this webinar will be: - Ted Julian, Chief Marketing Officer, Co3 Systems - Sean Mason, Global Incident Response Leader, CSC

Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...

Salesforce Engineering

Talk given by Masha Sedova, Senior Director, Trust Engagement at Salesforce, at SANS security awareness summit. Recording: http://dreamforce.vidyard.com/watch/_q13KxSF5xS_ZByddLKyyQ For many employees in organizations across the world, security training is synonymous with getting a root canal. An interaction with the security team is rarely seen as a favorable experience and is often associated with policy enforcement, password rotation and annual computer-based trainings. But envision a work environment where your employees view the security team as a resource for helping them learn how to protect the company, its customers and themselves. Turning your employees into highly attuned human sensors would help to identify and report suspicious activities too nuanced for technology to capture. This presentation focuses on how any security awareness team can use elements of gamification and positive incentives to leverage employees’ “discretionary performance” and organically increase company protection. The presentation will highlight the process of identifying and selecting vital behaviors that demonstrate a secure mindset amongst employees, such as reporting or secure development. After identifying these behaviors, the audience will understand how to develop ways to test for them using engaging campaigns such as badge-surfing competitions and team-based phishing exercises. Using the principles of positive reinforcement, learn how to effectively reward and recognize employees for demonstrating good security behaviors. One of the core examples in the presentation will demonstrate how Salesforce and other organizations have tracked positive behaviors to support leaderboards and champion programs to act as a multiplier of the security team and a catalyst for secure behavior throughout the organization showcasing reporting statistics and phishing click-through rate improvements. The presentation will also examine the effectiveness of simulation and targeted training exercises to impact when behaviors need to be modified throughout an organization. The end result of the program is a set of employees that are rewarded for behaving securely.

What Managers Need to Know about Data Science

Annie Flippo

Similar to Threat Hunting 102: Beyond the Basics (20)

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

Maturing your threat hunting program

Common Sense Security Framework

Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...

Attack Simulation and Hunting

Myth-busting in Application Security

Finding Security a Home in a DevOps World

Big data security

International Conference on Cyber Security, Hide and Go Seek

How to Boost your Cyber Risk Management Program and Capabilities?

Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Purple Teaming - The Collaborative Future of Penetration Testing

How to assess and manage cyber risk

Incident Response in the wake of Dear CEO

DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective

Incident Response: How To Prepare

Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...

What Managers Need to Know about Data Science

Recently uploaded

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

Free Complete Python - A step towards Data Science

RinaMondal9

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

Recently uploaded (20)

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Video Streaming: Then, Now, and in the Future

Introduction to CHERI technology - Cybersecurity

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

How to Get CNIC Information System with Paksim Ga.pptx

Microsoft - Power Platform_G.Aspiotis.pdf

20240607 QFM018 Elixir Reading List May 2024

PCI PIN Basics Webinar from the Controlcase Team

UiPath Test Automation using UiPath Test Suite series, part 5

Large Language Model (LLM) and it’s Geospatial Applications

The Art of the Pitch: WordPress Relationships and Sales

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DevOps and Testing slides at DASA Connect

Climate Impact of Software Testing at Nordic Testing Days

Monitoring Java Application Security with JDK Tools and JFR Events

A tale of scale & speed: How the US Navy is enabling software delivery from l...

Free Complete Python - A step towards Data Science

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Threat Hunting 102: Beyond the Basics

1. Hunting 102 Beyond the Basics

2. #whoami Brad Mecha Hunting Team Manager at Cybereason Former Technology Consultant / Cyber Defense at RSA Former CIRT Lead at a Global Advanced Manufacturing Organization

3. Why we’re here today Quick Hunting Refresher I’m Hunting!! Now What? Giving Back & Process Integration Expanded PowerShell Use Case

4. The process of proactively discovering undesirable activity to illicit a positive outcome. Refresher: Hunting defined.

5. Refresher: Why? Prepare? Its very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for bad to happen? Then have to react to fix. Fix stuff? Especially before it breaks!

6. Adapt or Perish. Learning is discovery, the discovery of the cause of our ignorance. However, the best way of learning is not the computation of information. Learning is discovering, uncovering what is there in us. When we discover, we are uncovering our own ability, our own eyes, in order to find our potential, to see what is going on, to discover how we can enlarge our lives, to find means at our disposal that will let us cope with a difficult situation. --Bruce Lee

7. The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation*

8. I’m Hunting! Now What? We’re Giving Back! Incidents Detection Improvements / New Collection Techniques Prevention w/ Confidence Config Management / Compliance / Audit Improve Response / Triage

9. Incident Response Process Prepare Detect Respond Contain / Eradicate Post-Mortem / Prevent

10. Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Hunting ProcessIncident Response Process Escalated Incident High Fidelity Detections Use blind spots / Gaps as sources of Motivation and Hypothesis/ New Data Collection and Analysis Techniques Improve Triage and Response SOPs

11. Hunting: A Deeper Dive Previous Outcomes create new Motivation + Hypothesis’ Introducing new datasets to expand previous outcomes Data stacking becomes more crucial to the journey to analysis / data science

12. Expanded Hunting: Powershell

13. © 2015 Cybereason Inc. All rights reserved. Powershell Service = commandline:powershell or .ps* Fileless Techniques Process Execution Network Comms Persistence Registry Services Hidden Obfuscated Shellcode / DLL Execution Encoded Download Commands Parent / Child Profiling Int2Ext Profiling DNS Queries Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine: DownloadFile|IWR|Invoke- WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS commandLine:dllimport|virtualalloc Parent: wscript|mshta|MSOffice|Browser|WMI* Connections → Filter:isExternalConnection:true URL: .ps* DNS Query: TXT C2 DNS Query: Received vs Transmitted Ratios

14. Giving Back…Incident Escalation Incident 1: Powershell WebClient – Downloading Stage 2 Payload Incident 2: Remote .ps file execution / Invoking shellcode Incident 3: Mismatched Services – Adversarial use of .ps Incident 4: Data Exfil – Powershell BITSTransfer

15. Giving Back…Prevention Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe Anchor Powershell scripts to a specific server directories, block .ps* from running directly on a system Use endpoint firewall to prevent powershell.exe from connecting to non-approved IPs Block “Bypass” “Hidden” ”Download String” “WebClient” ”DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user See #2 for allowing valid applications

16. brad@cybereason.com @cybereason Thank you!

Threat Hunting 102: Beyond the Basics

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Threat Hunting 102: Beyond the Basics

Similar to Threat Hunting 102: Beyond the Basics (20)

More from Cybereason

More from Cybereason (12)

Recently uploaded

Recently uploaded (20)

Threat Hunting 102: Beyond the Basics