SlideShare a Scribd company logo

Threat Hunting by Falgun Rathod - Cyber Octet Private Limited

Falgun Rathod
Falgun Rathod

Introduction to Threat Hunting by Ethical Hacking Institute in India - Cyber Octet Private Limited - Cyber Security Training & Certifications

1 of 17
Download to read offline
खतरों का शिकार THREAT HUNTING
Who I am Falgun Rathod • Managing Director at Cyber Octet Pvt. Ltd. • 10+ Years Experience in Cyber Security • Served 120+ Clients • Consultant to Government Agencies • Threat Hunter | Ethical Hacker • Penetration Tester • Core Subjects – Industrial Control Systems, Social Engineering, GRC.
Covered Today • Threat Hunting Defined • Why Threat Hunting • Skills required • Threat Detection VS Threat Hunting • What to Hunt • Techniques • Practical • Conclusion
Breaches are Expensive! • Average cost of a breach in the US is $7.9M • Average cost of a breach globally is $3.8M • Takes an average of 197 days to identify a breach • Average span of 69 days to contain a breach
Threat Hunting Defined  Objectives * Identify compromised systems and accounts * Improve security monitoring detection rules * Perform forensics at scale  Hunt Strategies * Threat Intelligence – Sweep for known bad * Anomaly – Configurations with the least frequency of occurrence * Behavioral – Attacker tools, tactics, and techniques  Risks Mitigated * “Pre-existing conditions” – historic compromises * Blind spots – limited security monitoring visibility * Secondary compromises – attackers move off patient 0
Why Threat Hunting • Attacks leave behind valuable traces • Failed attacks • Probes • Discover weaknesses • Find activity before it becomes a disaster
People Involve & Skillset • Team Lead • Provides oversight and direction for hunters • Communicates with internal & external stakeholders • Developer • Integrates threat hunting toolsets and processes • Ability to develop custom scripts • Incident Responder • Identify system configuration anomalies • Develop new or modify rulesets based on findings
Threat Detection vs Threat Hunting
IOC & IOA 1. Unusual Outbound Network Traffc 2. Anomalies In Privileged User Account Activity 3. Geographical Irregularities 4. Log-in Irregularities and Failures 5. Swells In Database Read Volume 6. HTML Response Sizes 7. Large Numbers Of Requests For The Same File 8. Mismatched Port-Application Traffc 9. Suspicious Registry Or System File Changes 10. DNS Request Anomalies
Determining What to Hunt For and How Often Here’s an example list of potential attacker activities and techniques you might identify: • Malware Beaconing • DLL Injection • Pass the Hash (PtH) • Shared Webroot • DNS Tunneling
Data Sources • Endpoint Logs: * Winaudit * EPS – Endpoint Protection System * Windows Event Forwarding * SIEM Collectors * EDR – Endpoint Detection & Response Tools • Network Logs: * DNS * Firewall * IDPS * Wireshark • Account Logs: * Active Directory * VPN’s If you’re capturing any of these logs, you can start hunting for malicious activity – you’ve already got the data!
Network Hunting
You need to be able to prove the Incidents  Tracking * Who did what when? * What systems? * What user accounts? * When did activities occur? * What data is being accessed?  Organization * Visibility into team member activity * Project status tracking at every stage * Quantify metrics
Practical • Process Explorer & Autoruns • Wireshark • System Logs
Case Study An expert threat hunter analyzes the family, studies the characteristics and discovers that: • It is a worm written in JavaScript / VBScript • It is spread by removable drives (pen drives, hard drives, etc.) by creating LNKs • It is placed in the startup of the system • The C & C server updates its code • Anti-debug / anti-vm / anti-emulation measures • Highly obfuscated in the latest versions • Very difficult to detect statically / firm • It spreads throughout the network very quickly • Very difficult to disinfect after spreading through the network
Conclusion Attackers are evolving and adapting to tools and services. Malwares are not only the Concern but the Malware Writers are. Breaches are happening every now and then, Continuous analysis and threat hunting is the solution ! Hunt Hackers Now Before They Hunt You..
Thank you Cyber Octet Team - खतरों के खखलाड़ी info@cyberoctet.com +91- 98244 35293 https://www.cyberoctet.com

Recommended

Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
penetration Tester
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
Anton Chuvakin
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
Sameer Thadani
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 

Recommended

Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
penetration Tester
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
Anton Chuvakin
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
Sameer Thadani
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
Mohit Belwal
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed Adam
Mohammed Adam
 
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
Edureka!
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Mazenetsolution
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
Joel Aleburu
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
Edureka!
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Cyber security
Cyber securityCyber security
Cyber security
Eduonix
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident Response
Infocyte
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
ONE BCG
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
mdagrossa
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Network Security Topic 1 intro
Network Security Topic 1 introNetwork Security Topic 1 intro
Network Security Topic 1 intro
Khawar Nehal khawar.nehal@atrc.net.pk
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
newbie2019
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
rajakhurram
 

More Related Content

What's hot

Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
Mohit Belwal
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed Adam
Mohammed Adam
 
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
Edureka!
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Mazenetsolution
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
Joel Aleburu
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
Edureka!
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Cyber security
Cyber securityCyber security
Cyber security
Eduonix
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident Response
Infocyte
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
ONE BCG
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
mdagrossa
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Network Security Topic 1 intro
Network Security Topic 1 introNetwork Security Topic 1 intro
Network Security Topic 1 intro
Khawar Nehal khawar.nehal@atrc.net.pk
 

What's hot (20)

Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed Adam
 
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
What is Ethical Hacking? | Ethical Hacking for Beginners | Ethical Hacking Co...
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Cyber security
Cyber securityCyber security
Cyber security
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident Response
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Network Security Topic 1 intro
Network Security Topic 1 introNetwork Security Topic 1 intro
Network Security Topic 1 intro
 

Similar to Threat Hunting by Falgun Rathod - Cyber Octet Private Limited

Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
newbie2019
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
rajakhurram
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
Aj Maurya
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
ArthyR3
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No One
Jared Atkinson
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
Threat Hunting Professional Online Training Course
Threat Hunting Professional Online Training CourseThreat Hunting Professional Online Training Course
Threat Hunting Professional Online Training Course
ShivamSharma909
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
Sam Bowne
 
building foundation for ethical hacking.ppt
building foundation for ethical hacking.pptbuilding foundation for ethical hacking.ppt
building foundation for ethical hacking.ppt
ShivaniSingha1
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
Spyglass Security
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
FaithWestdorp
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
DNIF
 

Similar to Threat Hunting by Falgun Rathod - Cyber Octet Private Limited (20)

Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No One
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 Leads
 
Threat Hunting Professional Online Training Course
Threat Hunting Professional Online Training CourseThreat Hunting Professional Online Training Course
Threat Hunting Professional Online Training Course
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
 
building foundation for ethical hacking.ppt
building foundation for ethical hacking.pptbuilding foundation for ethical hacking.ppt
building foundation for ethical hacking.ppt
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 

More from Falgun Rathod

Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...
Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...
Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...
Falgun Rathod
 
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun RathodOpen Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Falgun Rathod
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
Falgun Rathod
 
Penetration Testing, Auditing & Standards Issue : 02_2012-1
Penetration Testing, Auditing & Standards Issue : 02_2012-1Penetration Testing, Auditing & Standards Issue : 02_2012-1
Penetration Testing, Auditing & Standards Issue : 02_2012-1
Falgun Rathod
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Falgun Rathod
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
Falgun Rathod
 

More from Falgun Rathod (6)

Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...
Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...
Cyber Octet Private Limited - Ethical Hacking & Cyber Security Training and S...
 
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun RathodOpen Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
 
Penetration Testing, Auditing & Standards Issue : 02_2012-1
Penetration Testing, Auditing & Standards Issue : 02_2012-1Penetration Testing, Auditing & Standards Issue : 02_2012-1
Penetration Testing, Auditing & Standards Issue : 02_2012-1
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 

Recently uploaded

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 

Recently uploaded (20)

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

Threat Hunting by Falgun Rathod - Cyber Octet Private Limited

  • 2. Who I am Falgun Rathod • Managing Director at Cyber Octet Pvt. Ltd. • 10+ Years Experience in Cyber Security • Served 120+ Clients • Consultant to Government Agencies • Threat Hunter | Ethical Hacker • Penetration Tester • Core Subjects – Industrial Control Systems, Social Engineering, GRC.
  • 3. Covered Today • Threat Hunting Defined • Why Threat Hunting • Skills required • Threat Detection VS Threat Hunting • What to Hunt • Techniques • Practical • Conclusion
  • 4. Breaches are Expensive! • Average cost of a breach in the US is $7.9M • Average cost of a breach globally is $3.8M • Takes an average of 197 days to identify a breach • Average span of 69 days to contain a breach
  • 5. Threat Hunting Defined  Objectives * Identify compromised systems and accounts * Improve security monitoring detection rules * Perform forensics at scale  Hunt Strategies * Threat Intelligence – Sweep for known bad * Anomaly – Configurations with the least frequency of occurrence * Behavioral – Attacker tools, tactics, and techniques  Risks Mitigated * “Pre-existing conditions” – historic compromises * Blind spots – limited security monitoring visibility * Secondary compromises – attackers move off patient 0
  • 6. Why Threat Hunting • Attacks leave behind valuable traces • Failed attacks • Probes • Discover weaknesses • Find activity before it becomes a disaster
  • 7. People Involve & Skillset • Team Lead • Provides oversight and direction for hunters • Communicates with internal & external stakeholders • Developer • Integrates threat hunting toolsets and processes • Ability to develop custom scripts • Incident Responder • Identify system configuration anomalies • Develop new or modify rulesets based on findings
  • 8. Threat Detection vs Threat Hunting
  • 9. IOC & IOA 1. Unusual Outbound Network Traffc 2. Anomalies In Privileged User Account Activity 3. Geographical Irregularities 4. Log-in Irregularities and Failures 5. Swells In Database Read Volume 6. HTML Response Sizes 7. Large Numbers Of Requests For The Same File 8. Mismatched Port-Application Traffc 9. Suspicious Registry Or System File Changes 10. DNS Request Anomalies
  • 10. Determining What to Hunt For and How Often Here’s an example list of potential attacker activities and techniques you might identify: • Malware Beaconing • DLL Injection • Pass the Hash (PtH) • Shared Webroot • DNS Tunneling
  • 11. Data Sources • Endpoint Logs: * Winaudit * EPS – Endpoint Protection System * Windows Event Forwarding * SIEM Collectors * EDR – Endpoint Detection & Response Tools • Network Logs: * DNS * Firewall * IDPS * Wireshark • Account Logs: * Active Directory * VPN’s If you’re capturing any of these logs, you can start hunting for malicious activity – you’ve already got the data!
  • 13. You need to be able to prove the Incidents  Tracking * Who did what when? * What systems? * What user accounts? * When did activities occur? * What data is being accessed?  Organization * Visibility into team member activity * Project status tracking at every stage * Quantify metrics
  • 14. Practical • Process Explorer & Autoruns • Wireshark • System Logs
  • 15. Case Study An expert threat hunter analyzes the family, studies the characteristics and discovers that: • It is a worm written in JavaScript / VBScript • It is spread by removable drives (pen drives, hard drives, etc.) by creating LNKs • It is placed in the startup of the system • The C & C server updates its code • Anti-debug / anti-vm / anti-emulation measures • Highly obfuscated in the latest versions • Very difficult to detect statically / firm • It spreads throughout the network very quickly • Very difficult to disinfect after spreading through the network
  • 16. Conclusion Attackers are evolving and adapting to tools and services. Malwares are not only the Concern but the Malware Writers are. Breaches are happening every now and then, Continuous analysis and threat hunting is the solution ! Hunt Hackers Now Before They Hunt You..
  • 17. Thank you Cyber Octet Team - खतरों के खखलाड़ी info@cyberoctet.com +91- 98244 35293 https://www.cyberoctet.com