SlideShare a Scribd company logo
THREAT HUNTING:
FROM PLATITUDES TO PRACTICAL
APPLICATION
Neil “Grifter” Wyler
DefCamp 2018 @grifter801
NEW PRESENTATION, WHO DIS?
DefCamp 2018 @grifter801
HUNTING
What is it?
 Proactively searching through data in order to detect
threats which have evaded traditional security measures.
Is it effective?
 It’s often more effective than working incidents out of a
queue. While traditional security programs are still
important, hunting takes you to the next level.
DefCamp 2018 @grifter801
HUNTING
Why hunt?
 Again, because it’s proactive.
– Aren’t you tired of being purely reactive?
 It’s much harder to hide when someone is actively looking
for you.
 It’s much harder to hide when someone knows their
environment.
 By the way, you’ll know your environment better than you
ever have before.
 It increases value to your organization.
DefCamp 2018 @grifter801
WHERE DO WE BEGIN?
Log All the Things
 Collect logs from key areas
– OS Event Logs
– Application Logs
– Know who is authenticating where, and at what level
 Don’t forget your network
– Web Server logs
– Proxy logs
– Full … Packet … Capture
This can be an incredible amount of data
 Big Data is a part of your life now
– Start small and grow your collection as you grow your
program
DefCamp 2018 @grifter801
WHERE DO WE BEGIN?
Situational Awareness
 Understand what normal looks like on your hosts and network.
– Create a baseline that you can diff against
 Become intimately aware of what the norms are so that when
an anomaly occurs, it sticks out like a sore thumb.
Leave preconceived notions at the door
 Don’t always start with an IOC. Start with a question.
– If data was leaving my environment, where’s the most likely place
it would leave?
DefCamp 2018 @grifter801
Persistence
 Look beyond Run keys
 What Scheduled Tasks are configured on the system?
 Are there services that you didn’t create?
 Typos or blank descriptions
 Binary Path is not normal
HUNTING
Hosts
 Know which processes are running on your systems.
– Process Names
– Path to Executables
– Parent Processes
 Look for process injection, hooking, and artifacts in
shimcache.
DefCamp 2018 @grifter801
HUNTING
Network
 What are your ingress and egress points?
– Have they changed?
 Direct to IP Communication
 Communication to services using Dynamic DNS
 Tor traffic
 IRC traffic
 Look at HTTP traffic
– POST activity with no referrer
– User-Agent strings can be a red flag
 Traffic over non-standard ports
DefCamp 2018 @grifter801
HUNTING MINDSET
Have a plan but be ready to adapt
 Know what you’re looking for and go try to find it.
– But don’t be discouraged if/when you don’t
 Remain flexible
– Sometimes what you started searching for will take you down a
completely different path.
 Prepare for pivots, there will be many
 Find tools that help you make sense of the data you’ve
collected
 Document everything you’re doing and what you’ve learned
– Share it!
DefCamp 2018 @grifter801
SO, WHAT NOW?
DefCamp 2018 @grifter801
EXECUTING A HUNT
The Plan
 Provide Hunters /w Network Architecture / Diagrams
 Identify Potential Targets
 Tie IP Addresses to Assets
 Business Criticality
 Focus on Directionality
 Inbound
 Outbound
 Lateral Movement
 Determine Hunting Timeframe
 24 hours on Average
 Expand timeframe for subjects/events of interest
DefCamp 2018 @grifter801
EXECUTING A HUNT
 Service Analysis
 Begin with the Smallest (IRC, VNC, BITTORRENT, RPC, RDP)
 Allows for Quick Elimination
 Continue to Work Backwards
 Document Area that Each Analyst Covered ( Analyst 1 – Outbound/RDP, Outbound/IRC, etc)
 Drill Down on Each Selected Service
 Indicators of Compromise
 Behaviors of Compromise
 Enablers of Compromise
 Rinse and Repeat
DefCamp 2018 @grifter801
EXECUTING A HUNT
Care and Feeding
 Investigate, Investigate, Eliminate
 Find the Signal in the Noise
 Determine what traffic is causing false positives, and manage it.
 As you tune and dial in your environment, actionable data will become
increasingly apparent.
 Build reports and automate the pain away
DefCamp 2018 @grifter801
THE LABYRINTH
DefCamp 2018 @grifter801
SO, WHAT DO WE FIND?
DefCamp 2018 @grifter801
WHAT YEAR IS THIS!?!
DefCamp 2018 @grifter801
BEWARE THE SUPPLY CHAIN
ಠ_ಠ
DefCamp 2018 @grifter801
 Strong Passwords over unencrypted transports?
57R0NG_P@55W0RD5!
DefCamp 2018 @grifter801
YOU’VE GOT SOMETHING IN YOUR API
DefCamp 2018 @grifter801
SOAP call with cleartext Base64 includes password
I CAM SEE YOU
DefCamp 2018 @grifter801
ALWAYS USE A VPN!
DefCamp 2018 @grifter801
THE RSAC DATING POOL
DefCamp 2018 @grifter801
ALL THINGS ARE NOT CONFIGURED EQUALLY
DefCamp 2018 @grifter801
PATCH MANAGEMENT
DefCamp 2018 @grifter801
ZERO DAY, O-DAY OR SAME DAY?
DefCamp 2018 @grifter801
LUXORF
DefCamp 2018 @grifter801
“DEVICES”
DefCamp 2018 @grifter801
Thanks
Neil“Grifter”Wyler
@grifter801

More Related Content

What's hot

AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE - ATT&CKcon
 
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Alex Pinto
 
SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser
Splunk
 
The Art and Science of Alert Triage
The Art and Science of Alert TriageThe Art and Science of Alert Triage
The Art and Science of Alert Triage
Sqrrl
 
Sqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use CaseSqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl
 
ATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applicationsATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applications
Agile Testing Alliance
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
Raffael Marty
 
Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...
stefan vallin
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)
Panther Labs
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE - ATT&CKcon
 
Log Data Mining
Log Data MiningLog Data Mining
Log Data Mining
Anton Chuvakin
 

What's hot (13)

AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
 
SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser
 
The Art and Science of Alert Triage
The Art and Science of Alert TriageThe Art and Science of Alert Triage
The Art and Science of Alert Triage
 
Sqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use CaseSqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use Case
 
ATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applicationsATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applications
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
 
Log Data Mining
Log Data MiningLog Data Mining
Log Data Mining
 

Similar to Threat Hunting: From Platitudes to Practical Application

2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights
OpsRamp
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
TigerGraph
 
Security Intelligence for Energy Control Systems
Security Intelligence for Energy Control SystemsSecurity Intelligence for Energy Control Systems
Security Intelligence for Energy Control Systems
Q1 Labs
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary session
Splunk
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)
Brian Brazil
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE - ATT&CKcon
 
Splunk for ITOA Breakout Session
Splunk for ITOA Breakout SessionSplunk for ITOA Breakout Session
Splunk for ITOA Breakout Session
Splunk
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015
Mike Spaulding
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Angeloluca Barba
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Harry McLaren
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
ISSA LA
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
dianadvo
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
Splunk
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Priyanka Aash
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
AI and ML in Cybersecurity
AI and ML in CybersecurityAI and ML in Cybersecurity
AI and ML in Cybersecurity
Forcepoint LLC
 

Similar to Threat Hunting: From Platitudes to Practical Application (20)

2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
 
Security Intelligence for Energy Control Systems
Security Intelligence for Energy Control SystemsSecurity Intelligence for Energy Control Systems
Security Intelligence for Energy Control Systems
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary session
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
 
Splunk for ITOA Breakout Session
Splunk for ITOA Breakout SessionSplunk for ITOA Breakout Session
Splunk for ITOA Breakout Session
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
AI and ML in Cybersecurity
AI and ML in CybersecurityAI and ML in Cybersecurity
AI and ML in Cybersecurity
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
DefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
DefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
DefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
DefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
DefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
DefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
DefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
DefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
DefCamp
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
DefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 

Recently uploaded

inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 

Recently uploaded (20)

inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 

Threat Hunting: From Platitudes to Practical Application

  • 1. THREAT HUNTING: FROM PLATITUDES TO PRACTICAL APPLICATION Neil “Grifter” Wyler DefCamp 2018 @grifter801
  • 2. NEW PRESENTATION, WHO DIS? DefCamp 2018 @grifter801
  • 3. HUNTING What is it?  Proactively searching through data in order to detect threats which have evaded traditional security measures. Is it effective?  It’s often more effective than working incidents out of a queue. While traditional security programs are still important, hunting takes you to the next level. DefCamp 2018 @grifter801
  • 4. HUNTING Why hunt?  Again, because it’s proactive. – Aren’t you tired of being purely reactive?  It’s much harder to hide when someone is actively looking for you.  It’s much harder to hide when someone knows their environment.  By the way, you’ll know your environment better than you ever have before.  It increases value to your organization. DefCamp 2018 @grifter801
  • 5. WHERE DO WE BEGIN? Log All the Things  Collect logs from key areas – OS Event Logs – Application Logs – Know who is authenticating where, and at what level  Don’t forget your network – Web Server logs – Proxy logs – Full … Packet … Capture This can be an incredible amount of data  Big Data is a part of your life now – Start small and grow your collection as you grow your program DefCamp 2018 @grifter801
  • 6. WHERE DO WE BEGIN? Situational Awareness  Understand what normal looks like on your hosts and network. – Create a baseline that you can diff against  Become intimately aware of what the norms are so that when an anomaly occurs, it sticks out like a sore thumb. Leave preconceived notions at the door  Don’t always start with an IOC. Start with a question. – If data was leaving my environment, where’s the most likely place it would leave? DefCamp 2018 @grifter801
  • 7. Persistence  Look beyond Run keys  What Scheduled Tasks are configured on the system?  Are there services that you didn’t create?  Typos or blank descriptions  Binary Path is not normal HUNTING Hosts  Know which processes are running on your systems. – Process Names – Path to Executables – Parent Processes  Look for process injection, hooking, and artifacts in shimcache. DefCamp 2018 @grifter801
  • 8. HUNTING Network  What are your ingress and egress points? – Have they changed?  Direct to IP Communication  Communication to services using Dynamic DNS  Tor traffic  IRC traffic  Look at HTTP traffic – POST activity with no referrer – User-Agent strings can be a red flag  Traffic over non-standard ports DefCamp 2018 @grifter801
  • 9. HUNTING MINDSET Have a plan but be ready to adapt  Know what you’re looking for and go try to find it. – But don’t be discouraged if/when you don’t  Remain flexible – Sometimes what you started searching for will take you down a completely different path.  Prepare for pivots, there will be many  Find tools that help you make sense of the data you’ve collected  Document everything you’re doing and what you’ve learned – Share it! DefCamp 2018 @grifter801
  • 10. SO, WHAT NOW? DefCamp 2018 @grifter801
  • 11. EXECUTING A HUNT The Plan  Provide Hunters /w Network Architecture / Diagrams  Identify Potential Targets  Tie IP Addresses to Assets  Business Criticality  Focus on Directionality  Inbound  Outbound  Lateral Movement  Determine Hunting Timeframe  24 hours on Average  Expand timeframe for subjects/events of interest DefCamp 2018 @grifter801
  • 12. EXECUTING A HUNT  Service Analysis  Begin with the Smallest (IRC, VNC, BITTORRENT, RPC, RDP)  Allows for Quick Elimination  Continue to Work Backwards  Document Area that Each Analyst Covered ( Analyst 1 – Outbound/RDP, Outbound/IRC, etc)  Drill Down on Each Selected Service  Indicators of Compromise  Behaviors of Compromise  Enablers of Compromise  Rinse and Repeat DefCamp 2018 @grifter801
  • 13. EXECUTING A HUNT Care and Feeding  Investigate, Investigate, Eliminate  Find the Signal in the Noise  Determine what traffic is causing false positives, and manage it.  As you tune and dial in your environment, actionable data will become increasingly apparent.  Build reports and automate the pain away DefCamp 2018 @grifter801
  • 15. SO, WHAT DO WE FIND? DefCamp 2018 @grifter801
  • 16. WHAT YEAR IS THIS!?! DefCamp 2018 @grifter801 BEWARE THE SUPPLY CHAIN
  • 18.  Strong Passwords over unencrypted transports? 57R0NG_P@55W0RD5! DefCamp 2018 @grifter801
  • 19. YOU’VE GOT SOMETHING IN YOUR API DefCamp 2018 @grifter801 SOAP call with cleartext Base64 includes password
  • 20. I CAM SEE YOU DefCamp 2018 @grifter801
  • 21. ALWAYS USE A VPN! DefCamp 2018 @grifter801
  • 22. THE RSAC DATING POOL DefCamp 2018 @grifter801
  • 23. ALL THINGS ARE NOT CONFIGURED EQUALLY DefCamp 2018 @grifter801
  • 25. ZERO DAY, O-DAY OR SAME DAY? DefCamp 2018 @grifter801

Editor's Notes

  1. Share stats on CIRT Hunting
  2. Share stats on CIRT Hunting
  3. Again, because it's proactive. Hiding from people who are actively looking for threat actors, versus reacting to alerts, is much harder to do. When you're comparing known good against the current state of a system, you will be able to recognize changes, regardless of how skilled the attacker is. You will become intimately aware of the nuances of your environment. This will help you make improvements where necessary, and find problems before attackers do. Documenting your environment, processes, and lessons learned is incredibly valuable for your organization.
  4. Moving from a reactive state, to a proactive state. Knowing that attackers could be there, and looking for them. I don't have a specific indicator that I'm looking for. This is counter to what traditional IR teams do. Normally we get threat intel. We turn that into a parser. An alert is kicked off, which generates an Incident ticket. We respond to the ticket and close it out. Come to the table with an idea, or a question. Is sensitive data leaving my environment? Are users accessing data they shouldn't be?
  5. Define what is "normal" inside your organization and how that differs from department to department, or machine to machine. Know which processes are running on your systems and what they're doing. Process Names - Not Great Path to Executable - Running from Parent Process - If you run sysinternals and see cmd.exe being spawned from flash, not good task manager or pslist - sysinternals - procmon - Are processes running with the right privileges? local admin? ----------------------------------------------------------------------------------------------------------------------------- Look beyond Run keys. What scheduled tasks are configured on the system? Duqu 2 used TaskScheduler for Lateral Movement Are there services that you didn't create? - Typos or Blank Description Fields - Binary Path is not the normal location – Coming from a non-standard directory - Look for Events 106/129/200/201 Task Registered,Created Task Process, And Actions Started or Completed
  6. Which applications are communicating on the network? Should they be listening for connections? Netstat Data is great What are your ingress and egress points? Have they changed? Direct to IP Communication Look at HTTP traffic. Anomalous User-Agent strings can be a red flag. -- Unique or non-existent versions POST activity with no refferer.
  7. So when I say, “ensure availability and security,” what do I mean by “ensure?” -the Black Hat Conference teaches the latest offensive and defensive skills -these are paid training sessions -and while the tools and techniques are meant for educational purposes only, the NOC monitors the network so that these classes are self-contained. We need to ensure that while the Trainings attendees can participate in their own course, we watch to make sure they aren’t leveraging that new knowledge to go attack other classes. -the NOC also monitors the wireless network to ensure the same