Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

•

7 likes•877 views

Threat hunting involves proactively searching networks to detect advanced threats that evade existing security solutions. It is not a reactive process like alerting, but instead involves repeated searches through networks using various approaches like data-centric hunting, endpoint hunting, and deception techniques. The document provides examples of hunting techniques for lateral movement, command and control, data exfiltration, and malware on networks. It emphasizes that threat hunting is an ongoing process of iterative searches to continuously identify security threats.

Technology

Threat hunting != Throwing arrow!
Hunting for adversaries in your IT environment
Md Nahidul kibria
Co-Founder, Beetles

Md Nahidul Kibria
Co-Founder, Beetles
@nahidupa
[~] $ whoami

Threat hunting is a approach to answer that question.
Am i compromised today?

What is hunting?
Hunting as the process of proactively and
iteratively searching through networks to
detect and isolate advanced threats that
evade existing security solutions.
“You Can’t Hunt That With a Bow and Arrow!

What is Threat hunting is and is not.
Threat hunting != Throwing arrow!

Threat landscape
Cybercriminals Hacktivists Nation state
Insiders

The hunting loop
ref:http://blog.sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop

Hunting vs. Alerting
Alerting
1. Reactive
2. Detect/forget
Hunting
1. Proactive
2. Repeated searches

Approaches to Threat Hunting
1. Data-centric Hunting
2. Hunting on the Endpoint(DFIR)
3. Deception

Adversary simulation
1. Attacking web application
2. OS Command execute
3. Download malicious files (powershell webclient)
4. Getting reverse shell
5. Privilege escape
6. Scan internal host
7. Lateral Movement

Hunt Lateral MovementAttackers quietly traverse your Network.

Lateral Movement - Techniques, Tactics &
Procedures (TTPs)
Psexec
File shares
Powershell
Pass-the-hash
Scheduled tasks
WMI
SMB
SSH

Psexec
psexec.exe -i -s %SystemRoot%system32cmd.exe

Hunt other TTPs
“net” Reconnaissance of Domain Admin Group
Command
C: > net group "Domain Admin" /domain
Credential Harvesting with WMI and WCE
net use 172.31.3.16 PASSWORD /user:SANDBOXAdministrator
copy w.exe 172.31.3.16c$PerfLogs
wmic /NODE:172.31.3.16 /USER:"SANDBOXAdministrator" /PASSWORD:"PASSWORD" process call create "cmd /c C:Perflogsw.exe -w >
C:Perflogso.txt"
Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

Hunting Command and Control(c2)
C2 via Dynamic DNS
Finding the Unknown with HTTP URIs
Beacon Detection via Intra-Request Time Deltas
Finding C2 in Network Sessions

#wannacry
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

Producer-Consumer Ratio for Detecting Data Exfiltration
Ref
https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/analyze_producer_consumer_ratio.md

Unusual Windows Behavior
https://www.sans.org/security-resources/posters/dfir-find-evil/35/download

Query
(NewProcessName: "svchost.exe" AND NOT NewProcessName: "C:WindowsSystem32svchost.exe") OR (NewProcessName:
"smss.exe" AND NOT NewProcessName: "C:WindowsSystem32smss.exe") OR (NewProcessName: "wininit.exe" AND NOT
NewProcessName: "C:WindowsSystem32wininit.exe") OR (NewProcessName: "taskhost.exe" AND NOT NewProcessName:
"C:WindowsSystem32taskhost.exe") OR (NewProcessName: "lsass.exe" AND NOT NewProcessName:
"C:WindowsSystem32lsass.exe") OR (NewProcessName: "winlogon.exe" AND NOT NewProcessName:
"C:WindowsSystem32winlogon.exe") OR (NewProcessName: "explorer.exe" AND NOT NewProcessName:
"C:Windowsexplorer.exe") OR (NewProcessName: "lsm.exe" AND NOT NewProcessName: "C:WindowsSystem32lsm.exe")
OR (NewProcessName: "services.exe" AND NOT NewProcessName: "C:WindowsSystem32services.exe") OR
(NewProcessName: "csrss.exe" AND NOT NewProcessName: "C:WindowsSystem32csrss.exe")

WannaCry detection
Ref:
https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon

Hunt in memory
Malware become fileless- Kovter,Poweliks
Volatility-/rekall
https://github.com/google/rekall

Happy Hunting!
@nahidupa
Must check
http://www.threathunting.net/

Nonamecon 2021 presentation. Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year. The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations. Presentation topics: - Netflow Mitre Matrix view - Full packet captures vs Netflow - Zeek - Zeek packages - RDP initial comprometation - Empire Powershell and CobaltStrike or what to expect after initial loader execution. - Empire powershell initial connection - Beaconing. RITA - Scanning detection - Internal enumeration detection - Lateral movement techniques widely used - Kerberos attacks - PSExec and fileless ways of delivering payloads in the network - Zerologon detection - Data exfiltration - Data exfiltration over C2 channel - Data exfiltration using time size limits (data chunks) - DNS exfiltration - Detecting ransomware in your network - Real incident investigation Authors: Oleh Levytskyi (https://twitter.com/LeOleg97) Bogdan Vennyk (https://twitter.com/bogdanvennyk)

Adaptive Defense - Understanding Cyber Attacks

Jermund Ottermo

Assume Compromise

Zach Grace

The security landscape has changed such that simply focusing on preventing is no longer an effective strategy. This talk will look at the idea of Assume Breach and how detection and response to threats aligns to an attacker methodology. Demonstrations and research will highlight how organizations can achieve more finely tuned detection capabilities through threat simulation and war-game exercises.

Hiding in plain sight

Rob Gillen

Breaking the cyber kill chain!

Nahidul Kibria

Extending Zeek for ICS Defense

James Dickenson

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...

CODE BLUE

In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network. Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers. Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain

Industroyer: biggest threat to industrial control systems since Stuxnet by An...

CODE BLUE

Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols. In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years. As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems. Anton Cherepanov Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation. Róbert Lipovský Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.

Attackers have found compromise trivial for decades. But as additional security layers get deployed and next generation solutions come to market, attackers are turning to old and new techniques for bypassing security controls to launch their attacks and stay hidden. This session will explore the latest techniques and how simple defense techniques can foil even the most sophisticated attacks. (Source: RSA USA 2016-San Francisco)

Laura Garcia - Shodan API and Coding Skills [rooted2019]

RootedCON

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS

Docker Plugin For DevSecOps

Pichaya Morimoto

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

PROIDEA

Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.

"A rootkits writer’s guide to defense" - Michal Purzynski

PROIDEA

Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.

Windows persistence presentation

OlehLevytskyi1

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

CODE BLUE

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters. Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo. Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...

Mauricio Velazco

Carlos García - Pentesting Active Directory Forests [rooted2019]

RootedCON

Bsides Long Island 2019

Mauricio Velazco

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...

BlueHat Security Conference

Matt Swann, Microsoft As defenders, we watch our intrusion detection systems like a hawk so that we know when to jump into action. However, successfully evicting an adversary in a large-scale environment requires capabilities beyond detection. In this talk I describe 5 capabilities that network defenders must have in order to effectively respond to an intrusion in a large-scale service. I describe how we overcame these challenges in Office 365 with pointers to source code and reusable tooling.

Cryptolocker Webcast

OpenDNS

Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom. So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward? In this webcast, you will learn: -What steps are involved in a Cryptolocker attack -How Domain Generation Algorithms enable it to evade most threat detection methods -Why leveraging our global intelligence has been effective in containing Cryptolocker -What you can do to avoid becoming a victim

"Powershell kung-fu" - Paweł Maziarz

PROIDEA

Powershella lubią admini, programiści, a najbardziej hakerzy. Będąc natywną powłoką systemów Windows nie rzuca się w oczy, jednocześnie dając ogromne możliwości ofensywne. Podczas prelekcji Paweł zaprezentuje zarówno skuteczne one-linery jak i wielolinijkowe skrypty, które mogą siać spustoszenie w nieprzygotowanej organizacji. Pojawią się ciekawe kanały C2, malware napisany w całości w Powershellu, wyszukiwanie i eksploitacja słabo skonfigurowanych serwerów MSSQL etc.100% mięsa.

End-to-End Analysis of a Domain Generating Algorithm Malware Family

CrowdStrike

Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices. The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. Missed this presentation at Black Hat 2013? Take a look at the slides from Jason Geffner's session. This presentation brought to light how this malware is tied to an underground campaign that has been active for at least the past six years.

'Malware Analysis' by PP Singh

Bipin Upadhyay

(130119) #fitalk apt, cyber espionage threat

INSIGHT FORENSIC

Security Ninjas: An Open Source Application Security Training Program

OpenDNS

NOTES -- Slide 8 Some of the categories we will discuss are very broad like this one. Untrusted command – get / post / rest style params Clicks Surprise inputs Slide 13 Very broad too Little or no auth Auth with some bypass possibilities Some problem with how session is generated, managed, expired Insufficient sessionID protection Slide 18 When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. Slide 27 Security hardening throughout Application Stack Unnecessary features enabled or installed? ports, services, pages, accounts, privileges Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values? Default accounts/ passwords still enabled and unchanged? Error handling reveal stack traces or other overly informative error messages to users? Software out of date? OS, Web Server, DBMS, applications, code libraries Slide 41 sign up for updates or do regular audits to see versions there might be technical dependencies easily exploited by attackers using metaspoilt, info gathering using headers & responses, etc. Slide 47 We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run. Have sprints with dedicated security features and use those as a selling point for our security conscious customers Slide 48 Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure Research how much support it gets, how popular it is Look to find out any vulnerabilities in it before you start using it Maintain it; Sign up for CVE updates Ask us if you need to get something reviewed Slide 50 Not only better and more features Security vulnerabilities get patched in new versions New versions get most attention by the companies and old ones stop getting support after some time fully Most Security Support by the community Turn on auto updates for Chrome; always look at updates on AppStore Slide 51 Use different passwords for different sites Password managers let you set complexity, generate random passwords, etc. Slide 52 Only grant access to whats needed to get the job done employee leaves; mistakes; vulnerabilities in other s/w which leverages this; Don’t install redundant software, plugins, etc. This opens up so much risk People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers; Slide 55 To prevent unintended execution actions e.g., fail open auth errors Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks

Billions & Billions of Logs

Jack Crook

Super1neelakanteswarreddy

What's hot

DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...

Felipe Prado

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

RootedCON

Hacking Exposed LIVE: Attacking in the Shadows

Priyanka Aash

Laura Garcia - Shodan API and Coding Skills [rooted2019]

RootedCON

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS

Docker Plugin For DevSecOps

Pichaya Morimoto

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

PROIDEA

"A rootkits writer’s guide to defense" - Michal Purzynski

PROIDEA

Windows persistence presentation

OlehLevytskyi1

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

CODE BLUE

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...

Mauricio Velazco

Carlos García - Pentesting Active Directory Forests [rooted2019]

RootedCON

Bsides Long Island 2019

Mauricio Velazco

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...

BlueHat Security Conference

Cryptolocker Webcast

OpenDNS

"Powershell kung-fu" - Paweł Maziarz

PROIDEA

End-to-End Analysis of a Domain Generating Algorithm Malware Family

CrowdStrike

'Malware Analysis' by PP Singh

Bipin Upadhyay

(130119) #fitalk apt, cyber espionage threat

INSIGHT FORENSIC

Security Ninjas: An Open Source Application Security Training Program

OpenDNS

What's hot (20)

DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

Hacking Exposed LIVE: Attacking in the Shadows

Laura Garcia - Shodan API and Coding Skills [rooted2019]

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...

Docker Plugin For DevSecOps

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

"A rootkits writer’s guide to defense" - Michal Purzynski

Windows persistence presentation

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...

Carlos García - Pentesting Active Directory Forests [rooted2019]

Bsides Long Island 2019

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...

Cryptolocker Webcast

"Powershell kung-fu" - Paweł Maziarz

End-to-End Analysis of a Domain Generating Algorithm Malware Family

'Malware Analysis' by PP Singh

(130119) #fitalk apt, cyber espionage threat

Security Ninjas: An Open Source Application Security Training Program

Similar to Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Billions & Billions of Logs

Jack Crook

Super1neelakanteswarreddy

Anti forensics-techniques-for-browsing-artifacts

gaurang17

Anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation. Achieve Security using Anti Forensics. Anti-forensics Includes: Encryption, stenography, disk cleaning, file wiping. Anti-Forensics mainly for the security purpose.For confidentiality of Information or Securing the Web-Transaction. Smart Criminals are using it to Harden the forensic Investigation.

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

Priyanka Aash

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Chris Gates

Why are you still getting CryptoLocker?

Aaron Lancaster

DrupalCamp London 2017 - Web site insecurity

George Boobyer

Common threats to web security with real world case studies of compromised sites, - A 'dissection' of a typical common exploit tool and how it operates, - Simple approaches to mitigating common threats/vulnerabilities, - Defence in depth – an overview of the various components of web security, - Drupal specific measures that standard penetration testing often does not account for. An overview of how to benefit from: - Security monitoring and log analysis - Intrusion Detection Systems & Firewalls - Security headers and Content Security Policies (CSP). see Drupal Camp London for full details: http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it

Ceh certified ethical hackerbestip

Cyber Kill Chain Deck for General Audience

Tom K

Anton Chuvakin on Discovering That Your Linux Box is Hacked

Anton Chuvakin

Drupal Camp Bristol 2017 - Website insecurity

George Boobyer

Public facing web sites are constantly under attack and keeping websites protected is an arms race, yet security rarely gets a look-in at specification and budget allocation stages of delivering a web site - or at best is an afterthought. Yet everyone has an expectation of security and QOS that implies it is central to every project. Security considerations should pervade all stages of a project from initial specification, throughout development and testing and on to ongoing hosting and maintenance. In this session I will cover: * Common threats to web security with real world case studies of compromised sites, * Simple approaches to mitigating common threats/vulnerabilities, * Defence in depth – an overview of the various components of web security, * Drupal specific measures that standard penetration testing often does not account for. * An overview of how to benefit from: * Security monitoring and log analysis * Intrusion Detection Systems & Firewalls * Security headers and Content Security Policies (CSP). Comments: https://joind.in/talk/8bbea

Attack Chaining: Advanced Maneuvers for Hack Fu

Rob Ragan

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Advanced malware analysis training session 7 malware memory forensics

Cysinfo Cyber Security Community

Intro To Hackingnayakslideshare

DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer

Felipe Prado

SIA302.pptx

reynold298

Adversary tactics config mgmt-&-logs-oh-my

Jesse Moore

Indicators of compromise: From malware analysis to eradication

Michael Boman

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...

44CON

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5

sixdub

Similar to Threat hunting != Throwing arrow! Hunting for adversaries in your it environment (20)

Billions & Billions of Logs

Super1

Anti forensics-techniques-for-browsing-artifacts

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Why are you still getting CryptoLocker?

DrupalCamp London 2017 - Web site insecurity

Ceh certified ethical hacker

Cyber Kill Chain Deck for General Audience

Anton Chuvakin on Discovering That Your Linux Box is Hacked

Drupal Camp Bristol 2017 - Website insecurity

Attack Chaining: Advanced Maneuvers for Hack Fu

Advanced malware analysis training session 7 malware memory forensics

Intro To Hacking

DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer

SIA302.pptx

Adversary tactics config mgmt-&-logs-oh-my

Indicators of compromise: From malware analysis to eradication

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5

Recently uploaded

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

The Future of Platform Engineering

Jemma Hussein Allen

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

Recently uploaded (20)

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Epistemic Interaction - tuning interfaces to provide information for AI support

Search and Society: Reimagining Information Access for Radical Futures

DevOps and Testing slides at DASA Connect

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

FIDO Alliance Osaka Seminar: Overview.pdf

Connector Corner: Automate dynamic content and events by pushing a button

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

ODC, Data Fabric and Architecture User Group

Key Trends Shaping the Future of Infrastructure.pdf

The Future of Platform Engineering

The Art of the Pitch: WordPress Relationships and Sales

JMeter webinar - integration with InfluxDB and Grafana

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Accelerate your Kubernetes clusters with Varnish Caching

Neuro-symbolic is not enough, we need neuro-*semantic*

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

1. Threat hunting != Throwing arrow! Hunting for adversaries in your IT environment Md Nahidul kibria Co-Founder, Beetles

2. Md Nahidul Kibria Co-Founder, Beetles @nahidupa [~] $ whoami

3. Threat hunting is a approach to answer that question. Am i compromised today?

4. What is hunting? Hunting as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. “You Can’t Hunt That With a Bow and Arrow!

5. What is Threat hunting is and is not. Threat hunting != Throwing arrow!

6. Threat landscape Cybercriminals Hacktivists Nation state Insiders

7. Cyber Attack Lifecycle

8. Cyber Kill Chain

9. Proactive security

10.

11. Sensors >> Data >> monitoring

12. The hunting loop ref:http://blog.sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop

13. Hunting vs. Alerting Alerting 1. Reactive 2. Detect/forget Hunting 1. Proactive 2. Repeated searches

14. Let's hunt... But from where?

15. Approaches to Threat Hunting 1. Data-centric Hunting 2. Hunting on the Endpoint(DFIR) 3. Deception

16. Adversary simulation 1. Attacking web application 2. OS Command execute 3. Download malicious files (powershell webclient) 4. Getting reverse shell 5. Privilege escape 6. Scan internal host 7. Lateral Movement

17. Data analysis

18. Hunt Lateral MovementAttackers quietly traverse your Network.

19. Lateral Movement - Techniques, Tactics & Procedures (TTPs) Psexec File shares Powershell Pass-the-hash Scheduled tasks WMI SMB SSH

20. Detect using windows event log /Sysmon

21. WebShell -Command injection

22. Psexec psexec.exe -i -s %SystemRoot%system32cmd.exe

23. Sysmon event - psexc.exe

24. Hunt other TTPs “net” Reconnaissance of Domain Admin Group Command C: > net group "Domain Admin" /domain Credential Harvesting with WMI and WCE net use 172.31.3.16 PASSWORD /user:SANDBOXAdministrator copy w.exe 172.31.3.16c$PerfLogs wmic /NODE:172.31.3.16 /USER:"SANDBOXAdministrator" /PASSWORD:"PASSWORD" process call create "cmd /c C:Perflogsw.exe -w > C:Perflogso.txt" Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

25. Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

26. Sysmon dashboard

27. Hunting Command and Control(c2)

28. Hunting Command and Control(c2) C2 via Dynamic DNS Finding the Unknown with HTTP URIs Beacon Detection via Intra-Request Time Deltas Finding C2 in Network Sessions

29. Detection Using Bro

30. #wannacry www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

31. Hunt for Data Exfiltration

32. Producer-Consumer Ratio for Detecting Data Exfiltration Ref https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/analyze_producer_consumer_ratio.md

33. Hunt for Malware

34. Unusual Windows Behavior https://www.sans.org/security-resources/posters/dfir-find-evil/35/download

35. Query (NewProcessName: "svchost.exe" AND NOT NewProcessName: "C:WindowsSystem32svchost.exe") OR (NewProcessName: "smss.exe" AND NOT NewProcessName: "C:WindowsSystem32smss.exe") OR (NewProcessName: "wininit.exe" AND NOT NewProcessName: "C:WindowsSystem32wininit.exe") OR (NewProcessName: "taskhost.exe" AND NOT NewProcessName: "C:WindowsSystem32taskhost.exe") OR (NewProcessName: "lsass.exe" AND NOT NewProcessName: "C:WindowsSystem32lsass.exe") OR (NewProcessName: "winlogon.exe" AND NOT NewProcessName: "C:WindowsSystem32winlogon.exe") OR (NewProcessName: "explorer.exe" AND NOT NewProcessName: "C:Windowsexplorer.exe") OR (NewProcessName: "lsm.exe" AND NOT NewProcessName: "C:WindowsSystem32lsm.exe") OR (NewProcessName: "services.exe" AND NOT NewProcessName: "C:WindowsSystem32services.exe") OR (NewProcessName: "csrss.exe" AND NOT NewProcessName: "C:WindowsSystem32csrss.exe")

36. Svchost.exe with no -k

37. WannaCry detection Ref: https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon

38. Hunt in memory Malware become fileless- Kovter,Poweliks Volatility-/rekall https://github.com/google/rekall

39. DEMO

40.

41. The Hunting Maturity Model

42. Machine Learning for Incident Detection

43. Real-time Threat Hunting

44. Happy Hunting! @nahidupa Must check http://www.threathunting.net/

Editor's Notes

New in this con Blue team activity Defense Anyone from incident response Hunting is assume that you are already compromised and now you want to know/verify it.
Pentesting Web application Synack Owasp Sofo
Not a new concept Not Alert Driven Not a tool or product Not standardized Not a silver bullet
It take over month
When everyone in bdnog your org is in under attack
psexec.exe -i -s %SystemRoot%\system32\cmd.exe
http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf
http://blog.sqrrl.com/the-cyber-hunting-maturity-model

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Similar to Threat hunting != Throwing arrow! Hunting for adversaries in your it environment (20)

More from Nahidul Kibria

More from Nahidul Kibria (6)

Recently uploaded

Recently uploaded (20)

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Editor's Notes