Hunting the Evil of your Infrastructure

rootconf 2018, Bangalore, India.


  1. Hunting the Evil of your Infrastructure: A Hypothesis-Driven Practice. A. S. M. Shamim Reza, Deputy Manager, Network Operation Center, Link3 Technologies Ltd.
  2. [~]$ whoami: Linux geek; open source software enthusiast; EC-Council Certified Security Analyst; ASMShamimReza; ShamimRezaSohag
  3. Overview
     • What is Threat Hunting
     • Myths of Threat Hunting
     • The Process
     • Hypothesis – the core of hunting
     • Important Things to Remember
  4. What is Threat Hunting? “Threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” – sqrrl
  5. Myths about Threat Hunting
     • Hunting can be fully automated
     • It requires a vast amount of data and an advanced set of tools
     • Hunting is only for elite analysts
  6. The Process
     • Where to start
     • What to hunt for
  7. Questions to ask before starting
     • What data to collect?
     • Why collect all that data?
     • Which tools should be used?
     • Where to store the data?
  8. What data sources? (Source – sqrrl)
     • Endpoint data: process execution metadata, registry access data, file data, network data, file prevalence
     • Network data: network session data, Bro logs, proxy logs, DNS logs, firewall logs, network device logs
     • Security data: threat intelligence, alerts, friendly intelligence
  9. Useful tools to start
     • NetFlow analyzer – nfsen
     • Network-based IDS – Bro, Snort, Suricata
     • Central log analysis system – ELK Stack
     • Security Information & Event Management – OSSIM
  10. The Hunting Loop: Create Hypothesis → Data Collection → Tooling & Analysis → Uncover New Patterns & TTPs → Automation
  11. Hypothesis – The Core of Hunting
  12. Hunter’s Thinking
     • Who will form the hypothesis? What would he/she like to be? What does he/she have to know?
     • Do you have an updated network diagram?
     • Do you have a central place to store logs?
     • Do you have the necessary tools to analyse the data?
     • Does the hunter know the OS, applications & critical data?
     • Does the hunter know how the network infrastructure works?
  13. Hypothesis Generation (Source – SANS Institute)
     1. Intelligence-Driven Hypotheses
     2. Situational Awareness
     3. Domain Expertise
  14. Case Studies – Intelligence-Driven Hypotheses: Phishing Email
     • We received an email with the subject “U.S Bank Message”
     • It passed the central spam filter firewall
     • Mail size (from its properties) is 17.4 KB
     • Found two separate domains:
        • one from the sender email ID
        • another from the link hidden inside the mail body
  15. Email Body
  16. Email Body
  17. Original Mail Content
  18. What we have done
     • Checked both the domains at  – not IN-listed
     • Checked both the domains at 
        • – St. James Catholic Church (valid domain & site)
        • – does not have an SEO score
  19. Outcome
     • It was a preliminary attempt
     • We have blocked anything from “” at the spam firewall
     • Informed the concerned person of “” about the phishing activity
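The case study's first two checks (where does the sender domain point, and where do the links in the body point, and are they the same?) can be scripted so that a hunter can run them over every message that slips past the spam filter. The following is an added example written for this page, not code from the talk or from Link3. The message, its domains (`usbank-alerts.example`, `parish-website.example`) and the local block list are all constructed placeholders; the talk's real domains are not shown on the page, and the reputation services it consulted are replaced here by a local set so the script runs offline.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The domains are invented placeholders (the talk
# does not show its real ones); the shape mirrors the case study: a bank-themed
# subject, one sender domain, and a body link pointing at a second domain.
RAW_MAIL = """\
From: "U.S Bank" <alerts@usbank-alerts.example>
To: user@corp.example
Subject: U.S Bank Message
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been limited. Please verify your details.</p>
<a href="http://parish-website.example/wp-content/verify.php">Sign in to U.S Bank</a>
<a href="mailto:alerts@usbank-alerts.example">Contact us</a>
</body></html>
"""

# Constructed local block list, standing in for the reputation lookups the
# talk performed (those services are not named on the page).
LOCAL_BLOCKLIST = {"known-bad-sender.example"}


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def sender_domain(msg):
    """Domain part of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rsplit("@", 1)[-1].lower()


def link_domains(msg):
    """Distinct hostnames referenced by http(s) links in the body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    parser = LinkExtractor()
    parser.feed(text)
    hosts = set()
    for href in parser.hrefs:
        url = urlparse(href)
        if url.scheme in ("http", "https") and url.hostname:
            hosts.add(url.hostname.lower())
    return sorted(hosts)


def triage(raw_mail, blocklist=LOCAL_BLOCKLIST):
    """Apply the case study's checks and return a structured verdict."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    sender = sender_domain(msg)
    links = link_domains(msg)
    # A link domain that is neither the sender's domain nor a subdomain of it
    # is the "two separate domains" signal from the talk.
    mismatched = [d for d in links if d != sender and not d.endswith("." + sender)]
    return {
        "subject": str(msg["Subject"]),
        "size_bytes": len(raw_mail.encode("utf-8")),
        "sender_domain": sender,
        "link_domains": links,
        "mismatched_link_domains": mismatched,
        "sender_blocklisted": sender in blocklist,
        "suspicious": bool(mismatched) or sender in blocklist,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MAIL).items():
        print(f"{key}: {value}")
```

The mismatch rule is deliberately narrow: a link to a subdomain of the sender's own domain is treated as consistent, so legitimate newsletters do not trip it. Each mismatched domain is what the hunter would then take to external reputation checks, and a confirmed bad sender domain is what goes onto the spam firewall block list, as in the talk's outcome slide.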
  20. Situational Awareness Example – An analyst decides to look past the tactical level of intelligence by considering strategic challenges in the organization. To do this he first looks at non-technical influences on the organization. The analyst receives information that the company is going to acquire a new company. The new company is located in a different part of the world, and its infrastructure will become connected to the new parent company’s networks. The analyst knows that the parent company will also inherit the acquired company’s assets, data and vulnerabilities.
  21. The hunter generates the hypothesis that the connection points between these two companies’ networks will be abused by threat actors that have, potentially, already compromised the acquired company. To test this hypothesis, the analyst sets up additional monitoring to treat the data flowing in and out of the new network connections as suspect.
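"Treat the data flowing in and out of the new network connections as suspect" translates into a concrete hunt over the NetFlow or session data the talk lists as a network data source: keep only flows that cross the boundary between the two companies, compare them against what the integration plan says should cross it, and flag the rest. Below is an added example for this page, not code from the talk. The address ranges (`10.200.0.0/16` for the acquired company, `10.10.0.0/16` for the parent), the allow list of planned services, the thresholds and the flow records are all constructed; the record layout is a simplified five-tuple rather than any particular collector's output.

```python
import ipaddress
from collections import defaultdict

# Constructed ranges for the two companies (the talk names neither network).
ACQUIRED_NET = ipaddress.ip_network("10.200.0.0/16")
PARENT_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed allow list: (destination, port) pairs the integration plan says
# should cross the new link (web portal, LDAP and LDAPS on a directory server).
EXPECTED = {("10.10.5.20", 443), ("10.10.5.30", 389), ("10.10.5.30", 636)}

# Constructed NetFlow-style records: (src, dst, dport, proto, bytes_out).
FLOWS = [
    ("10.200.1.15", "10.10.5.20", 443, "tcp", 12_000),        # planned: portal
    ("10.200.1.15", "10.10.5.30", 636, "tcp", 4_000),         # planned: LDAPS
    ("10.200.3.7", "10.10.9.200", 445, "tcp", 900),           # SMB to parent host, not planned
    ("10.200.3.7", "10.10.9.201", 445, "tcp", 900),           # same source, second host
    ("10.200.3.7", "10.10.9.202", 445, "tcp", 900),           # same source, third host
    ("10.10.7.40", "10.200.8.8", 3389, "tcp", 300),           # RDP from parent into acquired net
    ("10.200.2.2", "10.10.5.20", 443, "tcp", 950_000_000),    # planned port, unusual volume
    ("10.200.4.4", "10.200.4.5", 22, "tcp", 100),             # inside acquired net, out of scope
]


def crosses_boundary(src, dst):
    """True when a flow goes from one company's range into the other's."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in ACQUIRED_NET and d in PARENT_NET) or (s in PARENT_NET and d in ACQUIRED_NET)


def hunt(flows, expected=EXPECTED, volume_threshold=500_000_000, fanout_threshold=3):
    """Return findings for boundary-crossing flows that the hypothesis makes suspect.

    Three signals: a service the plan does not allow, a single source reaching
    many destinations on the same unexpected port, and a transfer far larger
    than the planned services should produce.
    """
    findings = []
    fanout = defaultdict(set)
    for src, dst, dport, proto, nbytes in flows:
        if not crosses_boundary(src, dst):
            continue
        if (dst, dport) not in expected:
            findings.append(("unexpected-service", src, dst, dport))
            fanout[(src, dport)].add(dst)
        if nbytes >= volume_threshold:
            findings.append(("large-transfer", src, dst, nbytes))
    for (src, dport), dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            findings.append(("lateral-fanout", src, dport, len(dsts)))
    return findings


if __name__ == "__main__":
    for finding in hunt(FLOWS):
        print(finding)
```

Restricting the hunt to boundary-crossing flows is what keeps it tied to the hypothesis: internal traffic on either side is someone else's baseline, while the link itself is new and has no baseline yet, so every crossing is judged against the plan rather than against history. As the hunt matures, the `EXPECTED` set and thresholds become the inputs to the automation step of the hunting loop.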
  22. Domain Expertise Example – “A threat hunter knows how BGP is intended to work and has previously seen threat actors manipulate these Internet backbone protocols. This leads the analyst to generate the hypothesis that national-level adversaries/evil may be manipulating Internet routing to steal proprietary information from his organization without having to compromise the organization’s network.”
  23. Need to Keep in MIND
     • Start with formal methods of threat hunting
     • Integrate people, processes and technology
     • Balance automated and manual threat-hunting activity
     • Look for known/normal and never-seen-before malicious/abnormal activity
  24. Resources