
Leveraging Threat Intelligence to Guide Your Hunts


This webinar training session covers everything from what threat intelligence is to specific examples of how to hunt with it: applying intel during a tactical hunt, and what you should be looking out for when searching for adversaries on your enterprise network. It is taught by Keith Gilbert, an experienced threat researcher with a background in Digital Forensics and Incident Response.


  1. Leveraging Threat Intelligence to Guide Your Hunts. By Threat Researcher, Keith Gilbert
  2. © 2017 Sqrrl Data, Inc. All rights reserved. Presenter: Keith Gilbert, Sqrrl Security Technologist
  3. TL;DR
     • Threat Data is not Threat Intelligence
     • The Threat Intelligence Cycle is a continuous process for producing TI
     • Continuing development via the TI Cycle can feed hunting efforts
     • You can't hunt with non-existent data
     • Orgs benefit from improving their TI process and their Hunting Maturity
     • As maturity improves, the TI Cycle and Hunting Loop will feed each other
  4. What Is Threat Intelligence?
  5. Building The Foundation
     • Initial Source – Threat Data: raw and without context. Example: a list of malicious domains
     • Relationship based – Threat Information: building context; labels and groups. Example: malicious domains with whois details and associated malware
     • Analysis Driven – Threat Intelligence! Human-based processing/analysis; likely not absolute facts (confidence intervals); should include actual or potential impact
  6. Developing TI – The TI Cycle
  7. TI Cycle - Planning
     • What are we going to produce?
     • What do we need to collect in order to produce that?
     • How are we going to do that?
  8. TI Cycle - Collection
     • Internal Sources: technical collection and retention; past IR reports; ongoing ticket handling, IR, hunting
     • External Sources: feeds (Threat Data!) – open source and commercial; news, TI reports and other OSINT; relationships
  9. Side Note on Data: 3 Important Points
     1. Can't mature your Threat Hunting without data
     2. Can't generate good internal Threat Intel without data
     3. Storage is (comparably) cheap
  10. TI Cycle - Processing
     • Ensure that appropriate links are maintained
     • Keep in mind the confidence of the specific collection source
     • Enrichment of data
     • Possible pruning (i.e. via whitelist)
     • Goal: information should now be queryable and centralized
  11. TI Cycle - Analysis
     • Analyst-based input (this does not mean you can't work towards reducing analyst burden)
     • Not always definitive: missing information or source confidence may cause uncertainty
     • Addresses the "So What?": Who/Why? – not necessarily a name/specific actor; How? – behaviors and TTPs; When? – one-time opportunistic? continual? business changes?; Impact? – actual and potential
  12. TI Cycle - Dissemination
     • Who's the audience? Textual reports; resources for IR; technical data for other internal teams
     • What data is missing? Feeds back to planning; identifies areas of analytic judgement
     • Reference: Mandiant, "APT1: Exposing One of China's Cyber Espionage Units," Mandiant, 2013
  13. Hunting Maturity Model
  14. Coupling TI with Threat Hunting
     • Goal: undetected tactical outputs from the TI Cycle inform hypothesis creation
     • Reality: not everyone has a mature enough hunting capability
     • That's OK! Work to mature the capability in tandem
  15. The Threat Hunting Loop
  16. Coupling TI with Threat Hunting
  17. EXAMPLE HYPOTHESES & HUNT DERIVED INTEL
  18. Example 1 - Hypotheses and Derived Intel
     • Hypothesis Derived from Threat Intel: I know that [Threat Actor] tends to send its phishing messages from infrastructure hosted in [Country]. Therefore, if it is phishing my users, I should be able to examine my incoming email logs to find messages where the geolocation of the sender's IP is in [Country].
     • Threat Intel Derived from a Hunt: Based on the email and country-of-origin hunt, I determined that the organization has not yet received emails from the hypothesized location. I make two analytic conclusions with varying confidence levels: 1.) the threat actor in question may not target our industry, and 2.) the threat actor in question may also use additional email sources for phishing.
  19. Example 2 - Hypotheses and Derived Intel
     • Hypothesis Derived from Threat Intel: Recent industry reporting has informed us that industry peers have seen a recent spike in Business Email Compromise (BEC) targeting. Given that we know a common TTP of these actors is to impersonate executives, I hypothesize that I will find evidence of emails purporting to be from executives, but that originate from external email addresses.
     • Threat Intel Derived from a Hunt: During my BEC investigation, I confirmed that our organization did receive emails purporting to be from executives. I also determined that other threat actors are using the same tactic and that a permanent means of detection should be enacted.
  20. Example 3 - Hypotheses and Derived Intel
     • Hypothesis Derived from Threat Intel: A financial actor known to target my industry has been reported as using a PowerShell framework during exploitation. I predict that I will be able to identify unknown instances of PowerShell invocation on my organization's network.
     • Threat Intel Derived from a Hunt: I uncovered unknown instances of PowerShell invocation on the organization network. It was determined that many are part of legitimate business practices. The remaining invocations were determined to be unknown and led me to uncover a method for discerning between legitimate and potentially malicious PowerShell use.
  21. EXAMPLE THREAT INTEL HUNT
  22. A Practical Guide to Threat Hunting (a new resource available at info.sqrrl.com/practical-threat-hunting). What's included:
     • Practical hunting techniques and examples
     • Scorecard for determining SOC maturity
     • Metrics for measuring hunting success
     • Framework for how to determine what high impact activity to hunt for
  23. QUESTIONS
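
The BEC hypothesis from slide 19 (executive display name, external sender address), worked as an added example that is not code from the webinar or from Sqrrl: it flags messages whose From display name matches an executive while the sender's domain is outside the organization's own. The internal domains, executive names and mail-log lines are constructed sample data.

```python
"""Hunt for slide 19's BEC hypothesis: find messages whose display name
matches an executive while the sender address is outside our own domains."""
import re
from email.utils import parseaddr

# Constructed sample data (hypothetical organization), not from the webinar.
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}
EXECUTIVES = {"Jane Doe", "Raj Patel"}

def normalize_name(name: str) -> str:
    """Fold case, drop punctuation and ignore token order, so that
    'DOE, Jane' and 'jane  doe' both compare equal to 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours (case-insensitive)."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def impersonated_executive(from_header: str):
    """Return the executive name displayed by an external sender, else None."""
    display, address = parseaddr(from_header)  # unquotes "DOE, Jane" for us
    if not address or not display or not is_external(address):
        return None  # unparseable, no display name, or legitimately internal
    key = normalize_name(display)  # only the display name is compared, per slide 19
    return next((e for e in EXECUTIVES if normalize_name(e) == key), None)

def hunt(log_lines):
    """Return (message_id, executive, sender_address) for each suspicious
    message. Constructed log format: '<msgid>|<raw From header>'."""
    hits = []
    for line in log_lines:
        msg_id, _, from_header = line.partition("|")
        exec_name = impersonated_executive(from_header)
        if exec_name:
            hits.append((msg_id, exec_name, parseaddr(from_header)[1]))
    return hits

# Constructed mail-log lines covering the cases a hunter needs to separate.
SAMPLE_LOG = [
    "m1|Jane Doe <jane.doe@corp.example>",         # exec, internal: legitimate
    "m2|Jane Doe <ceo.janedoe@webmail.example>",   # exec name, free-mail sender
    'm3|"DOE, Jane" <j.doe@corp-example.com>',     # reordered name, lookalike domain
    "m4|Alex Kim <alex.kim@partner.example>",      # external but not an exec
    "m5|Raj Patel <raj.patel@mail.corp.example>",  # exec, secondary internal domain
]

if __name__ == "__main__":
    for msg_id, exec_name, sender in hunt(SAMPLE_LOG):
        print(f"{msg_id}: '{exec_name}' displayed by external sender {sender}")
```

Running it over the sample log flags m2 and m3 only; the same check, fed from a mail gateway's From headers, is the "permanent means of detection" slide 19 concludes with.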
