
Threat Hunting for Command and Control Activity


Sqrrl's Security Technologist Josh Liburdi provides an overview of how to detect C2 through a combination of automated detection and hunting.

Watch the presentation with audio here: http://info.sqrrl.com/threat-hunting-for-command-and-control-activity

Published in: Software
  1. Threat Hunting for C2 with Sqrrl. Nov 30 2016 | Josh Liburdi
  2. Presenter
     • Josh Liburdi, Security Technologist at Sqrrl. Formerly General Electric CIRT, CrowdStrike Professional Services. 3+ years in incident response
  3. What You’ll Learn Today
     • Why you need to detect command and control activity
     • How Sqrrl automatically detects command and control patterns
     • How Sqrrl makes it easy to investigate IOCs
     • How Sqrrl lets you hunt with common techniques
     © 2016 Sqrrl Data, Inc. All rights reserved.
  4. WHY WE NEED TO DETECT C2
  5. Understanding the Attack Lifecycle
     • ‘What is most impactful to the organization?’
       – Type of threat (targeted or opportunistic)
       – Outcome (financial loss, sensitive data loss)
     • Evaluate threats and prescribe detection
     (diagram: Attacker / Defender)
  6. Why We Need to Detect C2
     • Required step of the kill chain in remote attacks
     • Predictable architecture, diverse execution
       – Client-Server
       – Peer-to-Peer
     • Leading techniques
       1. Encrypted channels: standard protocols (HTTPS), custom protocols (XOR)
       2. Domain Generation Algorithms (DGA): ransomware (Locky, Cryptolocker)
       3. Tunneling: Point of Sale malware (FrameworkPOS, NewPosThings)
  7. HUNTING MATURITY MODEL
  8. Hunting Maturity Model
     • Many organizations are in HM0, HM1, and HM2
  9. DATA DOMAINS
  10. Data domains
     • Network
     • Endpoint
     • Application
     • Enrichment
  11. UNCOVERING C2 WITH SQRRL
  12. Sqrrl Detection Analytics
     • Sqrrl comes with three machine learning-driven C2 detection analytics
       – Beacon
       – Domain Generation Algorithms (DGA)
       – DNS tunneling
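The three C2 patterns named on slides 6 and 12 (beaconing, DGA domains, DNS tunneling) each leave a measurable trace in ordinary network logs. The script below is an added example written for this page, not Sqrrl's analytics and not code from the presentation: it applies a simple, explainable heuristic for each pattern to constructed connection and DNS log records. The log contents, IP addresses, domain names and thresholds (`min_events`, `max_cv`, `min_len`, `min_entropy`, `max_vowel_ratio`, `min_unique`, `min_label_len`) are all assumptions chosen for illustration; a production detector would learn or tune them from the environment's own baseline.

```python
# Added example (not Sqrrl's code): minimal, explainable versions of the three
# C2 heuristics named on the slides (beacon, DGA, DNS tunneling), run over
# constructed log records. All data and thresholds below are assumptions.
import math
import statistics
from collections import defaultdict

# Constructed connection log: (epoch seconds, src, dst). The 10.0.0.5 ->
# 203.0.113.9 pair checks in roughly every 60 s with small jitter; the
# 10.0.0.7 pair connects at irregular, human-looking times.
CONN_LOG = [
    (t, "10.0.0.5", "203.0.113.9") for t in (0, 61, 119, 181, 240, 301, 359, 420)
] + [
    (5, "10.0.0.7", "198.51.100.2"), (200, "10.0.0.7", "198.51.100.2"),
    (210, "10.0.0.7", "198.51.100.2"), (900, "10.0.0.7", "198.51.100.2"),
    (903, "10.0.0.7", "198.51.100.2"),
]

# Constructed DNS query log: (src, queried name). The tunnel-test.net names
# carry long, ever-changing base64-looking leftmost labels, which is how a
# DNS tunnel moves data; the example.com names are ordinary lookups.
DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.9", "aGVsbG8gd29ybGQgdGhpcyBpcyBh.tunnel-test.net"),
    ("10.0.0.9", "dGVzdCBvZiBkbnMgdHVubmVsaW5n.tunnel-test.net"),
    ("10.0.0.9", "ZXhmaWwgZGF0YSBjaHVuayAwMDAz.tunnel-test.net"),
    ("10.0.0.9", "YW5vdGhlciBjaHVuayBvZiBkYXRh.tunnel-test.net"),
]


def find_beacons(conn_log, min_events=6, max_cv=0.15):
    """Return [((src, dst), mean_interval)] for pairs whose inter-connection
    gaps are regular. Regularity is the coefficient of variation
    (stdev / mean) of the gaps; a low CV means metronome-like timing."""
    by_pair = defaultdict(list)
    for ts, src, dst in conn_log:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:      # too few events to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            beacons.append((pair, round(statistics.mean(gaps), 1)))
    return beacons


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(domain, min_len=12, min_entropy=3.2, max_vowel_ratio=0.3):
    """Flag a name whose registrable label (second-level domain) is long,
    high-entropy and vowel-poor, the usual shape of algorithm-generated names.
    Real brand names can be long and high-entropy too, so the vowel ratio
    is what keeps pronounceable words out of the alert set."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2 or not parts[-2]:
        return False
    label = parts[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def find_dns_tunnels(dns_log, min_unique=4, min_label_len=20):
    """Return [(src, parent_domain)] where one source sends many distinct,
    long leftmost labels under one parent domain: data carried in queries."""
    seen = defaultdict(set)   # (src, parent) -> set of long leftmost labels
    for src, name in dns_log:
        parts = name.lower().rstrip(".").split(".")
        if len(parts) < 3:                # no subdomain label to inspect
            continue
        label, parent = parts[0], ".".join(parts[-2:])
        if len(label) >= min_label_len:
            seen[(src, parent)].add(label)
    return sorted(key for key, labels in seen.items() if len(labels) >= min_unique)


if __name__ == "__main__":
    print("beacons:", find_beacons(CONN_LOG))
    for d in ("example.com", "microsoftonline.com", "xk2j9q7pmw3zvr.net"):
        print("dga-like:", d, is_dga_like(d))
    print("dns tunnels:", find_dns_tunnels(DNS_LOG))
```

Each function returns its findings rather than printing them, so the same checks can be dropped into a scheduled hunt over Bro/Zeek `conn` and `dns` records and then pivoted on by source host. The CV threshold deliberately tolerates the jitter that most implants add to their sleep timer; an analyst would lower `max_cv` in a quiet network and raise `min_events` to cut down on short-lived false positives.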
  13. DEMO
  14. SUMMARY
  15. Benefits of Hunting with Sqrrl
     1. Isolate attacker TTPs, like DGA or DNS tunneling, with detection analytics
     2. Determine attack context with data domains unified in a linked model
     3. Find emerging threats by acting on the latest intel and analysis procedures
  16. Want to Learn More? Go to sqrrl.com to…
     • Download Sqrrl’s Threat Hunting eBook
     • Download the Sqrrl White Paper on Threat Hunting Platforms
     • Request a Sqrrl Test Drive VM
     • Download Sqrrl’s Product Paper
     • Reach out to us at info@sqrrl.com
  17. APPENDIX
  18. BEACON DEMO SCREENSHOTS
  19-21. (beacon demo screenshots; no slide text)
  22. IOC SEARCH DEMO SCREENSHOTS
  23-26. (IOC search demo screenshots; no slide text)
  27. STACKING DEMO SCREENSHOTS
  28-31. (stacking demo screenshots; no slide text)
