SlideShare una empresa de Scribd logo

Threat Hunting: From Platitudes to Practical Application

Descargar como PPTX, PDF
DefCamp
DefCamp

This document discusses threat hunting and practical approaches to threat hunting. It defines threat hunting as proactively searching through data to detect threats that evaded traditional security measures. It argues that threat hunting is more effective than reacting to incidents. The document provides guidance on log collection, developing situational awareness, hunting hosts and networks, maintaining a flexible mindset, and sharing findings. It suggests starting with small data collection and focusing on important systems and network areas. The goal is to understand normal behavior and detect anomalies.

Tecnología
1 de 28
THREAT HUNTING: FROM PLATITUDES TO PRACTICAL APPLICATION Neil “Grifter” Wyler DefCamp 2018 @grifter801
NEW PRESENTATION, WHO DIS? DefCamp 2018 @grifter801
HUNTING What is it?  Proactively searching through data in order to detect threats which have evaded traditional security measures. Is it effective?  It’s often more effective than working incidents out of a queue. While traditional security programs are still important, hunting takes you to the next level. DefCamp 2018 @grifter801
HUNTING Why hunt?  Again, because it’s proactive. – Aren’t you tired of being purely reactive?  It’s much harder to hide when someone is actively looking for you.  It’s much harder to hide when someone knows their environment.  By the way, you’ll know your environment better than you ever have before.  It increases value to your organization. DefCamp 2018 @grifter801
WHERE DO WE BEGIN? Log All the Things  Collect logs from key areas – OS Event Logs – Application Logs – Know who is authenticating where, and at what level  Don’t forget your network – Web Server logs – Proxy logs – Full … Packet … Capture This can be an incredible amount of data  Big Data is a part of your life now – Start small and grow your collection as you grow your program DefCamp 2018 @grifter801
WHERE DO WE BEGIN? Situational Awareness  Understand what normal looks like on your hosts and network. – Create a baseline that you can diff against  Become intimately aware of what the norms are so that when an anomaly occurs, it sticks out like a sore thumb. Leave preconceived notions at the door  Don’t always start with an IOC. Start with a question. – If data was leaving my environment, where’s the most likely place it would leave? DefCamp 2018 @grifter801
Persistence  Look beyond Run keys  What Scheduled Tasks are configured on the system?  Are there services that you didn’t create?  Typos or blank descriptions  Binary Path is not normal HUNTING Hosts  Know which processes are running on your systems. – Process Names – Path to Executables – Parent Processes  Look for process injection, hooking, and artifacts in shimcache. DefCamp 2018 @grifter801
HUNTING Network  What are your ingress and egress points? – Have they changed?  Direct to IP Communication  Communication to services using Dynamic DNS  Tor traffic  IRC traffic  Look at HTTP traffic – POST activity with no referrer – User-Agent strings can be a red flag  Traffic over non-standard ports DefCamp 2018 @grifter801
HUNTING MINDSET Have a plan but be ready to adapt  Know what you’re looking for and go try to find it. – But don’t be discouraged if/when you don’t  Remain flexible – Sometimes what you started searching for will take you down a completely different path.  Prepare for pivots, there will be many  Find tools that help you make sense of the data you’ve collected  Document everything you’re doing and what you’ve learned – Share it! DefCamp 2018 @grifter801
SO, WHAT NOW? DefCamp 2018 @grifter801
EXECUTING A HUNT The Plan  Provide Hunters /w Network Architecture / Diagrams  Identify Potential Targets  Tie IP Addresses to Assets  Business Criticality  Focus on Directionality  Inbound  Outbound  Lateral Movement  Determine Hunting Timeframe  24 hours on Average  Expand timeframe for subjects/events of interest DefCamp 2018 @grifter801
EXECUTING A HUNT  Service Analysis  Begin with the Smallest (IRC, VNC, BITTORRENT, RPC, RDP)  Allows for Quick Elimination  Continue to Work Backwards  Document Area that Each Analyst Covered ( Analyst 1 – Outbound/RDP, Outbound/IRC, etc)  Drill Down on Each Selected Service  Indicators of Compromise  Behaviors of Compromise  Enablers of Compromise  Rinse and Repeat DefCamp 2018 @grifter801
EXECUTING A HUNT Care and Feeding  Investigate, Investigate, Eliminate  Find the Signal in the Noise  Determine what traffic is causing false positives, and manage it.  As you tune and dial in your environment, actionable data will become increasingly apparent.  Build reports and automate the pain away DefCamp 2018 @grifter801
THE LABYRINTH DefCamp 2018 @grifter801
SO, WHAT DO WE FIND? DefCamp 2018 @grifter801
WHAT YEAR IS THIS!?! DefCamp 2018 @grifter801 BEWARE THE SUPPLY CHAIN
ಠ_ಠ DefCamp 2018 @grifter801
 Strong Passwords over unencrypted transports? 57R0NG_P@55W0RD5! DefCamp 2018 @grifter801
YOU’VE GOT SOMETHING IN YOUR API DefCamp 2018 @grifter801 SOAP call with cleartext Base64 includes password
I CAM SEE YOU DefCamp 2018 @grifter801
ALWAYS USE A VPN! DefCamp 2018 @grifter801
THE RSAC DATING POOL DefCamp 2018 @grifter801
ALL THINGS ARE NOT CONFIGURED EQUALLY DefCamp 2018 @grifter801
PATCH MANAGEMENT DefCamp 2018 @grifter801
ZERO DAY, O-DAY OR SAME DAY? DefCamp 2018 @grifter801
LUXORF DefCamp 2018 @grifter801
“DEVICES” DefCamp 2018 @grifter801
Thanks Neil“Grifter”Wyler @grifter801

Recomendados

Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Elasticsearch
 
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
Beyond Matching: Applying Data Science Techniques to IOC-based DetectionBeyond Matching: Applying Data Science Techniques to IOC-based Detection
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
Alex Pinto
 
Sample - Extending IBM i2 Analysis with G2 Research
Sample - Extending IBM i2 Analysis with G2 ResearchSample - Extending IBM i2 Analysis with G2 Research
Sample - Extending IBM i2 Analysis with G2 Research
G2 Research Ltd.
 
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting AutomationBiting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Alex Pinto
 
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Alex Pinto
 
Splunk at the Bank of England
Splunk at the Bank of EnglandSplunk at the Bank of England
Splunk at the Bank of England
Splunk
 
Speaker0 session7874 1
Speaker0 session7874 1Speaker0 session7874 1
Speaker0 session7874 1
Shaveta Datta
 
Towards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity ModelTowards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity Model
Alex Pinto
 

Recomendados

Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Elasticsearch
 
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
Beyond Matching: Applying Data Science Techniques to IOC-based DetectionBeyond Matching: Applying Data Science Techniques to IOC-based Detection
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
Alex Pinto
 
Sample - Extending IBM i2 Analysis with G2 Research
Sample - Extending IBM i2 Analysis with G2 ResearchSample - Extending IBM i2 Analysis with G2 Research
Sample - Extending IBM i2 Analysis with G2 Research
G2 Research Ltd.
 
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting AutomationBiting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Alex Pinto
 
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Alex Pinto
 
Splunk at the Bank of England
Splunk at the Bank of EnglandSplunk at the Bank of England
Splunk at the Bank of England
Splunk
 
Speaker0 session7874 1
Speaker0 session7874 1Speaker0 session7874 1
Speaker0 session7874 1
Shaveta Datta
 
Towards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity ModelTowards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity Model
Alex Pinto
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE - ATT&CKcon
 
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Alex Pinto
 
SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser
Splunk
 
The Art and Science of Alert Triage
The Art and Science of Alert TriageThe Art and Science of Alert Triage
The Art and Science of Alert Triage
Sqrrl
 
Sqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use CaseSqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl
 
ATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applicationsATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applications
Agile Testing Alliance
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
Raffael Marty
 
Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...
stefan vallin
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)
Panther Labs
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE - ATT&CKcon
 
Log Data Mining
Log Data MiningLog Data Mining
Log Data Mining
Anton Chuvakin
 
2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights
OpsRamp
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
TigerGraph
 
Security Intelligence for Energy Control Systems
Security Intelligence for Energy Control SystemsSecurity Intelligence for Energy Control Systems
Security Intelligence for Energy Control Systems
Q1 Labs
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary session
Splunk
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)
Brian Brazil
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE - ATT&CKcon
 
Splunk for ITOA Breakout Session
Splunk for ITOA Breakout SessionSplunk for ITOA Breakout Session
Splunk for ITOA Breakout Session
Splunk
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015
Mike Spaulding
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 

Más contenido relacionado

La actualidad más candente

AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Alex Pinto
 
The Art and Science of Alert Triage
The Art and Science of Alert TriageThe Art and Science of Alert Triage
The Art and Science of Alert Triage
Sqrrl
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE - ATT&CKcon
 

La actualidad más candente (13)

AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline ...
 
SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser SplunkLive! Frankfurt 2019: Splunk at Dachser
SplunkLive! Frankfurt 2019: Splunk at Dachser
 
The Art and Science of Alert Triage
The Art and Science of Alert TriageThe Art and Science of Alert Triage
The Art and Science of Alert Triage
 
Sqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use CaseSqrrl Enterprise: Big Data Security Analytics Use Case
Sqrrl Enterprise: Big Data Security Analytics Use Case
 
ATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applicationsATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applications
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...Control the Hype: A look at service assurance systems and how they relate to ...
Control the Hype: A look at service assurance systems and how they relate to ...
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
 
Log Data Mining
Log Data MiningLog Data Mining
Log Data Mining
 

Similar a Threat Hunting: From Platitudes to Practical Application

2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights
OpsRamp
 
Security Intelligence for Energy Control Systems
Security Intelligence for Energy Control SystemsSecurity Intelligence for Energy Control Systems
Security Intelligence for Energy Control Systems
Q1 Labs
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE - ATT&CKcon
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015
Mike Spaulding
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Harry McLaren
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
dianadvo
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Priyanka Aash
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 

Similar a Threat Hunting: From Platitudes to Practical Application (20)

2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights2019 Performance Monitoring and Management Trends and Insights
2019 Performance Monitoring and Management Trends and Insights
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
 
Security Intelligence for Energy Control Systems
Security Intelligence for Energy Control SystemsSecurity Intelligence for Energy Control Systems
Security Intelligence for Energy Control Systems
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary session
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
 
Splunk for ITOA Breakout Session
Splunk for ITOA Breakout SessionSplunk for ITOA Breakout Session
Splunk for ITOA Breakout Session
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
AI and ML in Cybersecurity
AI and ML in CybersecurityAI and ML in Cybersecurity
AI and ML in Cybersecurity
 

Más de DefCamp

Más de DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Threat Hunting: From Platitudes to Practical Application

  • 1. THREAT HUNTING: FROM PLATITUDES TO PRACTICAL APPLICATION Neil “Grifter” Wyler DefCamp 2018 @grifter801
  • 2. NEW PRESENTATION, WHO DIS? DefCamp 2018 @grifter801
  • 3. HUNTING What is it?  Proactively searching through data in order to detect threats which have evaded traditional security measures. Is it effective?  It’s often more effective than working incidents out of a queue. While traditional security programs are still important, hunting takes you to the next level. DefCamp 2018 @grifter801
  • 4. HUNTING Why hunt?  Again, because it’s proactive. – Aren’t you tired of being purely reactive?  It’s much harder to hide when someone is actively looking for you.  It’s much harder to hide when someone knows their environment.  By the way, you’ll know your environment better than you ever have before.  It increases value to your organization. DefCamp 2018 @grifter801
  • 5. WHERE DO WE BEGIN? Log All the Things  Collect logs from key areas – OS Event Logs – Application Logs – Know who is authenticating where, and at what level  Don’t forget your network – Web Server logs – Proxy logs – Full … Packet … Capture This can be an incredible amount of data  Big Data is a part of your life now – Start small and grow your collection as you grow your program DefCamp 2018 @grifter801
  • 6. WHERE DO WE BEGIN? Situational Awareness  Understand what normal looks like on your hosts and network. – Create a baseline that you can diff against  Become intimately aware of what the norms are so that when an anomaly occurs, it sticks out like a sore thumb. Leave preconceived notions at the door  Don’t always start with an IOC. Start with a question. – If data was leaving my environment, where’s the most likely place it would leave? DefCamp 2018 @grifter801
  • 7. Persistence  Look beyond Run keys  What Scheduled Tasks are configured on the system?  Are there services that you didn’t create?  Typos or blank descriptions  Binary Path is not normal HUNTING Hosts  Know which processes are running on your systems. – Process Names – Path to Executables – Parent Processes  Look for process injection, hooking, and artifacts in shimcache. DefCamp 2018 @grifter801
  • 8. HUNTING Network  What are your ingress and egress points? – Have they changed?  Direct to IP Communication  Communication to services using Dynamic DNS  Tor traffic  IRC traffic  Look at HTTP traffic – POST activity with no referrer – User-Agent strings can be a red flag  Traffic over non-standard ports DefCamp 2018 @grifter801
  • 9. HUNTING MINDSET Have a plan but be ready to adapt  Know what you’re looking for and go try to find it. – But don’t be discouraged if/when you don’t  Remain flexible – Sometimes what you started searching for will take you down a completely different path.  Prepare for pivots, there will be many  Find tools that help you make sense of the data you’ve collected  Document everything you’re doing and what you’ve learned – Share it! DefCamp 2018 @grifter801
  • 10. SO, WHAT NOW? DefCamp 2018 @grifter801
  • 11. EXECUTING A HUNT The Plan  Provide Hunters /w Network Architecture / Diagrams  Identify Potential Targets  Tie IP Addresses to Assets  Business Criticality  Focus on Directionality  Inbound  Outbound  Lateral Movement  Determine Hunting Timeframe  24 hours on Average  Expand timeframe for subjects/events of interest DefCamp 2018 @grifter801
  • 12. EXECUTING A HUNT  Service Analysis  Begin with the Smallest (IRC, VNC, BITTORRENT, RPC, RDP)  Allows for Quick Elimination  Continue to Work Backwards  Document Area that Each Analyst Covered ( Analyst 1 – Outbound/RDP, Outbound/IRC, etc)  Drill Down on Each Selected Service  Indicators of Compromise  Behaviors of Compromise  Enablers of Compromise  Rinse and Repeat DefCamp 2018 @grifter801
  • 13. EXECUTING A HUNT Care and Feeding  Investigate, Investigate, Eliminate  Find the Signal in the Noise  Determine what traffic is causing false positives, and manage it.  As you tune and dial in your environment, actionable data will become increasingly apparent.  Build reports and automate the pain away DefCamp 2018 @grifter801
  • 15. SO, WHAT DO WE FIND? DefCamp 2018 @grifter801
  • 16. WHAT YEAR IS THIS!?! DefCamp 2018 @grifter801 BEWARE THE SUPPLY CHAIN
  • 18.  Strong Passwords over unencrypted transports? 57R0NG_P@55W0RD5! DefCamp 2018 @grifter801
  • 19. YOU’VE GOT SOMETHING IN YOUR API DefCamp 2018 @grifter801 SOAP call with cleartext Base64 includes password
  • 20. I CAM SEE YOU DefCamp 2018 @grifter801
  • 21. ALWAYS USE A VPN! DefCamp 2018 @grifter801
  • 22. THE RSAC DATING POOL DefCamp 2018 @grifter801
  • 23. ALL THINGS ARE NOT CONFIGURED EQUALLY DefCamp 2018 @grifter801
  • 25. ZERO DAY, O-DAY OR SAME DAY? DefCamp 2018 @grifter801

Notas del editor

  1. Share stats on CIRT Hunting
  2. Share stats on CIRT Hunting
  3. Again, because it's proactive. Hiding from people who are actively looking for threat actors, versus reacting to alerts, is much harder to do. When you're comparing known good against the current state of a system, you will be able to recognize changes, regardless of how skilled the attacker is. You will become intimately aware of the nuances of your environment. This will help you make improvements where necessary, and find problems before attackers do. Documenting your environment, processes, and lessons learned is incredibly valuable for your organization.
  4. Moving from a reactive state, to a proactive state. Knowing that attackers could be there, and looking for them. I don't have a specific indicator that I'm looking for. This is counter to what traditional IR teams do. Normally we get threat intel. We turn that into a parser. An alert is kicked off, which generates an Incident ticket. We respond to the ticket and close it out. Come to the table with an idea, or a question. Is sensitive data leaving my environment? Are users accessing data they shouldn't be?
  5. Define what is "normal" inside your organization and how that differs from department to department, or machine to machine. Know which processes are running on your systems and what they're doing. Process Names - Not Great Path to Executable - Running from Parent Process - If you run sysinternals and see cmd.exe being spawned from flash, not good task manager or pslist - sysinternals - procmon - Are processes running with the right privileges? local admin? ----------------------------------------------------------------------------------------------------------------------------- Look beyond Run keys. What scheduled tasks are configured on the system? Duqu 2 used TaskScheduler for Lateral Movement Are there services that you didn't create? - Typos or Blank Description Fields - Binary Path is not the normal location – Coming from a non-standard directory - Look for Events 106/129/200/201 Task Registered,Created Task Process, And Actions Started or Completed
  6. Which applications are communicating on the network? Should they be listening for connections? Netstat Data is great What are your ingress and egress points? Have they changed? Direct to IP Communication Look at HTTP traffic. Anomalous User-Agent strings can be a red flag. -- Unique or non-existent versions POST activity with no refferer.
  7. So when I say, “ensure availability and security,” what do I mean by “ensure?” -the Black Hat Conference teaches the latest offensive and defensive skills -these are paid training sessions -and while the tools and techniques are meant for educational purposes only, the NOC monitors the network so that these classes are self-contained. We need to ensure that while the Trainings attendees can participate in their own course, we watch to make sure they aren’t leveraging that new knowledge to go attack other classes. -the NOC also monitors the wireless network to ensure the same