Hunting on the Cheap
Jamie Butler, CTO
Andrew Morris, Threat Researcher
Anjum Ahuja, Threat Researcher
About Us
Anjum Ahuja
• Threat Researcher @ Endgame
• Network Security & Machine Learning
• aahuja@endgame.com
Andrew Morris
• Threat Researcher @ Endgame
• Offense Ops & Pentesting
• amorris@endgame.com
• @andrew___morris
Jamie Butler
• CTO @ Endgame
• Security Researcher
• james.butler@endgame.com
Agenda
• Threat Hunting
• Hunt Cycle
• Hunting on the Cheap
• Hunting on Network
• Hunting on Host
• Hunting with Intelligence
• Conclusion
Adversary Hunting
• Assume breach
• Finding and eliminating badness that already exists in your network
• Practiced by mature organizations
• An interesting marriage between offense and defense: Incident Response meets red teaming meets forensics meets Minority Report
Hunting … on the cheap
• You can Hunt!
• Free tools
• Effective Techniques
• With or without sources of commercial threat intelligence
• Try it before you buy it
Cool – So how do I hunt on the cheap?
• Look at your network and your hosts
• General Hunt methodology
• Collect data
• Analyze collection – outliers and indications of bad
• Follow up on leads
• Remediate
• Repeat
• We will discuss specific places to look and what to look for in the data
• Network
• Host
Hunting on the Network
…on the cheap
Why Hunt on the Network
• Known bad network IOCs are short-lived
• IPs change: SaaS has made it easier to migrate to new infrastructure
• Domains change: domain registration has gotten simpler (little or no validation), cheaper (tons of new TLDs) and stealthier (WHOIS privacy services)
• Instead, find unknown bad from higher-order signals and patterns
Passive DNS
"Passively observe inter-server DNS messages and reassemble DNS transactions"
• passivedns (https://github.com/gamelinux/passivedns)
• sie-dns-sensor (https://github.com/farsightsec/sie-dns-sensor)
Field         Interesting values
record type   A (1), AAAA (28), NS (2), CNAME (5), MX (15)
return code   NOERROR (0), SERVFAIL (2), NXDOMAIN (3)
Workflow
• Discover what's normal
• Hunt for outliers
• Fast flux
• Domain Generation Algorithm (DGA)
• NXDOMAIN
• Periodicity
• Phishing detection
• Validate & IR
Whitelist
Friendly neighborhood whitelist: Alexa top domains
• Alexa tracks the popularity of websites as typed into the browser's address bar
• It doesn't include all the media and third-party content requested by the main page
• Passive DNS captures queries from all applications, of all record types, even failures and unsolicited responses
• So expect plenty of legitimate traffic (CDNs, APIs, update checks) that the whitelist does not cover: it is a starting point, not a verdict
Dynamic DNS domains
Dynamic DNS providers rank high on Alexa, so whitelisting by rank alone would also whitelist every attacker-registered subdomain under them

Dynamic DNS domain   Alexa rank
sytes.net            14,424
zapto.org            64,151
hopto.org            60,658
dynu.com             108,459
redirectme.net       159,783
servehttp.com        207,700
serveftp.com         465,177
Fast Flux
"Large number of IPs associated with a single domain that are swapped in and out at high frequency"
• Load balancers do the same
• Anycast looks similar
• But the diversity of the IP address space (owners, networks, countries) separates the two classes
Fast flux (benign)

Domain                                              # IPs   Owner of IP space
prod-w.nexus.live.com.akadns.net.                   21      microsoft informatica ltda, microsoft corp, microsoft corporation
www-google-analytics.l.google.com.                  26      google inc
sync.teads.tv.                                      21      amazon.com inc, amazon technologies inc, amazon data services ireland limited
prodlb01-1956114858.eu-west-1.elb.amazonaws.com.    19      amazon data services ireland ltd, amazon web services, elastic compute cloud ec2 eu, amazon.com inc, amazon technologies inc, dub5 ec2
ap.gslb.spotify.com.                                25      spotify ltd, spotify ab
profile.ess-apple.com.akadns.net.                   23      apple inc
Fast Flux (malicious)

Domain                  # IPs   CC distribution                  Owner of IP space
ahmdallame.no-ip.biz    34      iq, fr                           dynamic ip pool, earthlink ltd. communications & internet services
liiion999.zapto.org     45      fr, ma, it, us, hu, at, ro, mx   edis infrastructure in france, mexico server, telentia enterprise customer, amplusnet srl, micfo llc., serverastra kft, india server, dynamic ip pool, adsl_maroc_telecom, psinet inc, national computer systems co
liiion777.zapto.org     50      fr, ma, us, hu, at, nl, ro, mx   dynamic ip pool, mexico server, maroctelecomasdl, edis infrastructure in spain, telentia enterprise customer, amplusnet srl, serverastra kft., india server, leaseweb netherlands b.v., adsl_maroc_telecom, psinet inc.

False positive: *.pool.ntp.org is also hosted on diverse IP address space
DGA
"Algorithmically generate a large number of domain names to serve as C&C servers"
• Thousands of potential domains per day
• The botnet controller only needs to register one of them to keep the lights on
DGA - Features
• Entropy
• Length
• Vowel-to-consonant ratio
• Longest consonant sequence
• n-grams from Alexa top-domain 2LDs
• n-grams from the English dictionary
• Classifier: RandomForestClassifier
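The feature list above, computed in code. This is an added example and not the deck's or Endgame's own pipeline: the whitelist is a constructed stand-in for the Alexa 2LDs, the bigram table replaces the talk's Alexa and dictionary n-gram features, and the hand-set rule score with its thresholds is an assumption that stands in for the RandomForestClassifier (a real hunt would train on labelled DGA and benign labels). The label splitter assumes a single-label TLD.

```python
import math
from collections import Counter

# Constructed stand-in for the Alexa top-domain 2LDs the talk trains n-grams on.
WHITELIST_2LDS = [
    "google", "facebook", "youtube", "amazon", "wikipedia", "twitter",
    "microsoft", "apple", "netflix", "linkedin", "reddit", "instagram",
    "yahoo", "github", "stackoverflow", "spotify", "dropbox", "paypal",
]
VOWELS = set("aeiou")


def second_level_label(domain):
    """Label left of the TLD, e.g. 'vobrbjlloae' for vobrbjlloae.fr.
    Assumes a single-label TLD; a real pipeline should use the Public Suffix List."""
    labels = domain.strip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(s):
    """Shannon entropy of the label in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(s):
    best = cur = 0
    for c in s:
        cur = cur + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, cur)
    return best


def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]


KNOWN_BIGRAMS = set(b for d in WHITELIST_2LDS for b in bigrams(d))


def bigram_coverage(s):
    """Fraction of the label's bigrams that also occur in whitelisted 2LDs."""
    bg = bigrams(s)
    return sum(b in KNOWN_BIGRAMS for b in bg) / len(bg) if bg else 0.0


def features(domain):
    label = second_level_label(domain)
    return {
        "length": len(label),
        "entropy": round(entropy(label), 3),
        "vowel_ratio": round(vowel_ratio(label), 3),
        "longest_consonant_run": longest_consonant_run(label),
        "bigram_coverage": round(bigram_coverage(label), 3),
    }


def score(domain):
    """Hand-set rule score (0..4) standing in for the talk's RandomForestClassifier.
    The thresholds are assumptions chosen for illustration, not learned from data."""
    f = features(domain)
    s = 0
    s += f["longest_consonant_run"] >= 4
    s += f["vowel_ratio"] < 0.25
    s += f["bigram_coverage"] < 0.5
    s += f["entropy"] > 3.3 and f["length"] >= 10
    return s


def is_dga_like(domain, threshold=2):
    return score(domain) >= threshold


if __name__ == "__main__":
    for d in ("vobrbjlloae.fr", "sdprjrntgvlw.ru", "perhapstogether.net", "wikipedia.org"):
        print(d, features(d), "DGA" if is_dga_like(d) else "benign")
```

Run against the domains on this page, the character-level features fire on vobrbjlloae.fr and sdprjrntgvlw.ru but not on perhapstogether.net, which is exactly the false-negative class the next slides show: dictionary-word DGAs look like English to entropy, vowel ratio and n-gram features alike.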
DGA (True Positives)

Cryptolocker (96.4% accuracy)
Domain               Verdict   Confidence
vobrbjlloae.fr       DGA       0.92
sgnuqrek.uk          DGA       0.84
dkoudkavtnjc.tf      DGA       0.97
kspruxe.uk           DGA       0.62
qalhanhhsockuxj.yt   DGA       0.96
wtjawjv.nl           DGA       0.64

Tiny Banker (98.2% accuracy)
Domain               Verdict   Confidence
sdprjrntgvlw.ru      DGA       0.98
fnetiyouqksr.xyz     DGA       0.96
cpowrnbskkxt.xyz     DGA       0.99
pmiioppkqrvw.pw      DGA       0.98
brstpvrtkcpp.com     DGA       0.97
htschinwcghk.com     DGA       0.86
DGA (False Negatives)

Domain                  Verdict   Confidence
perhapstogether.net     DGA       0.52
partydifference.net     DGA       0.58
summerdifference.net    DGA       0.53
womandifference.net     DGA       0.53
gentlemanalthough.net   DGA       0.52
experienceevery.net     Benign    0.52
beginevery.net          Benign    0.76
partyperiod.net         Benign    0.69
smokesingle.net         Benign    0.69
mountainmatter.net      Benign    0.53
mountainapple.net       Benign    0.73

• Dictionary-based DGAs that concatenate real English words sit at or below the decision boundary: the character-level features above cannot separate them from genuine words, so they need other signals (NXDOMAIN volume, periodicity)
NXDOMAIN
• Thousands of DGA domains are queried, but only a few resolve
• Normal NXDOMAIN traffic comes from typos, copy-paste errors and browser prefetch, and is less than 5% of DNS traffic

Malware family   NXDOMAIN ratio
Cryptolocker     2.07
Nivdort          13.58
TeslaCrypt       14.38
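One pass over passive DNS records that serves both the Fast Flux and the NXDOMAIN hunts above: per domain, how many distinct answers it returned and how many distinct networks they fall in; per client, what share of its lookups failed. This is an added example, not code from the deck or from passivedns. The record layout is an assumption (a simplified "||"-delimited form modelled on passivedns output, not the tool's real format), the sample records and IP addresses are constructed, the /16 prefix count is a cheap proxy for the "owner of IP space" column on the slides (a WHOIS or ASN feed would be used in practice), and the thresholds are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed passive DNS sample. Layout (an assumption, not passivedns's real format):
# epoch||client||query||rtype||rcode||answer
SAMPLE_LOG = """\
1457380800||10.0.0.5||liiion999.zapto.org.||A||NOERROR||41.140.12.9
1457380860||10.0.0.5||liiion999.zapto.org.||A||NOERROR||185.31.200.77
1457380920||10.0.0.5||liiion999.zapto.org.||A||NOERROR||79.143.180.3
1457380980||10.0.0.5||liiion999.zapto.org.||A||NOERROR||200.68.12.4
1457381040||10.0.0.5||liiion999.zapto.org.||A||NOERROR||193.105.134.6
1457380800||10.0.0.7||www-google-analytics.l.google.com.||A||NOERROR||172.217.3.46
1457380860||10.0.0.7||www-google-analytics.l.google.com.||A||NOERROR||172.217.6.14
1457380920||10.0.0.7||www-google-analytics.l.google.com.||A||NOERROR||172.217.9.78
1457380980||10.0.0.7||www-google-analytics.l.google.com.||A||NOERROR||172.217.12.110
1457381040||10.0.0.7||www-google-analytics.l.google.com.||A||NOERROR||216.58.194.174
1457380800||10.0.0.5||vobrbjlloae.fr.||A||NXDOMAIN||-
1457380801||10.0.0.5||sgnuqrek.uk.||A||NXDOMAIN||-
1457380802||10.0.0.5||dkoudkavtnjc.tf.||A||NXDOMAIN||-
1457380803||10.0.0.5||kspruxe.uk.||A||NXDOMAIN||-
1457380804||10.0.0.5||qalhanhhsockuxj.yt.||A||NXDOMAIN||-
1457380805||10.0.0.5||wtjawjv.nl.||A||NOERROR||93.184.216.34
1457380810||10.0.0.7||wikipedia.org.||A||NOERROR||208.80.154.224
"""


def parse(log):
    """Parse the constructed layout into dicts; trailing dot and case stripped from names."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, query, rtype, rcode, answer = line.split("||")
        records.append({"ts": int(ts), "client": client,
                        "query": query.rstrip(".").lower(),
                        "rtype": rtype, "rcode": rcode, "answer": answer})
    return records


def ip_diversity(records):
    """Per domain: (distinct A answers, distinct /16 prefixes they fall in).
    The /16 count stands in for 'owner of the IP space' (assumption); with a
    WHOIS/ASN feed you would count ASNs or organisations instead."""
    addrs = defaultdict(set)
    for r in records:
        if r["rtype"] == "A" and r["rcode"] == "NOERROR":
            addrs[r["query"]].add(ipaddress.ip_address(r["answer"]))
    return {d: (len(a), len({ipaddress.ip_network(f"{ip}/16", strict=False) for ip in a}))
            for d, a in addrs.items()}


def fast_flux_candidates(records, min_ips=5, min_prefixes=3):
    """Domains with many answers spread over many networks (thresholds are assumptions)."""
    return sorted(d for d, (n_ips, n_pfx) in ip_diversity(records).items()
                  if n_ips >= min_ips and n_pfx >= min_prefixes)


def nxdomain_share(records):
    """Per client: fraction of its lookups that came back NXDOMAIN."""
    total, nx = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: nx[c] / total[c] for c in total}


def noisy_clients(records, baseline=0.05):
    """Clients whose NXDOMAIN share is above the talk's ~5% benign baseline."""
    return sorted(c for c, share in nxdomain_share(records).items() if share > baseline)


def nxdomain_names(records, client):
    """The names a client failed to resolve, for eyeballing DGA-style labels."""
    return sorted({r["query"] for r in records
                   if r["client"] == client and r["rcode"] == "NXDOMAIN"})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("fast flux candidates:", fast_flux_candidates(recs))
    for c in noisy_clients(recs):
        print(c, f"{nxdomain_share(recs)[c]:.0%} NXDOMAIN:", nxdomain_names(recs, c))
```

On the sample the Google Analytics name returns five addresses but only two /16s and is not flagged, while the zapto.org name spreads five addresses over five networks and is; the same diversity check is what keeps *.pool.ntp.org on the false-positive list, so whitelist it explicitly.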
False Positives

Domain                         Class   Probability
qetdjnndqo.c*****1.org.        DGA     0.83
mjhhofjsdrsulcn.c*****1.org    DGA     0.96
hicbaxevoldlszl.c*****1.org    DGA     0.96
bchbnajexhspfrq.c*****1.org    DGA     0.97
mbgmajnvrvyn.c*****1.org       DGA     0.96
nlbvxhfomxx.c*****1.org        DGA     0.95

• DGA-like domains
• Most of them NXDOMAINs
• WHOIS privacy proxy
• Cause: Chrome DNS wildcard detection! Chrome probes a few random hostnames on startup and network change to detect resolvers that hijack NXDOMAIN; when the client's DNS search suffix is appended, they show up as random labels under your own domain
Periodicity
[Chart: DNS traffic rate over time, y-axis 0 to 12,000, x-axis in 3-hour ticks from Mar 07 2PM to Mar 10 11PM]
Periodicity
• Continuous traffic generated by the OS and background services
• For example, software update checks, keep-alives, content refresh
• Malware beacons to its C2 on a timer as well, so look for regularly spaced queries from one host to one domain
Periodicity (benign)

Domain                                    Inter-request time (s)   Probability
e673.e9.akamaiedge.net                    530.5                    0.99
itunes-cdn.itunes-apple.com.akadns.net    1190.0                   0.97
teredo.ipv6.microsoft.com.nsatc.net       919.0                    0.95
ds-comet.yahoo.g01.yahoodns.net           360.0                    0.88
itunes.apple.com.edgekey.net              595.0                    0.98

Hosted on HA, load-balanced networks that are usually on our whitelist

Periodicity (malicious)

Cryptolocker (~953 s)   Probability
vobrbjlloae.fr          0.98
www.tabi104.net         0.84
wtjawjv.nl              0.96
ojqya.pw                0.98
netvegonhi.nl           0.98

Nivdort family (~1892 s)   Probability
desireproduce.net          0.70
partyorderly.net           0.89
stillaction.net            0.87
desireoclock.net           0.73
fightbattle.net            0.77
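The periodicity hunt as code: group queries by (client, domain), measure the gaps between them, and keep pairs whose gaps are nearly constant. This is an added example, not the deck's model; the talk reports a probability from a model it does not describe, and the coefficient of variation (standard deviation of the gaps divided by their mean) with the min_queries and max_cv thresholds is the assumed substitute. The events and the whitelist suffixes are constructed, with the ~953 s gap borrowed from the Cryptolocker row above.

```python
import statistics
from collections import defaultdict

# Suffixes of HA/CDN names the talk's whitelist would cover (constructed, illustrative).
WHITELIST_SUFFIXES = ("akamaiedge.net", "akadns.net", "yahoodns.net", "edgekey.net")


def times_from_gaps(start, gaps):
    """Build absolute epoch timestamps from a start time and inter-request gaps."""
    out = [start]
    for g in gaps:
        out.append(out[-1] + g)
    return out


def build_sample_events():
    """Constructed (epoch, client, domain) query events, not captured traffic.
    The ~953 s gap mirrors the Cryptolocker period reported on the slide."""
    events = []
    for t in times_from_gaps(1457380000, [953, 951, 955, 951, 955]):
        events.append((t, "10.0.0.5", "vobrbjlloae.fr"))
    for t in times_from_gaps(1457380000, [531, 530, 530, 531, 530]):
        events.append((t, "10.0.0.7", "e673.e9.akamaiedge.net"))
    for t in times_from_gaps(1457380000, [30, 400, 7, 2500, 120]):
        events.append((t, "10.0.0.7", "en.wikipedia.org"))
    return events


def beacon_stats(timestamps):
    """(mean gap, coefficient of variation). CV near 0 = timer-driven; around 1 = human/random."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def is_whitelisted(domain, suffixes=WHITELIST_SUFFIXES):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def find_beacons(events, min_queries=5, max_cv=0.1):
    """Group queries by (client, domain) and keep pairs with regular spacing.
    min_queries and max_cv are assumed thresholds; tune them on your own baseline."""
    by_pair = defaultdict(list)
    for ts, client, domain in events:
        by_pair[(client, domain)].append(ts)
    hits = []
    for (client, domain), ts in by_pair.items():
        if len(ts) < min_queries:
            continue
        mean, cv = beacon_stats(ts)
        if cv <= max_cv:
            hits.append({"client": client, "domain": domain, "period": round(mean, 1),
                         "cv": round(cv, 4), "whitelisted": is_whitelisted(domain)})
    # Unknown (non-whitelisted) periodic talkers first: those are the leads to validate.
    return sorted(hits, key=lambda h: (h["whitelisted"], h["domain"]))


if __name__ == "__main__":
    for h in find_beacons(build_sample_events()):
        print(h)
```

Both the Akamai keep-alive and the Cryptolocker-style name come out as beacons, which is the point of the benign slide: periodicity alone does not separate them, the whitelist does, so the hit list carries the whitelist flag and puts the unknown talkers first.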
Phishing Detection
• Edit distance: the number of operations (removal, insertion or substitution of characters) that converts one string into the other
• Longest common substring: use a suffix tree for O(n)

Real website    Fake site
facebook.com    facebookc.om
malware.com     rnalware.com
apple.com       applesoftupdate.com
paypal.com      paypal.com.user.accounts.lwproductions.net
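The two string measures above applied to the page's four fake sites, plus a homoglyph fold that catches the rn/m trick. This is an added example rather than the deck's implementation: the brand list and the homoglyph table are constructed and partial, the max_edits threshold is an assumption, the longest-common-substring routine is the quadratic DP (the talk's suffix-tree O(n) version is the production choice), and the label splitter assumes a single-label TLD.

```python
# Brands to protect and a few lookalike transforms; both lists are constructed and partial.
BRANDS = ["facebook", "apple", "paypal", "malware", "microsoft"]
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_common_substring(a, b):
    """Length of the longest common substring (O(len(a)*len(b)) DP; a suffix tree is O(n))."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def normalize(label):
    """Fold common homoglyph tricks so rnalware compares as malware."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def registered_label(labels):
    """The label left of the TLD. Assumes a single-label TLD; use the Public Suffix List in practice."""
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_reasons(domain, brands=BRANDS, max_edits=1):
    """Return (brand, reason) pairs explaining why the domain resembles a protected brand."""
    labels = domain.lower().strip(".").split(".")
    reg = registered_label(labels)
    sub_labels = labels[:-2]
    reasons = []
    for brand in brands:
        if reg == brand:
            continue                                  # the genuine registration
        norm = normalize(reg)
        if norm == brand:
            reasons.append((brand, "homoglyph"))      # rnalware.com
        elif levenshtein(norm, brand) <= max_edits:
            reasons.append((brand, "edit-distance"))  # facebookc.om
        elif longest_common_substring(norm, brand) == len(brand):
            reasons.append((brand, "embedded"))       # applesoftupdate.com
        elif brand in sub_labels:
            reasons.append((brand, "subdomain"))      # paypal.com.user.accounts.<other>
    return reasons


def is_lookalike(domain):
    return bool(lookalike_reasons(domain))


if __name__ == "__main__":
    for d in ("facebookc.om", "rnalware.com", "applesoftupdate.com",
              "paypal.com.user.accounts.lwproductions.net", "facebook.com"):
        print(d, lookalike_reasons(d))
```

Expect the "embedded" rule to be the noisy one (pineapple.com contains apple); in a hunt it is the newly observed domains, not the whole log, that are worth running through it.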
Next Steps
• Validate outliers
• New or consistent behavior?
• How many hosts?
• How many models triggered?
• Identify the user(s)/process generating the traffic, assess maliciousness
• If malicious, kick off the incident response process

One more thing
• Every network is different, find out what's normal for yours
• Maintain a list of newly observed domains in your network
• Segment your network by the source of outliers
Hunting on the Host
…on the cheap
General idea
• You have lots of hosts
• And they are somewhat homogeneous
• Look for outliers and things that don't make sense, then investigate
• Could be an application only one person is using
• Could be malware
• Many things to look at
• Processes
• Network connections and listening ports
• Filesystem
• User logs
• Autoruns
• (There's more; you have to choose what to focus on)
Scenarios
• Hunting with (open source) intelligence
• Consume threat intelligence
• Deploy remote Yara scan
• Hunting with zero intelligence
• Collect specific data from all your hosts
• Look for anomalies and outliers
Hunting with Intelligence
…on the cheap
Hunting with Intelligence
• Get Intel
• IOC?
• Hash?
• TTP?
• Filename?
• Apply Intel
• Powershell + Yara!
• Remediate
• Hope you have a remediation process…
Consuming Open Source Intelligence
• AlienVault
• IOCBucket
• Abuse.ch
• Blocklist.de
• EmergingThreats
• VirusTotal
• Malwr
YARA
https://plusvic.github.io/yara/
• Apply standardized binary patterns and sequences to identify badness in a binary
• Grep on crack
• Scans files and memory
• Free signatures exist for tools used by bad guys targeting your vertical
• Signatures are brittle: a recompiled or repacked sample can slip past them
• But if well written, low false positive rate
• And it's FREE
• Value? This will tell you if a known bad file is on a given host
Example Yara Rule
• Rule for Mimikatz (tool for dumping plaintext passwords)
• Used by red teamers and APT groups alike
• https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar
Remote Yara Scan
Leverage PowerShell to remotely run a Yara scan with a pre-defined rule set on a given directory
• Transfer the Yara binary to the target machine over the admin share (native Windows functionality)
PS> copy yara.exe \\TARGET-HOST\C$\TEMP\yara.exe
• Transfer the rules
PS> copy rules.yara \\TARGET-HOST\C$\TEMP\rules.yara
• Execute the scan with Invoke-Command
PS> Invoke-Command -ComputerName TARGET-HOST -ScriptBlock { c:\TEMP\yara.exe -r c:\TEMP\rules.yara c:\targetdir } -Credential USER
• This needs local admin on the target (for the C$ share) and WinRM enabled (for Invoke-Command); the -r flag makes yara recurse into subdirectories, without it only the top-level files of c:\targetdir are scanned
So what?
• You should look for emergent known bad across your network
• Yara is a great way to find known bads and kick off the remediation process
• Sadly, malware changes rapidly, so this is necessary but not sufficient…
• Community rule sets: https://github.com/Yara-Rules/rule
Hunting with no Intelligence
…on the cheap
Autoruns
• There are lots of places to look on hosts for oddities and outliers
• Bad guys love to stick around on a box: persistence
• Makes it harder to get rid of an infection
• So, we'll focus our zero-intelligence hunting on Autoruns
• Where are the autoruns?
• Registry run keys
• Services
• Drivers
• Browser add-ons
• Tons of other crafty stuff
• Over 100 locations, thanks Windows!
• Thankfully, free tools can help you out
Does this really work?
• Yup
• Autoruns should be relatively consistent across the network
• Assuming the network is somewhat homogeneous and locked down
• Anomalous autoruns could indicate badness
Sysinternals Autoruns
• Awesome tool from Microsoft
• Pulls most autorun items on a Windows system
• Hashes them for you
• Can submit them to VirusTotal for you
Hash Autorun Items to find Known Malware
Leverage PowerShell to remotely execute Sysinternals "autorunsc.exe" to collect autorun items via the command line, then submit them to VT
• Transfer the Autoruns binary and its required DLL to the target machine over the admin share (native Windows functionality)
PS> copy autorunsc.exe \\TARGET-HOST\C$\TEMP\autorunsc.exe
PS> copy msvcr100.dll \\TARGET-HOST\C$\TEMP\msvcr100.dll
• Execute the program with Invoke-Command (output redirection optional)
PS> Invoke-Command -ComputerName TARGET-HOST -ScriptBlock { c:\TEMP\autorunsc.exe -a (??) -h >> c:\TEMP\autoruns-output.txt } -Credential USER
• Add -accepteula (and -c for CSV output) so the tool does not hang on the EULA prompt when run non-interactively
• Collect the output
PS> copy \\TARGET-HOST\C$\TEMP\autoruns-output.txt c:\directory
Hash Autorun Items to find Known Malware (2)
• Submit all autorun hashes to VirusTotal
• Anything that returns a positive malware hit in VT should be investigated
• This can be done inline with the Sysinternals Autoruns tool
• Or you can build something yourself easily with the VirusTotal API
Stack the Data to Identify Anomalies
• Pull hashes of all autorun items (see previous)
• Map autorun hashes as HOST:HASH
$ cat hash-map.txt
10.54.23.4:0dbca2da61a0a46e41095b92434d16974351f92ae0268eafae67a8a2d26c4449
10.54.23.4:fcaee53875a28ed570d4e1b12610ec9503cfcca26c7964df304390e04e368264
10.54.23.4:0dbca2da61a0a46e41095b92434d16974351f92ae0268eafae67a8a2d26c4449
10.54.23.4:eb0ed2b57db1fee056526e065af4d874b8f2dfec0fad14defbb61184ce32d4cf
10.54.23.4:873e697cc9f3a0d85346befd537905c8642654a8be836d9b3fa41826a2ef729f
10.54.23.4:111655197188bbfe1d7b914d367281002795033638cfce67635dd597f8c31772
10.54.23.4:57359b3f029a3590905d81a3c99d4a7e784fdc33b4f052c95b4d24c41f390312
10.54.23.4:7ca6c3b0cc309f6e0a7ceabec98eb97874e649b155493b52aee90cd06f1acf46
10.54.23.5:111655197188bbfe1d7b914d367281002795033638cfce67635dd597f8c31772
10.54.23.5:eb0ed2b57db1fee056526e065af4d874b8f2dfec0fad14defbb61184ce32d4cf
10.54.23.5:57359b3f029a3590905d81a3c99d4a7e784fdc33b4f052c95b4d24c41f390312
10.54.23.5:7ca6c3b0cc309f6e0a7ceabec98eb97874e649b155493b52aee90cd06f1acf46
...
Stack the Data to Identify Anomalies (2)
• Split the output on the colon (:) and keep the hash column
$ cut -d':' -f2 hash-map.txt > hashes.txt
• Reduce by number of occurrences, most common first
$ sort hashes.txt | uniq -c | sort -rn
42 fcaee53875a28ed570d4e1b12610ec9503cfcca26c7964df304390e04e368264
42 eb0ed2b57db1fee056526e065af4d874b8f2dfec0fad14defbb61184ce32d4cf
42 873e697cc9f3a0d85346befd537905c8642654a8be836d9b3fa41826a2ef729f
42 7d0398d3cdd1de1e004fb26811107ed168e54803c4b9fd6cdd248c84081c9b49
42 7ca6c3b0cc309f6e0a7ceabec98eb97874e649b155493b52aee90cd06f1acf46
42 62b0f613fc4fb0754494bc0d035a0a3162c0ae8a81f0279ccfcf5c69048716ce
42 57359b3f029a3590905d81a3c99d4a7e784fdc33b4f052c95b4d24c41f390312
42 18b553d24823abc903c16993a2072cefe4768f8e9d14a5b4781f1b58e0c9b667
42 111655197188bbfe1d7b914d367281002795033638cfce67635dd597f8c31772
42 0dbca2da61a0a46e41095b92434d16974351f92ae0268eafae67a8a2d26c4449
42 0b85a8f2e728ff357e3e5058e18203dd355af15956a991327d3746e2b5c5fc95
1 9f7537bf60aa99f7654b8278ed7b2ab0051c1ee3268d56536846a46a333b87cd
1 20d550d4bd3fd45e1788847574fa1cc340f2bf910094b75de4f237bb643477f6
• The hashes seen on only one host out of 42 are the leads
Stack the Data to Identify Anomalies (3)
• Reference the hash map from the initial collection to find the host
$ grep "20d550d4bd3fd45e1788847574fa1cc340f2bf910094b75de4f237bb643477f6" hash-map.txt
10.54.23.77:20d550d4bd3fd45e1788847574fa1cc340f2bf910094b75de4f237bb643477f6
• Result: a backdoored version of VMware Tools on 10.54.23.77
Extra Credit
• Dump all of the autoruns from the entire organization into an Elasticsearch cluster
• Collect data periodically
• Analyze changes over time
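The stacking procedure from the three slides above, plus the extra-credit "changes over time" step, as one script. This is an added example and not the deck's tooling: it reads the same HOST:HASH layout as hash-map.txt, but the fleet, the hosts and the hashes are constructed (SHA-256 of placeholder strings, not real files or real malware), and the max_hosts rarity threshold is an assumption.

```python
import hashlib
from collections import defaultdict


def placeholder_hash(name):
    """SHA-256 of a placeholder string, used only to build the constructed sample below."""
    return hashlib.sha256(name.encode()).hexdigest()


# Constructed fleet: three hosts sharing a baseline set of autorun hashes. The names are
# labels for the sample only; nothing here is a real file or a real malware hash.
BASELINE = [placeholder_hash(n) for n in ("explorer.exe", "svchost.exe", "vmtoolsd.exe", "onedrive.exe")]
RARE_ON_ONE_HOST = placeholder_hash("vmtoolsd.exe (tampered build)")
NEW_ON_DAY2 = placeholder_hash("dropper.exe")


def build_snapshot(extra):
    """HOST:HASH lines in the layout of the talk's hash-map.txt; extra maps host -> added hashes."""
    lines = []
    for host in ("10.54.23.4", "10.54.23.5", "10.54.23.77"):
        for digest in BASELINE + extra.get(host, []):
            lines.append(f"{host}:{digest}")
    return "\n".join(lines) + "\n"


DAY1 = build_snapshot({"10.54.23.77": [RARE_ON_ONE_HOST]})
DAY2 = build_snapshot({"10.54.23.77": [RARE_ON_ONE_HOST], "10.54.23.5": [NEW_ON_DAY2]})


def parse_hash_map(text):
    """hash -> set of hosts. Sets absorb the duplicate lines that appear when one
    binary is referenced from several autostart locations on the same host."""
    hosts_by_hash = defaultdict(set)
    for line in text.splitlines():
        if ":" not in line:
            continue
        host, digest = line.split(":", 1)
        hosts_by_hash[digest.strip().lower()].add(host.strip())
    return hosts_by_hash


def prevalence(text):
    """[(host count, hash)] most common first: the `sort | uniq -c | sort -rn` step."""
    return sorted(((len(h), d) for d, h in parse_hash_map(text).items()), reverse=True)


def rare_hashes(text, max_hosts=1):
    """Hashes present on at most max_hosts hosts, with those hosts: the leads to investigate."""
    return {d: sorted(h) for d, h in parse_hash_map(text).items() if len(h) <= max_hosts}


def new_since(previous_text, current_text):
    """Hashes in the current snapshot that the previous one never saw (change over time)."""
    seen = parse_hash_map(previous_text)
    return {d: sorted(h) for d, h in parse_hash_map(current_text).items() if d not in seen}


if __name__ == "__main__":
    for count, digest in prevalence(DAY1):
        print(count, digest)
    print("rare:", rare_hashes(DAY1))
    print("new on day 2:", new_since(DAY1, DAY2))
```

Counting hosts per hash rather than raw lines is what makes the result match the slide's intuition: a binary registered under three run keys on one machine is still a one-host outlier, not a three-host one. Feed each day's snapshot through new_since and you get the "what changed since yesterday" view the extra-credit slide asks for without an Elasticsearch cluster.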
Conclusion
• Understand your network and adversary tactics
• Reach out and check for badness on the network
• Look at host anomalies to identify badness on your hosts
• Once you find badness, kick it to your remediation process
• You can do all this very cheaply
• No signatures
• No IOCs
• JUST PURE HUNTING GOODNESS
Endgame Hunt Cycle
• Recon of internal network
• Identification of assets to protect
• Gather data
• Implement mitigation techniques
• Prevent adversary techniques
• Protect uncompromised systems
• Respond intelligently with surgical actions
• Act at scale to evict the adversary
• Report on the hunt
• Analyze collected data for outliers
• Discover new indicators of compromise
• Pivot to determine the full extent of the breach
Thank You.
Lunch and Learn, Wednesday April 12 at 12:05
Think Offense: Hunt Smarter, Live Low
Mike Nichols, Principal Product Manager
Osint, shoelaces, bubblegum
 
Nmapper theHarvester OSINT Tool explanation
Nmapper theHarvester OSINT Tool explanationNmapper theHarvester OSINT Tool explanation
Nmapper theHarvester OSINT Tool explanation
 

Último

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Último (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Hunting on the Cheap

1. Hunting on the Cheap
Jamie Butler, CTO
Andrew Morris, Threat Researcher
Anjum Ahuja, Threat Researcher

2. About Us
Anjum Ahuja
• Threat Researcher @ Endgame
• Network Security & Machine Learning
• aahuja@endgame.com
Andrew Morris
• Threat Researcher @ Endgame
• Offense Ops & Pentesting
• amorris@endgame.com
• @andrew___morris
Jamie Butler
• CTO @ Endgame
• Security Researcher
• james.butler@endgame.com

3. Agenda
• Threat Hunting
• Hunt Cycle
• Hunting on the Cheap
• Hunting on Network
• Hunting on Host
• Hunting with Intelligence
• Conclusion

4. Adversary Hunting
• Assume breach
• Finding and eliminating badness that already exists in your network
• Mature organizations
• Interesting marriage between offense and defense
Incident Response meets red teaming meets forensics meets Minority Report

5. Hunting … on the cheap
• You can Hunt!
• Free tools
• Effective Techniques
• With or without sources of commercial threat intelligence
• Try it before you buy it

6. Cool – So how do I hunt on the cheap?
• Look at your network and your hosts
• General Hunt methodology
  • Collect data
  • Analyze collection – outliers and indications of bad
  • Follow up on leads
  • Remediate
  • Repeat
• We will discuss specific places to look and what to look for in the data
  • Network
  • Host

7. Hunting on the Network
…on the cheap

8. Why Hunt on the Network
• Known bad network IOCs are short-lived
  • IPs change - SaaS has made it easier to migrate to new infrastructure
  • Domains change - Domain registration has gotten simpler (little or no validation), cheaper (tons of new TLDs) and stealthy (WHOIS privacy service)
• Instead, find unknown bad from higher order signals and patterns

9. Passive DNS
“Passively observe inter-server DNS messages and reassemble DNS transactions”
10. Passive DNS
• passiveDNS (https://github.com/gamelinux/passivedns)
• sie-dns-sensor (https://github.com/farsightsec/sie-dns-sensor)
Fields | Interesting values
record type | A(1), AAAA(28), NS(2), CNAME(5), MX(15)
return code | NOERR(0), SERVFAIL(2), NXDOMAIN(3)

11. Workflow
• Discover what’s normal
• Hunt for outliers
  • Fast flux
  • Domain Generation Algorithm (DGA)
  • NXDOMAIN
  • Periodicity
  • Phishing detection
• Validate & IR

12. Whitelist
Friendly neighborhood whitelist - Alexa top domains
• Alexa tracks popularity of websites
  • From browser’s address bar
  • Doesn’t include all the media and third party content requested by the main page
• PassiveDNS captures queries from all applications, of all record types, even failures and unsolicited responses

13. Dynamic DNS domains
Dynamic DNS domain | Alexa rank
sytes.net | 14,424
zapto.org | 64,151
hopto.org | 60,658
dynu.com | 108,459
redirectme.net | 159,783
servehttp.com | 207,700
serveftp.com | 465,177

14. Fast Flux
“Large number of IPs associated with a single domain that are swapped in and out at high frequency”
• Load balancers also do the same
• Anycast looks similar
• But, diversity of the IP address space separates the two classes

15. Fast flux (benign)
Domain | # IPs | Owner of IP space
prod-w.nexus.live.com.akadns.net. | 21 | microsoft informatica ltda, microsoft corp, microsoft corporation
www-google-analytics.l.google.com. | 26 | google inc
sync.teads.tv. | 21 | amazon.com inc, amazon technologies inc, amazon data services ireland limited
prodlb01-1956114858.eu-west-1.elb.amazonaws.com. | 19 | amazon data services ireland ltd, amazon web services, elastic compute cloud ec2 eu, amazon.com inc, amazon technologies inc, dub5 ec2
ap.gslb.spotify.com. | 25 | spotify ltd, spotify ab
profile.ess-apple.com.akadns.net. | 23 | apple inc

16. Fast Flux (malicious)
Domain | # IPs | CC distribution | Owner of IP space
ahmdallame.no-ip.biz | 34 | iq, fr | dynamic ip pool, earthlink ltd. communications & internet services
liiion999.zapto.org | 45 | fr, ma, it, us, hu, at, ro, mx | edis infrastructure in france, mexico server, telentia enterprise customer, amplusnet srl, micfo llc., serverastra kft, india server, dynamic ip pool, adsl_maroc_telecom, psinet inc, national computer systems co
liiion777.zapto.org | 50 | fr, ma, us, hu, at, nl, ro, mx | dynamic ip pool, mexico server, maroctelecomasdl, edis infrastructure in spain, telentia enterprise customer, amplusnet srl, serverastra kft., india server, leaseweb netherlands b.v., adsl_maroc_telecom, psinet inc.
False positive: *.pool.ntp.org is also hosted on diverse IP address space
17. DGA
“Algorithmically generate large number of domain names, to serve as C&C servers”
• Thousands of potential domains per day
• Botnet controller only needs to register one of them to keep the lights on

18. DGA - Features
• Features
  • Entropy
  • Length
  • Vowel to Consonant ratio
  • Longest consonant sequence
  • ngrams from Alexa top domains 2LDs
  • ngrams from English dictionary
• RandomForestClassifier
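The feature set from slide 18 worked through in code, as an added example that is not the deck's own: it extracts the six features for a domain's second-level label, with a small constructed whitelist and word list standing in for the Alexa 2LDs and the English dictionary. The RandomForestClassifier itself is not included; dga_vector() produces the row it would consume.

```python
import math
from collections import Counter

# Constructed stand-ins for the deck's corpora (Alexa top-domain 2LDs and an
# English dictionary). Real use swaps in the full lists.
WHITELIST_2LDS = ["google", "facebook", "youtube", "amazon", "wikipedia",
                  "twitter", "microsoft", "apple", "netflix", "linkedin"]
ENGLISH_WORDS = ["party", "summer", "woman", "gentleman", "although",
                 "experience", "every", "begin", "period", "mountain",
                 "apple", "single", "matter", "smoke", "together", "perhaps"]
VOWELS = set("aeiou")


def ngrams(s, n=3):
    """Set of character n-grams of s (empty when s is shorter than n)."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def corpus_ngrams(words, n=3):
    """Union of n-grams over a corpus; built once, reused for every domain."""
    out = set()
    for w in words:
        out |= ngrams(w.lower(), n)
    return out


WHITELIST_NGRAMS = corpus_ngrams(WHITELIST_2LDS)
DICTIONARY_NGRAMS = corpus_ngrams(ENGLISH_WORDS)


def second_level_label(domain):
    """'vobrbjlloae.fr.' -> 'vobrbjlloae'. Strips only the last label; no
    public-suffix handling, so 'x.co.uk' would yield 'co' (simplification)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_consonant_ratio(s):
    letters = [c for c in s if c.isalpha()]
    v = sum(1 for c in letters if c in VOWELS)
    k = len(letters) - v
    return v / k if k else float(v)


def longest_consonant_run(s):
    """Length of the longest run of consonant letters ('y' counts as one)."""
    best = cur = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def ngram_coverage(s, corpus, n=3):
    """Share of the label's n-grams seen in a corpus; wordlike labels score high."""
    grams = ngrams(s, n)
    return len(grams & corpus) / len(grams) if grams else 0.0


FEATURE_NAMES = ["entropy", "length", "vowel_consonant_ratio",
                 "longest_consonant_run", "whitelist_ngram_coverage",
                 "dictionary_ngram_coverage"]


def dga_features(domain):
    """Feature dict for one domain; dga_vector() flattens it for a classifier."""
    label = second_level_label(domain)
    return {
        "entropy": round(shannon_entropy(label), 3),
        "length": len(label),
        "vowel_consonant_ratio": round(vowel_consonant_ratio(label), 3),
        "longest_consonant_run": longest_consonant_run(label),
        "whitelist_ngram_coverage": round(ngram_coverage(label, WHITELIST_NGRAMS), 3),
        "dictionary_ngram_coverage": round(ngram_coverage(label, DICTIONARY_NGRAMS), 3),
    }


def dga_vector(domain):
    """Row in a fixed column order, the shape a RandomForestClassifier expects."""
    f = dga_features(domain)
    return [f[name] for name in FEATURE_NAMES]


if __name__ == "__main__":
    for d in ("vobrbjlloae.fr", "partydifference.net", "google.com"):
        print(d, dga_features(d))
```

The Nivdort-style names on slide 20 (two dictionary words glued together) score high on dictionary n-gram coverage, which is exactly why they come out as false negatives for a model leaning on these features.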
19. DGA (True positives)
Cryptolocker (96.4% accuracy)
Domain | Verdict | Confidence
vobrbjlloae.fr | DGA | 0.92
sgnuqrek.uk | DGA | 0.84
dkoudkavtnjc.tf | DGA | 0.97
kspruxe.uk | DGA | 0.62
qalhanhhsockuxj.yt | DGA | 0.96
wtjawjv.nl | DGA | 0.64
Tiny Banker (98.2% accuracy)
Domain | Verdict | Confidence
sdprjrntgvlw.ru | DGA | 0.98
fnetiyouqksr.xyz | DGA | 0.96
cpowrnbskkxt.xyz | DGA | 0.99
pmiioppkqrvw.pw | DGA | 0.98
brstpvrtkcpp.com | DGA | 0.97
htschinwcghk.com | DGA | 0.86

20. DGA (False Negatives)
Domain | Verdict | Confidence
perhapstogether.net | DGA | 0.52
partydifference.net | DGA | 0.58
summerdifference.net | DGA | 0.53
womandifference.net | DGA | 0.53
gentlemanalthough.net | DGA | 0.52
experienceevery.net | Benign | 0.52
beginevery.net | Benign | 0.76
partyperiod.net | Benign | 0.69
smokesingle.net | Benign | 0.69
mountainmatter.net | Benign | 0.53
mountainapple.net | Benign | 0.73

22. NXDOMAIN
• Thousands of DGA domains are queried but only a few resolve
• Normally typos, copy-paste errors, browser prefetch. Less than 5% of the traffic
Malware Family | NXDOMAIN ratio
Cryptolocker | 2.07
Nivdort | 13.58
Teslacrypt | 14.38

23. False Positives
Domain | Class | Probability
qetdjnndqo.c*****1.org. | DGA | 0.83
mjhhofjsdrsulcn.c*****1.org | DGA | 0.96
hicbaxevoldlszl.c*****1.org | DGA | 0.96
bchbnajexhspfrq.c*****1.org | DGA | 0.97
mbgmajnvrvyn.c*****1.org | DGA | 0.96
nlbvxhfomxx.c*****1.org | DGA | 0.95
• DGA-like domains
• Most of them NXDOMAINs
• WHOIS privacy proxy
Chrome DNS wildcard detection!

25. Periodicity
• Continuous traffic generated by the OS and background services
• For example, software update check, keep alive, content refresh

26. Periodicity (benign)
Domain | Inter-request time | Probability
e673.e9.akamaiedge.net | 530.5 | 0.99
itunes-cdn.itunes-apple.com.akadns.net | 1190.0 | 0.97
teredo.ipv6.microsoft.com.nsatc.net | 919.0 | 0.95
ds-comet.yahoo.g01.yahoodns.net | 360.0 | 0.88
itunes.apple.com.edgekey.net | 595.0 | 0.98
Hosted on HA, load balanced networks that are usually on our whitelist

27. Periodicity (malicious)
Cryptolocker (~953 sec)
Domain | Probability
vobrbjlloae.fr | 0.98
www.tabi104.net | 0.84
wtjawjv.nl | 0.96
ojqya.pw | 0.98
netvegonhi.nl | 0.98
Nivdort family (~1892 sec)
Domain | Probability
desireproduce.net | 0.70
partyorderly.net | 0.89
stillaction.net | 0.87
desireoclock.net | 0.73
fightbattle.net | 0.77
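Periodicity hunting from slides 25 to 27, as an added example that is not the deck's code: it derives inter-request times per (client, name) from a constructed passive DNS query log and scores their regularity. The score here is one minus the coefficient of variation of the gaps (an assumption; the deck reports a model probability), and a whitelist hook handles the benign CDN/HA cases of slide 26.

```python
import statistics
from collections import defaultdict


def build_sample_log():
    """Constructed passive DNS query log as (unix_ts, client_ip, qname); not deck data."""
    base = 1_500_000_000
    log = []
    # A beacon: one client resolving the same name every ~953 s (the deck's
    # Cryptolocker interval) with a little jitter.
    for i in range(12):
        log.append((base + 953 * i + (i % 3) - 1, "10.54.23.77", "vobrbjlloae.fr"))
    # Ordinary browsing: bursty, irregular gaps to the same name.
    for off in (0, 4, 9, 130, 131, 2000, 2003, 7600, 9000, 9002):
        log.append((base + off, "10.54.23.4", "www.example.test"))
    return sorted(log)


def inter_request_times(log):
    """Map (client, qname) -> gaps in seconds between successive queries."""
    times = defaultdict(list)
    for ts, client, qname in log:
        times[(client, qname.lower().rstrip("."))].append(ts)
    gaps = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps[key] = [b - a for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def periodicity_score(gaps, min_samples=5):
    """Regularity of the gaps as 1 - coefficient of variation, clipped to [0, 1].
    Returns (score, mean_gap); too few samples or a zero mean score 0."""
    if len(gaps) < min_samples:
        return 0.0, None
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return 0.0, None
    cv = statistics.pstdev(gaps) / mean
    return max(0.0, 1.0 - cv), mean


def find_periodic(log, threshold=0.9, min_samples=5, whitelist=()):
    """(client, qname, mean_gap, score) for regular resolvers, skipping whitelisted
    names and their subdomains, since CDN/HA hosts are periodic for benign reasons."""
    hits = []
    for (client, qname), gaps in inter_request_times(log).items():
        if any(qname == w or qname.endswith("." + w) for w in whitelist):
            continue
        score, mean = periodicity_score(gaps, min_samples)
        if score >= threshold:
            hits.append((client, qname, round(mean, 1), round(score, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_periodic(build_sample_log()):
        print(hit)
```

A hit is a lead, not a verdict: the next step is slide 29's validation (which host, which process, is this new behaviour).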
28. Phishing Detection
• “Edit distance: number of operations like removal, insertion or substitution of characters that converts one string to the other”
• Longest common substring: use a suffix tree for O(n)
Real website | Fake site
facebook.com | facebookc.om
malware.com | rnalware.com
apple.com | applesoftupdate.com
paypal.com | paypal.com.user.accounts.lwproductions.net
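The two string measures from slide 28 run against the table's four examples, as an added example that is not the deck's code: Levenshtein edit distance against the full brand domain and longest common substring against the brand label. The substring is computed with the O(n·m) dynamic-programming version rather than the suffix tree the deck mentions, and the BRANDS list and the match thresholds are assumptions for the example.

```python
def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions, rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def longest_common_substring(a, b):
    """Longest run of characters shared by a and b (returned as a slice of a)."""
    best_len = best_end = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


# Constructed list of brands to protect; the deck's table supplies the names.
BRANDS = ["facebook.com", "malware.com", "apple.com", "paypal.com"]


def lookalike_matches(qname, brands=BRANDS, max_distance=2, min_overlap=0.8):
    """Brands a queried name resembles: (brand, edit_distance, shared_substring).
    Flags a name when it is within max_distance edits of the brand domain, or
    when it shares at least min_overlap of the brand label as one substring
    (catches 'applesoftupdate.com' and 'paypal.com.user...' which are far in edits)."""
    q = qname.lower().rstrip(".")
    hits = []
    for brand in brands:
        if q == brand:
            continue
        label = brand.split(".")[0]
        d = edit_distance(q, brand)
        lcs = longest_common_substring(q, label)
        if d <= max_distance or len(lcs) / len(label) >= min_overlap:
            hits.append((brand, d, lcs))
    return hits


if __name__ == "__main__":
    for name in ("facebookc.om", "rnalware.com", "applesoftupdate.com",
                 "paypal.com.user.accounts.lwproductions.net", "google.com"):
        print(name, lookalike_matches(name))
```

Short brand labels make the substring rule noisy (any name containing the label trips it), so in practice the brand list should carry labels of five or more characters or a per-brand threshold.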
29. Next Steps
• Validate outliers
  • New or consistent behavior?
  • How many hosts?
  • How many models triggered?
• Identify the user(s)/process generating the traffic, assess maliciousness
• If malicious, kick off incident response process

30. One more thing
• Every network is different, find out what’s normal for yours
• Maintain a list of newly observed domains in your network
• Segment your network by the source of outliers

31. Hunting on the Host
…on the cheap

32. General idea
• You have lots of hosts
• And, they are somewhat homogenous
• Look for outliers and things that don’t make sense, investigate
  • Could be an application only one person is using
  • Could be malware
• Many things to look at
  • Processes
  • Network connections and listening ports
  • Filesystem
  • User logs
  • Autoruns
  • (There’s more… you have to choose what to focus on)

33. Scenarios
• Hunting with (open source) intelligence
  • Consume threat intelligence
  • Deploy remote Yara scan
• Hunting with zero intelligence
  • Collect specific data from all your hosts
  • Look for anomalies and outliers

35. Hunting with Intelligence
• Get Intel
  • IOC?
  • Hash?
  • TTP?
  • Filename?
• Apply Intel
  • PowerShell + Yara!
• Remediate
  • Hope you have a remediation process…

36. Consuming Open Source Intelligence
• AlienVault
• IOCBucket
• Abuse.ch
• Blocklist.de
• EmergingThreats
• VirusTotal
• Malwr

37. YARA
• Apply standardized binary patterns + sequences to identify badness in a binary
• Grep on crack
• Scans files and memory
• Free signatures for tools used by bad guys targeting your vertical
• Signatures are brittle
  • But if well written, low false positive rate
• And it’s FREE
• Value? This will tell you if a known bad file is on a given host
https://plusvic.github.io/yara/

38. Example Yara Rule
• Rule for Mimikatz (tool for dumping plaintext passwords)
• Used by red teamers and APT groups alike
• https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar

39. Remote Yara Scan
Leverage PowerShell to remotely run a Yara scan with a pre-defined rule set on a given directory
• Transfer Yara binary to target machine w/ native Windows functionality
PS> copy yara.exe \\TARGET-HOST\C$\TEMP\yara.exe
• Transfer rules
PS> copy rules.yara \\TARGET-HOST\C$\TEMP\rules.yara
• Execute scan w/ Invoke-Command
PS> Invoke-Command -ComputerName TARGET -ScriptBlock { c:\TEMP\yara.exe c:\TEMP\rules.yara c:\targetdir } -credential USER

40. So what?
• You should look for emergent known bad across your network
• Yara is a great way to find known bads and kick off the remediation process
• Sadly, malware changes rapidly so this is necessary but not sufficient…
https://github.com/Yara-Rules/rule
41. Hunting with no Intelligence
…on the cheap

42. Autoruns
• There are lots of places to look on hosts for oddities and outliers
• Bad guys love to stick around on a box – persistence
  • Makes it harder to get rid of an infection
• So, we’ll focus our zero intelligence hunting on Autoruns
• Where are the autoruns?
  • Registry run keys
  • Services
  • Drivers
  • Browser add-ons
  • Tons of other crafty stuff
  • Over 100 locations – thanks Windows!
• Thankfully, free tools can help you out

43. Does this really work?
• Yup
• Autoruns should be relatively consistent across the network
  • Assuming network is somewhat homogenous and locked down
• Anomalous autoruns could indicate badness

44. Sysinternals autoruns
• Awesome tool from Microsoft
• Pulls most autorun items on a Windows system
• Hashes them for you
• Can submit them to VirusTotal for you

45. Hash Autorun Items to find Known Malware
Leverage PowerShell to remotely execute Sysinternals “Autorunsc.exe” to collect autorun items via the command line, submit to VT
• Transfer Autoruns binary and required DLL to target machine w/ native Windows functionality
PS> copy autorunsc.exe \\TARGET-HOST\C$\TEMP\autorunsc.exe
PS> copy msvcr100.dll \\TARGET-HOST\C$\TEMP\msvcr100.dll
• Execute program w/ Invoke-Command (w/ optional output)
PS> Invoke-Command -ComputerName TARGET -ScriptBlock { c:\TEMP\autorunsc.exe -a (??) -h (>> c:\TEMP\autoruns-output.txt) } -credential USER
• Collect output
PS> copy \\TARGET-HOST\C$\TEMP\autoruns-output.txt c:\directory

46. Hash Autorun Items to find Known Malware (2)
• Submit all autorun hashes to VirusTotal
• Anything that returns a positive malware hit in VT should be investigated
• This can be done inline with the Sysinternals Autoruns tool
• Or you can build something yourself easily with the VirusTotal API
47. Stack the Data to Identify Anomalies
• Pull hashes of all autorun items (see previous)
• Map autorun hashes as HOST:HASH
$ cat hash-map.txt
10.54.23.4:0dbca2da61a0a46e41095b92434d16974351f92ae0268eafae67a8a2d26c4449
10.54.23.4:fcaee53875a28ed570d4e1b12610ec9503cfcca26c7964df304390e04e368264
10.54.23.4:0dbca2da61a0a46e41095b92434d16974351f92ae0268eafae67a8a2d26c4449
10.54.23.4:eb0ed2b57db1fee056526e065af4d874b8f2dfec0fad14defbb61184ce32d4cf
10.54.23.4:873e697cc9f3a0d85346befd537905c8642654a8be836d9b3fa41826a2ef729f
10.54.23.4:111655197188bbfe1d7b914d367281002795033638cfce67635dd597f8c31772
10.54.23.4:57359b3f029a3590905d81a3c99d4a7e784fdc33b4f052c95b4d24c41f390312
10.54.23.4:7ca6c3b0cc309f6e0a7ceabec98eb97874e649b155493b52aee90cd06f1acf46
10.54.23.5:111655197188bbfe1d7b914d367281002795033638cfce67635dd597f8c31772
10.54.23.5:eb0ed2b57db1fee056526e065af4d874b8f2dfec0fad14defbb61184ce32d4cf
10.54.23.5:57359b3f029a3590905d81a3c99d4a7e784fdc33b4f052c95b4d24c41f390312
10.54.23.5:7ca6c3b0cc309f6e0a7ceabec98eb97874e649b155493b52aee90cd06f1acf46
...

48. Stack the data to identify anomalies (2)
• Delineate output by colon (:)
$ cat hash-map.txt | cut -d':' -f2 > hashes.txt
• Reduce by amount of occurrences
$ cat hashes.txt | sort | uniq -c | sort -n | tac
42 fcaee53875a28ed570d4e1b12610ec9503cfcca26c7964df304390e04e368264
42 eb0ed2b57db1fee056526e065af4d874b8f2dfec0fad14defbb61184ce32d4cf
42 873e697cc9f3a0d85346befd537905c8642654a8be836d9b3fa41826a2ef729f
42 7d0398d3cdd1de1e004fb26811107ed168e54803c4b9fd6cdd248c84081c9b49
42 7ca6c3b0cc309f6e0a7ceabec98eb97874e649b155493b52aee90cd06f1acf46
42 62b0f613fc4fb0754494bc0d035a0a3162c0ae8a81f0279ccfcf5c69048716ce
42 57359b3f029a3590905d81a3c99d4a7e784fdc33b4f052c95b4d24c41f390312
42 18b553d24823abc903c16993a2072cefe4768f8e9d14a5b4781f1b58e0c9b667
42 111655197188bbfe1d7b914d367281002795033638cfce67635dd597f8c31772
42 0dbca2da61a0a46e41095b92434d16974351f92ae0268eafae67a8a2d26c4449
42 0b85a8f2e728ff357e3e5058e18203dd355af15956a991327d3746e2b5c5fc95
1 9f7537bf60aa99f7654b8278ed7b2ab0051c1ee3268d56536846a46a333b87cd
1 20d550d4bd3fd45e1788847574fa1cc340f2bf910094b75de4f237bb643477f6

49. Stack the data to identify anomalies (2)
• Reference the hash map from initial collection
$ grep "20d550d4bd3fd45e1788847574fa1cc340f2bf910094b75de4f237bb643477f6" hash-map.txt
10.54.23.77:20d550d4bd3fd45e1788847574fa1cc340f2bf910094b75de4f237bb643477f6
Backdoored version of VMware Tools
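The stacking on slides 47 to 49 done in Python instead of cut/sort/uniq, as an added example with constructed HOST:HASH data (short labels stand in for SHA-256 values; none of it is deck data). It counts distinct hosts per hash rather than raw lines, so a hash listed twice for one host, as 0dbca… is in the listing above, is not inflated, and it returns the hosts to pivot to for each rare hash in one step.

```python
from collections import defaultdict

# Constructed fleet: five hosts sharing four baseline autorun hashes, one
# duplicate line on a host, and one outlier hash on a single host.
HOSTS = ["10.54.23.%d" % n for n in (4, 5, 6, 7, 77)]
BASELINE = ["hash-a", "hash-b", "hash-c", "hash-d"]   # stand-ins for SHA-256 values


def build_sample_hash_map():
    """Text in the deck's hash-map.txt format (HOST:HASH per line)."""
    lines = [f"{host}:{digest}" for host in HOSTS for digest in BASELINE]
    lines.append("10.54.23.4:hash-a")      # same item collected twice on one host
    lines.append("10.54.23.77:hash-x")     # the outlier to surface
    return "\n".join(lines)


def parse_hash_map(text):
    """HOST:HASH lines -> {hash: set(hosts)}; blank and malformed lines are skipped."""
    hosts_by_hash = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, _, digest = line.partition(":")
        hosts_by_hash[digest.strip().lower()].add(host.strip())
    return hosts_by_hash


def stack(hosts_by_hash):
    """Same shape as `cut | sort | uniq -c | sort -n | tac`: (host_count, hash),
    most common first, ties broken by hash so output is stable."""
    return sorted(((len(h), d) for d, h in hosts_by_hash.items()),
                  key=lambda pair: (-pair[0], pair[1]))


def rare_hashes(hosts_by_hash, max_hosts=1):
    """Hashes present on at most max_hosts hosts, with the hosts to investigate.
    Equivalent to reading the bottom of the stack and grepping the map (slide 49)."""
    return {d: sorted(h) for d, h in hosts_by_hash.items() if len(h) <= max_hosts}


if __name__ == "__main__":
    table = parse_hash_map(build_sample_hash_map())
    for count, digest in stack(table):
        print(f"{count:>4} {digest}")
    print(rare_hashes(table))
```

Raising max_hosts to a small fraction of the fleet catches the same outlier when it has already spread to a handful of machines.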
50. Extra Credit
• Dump all of the autoruns from the entire organization into an Elasticsearch cluster
• Collect data periodically
• Analyze changes over time

51. Conclusion
• Understand your network and adversary tactics
• Reach out and check for badness on the network
• Look at host anomalies to identify badness on your hosts
• Once you find badness, kick it to your remediation process
• You can do all this very cheap
  • No signatures
  • No IOCs
  • JUST PURE HUNTING GOODNESS

52. Endgame Hunt Cycle
• Recon of internal network
• Identification of assets to protect
• Gather data
• Implement mitigation techniques
• Prevent adversary techniques
• Protect uncompromised systems
• Respond intelligently with surgical actions
• Act at scale to evict the adversary
• Report on the hunt
• Analyze collected data for outliers
• Discover new indicators of compromise
• Pivot to determine the full extent of the breach

53. Thank You.
Lunch and Learn, Wednesday April 12 at 12:05
Think Offense: Hunt Smarter, Live Low
Mike Nichols, Principal Product Manager

Editor's notes

  1. Whitelisting comes with a caveat: popular domains can be compromised too, especially via advertising.
  2. First, identify domains that don’t own or control the content they host. Dynamic DNS providers can’t be blindly whitelisted. Domains with a large number of sub-domains that together resolve to a diverse set of IPs.
  3. Used to beat IP-based block lists. Domains with a large number of A records that are diverse in terms of their geo and ownership. How does it look -
  4. Update the last line to animate
  5. Talk about how PowerShell is installed on Win7+ by default
  6. Volatility on a memory dump