SlideShare ist ein Scribd-Unternehmen logo

Cyber Threat hunting workshop

A
Arpan Raval

Delivered 1 - day Practical Threat Hunting workshop at sacon.io in Bangalore,India balancing on developing the threat hunting program in organization, how and where to start from as well threat hunting demos as it would look on the ground with hands on labs for 100+ participants.

Daten & Analysen
1 von 54
Downloaden Sie, um offline zu lesen
SACON SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur PRACTICAL THREAT HUNTING: DEVELOPING AND RUNNING A SUCCESSFUL THREAT HUNTING PROGRAM #SACON #THREATHUNTING WASIM HALANI Network Intelligence (NII) HEAD R&D @washalsec ARPAN RAVAL Optiv Inc Senior Threat Analyst @arpanrvl
PRACTICAL THREAT HUNTING: Developing and Running a Successful Threat Hunting Program By Wasim Halani and Arpan Raval
WHOAMI ❖Wasim Halani ❖Head R&D @Network Intelligence (NII) ❖~12 years in InfoSec ❖Speaker at SACON, OWASP, BSides, Malcon, SecurityBytes ❖Twitter @washalsec ❖https://in.linkedin.com/in/wasimhalani
WHOAMI ❖Arpan Raval ❖Senior Threat Analyst @Optiv Inc ❖DFIR and Threat Hunting ❖Twitter @arpanrvl ❖https://www.linkedin.com/in/arpanraval
DEFINE THREAT HUNTING WHY & WHAT?
PROBLEM OF “DWELL TIME” 6 ❖In 2011 Global Median dwell time mentioned was 416 days! ❖For 2018, Fire Eye M Trends reports average dwell time mentioned is 101 days! ❖For 2019, Fire Eye M Trends Reports average dwell time mentioned is 78 days! https://www.fireeye.com/blog/executive-perspective/2019/03/mtrends-2019-celebrating-ten-years-of-incident-response-reporting.html
IoC vs TTP 7 IoC TTP
PYRAMID OF PAIN I n t r o d u c e d b y D a v i d J B i a n c o HASH VALUES IP ADDRESS DOMAIN NAMES NW/HOST ARTIFACTS TOOLS TTP Trivial Easy Simple Annoying Challenging Tough!
What is Threat Hunting? 9 “Threat Hunting is a human driven proactive approach to discover malicious activities that have evaded existing security control.”
What is Threat Hunting? 10 Detecting the Undetected
PURPOSE OF THREAT HUNTING 11 ❖Reduce the Dwell Time ❖Identify Gaps in Visibility ❖Identify Gaps in Detection ❖Design New Detection Mechanism and Analytics techniques ❖Uncover New Threat and TTPs (Producing Threat Intelligence).
What is NOT Threat Hunting? 12 ▪Triaging Alerts ▪IoC sweeps from Intel Feeds to Incoming telemetry ▪Process with guaranteed result. ▪A replacement for penetration testing or red teaming.
What is NOT Threat Hunting? 13 “Autonomous discovery of malicious activity by tools.”
Characteristics of Threat Hunting 14 ▪Human Driven ▪Human Centric ▪Proactive ▪Assume Breach ▪Detect Unknown ▪Iterative ▪Data dependent ▪Hypothesis Driven
Threat Hunting in Security Operations 15 Security Monitoring Threat Hunting Incident Response Search Queries, CTI Guided Detections Retrohunts Incident Detection Event Analysis Detector Creation
MITRE ATT&CK FRAMEWORK
MITRE ATT&CK MATRICES Techniques/Numbers PRE-ATT&CK 174 Enterprise Windows macOS Linux Cloud AWS GCP Azure Office 365 Azure AD SaaS 266 Mobile Android iOS 79 ICS 81 APT Groups 94 Software 414 ▪Attack Library ▪Knowledge base of adversary’s TTPs collected based on real world observations and attacks ▪Describes and Categorize adversarial behavioral in different phases of attack cycle.
MITRE Explained: Tactic 18 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Example An adversary want to achieve credential access.
MITRE Explained: Tactic 19 ATT&CK TACTIC EXPLAINATION OBJECTIVE Initial Access Get into your environment Gain access Credential Access Steal logins and passwords Gain access Privilege Escalation Gain higher level permissions Gain (more) access Persistence Maintain foothold Keep access Defense Evasion Avoid detection Keep access Discovery Figure out your environment Explore Lateral Movement Move through your environment Explore Execution Run malicious code Follow through Collection Gather data Follow through Exfiltration Steal data Follow through Command and Control Contact controlled systems Contact controlled systems Impact Break things Follow through Source: Helping Your Non-Security Executives Understand ATT&CK in 10 Minutes or Less (Elly Searle, CrowdStrike)
MITRE Explained: Technique 20 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Technique PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
MITRE Explained: Technique-Metainfo 21 ❖Tactic: Related MITRE Tactic ❖Platform: Required platform for a technique to work in. ❖Permissions Required: Lowest permission for an adversary to implement the technique ❖Effective Permissions: Permission an adversary achieves after successful implementation of the technique ❖Data Sources: Recommended data to be collection for detection of the technique
MITRE Explained: Enumeration 22 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via Data Encryption
MITRE Explained: Procedure 23 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
MITRE ATTACK MAPPING HANDS ON 1
PRIORITIZED MITRE ATT&CK SUBSETS 29 Let’s create our own prioritized MITRE ATT&CK Subset based adversarial TTPs based derived from any of these: ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources ❖ Ad-Hoc Requests Note: Matrix in upcoming slides is example matrix with dummy data for example which is not necessarily is true or to promote any tool/technology.
MITRE DETECTION MAPPING 30 MITRE Enumeration Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking WDATP Brute Force Elastic Account Discovery Elastic Windows Remote Management TBD Automated Collection UEBA Automated Exfiltration ZScaler Commonly Used Port ZScaler Valid Accounts UEBA Credential Dumping WDATP Application Window Discovery ZScaler COM and DCOM Elastic Clipboard Data WDATP Data Compressed ZScaler Communicatio n Through Removable Media Symantec DLP Spearphishing Attachment TBD Accessibility Features TBD Indicator Removal on Host WDATP Application Deployment Software Elastic Command Line WDATP Data Staged UEBA Data Encrypted Symantec DLP Spearphishing Link TBD AppInit DLLS WDATP Masquerading WDATP Credential Manipulation UEBA File and Directory Discovery UEBA Execution through API TBD Data from Local System UEBA Data Transfer Size Limits TBD Custom Command and Control Protocol Symantec DLPAppCert DLLs WDATP Decode File or Info TBD Pass the Ticket WDATP Graphic User Interface TBD Data from Network Shared Drive ZScaler Exfiltration Over Alternative Protocol ZScalerApplication Shimming TBD DLL Side- Loading WDATP Credentials in Files UEBA WDATP Process Discovery Elastic InstallUtil WDATP Custom Cryptographic Protocol ZScalerNew Service TBD Disabling Security Tools Elastic Input Capture WDATP Remote Desktop Protocol Elastic PowerShell WDATP No detection Detected, No validation Detected Key
DATA SOURCE MAPPING 31 MITRE Enumeration Data does not exist Data exists, not monitored Data exists analyzed and monitoredKey Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLS Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control ProtocolAppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
32 MITRE Enumeration Key
DETECTION MATURITY HEATMAP 33 MITRE Enumeration Limited Initial Stable Current InnovativeMaturity Key Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communication Through Removable MediaSpearphishing Attachment Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLs Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control Protocol AppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
THREAT HUNTING METHODOLOGY TYPES, PROCESS AND CYCLE
Threat Hunting Approaches 35 ▪Long Term ▪Ad-hoc ▪Short Term
Threat Hunting Types 36 ▪Structured Hunting ▪Unstructured Hunting ▪Intel Guided Hunting ------------------------------------- ▪Host Based ▪Network Based ▪Business Use Case Based
Hunting Type: Intel Guided Hunting 37 ▪Guided by Threat Intelligence Inputs ▪Threat Intel Reports ▪Threat White Papers ▪MITRE APT Groups
Hunting Type: Structured Hunting 38 ▪Hypothesis Based ▪Well Scoped ▪TTP driven or Entity Driven ▪Other Synonyms in industry: ▪ATT&CK Drive
HANDS ON LAB 2 STRUCTURED HYPOTHESIS – BITS, ACCESSIBILITY FEATURES
BITS Jobs Defense Evasion, Persistence 40 MITRE ID T1197 MITRE Tactic Defense Evasion, Persistence MITRE Technique BITS Jobs Platform Windows Required Privilege User, Administrator, SYSTEM Data Sources API monitoring, Packet capture,Windows event logs
BITS Jobs Defense Evasion, Persistence 41 Description Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. Implementation Bitsadmin.exe Powershell.exe Start-BitsTransfer
BITS Jobs Defense Evasion, Persistence 42 Source Event ID Event Field Details Windows Security Event Logs 4688 New Process Name *bitsadmin.exe Windows Security Event Logs 4688 Process Command Line *create* Proxy-Logs userAgent Microsoft BITS/*
Hunting Type: Unstructured Hunting 43 ▪Data Driven ▪Anomaly/Outlier based ▪Other synonym in industry: ▪Data Driven Hunting ▪Free Style Hunting
HANDS ON LAB 3 PROCESS ANOMALY
HYPOTHESIS GENRATION PROCESS Assume Breach Scope Hypothesis Execute Validate Document
Accessibility Features Persistence, Privilege Escalation 48 MITRE ID T1015 MITRE Tactic Persistence Privilege Escalation MITRE Technique Accessibility Features Platform Windows Required Privilege Administrator Data Sources Windows Registry, File monitoring, Process monitoring
Accessibility Features Persistence, Privilege Escalation 49 Description Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Implementation Binary Replacement OR Registry Value Change Limitations Depending on Windows versions The replaced binary needs to be digitally signed for x64 systems, The binary must reside in %systemdir% It must be protected by Windows File or Resource Protection (WFP/WRP)
Accessibility Features Persistence, Privilege Escalation 50 Attack Emulation: Set the Debugger value for the desired accessibility feature application
Accessibility Features Persistence, Privilege Escalation 51
Accessibility Features Persistence, Privilege Escalation 52
Accessibility Features Persistence, Privilege Escalation 53 Source Event ID Event Field Details Sysmon 12, 13 TargetObject *SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options<AFU>Debugger AFU=sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe Windows Security Event Logs 4657 Object Name sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe Windows Security Event Logs 4657 Object Value Name Debugger
THE THREAT HUNTING CYCLE HUNT ONCE 03 OUTLIER/ANOMALY IDENTIFICATION 05 DETECTOR CREATION 04 INCIDENT VALIDATION 02HUNT EXECUTION 01 HYPOTHESIS CREATION
POST HUNT ACTIVITIES
POST HUNT ACTIVITY Execution Completed Hunt Ended with Hits Hunts Without Hits Need Enabler EscalatetoCorrectTeam CollectMetrics RequestNewLogSource NeedMoreAccess CollectMetrics UpdateBaseline DocumentHunt
PROGRAM METRICS
❖Hunt Hypothesis ❖Total time spent hunting (hours) ❖Total dwell time (hours) ❖incidents found ❖use cases updated ❖vulnerabilities found Check out Magma Framework for awesome Metrics and Charts in resources link
References and Awesome Resources 60 ▪ http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html ▪ https://github.com/hunters-forge ▪ https://github.com/ThreatHuntingProject/ThreatHunting/tree/master/hunts ▪ https://www.threathunting.net/ ▪ https://github.com/clong/DetectionLab ▪ https://www.betaalvereniging.nl/veiligheid/publiek-private-samenwerking/magma/ ▪ https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting- Methodology.pdf ▪ https://mitre-attack.github.io/attack-navigator/enterprise/ ▪ https://github.com/Cyb3rWard0g/HELK
THANK YOU

Empfohlen

Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 

Empfohlen

Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
Akash Sarode
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
Splunk
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
SKMohamedKasim
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
Panda Security
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
DNIF
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
MITRE - ATT&CKcon
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
Dan Vasile
 
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
Priyanka Aash
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Adam Pennington
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
MITRE - ATT&CKcon
 

Was ist angesagt? (20)

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 

Ähnlich wie Cyber Threat hunting workshop

Ethical Hacking Interview Questions and Answers.pdf
Ethical Hacking Interview Questions and Answers.pdfEthical Hacking Interview Questions and Answers.pdf
Ethical Hacking Interview Questions and Answers.pdf
ShivamSharma909
 

Ähnlich wie Cyber Threat hunting workshop (20)

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
 
Machine learning in Cyber Security
Machine learning in Cyber SecurityMachine learning in Cyber Security
Machine learning in Cyber Security
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
 
Ethical Hacking Interview Questions and Answers.pdf
Ethical Hacking Interview Questions and Answers.pdfEthical Hacking Interview Questions and Answers.pdf
Ethical Hacking Interview Questions and Answers.pdf
 
Irene Michlin. Old Pareto had a chart: getting 80% benefits of threat modelli...
Irene Michlin. Old Pareto had a chart: getting 80% benefits of threat modelli...Irene Michlin. Old Pareto had a chart: getting 80% benefits of threat modelli...
Irene Michlin. Old Pareto had a chart: getting 80% benefits of threat modelli...
 
Threat Detection Algorithms Make Big Data into Better Data
Threat Detection Algorithms Make Big Data into Better Data Threat Detection Algorithms Make Big Data into Better Data
Threat Detection Algorithms Make Big Data into Better Data
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 

Kürzlich hochgeladen

Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Delhi Call girls
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
amitlee9823
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
AroojKhan71
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
only4webmaster01
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
amitlee9823
 
Predicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science ProjectPredicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science Project
Boston Institute of Analytics
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
MarinCaroMartnezBerg
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
Delhi Call girls
 
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
amitlee9823
 
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
amitlee9823
 
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 

Kürzlich hochgeladen (20)

BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
 
Anomaly detection and data imputation within time series
Anomaly detection and data imputation within time seriesAnomaly detection and data imputation within time series
Anomaly detection and data imputation within time series
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFx
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
 
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
 
Predicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science ProjectPredicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science Project
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
➥🔝 7737669865 🔝▻ Bangalore Call-girls in Women Seeking Men 🔝Bangalore🔝 Esc...
 
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Marol Naka Call On 9920725232 With Body to body massage...
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
 

Cyber Threat hunting workshop

  • 1. SACON SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur PRACTICAL THREAT HUNTING: DEVELOPING AND RUNNING A SUCCESSFUL THREAT HUNTING PROGRAM #SACON #THREATHUNTING WASIM HALANI Network Intelligence (NII) HEAD R&D @washalsec ARPAN RAVAL Optiv Inc Senior Threat Analyst @arpanrvl
  • 2. PRACTICAL THREAT HUNTING: Developing and Running a Successful Threat Hunting Program By Wasim Halani and Arpan Raval
  • 3. WHOAMI ❖Wasim Halani ❖Head R&D @Network Intelligence (NII) ❖~12 years in InfoSec ❖Speaker at SACON, OWASP, BSides, Malcon, SecurityBytes ❖Twitter @washalsec ❖https://in.linkedin.com/in/wasimhalani
  • 4. WHOAMI ❖Arpan Raval ❖Senior Threat Analyst @Optiv Inc ❖DFIR and Threat Hunting ❖Twitter @arpanrvl ❖https://www.linkedin.com/in/arpanraval
  • 6. PROBLEM OF “DWELL TIME” 6 ❖In 2011 Global Median dwell time mentioned was 416 days! ❖For 2018, Fire Eye M Trends reports average dwell time mentioned is 101 days! ❖For 2019, Fire Eye M Trends Reports average dwell time mentioned is 78 days! https://www.fireeye.com/blog/executive-perspective/2019/03/mtrends-2019-celebrating-ten-years-of-incident-response-reporting.html
  • 8. PYRAMID OF PAIN I n t r o d u c e d b y D a v i d J B i a n c o HASH VALUES IP ADDRESS DOMAIN NAMES NW/HOST ARTIFACTS TOOLS TTP Trivial Easy Simple Annoying Challenging Tough!
  • 9. What is Threat Hunting? 9 “Threat Hunting is a human driven proactive approach to discover malicious activities that have evaded existing security control.”
  • 10. What is Threat Hunting? 10 Detecting the Undetected
  • 11. PURPOSE OF THREAT HUNTING 11 ❖Reduce the Dwell Time ❖Identify Gaps in Visibility ❖Identify Gaps in Detection ❖Design New Detection Mechanism and Analytics techniques ❖Uncover New Threat and TTPs (Producing Threat Intelligence).
  • 12. What is NOT Threat Hunting? 12 ▪Triaging Alerts ▪IoC sweeps from Intel Feeds to Incoming telemetry ▪Process with guaranteed result. ▪A replacement for penetration testing or red teaming.
  • 13. What is NOT Threat Hunting? 13 “Autonomous discovery of malicious activity by tools.”
  • 14. Characteristics of Threat Hunting 14 ▪Human Driven ▪Human Centric ▪Proactive ▪Assume Breach ▪Detect Unknown ▪Iterative ▪Data dependent ▪Hypothesis Driven
  • 15. Threat Hunting in Security Operations 15 Security Monitoring Threat Hunting Incident Response Search Queries, CTI Guided Detections Retrohunts Incident Detection Event Analysis Detector Creation
  • 17. MITRE ATT&CK MATRICES Techniques/Numbers PRE-ATT&CK 174 Enterprise Windows macOS Linux Cloud AWS GCP Azure Office 365 Azure AD SaaS 266 Mobile Android iOS 79 ICS 81 APT Groups 94 Software 414 ▪Attack Library ▪Knowledge base of adversary’s TTPs collected based on real world observations and attacks ▪Describes and Categorize adversarial behavioral in different phases of attack cycle.
  • 18. MITRE Explained: Tactic 18 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Example An adversary want to achieve credential access.
  • 19. MITRE Explained: Tactic 19 ATT&CK TACTIC EXPLAINATION OBJECTIVE Initial Access Get into your environment Gain access Credential Access Steal logins and passwords Gain access Privilege Escalation Gain higher level permissions Gain (more) access Persistence Maintain foothold Keep access Defense Evasion Avoid detection Keep access Discovery Figure out your environment Explore Lateral Movement Move through your environment Explore Execution Run malicious code Follow through Collection Gather data Follow through Exfiltration Steal data Follow through Command and Control Contact controlled systems Contact controlled systems Impact Break things Follow through Source: Helping Your Non-Security Executives Understand ATT&CK in 10 Minutes or Less (Elly Searle, CrowdStrike)
  • 20. MITRE Explained: Technique 20 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Technique PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
  • 21. MITRE Explained: Technique-Metainfo 21 ❖Tactic: Related MITRE Tactic ❖Platform: Required platform for a technique to work in. ❖Permissions Required: Lowest permission for an adversary to implement the technique ❖Effective Permissions: Permission an adversary achieves after successful implementation of the technique ❖Data Sources: Recommended data to be collection for detection of the technique
  • 22. MITRE Explained: Enumeration 22 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via Data Encryption
  • 23. MITRE Explained: Procedure 23 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
  • 25. PRIORITIZED MITRE ATT&CK SUBSETS 29 Let’s create our own prioritized MITRE ATT&CK Subset based adversarial TTPs based derived from any of these: ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources ❖ Ad-Hoc Requests Note: Matrix in upcoming slides is example matrix with dummy data for example which is not necessarily is true or to promote any tool/technology.
  • 26. MITRE DETECTION MAPPING 30 MITRE Enumeration Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking WDATP Brute Force Elastic Account Discovery Elastic Windows Remote Management TBD Automated Collection UEBA Automated Exfiltration ZScaler Commonly Used Port ZScaler Valid Accounts UEBA Credential Dumping WDATP Application Window Discovery ZScaler COM and DCOM Elastic Clipboard Data WDATP Data Compressed ZScaler Communicatio n Through Removable Media Symantec DLP Spearphishing Attachment TBD Accessibility Features TBD Indicator Removal on Host WDATP Application Deployment Software Elastic Command Line WDATP Data Staged UEBA Data Encrypted Symantec DLP Spearphishing Link TBD AppInit DLLS WDATP Masquerading WDATP Credential Manipulation UEBA File and Directory Discovery UEBA Execution through API TBD Data from Local System UEBA Data Transfer Size Limits TBD Custom Command and Control Protocol Symantec DLPAppCert DLLs WDATP Decode File or Info TBD Pass the Ticket WDATP Graphic User Interface TBD Data from Network Shared Drive ZScaler Exfiltration Over Alternative Protocol ZScalerApplication Shimming TBD DLL Side- Loading WDATP Credentials in Files UEBA WDATP Process Discovery Elastic InstallUtil WDATP Custom Cryptographic Protocol ZScalerNew Service TBD Disabling Security Tools Elastic Input Capture WDATP Remote Desktop Protocol Elastic PowerShell WDATP No detection Detected, No validation Detected Key
  • 27. DATA SOURCE MAPPING 31 MITRE Enumeration Data does not exist Data exists, not monitored Data exists analyzed and monitoredKey Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLS Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control ProtocolAppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
  • 29. DETECTION MATURITY HEATMAP 33 MITRE Enumeration Limited Initial Stable Current InnovativeMaturity Key Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communication Through Removable MediaSpearphishing Attachment Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLs Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control Protocol AppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
  • 31. Threat Hunting Approaches 35 ▪Long Term ▪Ad-hoc ▪Short Term
  • 32. Threat Hunting Types 36 ▪Structured Hunting ▪Unstructured Hunting ▪Intel Guided Hunting ------------------------------------- ▪Host Based ▪Network Based ▪Business Use Case Based
  • 33. Hunting Type: Intel Guided Hunting 37 ▪Guided by Threat Intelligence Inputs ▪Threat Intel Reports ▪Threat White Papers ▪MITRE APT Groups
  • 34. Hunting Type: Structured Hunting 38 ▪Hypothesis Based ▪Well Scoped ▪TTP driven or Entity Driven ▪Other Synonyms in industry: ▪ATT&CK Drive
  • 35. HANDS ON LAB 2 STRUCTURED HYPOTHESIS – BITS, ACCESSIBILITY FEATURES
  • 36. BITS Jobs Defense Evasion, Persistence 40 MITRE ID T1197 MITRE Tactic Defense Evasion, Persistence MITRE Technique BITS Jobs Platform Windows Required Privilege User, Administrator, SYSTEM Data Sources API monitoring, Packet capture,Windows event logs
  • 37. BITS Jobs Defense Evasion, Persistence 41 Description Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. Implementation Bitsadmin.exe Powershell.exe Start-BitsTransfer
  • 38. BITS Jobs Defense Evasion, Persistence 42 Source Event ID Event Field Details Windows Security Event Logs 4688 New Process Name *bitsadmin.exe Windows Security Event Logs 4688 Process Command Line *create* Proxy-Logs userAgent Microsoft BITS/*
  • 39. Hunting Type: Unstructured Hunting 43 ▪Data Driven ▪Anomaly/Outlier based ▪Other synonym in industry: ▪Data Driven Hunting ▪Free Style Hunting
  • 40. HANDS ON LAB 3 PROCESS ANOMALY
  • 41. HYPOTHESIS GENRATION PROCESS Assume Breach Scope Hypothesis Execute Validate Document
  • 42. Accessibility Features Persistence, Privilege Escalation 48 MITRE ID T1015 MITRE Tactic Persistence Privilege Escalation MITRE Technique Accessibility Features Platform Windows Required Privilege Administrator Data Sources Windows Registry, File monitoring, Process monitoring
  • 43. Accessibility Features Persistence, Privilege Escalation 49 Description Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Implementation Binary Replacement OR Registry Value Change Limitations Depending on Windows versions The replaced binary needs to be digitally signed for x64 systems, The binary must reside in %systemdir% It must be protected by Windows File or Resource Protection (WFP/WRP)
  • 44. Accessibility Features Persistence, Privilege Escalation 50 Attack Emulation: Set the Debugger value for the desired accessibility feature application
  • 47. Accessibility Features Persistence, Privilege Escalation 53 Source Event ID Event Field Details Sysmon 12, 13 TargetObject *SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options<AFU>Debugger AFU=sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe Windows Security Event Logs 4657 Object Name sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe Windows Security Event Logs 4657 Object Value Name Debugger
  • 48. THE THREAT HUNTING CYCLE HUNT ONCE 03 OUTLIER/ANOMALY IDENTIFICATION 05 DETECTOR CREATION 04 INCIDENT VALIDATION 02HUNT EXECUTION 01 HYPOTHESIS CREATION
  • 50. POST HUNT ACTIVITY Execution Completed Hunt Ended with Hits Hunts Without Hits Need Enabler EscalatetoCorrectTeam CollectMetrics RequestNewLogSource NeedMoreAccess CollectMetrics UpdateBaseline DocumentHunt
  • 52. ❖Hunt Hypothesis ❖Total time spent hunting (hours) ❖Total dwell time (hours) ❖incidents found ❖use cases updated ❖vulnerabilities found Check out Magma Framework for awesome Metrics and Charts in resources link
  • 53. References and Awesome Resources 60 ▪ http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html ▪ https://github.com/hunters-forge ▪ https://github.com/ThreatHuntingProject/ThreatHunting/tree/master/hunts ▪ https://www.threathunting.net/ ▪ https://github.com/clong/DetectionLab ▪ https://www.betaalvereniging.nl/veiligheid/publiek-private-samenwerking/magma/ ▪ https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting- Methodology.pdf ▪ https://mitre-attack.github.io/attack-navigator/enterprise/ ▪ https://github.com/Cyb3rWard0g/HELK