Threat hunting involves proactively searching for attacks and security threats within an organization's infrastructure. It is a human-driven process that helps discover breaches early in the attack lifecycle. Effective threat hunting requires collecting various types of endpoint, network, and security data from across the infrastructure and using tools to analyze that data. The threat hunting process involves generating hypotheses based on intelligence, situational awareness, and domain expertise and then systematically testing those hypotheses through the data to identify malicious activity. Key tactics like internal reconnaissance, persistence, command and control, lateral movement, and exfiltration are important for threat hunters to understand how adversaries operate. Formal methods, integrating people and technology, and balancing automated and manual techniques are important
Hunt down the evil of your infrastructure
1. Hunt Down the Evil of your Infrastructure
A. S. M. Shamim Reza
Deputy Manager
Network Operation Center
Link3 Technologies Ltd.
2. Overview
What is Threat Hunting?
Why is it Important?
Myths of Threat Hunting
The Process
The Practical Guide
Important Things to Remember
3. What is Threat Hunting?
It is a proactive way of finding attacks
It is a human-driven process
It is not a technology
It is a journey, not a destination
4. Why is Threat Hunting so important?
Helps discover breaches / anomalous activity
Catch adversaries/evil early in the attack life-cycle
Can save the targeted organization from financial damage
5. Myths about Threat Hunting
Hunting can be fully automated
It requires a vast amount of data and an advanced set of tools
Hunting is only for elite analysts
8. Questions to ask before starting
What data to collect?
Why collect all that data?
Which tools to use?
Where to store the data?
9. What data sources?
Endpoint data: process execution metadata, registry access data, file data, network data, file prevalence
Network data: network session data, Bro logs, proxy logs, DNS logs, firewall logs, network device logs
Security data: threat intelligence, alerts, friendly intelligence
10. Useful Tools to Start
NetFlow Analyzer - nfsen
Network-based IDS - Bro
Central Log System - Graylog
Security Information & Event Management - OSSIM
12. Hypothesis - The Core of Hunting
The Hunter -
Who will form the hypothesis?
What would he/she like to be?
What does he/she have to know?
Do you have your network diagram?
Do you have a central place to store all the logs and analysis?
Does the hunter know the data?
Does the hunter know how the infrastructure works?
14. Intelligence-Driven Hypotheses
Example -
"I know that HUE JAGUAR tends to send its phishing messages from infrastructure hosted in Mexico. Therefore, if it is phishing any of my users, I should be able to examine my incoming email logs to find messages where the geolocation of the sender's IP is in Mexico."
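One way to test the hypothesis above against data, as an added example that is not part of the original slides: the mail log format and the IP-to-country table are constructed here as stand-ins for a real mail gateway log and a GeoIP database.

```python
import ipaddress

# Constructed inbound mail log (assumption): timestamp, sender IP,
# envelope sender, recipient, quoted subject. A real hunt would read the
# mail gateway's own logs.
MAIL_LOG = """\
2017-03-01T08:12:03Z 203.0.113.7 billing@example-invoice.test alice@corp.test "Invoice overdue"
2017-03-01T08:14:41Z 198.51.100.22 news@vendor.test bob@corp.test "Weekly update"
2017-03-01T09:02:19Z 203.0.113.77 hr-portal@benefits.test carol@corp.test "Action required: password reset"
2017-03-01T09:30:00Z 192.0.2.5 dave@partner.test alice@corp.test "Re: meeting"
"""

# Constructed geolocation table standing in for a GeoIP database (assumption);
# the prefixes are documentation ranges, not real Mexican netblocks.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "MX",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


def geolocate(ip):
    """Return the ISO country code for an IP, or '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "??"


def parse_mail_log(text):
    """Yield one dict per log line; the subject keeps spaces, so split at most 4 times."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sender, rcpt, subject = line.split(" ", 4)
        yield {"ts": ts, "ip": ip, "sender": sender,
               "rcpt": rcpt, "subject": subject.strip('"')}


def hunt_by_sender_country(text, country="MX"):
    """The hypothesis test: inbound messages whose sender IP geolocates to `country`."""
    return [rec for rec in parse_mail_log(text) if geolocate(rec["ip"]) == country]


if __name__ == "__main__":
    for hit in hunt_by_sender_country(MAIL_LOG):
        print(hit["ts"], hit["ip"], hit["sender"], "->", hit["rcpt"], hit["subject"])
```

Hits are leads to investigate, not verdicts: the next pivot is the recipients and sender domains that the geolocation filter surfaces.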
15. Situational Awareness
Example -
An analyst decides to look past the tactical level of intelligence by considering strategic challenges in the organization. To do this, he first looks at non-technical influences on the organization. The analyst receives information that the company is going to acquire a new company. The new company is located in a different part of the world, and its infrastructure will become connected to the new parent company's networks. The analyst knows that the parent company will also inherit the acquired company's assets, data and vulnerabilities.
The hunter generates the hypothesis that the connection points between these two companies' networks will be abused by threat actors that have, potentially, already compromised the acquired company. In an effort to test this hypothesis, the analyst sets up additional monitoring to treat the data flowing in and out of the new network connections as suspect.
16. Domain Expertise
Example -
"A threat hunter knows how BGP is intended to work and has previously seen threat actors manipulate these Internet backbone protocols. This leads the analyst to generate the hypothesis that national-level adversaries/evil may be manipulating Internet routing to steal proprietary information from his organization without having to compromise the organization's network."
18. Tactics, Techniques and Procedures (TTPs)
Internal Reconnaissance - How attackers determine where they're going
Network enumeration
Host enumeration
Persistence - How attackers survive a reboot and simple remediations
Scheduled Task Execution
19. Command & Control - How attackers utilize their tools
Common Protocol, Common Port
Uncommon Protocol, Uncommon port
Lateral Movement - How attackers move around in your network
Pass the Hash (PtH)
Remote Desktop Protocol
Shared Webroot
Path Interception
Exfiltration - How attackers steal your data
DNS Tunneling
SFTP/SCP Exfiltration
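A hunt for the DNS tunneling TTP above using the Bro DNS logs listed under data sources, as an added example that is not from the original slides: the dns.log excerpt is constructed in Bro's tab-separated format with only a subset of the real fields, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed Bro dns.log excerpt (assumption: subset of the real #fields).
# 10.0.0.9 issues a burst of long, high-entropy TXT queries under one parent domain.
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name
1488362400.10\t10.0.0.5\twww.example.com\tA
1488362400.30\t10.0.0.5\tmail.example.com\tMX
1488362401.20\t10.0.0.9\twww.example.com\tA
1488362401.50\t10.0.0.9\tmfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.exfil.test\tTXT
1488362401.80\t10.0.0.9\tnbswy3dpeb3w64tmmqqgc3temf2gc3dfebxw64tvnzsa.t.exfil.test\tTXT
1488362402.10\t10.0.0.9\tpfxgc3lfebtgc43uebzwc3lfebugk3tqmvzxezlnmvzq.t.exfil.test\tTXT
"""


def shannon_entropy(s):
    """Bits per character; encoded payload labels score far higher than names like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def profile_queries(text):
    """Group queries by (source host, parent domain) and score their leftmost labels."""
    groups = defaultdict(list)
    for rec in parse_dns_log(text):
        labels = rec["query"].lower().rstrip(".").split(".")
        groups[(rec["id.orig_h"], ".".join(labels[-2:]))].append(labels[0])
    return {key: {"queries": len(lbls),
                  "mean_len": sum(map(len, lbls)) / len(lbls),
                  "mean_entropy": sum(map(shannon_entropy, lbls)) / len(lbls)}
            for key, lbls in groups.items()}


def hunt_dns_tunnels(text, min_queries=3, min_len=20, min_entropy=3.5):
    """Hypothesis test: hosts sending many long, high-entropy labels to one parent domain."""
    return sorted(key for key, s in profile_queries(text).items()
                  if s["queries"] >= min_queries and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)
```

Legitimate services (CDNs, anti-spam lookups) also produce long labels, so a flagged pair is a lead to pivot on, for example by joining it against proxy and firewall logs for the same host.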
21. Need to Keep in Mind
Use formal methods of threat hunting
Integrate people, processes and technology
Balance automated and manual methods of threat hunting
Look for known and never-before-seen malicious activity to drive the threat hunting program