This document summarizes a presentation on threat hunting. It discusses how adversaries leave traces in various log files and data sources. While automated alerting is useful, it cannot find unknown threats. The document defines threat hunting as techniques to detect security incidents that were missed by automated systems. It emphasizes the importance of having a threat hunting strategy and process. Specific strategies discussed include making the most of existing data and following the kill chain model. The threat hunting process involves developing hypotheses, collecting relevant data, analyzing it using various techniques, and developing additional hypotheses to further the investigation.

1. SACON
SACON International 2017
Chandra Prakash Suryawanshi
Aujas Network Pvt Ltd
SVP
chander80
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
Threat Hunting

2. SACON 2017
Adversaries leave trails everywhere
Email logs
Endpoint
process
accounting
HTTP proxy
logs
Authentication
records
Filesystem
metadata
Network
session data
Database
query logs

3. SACON 2017
Alerting only gets you so far
Automated systems are great, but some have flaws
Good For
Easy to create
new rules.
Automation
decreases dwell
time.
Bad At
Can’t find things
you don’t already
know how to
find!

4. SACON 2017
What is “hunting”?
The collective name for any manual or
machine-assisted techniques used to detect
security incidents
that your automated solutions missed.

5. SACON 2017
Threat Hunting Platform Drivers
A unified environment for:
Collecting and managing big security data
Detecting and analyzing advanced threats
Visually investigating attack TTPs and patterns
Automating hunt techniques
Collaborating amongst security analyst teams

6. SACON 2017
Hunting Styles
Complexity
Value
Indicators
Artifact Analysis
Tactic & Technique
Analysis
Anomaly Detection

7. SACON 2017
The Hunting Maturity Model (HMM)

8. SACON 2017
HUNTING STRATEGY

9. SACON 2017
Strategy enables results
Where
do I
start?
What
should I
look for?
What’s
my path
to
improve?
Your strategy determines the quality of your
results.
Choose a strategy that supports your
detection goals.
Don’t underestimate the importance of good
planning!

10. SACON 2017
Strategy #1
Make the most of what you already collect
Advantages
You probably already collect at least
some data.
Someone is already familiar with its
contents.
You may already have some idea of the
key questions you want answered.
Disadvantages
Your ability to ask questions is limited by
the available data.
External forces have more influence
over your results.
May confuse “easy” with “effective”.

11. SACON 2017
The three data domains
Keep as much as you can comfortably store
Network
• Authentication
• Session data
• Proxy Logs
• File transfers
• DNS resolution
Host
• Authentication
• Audit logs
• Process creation
Application
• Authentication
• DB queries
• Audit & transaction logs
• Security alerts
• Threat intel

12. SACON 2017
Aim for data diversity
Leverage different types of data to…
Reveal
Relationships
Clarify the
Situation
Highlight
Inconsistencies
Tell a Complete
Story

13. SACON 2017
Also look for toolset diversity
Different techniques, different perspectives

14. SACON 2017
Strategy #2
Follow the Kill Chain
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin,
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked April 29th, 2015)
Reconnaissance Weaponization Delivery Exploitation Installation
Command &
Control (C2)
Actions on
Objectives

15. SACON 2017
Strategy #2
Follow the Kill Chain
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin,
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked April 29th, 2015)
Reconnaissance Weaponization Delivery Exploitation Installation
Command &
Control (C2)
Actions on
Objectives
Find incidents already
occurring

16. SACON 2017
Strategy #2
Follow the Kill Chain
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin,
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked April 29th, 2015)
Reconnaissance Weaponization Delivery Exploitation Installation
Command &
Control (C2)
Actions on
Objectives
Find incidents already
occurring
Expand the stories
you are able to tell

17. SACON 2017
Strategy #2
Follow the Kill Chain
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin,
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked April 29th, 2015)
Reconnaissance Weaponization Delivery Exploitation Installation
Command &
Control (C2)
Actions on
Objectives
Find incidents already
occurring
Expand the stories
you are able to tellPredict incidents
before they happen

18. SACON 2017
THE HUNTING PROCESS

19. SACON 2017
The Hunting Process
Successful hunting requires many
iterations through this cycle.
The faster your analysts get
through this loop, the better.

20. SACON 2017
Most hunts start with questions
What data do I have
and what does it
“look like”?
Is there any lateral
movement going on?
Is there any data
exfiltration going on
in my network?
Are there any
unauthorized users
on my VPN?
Is anyone misusing
their database
credentials?
Have my users been
spearphished?

21. SACON 2017
Questions become hypotheses
“If this activity is going on, it
might look like…”
That’s your hypothesis!
If at first you don’t succeed,
recraft it.

22. SACON 2017
Hypotheses Can Be Driven By…
Threat Intelligence
• Both IOC searches and TTP
analysis
• "d8e8fc[…]ba249 is a known-bad
file hash. Let's see if it's on any of
our critical systems."
Situational Awareness
• Based on friendly intel,
knowledge of business processes,
Crown Jewels Analysis or other
knowledge of your own
environment
• "Engineering users should never
access the Finance file server.
Let's see if they're doing that."
Domain Expertise
• A combination of intel- and
awareness-based
• "I know (China|Russia|Iran)
threat actors TTPs. Are they in
our network?"

23. SACON 2017
Data Type and Location
Data types for your hunt are usually dictated by your hypothesis.
• Command & Control: Network session records, HTTP proxy logs
• Lateral Movement: Windows authentication logs (or whatever your OS is)
Location from which the data is collected can also be a major factor:
• Command & Control: Internet connection points
• Lateral Movement: Internet-facing services, critical assets, endpoints, servers
Document a collection plan for each hunt, including type & location, as well as
other relevant filters (turn Big Data into Smaller Data if you can).

24. SACON 2017
Analytic Technique
Image credit: fatmonk8,
https://www.reddit.com/r/pics/comments/2gi309/coworker_said_i_had_the_most_organized_toolbox_in/

25. SACON 2017
A wise owl once said…

26. SACON 2017
HUNTING IN SQRRL

27. SACON 2017
Create hypotheses
Start with guided hunts using the Sqrrl Detections

28. SACON 2017
Create hypotheses
Get more advanced using the hunt reports

29. SACON 2017
Investigate via Tools and Techniques
This is very similar to Incident Investigation – again, you will want to ask the same
six questions:
1. Was the activity actually an incident?
2. Was the adversary successful?
3. What other resources were involved?
4. What activities did the adversary conduct?
5. What resources were compromised?
6. What should the next steps be?

30. SACON 2017
Additional hypotheses
Think about what your data will show

31. SACON 2017
Was the beacon an incident?
How long did it occur for? (Is it still occurring?)
Look at the endpoints (click on them in the detection profile to bring up their
profiles), starting with the destination
What do you know about it?
Is it a known service?
What domain is it associated with?
May need to explore and expand to DNSDomains
What URIs is it associated with?
May need to explore and expand to URIs
Could also use the activity log with web proxy logs to find this
Are the endpoints associated with other malicious activity?
May need to explore and expand to Alert
May need to drill down into the activity

32. SACON 2017
Was the LatMov an incident?
Look at the patterns:
Is this consistent with an adversary exploring a network?
Are the failure patterns consistent?
Look at the Hostname entities:
Are any of them known jump servers?
Look at the Accounts:
Are any of them admins who are expected to use this type of activity?
Are any of the accounts linked to the same User, especially a regular and an admin
account for the same person?
Look at the Relationships:
Is the timing consistent with this type of activity?
Is there other activity occurring before or after to indicate it is normal?

33. SACON 2017
Was the staging an incident?
Look at the volume:
Is this really data being staged or just a statistical outlier?
Look at the Hostnames:
Were they involved in Lateral Movements or other risky
behaviors?
Look at the Accounts:
Explore from the IPAddresses and expand to Accounts
Is this activity being conducted by the same person?
Look at the Relationships:
Is the timing consistent with this type of activity?
Is there other activity occurring before or after to indicate it
is normal?

34. SACON 2017
Was the exfil an incident?
Look at the volume:
Is this really data being exfilled or just a statistical outlier?
Look at the IPAddresses:
Were the internal ones involved in staging or other risky behaviors?
Were the external ones associated with suspicious domains or URIs?
May need to explore and expand to find this
Look at the Accounts:
Explore from the internal IPAddress and expand to Accounts
Who appears to be conducting the activity and should they be?
Look at the Relationships:
Is the timing consistent with this type of activity?
Is there other activity occurring before or after to indicate it is normal?

35. SACON 2017
At this point, you are investigating an incident
The steps you follow for the following are the same as for
Incident Investigation:
3. What other resources were involved?
4. What activities did the adversary conduct?
5. What resources were compromised?
6. What should the next steps be?
Keep the rest of the Hunting Process Cycle in mind as you
answer these questions, they will be used for the following steps

36. SACON 2017
Piece together the incident
Answering the questions requires a complete picture

37. SACON 2017
THANK YOU