2. Who I am
Falgun Rathod
• Managing Director at Cyber Octet Pvt. Ltd.
• 10+ Years Experience in Cyber Security
• Served 120+ Clients
• Consultant to Government Agencies
• Threat Hunter | Ethical Hacker
• Penetration Tester
• Core Subjects – Industrial Control Systems, Social Engineering, GRC.
3. Covered Today
• Threat Hunting Defined
• Why Threat Hunting
• Skills required
• Threat Detection VS Threat Hunting
• What to Hunt
• Techniques
• Practical
• Conclusion
4. Breaches are Expensive!
• Average cost of a breach in the US is $7.9M
• Average cost of a breach globally is $3.8M
• Takes an average of 197 days to identify a breach
• Average span of 69 days to contain a breach
5. Threat Hunting Defined
Objectives
* Identify compromised systems and accounts
* Improve security monitoring detection rules
* Perform forensics at scale
Hunt Strategies
* Threat Intelligence – Sweep for known bad
* Anomaly – Configurations with the least frequency of occurrence
* Behavioral – Attacker tools, tactics, and techniques
Risks Mitigated
* “Pre-existing conditions” – historic compromises
* Blind spots – limited security monitoring visibility
* Secondary compromises – attackers move off patient 0
6. Why Threat Hunting
• Attacks leave behind valuable traces
  * Failed attacks
  * Probes
• Discover weaknesses
• Find activity before it becomes a disaster
7. People Involved & Skillset
• Team Lead
  * Provides oversight and direction for hunters
  * Communicates with internal & external stakeholders
• Developer
  * Integrates threat hunting toolsets and processes
  * Ability to develop custom scripts
• Incident Responder
  * Identifies system configuration anomalies
  * Develops new rulesets or modifies existing ones based on findings
9. IOC & IOA
1. Unusual Outbound Network Traffic
2. Anomalies In Privileged User Account Activity
3. Geographical Irregularities
4. Log-in Irregularities and Failures
5. Swells In Database Read Volume
6. HTML Response Sizes
7. Large Numbers Of Requests For The Same File
8. Mismatched Port-Application Traffic
9. Suspicious Registry Or System File Changes
10. DNS Request Anomalies
10. Determining What to Hunt For and How Often
Here’s an example list of potential attacker activities and techniques you might identify:
• Malware Beaconing
• DLL Injection
• Pass the Hash (PtH)
• Shared Webroot
• DNS Tunneling
11. Data Sources
• Endpoint Logs:
* Winaudit
* EPS – Endpoint Protection System
* Windows Event Forwarding
* SIEM Collectors
* EDR – Endpoint Detection & Response Tools
• Network Logs:
* DNS
* Firewall
* IDPS
* Wireshark
• Account Logs:
* Active Directory
* VPN’s
If you’re capturing any of these logs, you can start hunting for malicious activity – you’ve already got the data!
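As an added example (not part of the original slides), the script below hunts two of the slide-10 techniques, malware beaconing and DNS tunneling, over the firewall and DNS logs listed above. The log lines, hosts and thresholds are constructed for illustration; beaconing is flagged by near-constant check-in intervals, tunneling by a host sending many long, hex-like subdomains under one parent domain.

```python
# Added example (not part of the slides): hunt for slide-10 malware beaconing and DNS tunneling.
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed firewall log: "<timestamp> <src> -> <dst>:<port>"
FIREWALL_LOG = """\
2024-03-01T09:00:00 10.0.0.5 -> 203.0.113.10:443
2024-03-01T09:05:01 10.0.0.5 -> 203.0.113.10:443
2024-03-01T09:10:00 10.0.0.5 -> 203.0.113.10:443
2024-03-01T09:15:00 10.0.0.5 -> 203.0.113.10:443
2024-03-01T09:01:10 10.0.0.7 -> 198.51.100.8:443
2024-03-01T09:17:42 10.0.0.7 -> 198.51.100.8:443
2024-03-01T09:18:03 10.0.0.7 -> 198.51.100.8:443
2024-03-01T09:44:20 10.0.0.7 -> 198.51.100.8:443
"""
# Constructed DNS query log: "<src> <queried name>"
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.9 a3f9c1e0b7d2.tunnel.example.net
10.0.0.9 0c4d8e2f1a6b.tunnel.example.net
10.0.0.9 9e7b5a3c1d0f.tunnel.example.net
10.0.0.9 5b1c7d9e3a2f.tunnel.example.net
"""
def find_beacons(log, min_hits=4, max_cv=0.05):
    """Return {(src, dst): interval_s} for pairs with near-constant gaps."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # jitter ratio
        if cv <= max_cv:  # low jitter => regular check-in, a beacon candidate
            beacons[pair] = round(statistics.mean(gaps))
    return beacons

def find_dns_tunnels(log, min_unique=4, min_label=10):
    """Return {(src, parent): n} for hosts sending many long hex-like labels."""
    seen = defaultdict(set)
    for line in log.splitlines():
        src, qname = line.split()
        first, parent = qname.split(".", 1)
        if len(first) >= min_label and re.fullmatch(r"[0-9a-f]+", first):
            seen[(src, parent)].add(first)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}
```

Thresholds such as the jitter ratio and the minimum hit count should be tuned against a baseline of your own environment, since legitimate software (update checks, monitoring agents) also polls on fixed intervals.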
13. You need to be able to prove the Incidents
Tracking
* Who did what when?
* What systems?
* What user accounts?
* When did activities occur?
* What data is being accessed?
Organization
* Visibility into team member activity
* Project status tracking at every stage
* Quantify metrics
15. Case Study
An expert threat hunter analyzes the family, studies its characteristics and discovers that:
• It is a worm written in JavaScript / VBScript
• It is spread by removable drives (pen drives, hard drives, etc.) by creating LNK files
• It installs itself in the system's startup
• The C&C server updates its code
• It has anti-debug / anti-VM / anti-emulation measures
• It is highly obfuscated in the latest versions
• It is very difficult to detect statically / by signature
• It spreads throughout the network very quickly
• It is very difficult to disinfect after spreading through the network
16. Conclusion
Attackers are evolving and adapting to tools and services.
Malware is not the only concern; the malware writers are too.
Breaches are happening all the time;
continuous analysis and threat hunting is the solution!
Hunt hackers now, before they hunt you.
17. Thank you
Cyber Octet Team - Khatron Ke Khiladi (players of danger)
info@cyberoctet.com
+91- 98244 35293
https://www.cyberoctet.com