Hunting the Evil of your Infrastructure
1. Hunting the Evil of your Infrastructure
A Hypothesis Driven Practice
A. S. M. Shamim Reza
Deputy Manager
Network Operation Center
Link3 Technologies Ltd.
2. [~]$ whoami
Linux Geek
Open Source Software Enthusiast
EC-Council Certified Security Analyst
ASMShamimReza
ShamimRezaSohag
sohag.shamim@gmail.com
3. Overview
What is Threat Hunting
Myths of Threat Hunting
The Process
Hypothesis – the core of hunting
Important Things to Remember
4. What is Threat Hunting?
“Threat hunting is the process of proactively and iteratively
searching through networks to detect and isolate advanced
threats that evade existing security solutions”
- sqrrl
5. Myths about Threat Hunting
Hunting can be fully automated
It requires a vast amount of data and an advanced set of tools
Hunting is only for elite analysts
7. Questions to ask before starting
What data to collect?
Why collect all that data?
Which tools to use?
Where to store the data?
8. What data sources?
End point data
- Process execution metadata
- Registry access data
- File data
- Network data
- File prevalence
Network Data
- Network session data
- Bro logs
- Proxy logs
- DNS logs
- Firewall logs
- Network device logs
Security Data
- Threat intelligence
- Alerts
- Friendly intelligence
Source – sqrrl
9. Useful Tools to Start
NetFlow Analyzer – nfsen
Network-based IDS – Bro, Snort, Suricata
Central Log Analysis System – ELK Stack
Security Information & Event Management – OSSIM
12. Who will form the hypothesis?
What would he/she like to be?
What does he/she have to know?
Do you have an updated network diagram?
Do you have a central place to store logs?
Do you have the necessary tools to analyze the data?
Does the hunter know the OS, applications & critical data?
Does the hunter know how the network infrastructure works?
Hunter’s Thinking
14. Case Studies - Intelligence-Driven Hypotheses
Phishing Email
We received an email with the subject “U.S Bank Message”
It passed the central spam filter firewall
Mail size (from its properties) is 17.4 KB
Found two separate domains:
One in the sender email ID
Another in the link hidden inside the mail body
18. What we have done
Checked both domains at http://www.malwaredomainlist.com
Neither domain was listed
Checked both domains at http://whois.domaintools.com
stjamesmac.com - St. James Catholic Church (valid domain & site)
lmperfumes.com - does not have an SEO score
19. Outcome
It was a preliminary attempt
We blocked anything from “lmperfumes.com” at the spam firewall
Informed the concerned person at “stjamesmac.com” about the phishing activity
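The triage in this case study (extract the sender domain and the domains of links hidden in the body, then compare them and check a blocklist) can be automated as a first pass. The following Python is an added example, not code from the deck; the message is constructed, the two domains are the ones named on the slides, and the blocklist is a local placeholder set standing in for the online list the slides queried.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample mirroring the case study: the sender domain differs from
# the domain of the link hidden in the HTML body. Domains come from the slides;
# the rest of the message is fabricated for this example.
SAMPLE_EMAIL = """\
From: "U.S. Bank" <alerts@stjamesmac.com>
To: victim@example.org
Subject: U.S Bank Message
Content-Type: text/html

<html><body>
<p>Your account needs verification.</p>
<a href="http://lmperfumes.com/usbank/login.php">Sign in</a>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_domains(raw_message):
    """Return (sender_domain, set of domains of links found in the body)."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = ""
    for part in msg.walk():  # handles both single-part and multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    link_domains = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            link_domains.add(host.lower())
    return sender_domain, link_domains


def triage(raw_message, blocklist):
    """Test the hypothesis: sender/link domain mismatch plus blocklist hits."""
    sender_domain, link_domains = extract_domains(raw_message)
    findings = []
    if any(d != sender_domain for d in link_domains):
        findings.append("link domain differs from sender domain")
    for d in sorted({sender_domain} | link_domains):
        if d in blocklist:  # blocklist: local placeholder for the online list
            findings.append(f"{d} is on the local blocklist")
    return findings
```

A mismatch between the sender domain and the link domains is only a lead, as in the slides; the whois lookup and the decision to block still need an analyst.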
20. Situational Awareness
Example –
An analyst decides to look past the tactical level of intelligence by considering strategic
challenges in the organization. To do this, he first looks at non-technical influences on the
organization. The analyst receives information that the company is going to acquire another
company. The new company is located in a different part of the world, and its infrastructure will
become connected to the new parent company’s networks. The analyst knows that the parent
company will also inherit the acquired company’s assets, data and vulnerabilities.
21. The hunter generates the hypothesis that the connection points between
these two companies’ networks will be abused by threat actors that have,
potentially, already compromised the acquired company. In an effort to test
this hypothesis, the analyst sets up additional monitoring to treat the data
flowing in and out of the new network connections as suspect.
22. Domain Expertise
Example –
“A threat hunter knows how BGP is intended to work and has previously seen
threat actors manipulate these Internet backbone protocols. This leads the analyst
to generate the hypothesis that national-level adversaries may be manipulating
Internet routing to steal proprietary information from his organization without
having to compromise the organization’s network.”
23. Need to Keep in Mind
Start with formal methods of threat hunting
Integrate people, processes and technology
Balance automated and manual threat hunting activity
Look for known/normal activity and for never-seen-before malicious/abnormal activity