Threat Hunting for Lateral Movement
Presented by:
Ryan Nolette – Security Technologist
Adam Fuchs – CTO
© 2017 Sqrrl Data, Inc. All rights reserved. 2
Your Presenters
• Adam Fuchs – Sqrrl CTO
• Ryan Nolette – Sqrrl Security Technologist
Agenda
• Lateral Movement Overview
  • What is it?
  • Common Techniques
• The Lateral Movement Process
  • Compromise
  • Reconnaissance
  • Credential Theft
  • The Lateral Movement event
• Sqrrl Lateral Movement Detectors
• Demo
• Q&A
What am I referring to when I say Lateral Movement?
• Techniques that enable attackers to access and control systems within your network
• Leveraged for:
  • Access to specific information or files
  • Remote execution of tools
  • Pivoting to additional systems
  • Access to additional credentials
• Movement across a network from one system to another may be necessary to achieve goals
• Often key to an attacker’s capabilities and a piece of a larger set of dependencies
Different Types of Lateral Movement
• Application Deployment Software
• Exploitation of Vulnerability
• Logon Scripts
• Pass the Hash
• Remote Desktop Protocol
• Remote File Copy
• Remote Services
• Replication Through Removable Media
• Shared Webroot
• Taint Shared Content
• Third-party Software
• Windows Admin Shares
• Windows Remote Management
Lateral Movement
(Diagram; labels recovered from the slide)
• BAD (the attacker)
• Patient 0: original infection
• Failed data access from Patient 0
• Successful lateral movement
• Failed data access from compromised host after lateral movement
• Successful lateral movement
• Successful data access from compromised host after lateral movement
• Company’s Customer Financial Records
Infection to Lateral Movement Process
Infection
• Techniques:
  • Phishing email
  • Drive-by
  • Exploit kit
  • Flash drive
Compromise
• Stages:
  • Infected system checks in with command and control server/s
  • Human attacker gives a command to the infected system to allow access
    • remote shell
    • GUI interface options
  • Human attacker starts reconnaissance
Reconnaissance
• Human attacker starts running system commands to gather intelligence
• Examples of recon:
  • Network
    • netstat – see active network connections
    • Nmap – network scanner
    • net use – access to resources
  • System
    • net user – manage local/domain accounts
    • tasklist – what processes are running on the system
Credential Theft
• Tools:
  • Mimikatz
  • Pwdump
  • Generic memory dump
• Goal:
  • To gather either plaintext credentials to use for generic system authentication
  • or a password hash to pass to a system in place of a password
  • Ultimately elevate your privileges from the current compromised user to an administrative user
Lateral Movement
• Login to new system:
  • psexec – shell
  • RDP – GUI
  • Profit
Rinse and repeat for each system as needed or wanted
Compromise
• Communication with the compromised systems and C&C (command and control) servers is established
• Threat actors need to sustain persistent access across the network
• They move laterally within the network and gain higher privileges through the use of different tools
(Figure: Windows reverse shell)
Reconnaissance
• To move laterally within a breached network and maintain persistence, attackers obtain information like network hierarchy, services used in the servers and operating systems
• Attackers check the host naming conventions to easily identify specific assets to target
• Attackers utilize this info to map the network and acquire intelligence about their next move
(Figures: Recon Local Accounts; Recon Domain Accounts)
Credential Theft
• Once threat actors identify other “territories” they need to access, the next step is to gather login credentials
• Cracking and Stealing Passwords
  • Pass the Hash: involves the use of a hash instead of a plaintext password in order to authenticate and gain higher access
  • Brute force attack: simply guessing passwords through a predefined set of passwords
• Using gathered information, threat actors move to new territories within the network and widen their control
• These activities are often unnoticed by IT administrators, since they only check failed logins without tracking the successful ones
(Figure: Running Mimikatz in memory via PowerShell)
Lateral Movement – Using Stolen Credentials
• Attackers can now remotely access desktops
• Accessing desktops in this manner is not unusual for IT support staff
• Remote access will therefore not be readily associated with an ongoing attack
• Attackers may also gather domain credentials to log into systems, servers, and switches
• Remote control tools enable attackers to access other desktops in the network and perform actions like executing programs, scheduling tasks, and managing data collection on other systems
• Tools and techniques used for this purpose include remote desktop tools, PsExec, and Windows Management Instrumentation (WMI)
• Note that these tools are not the only mechanisms used by threat actors in lateral movement
https://xkcd.com/1831/
DETECTING LATERAL MOVEMENT WITH DATA SCIENCE
Data
• LM evidence comes from:
  • Windows Events
  • Syslog
  • VPN
  • Endpoint sensors
• Primary fields:
  • Source
  • Destination
  • User
  • Time
• Extra Information:
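The slide lists the evidence sources and the four primary fields, but not how raw events become graph edges. The Python below is an added example (not Sqrrl code and not from the deck) that normalizes two constructed inputs, a Windows Security event 4624/4625 record flattened to key=value text and an sshd syslog line, into one (source, destination, user, time) edge schema, keeping success/failure and the logon type or auth method as extra information. The flattened key=value layout, host names and timestamps are constructed; the field names follow the real 4624 event.

```python
"""Normalize login evidence from two sources into one edge schema.

Added example, not part of the Sqrrl deck. Inputs are constructed samples.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class LoginEdge:
    source: str        # host the login came from
    destination: str   # host that accepted the login
    user: str
    time: datetime
    success: bool      # failed logins are kept too: fan-outs include them
    extra: str         # logon type / auth method, kept for context

# Constructed sample: Windows Security events shipped as flattened key=value text
# (the field names are those of the real 4624/4625 events).
WIN_EVENTS = [
    'TimeCreated=2017-05-02T13:04:11Z EventID=4624 Computer=fs01.corp.example '
    'TargetUserName=jdoe TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.23',
    'TimeCreated=2017-05-02T13:05:40Z EventID=4625 Computer=fs02.corp.example '
    'TargetUserName=jdoe TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.23',
    # machine-account logon: noise for user movement, filtered out below
    'TimeCreated=2017-05-02T13:06:00Z EventID=4624 Computer=fs01.corp.example '
    'TargetUserName=FS01$ TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.9',
]

# Constructed sample: sshd lines in the default syslog format.
SSHD_SYSLOG = [
    'May  2 13:07:02 db01 sshd[2231]: Accepted publickey for jdoe from 10.0.5.23 port 50112 ssh2',
    'May  2 13:07:30 db01 sshd[2240]: Failed password for root from 10.0.5.23 port 50120 ssh2',
]

_KV = re.compile(r'(\w+)=(\S+)')
_SSHD = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

def parse_windows_logon(record: str) -> Optional[LoginEdge]:
    """4624 (success) and 4625 (failure) become edges; anything else is ignored."""
    kv = dict(_KV.findall(record))
    if kv.get('EventID') not in ('4624', '4625'):
        return None
    user = kv.get('TargetUserName', '')
    # Drop machine accounts and anonymous logons: they are not user movement.
    if user.endswith('$') or user.upper().startswith('ANONYMOUS'):
        return None
    return LoginEdge(
        source=kv.get('IpAddress', '-'),
        destination=kv['Computer'].lower(),
        user=f"{kv.get('TargetDomainName', '')}\\{user}".lower(),
        time=datetime.strptime(kv['TimeCreated'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc),
        success=kv['EventID'] == '4624',
        extra='logon_type=' + kv.get('LogonType', '?'),
    )

def parse_sshd(line: str, year: int = 2017) -> Optional[LoginEdge]:
    """Syslog carries no year; the caller supplies it (assumption: UTC clock)."""
    m = _SSHD.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", '%Y %b %d %H:%M:%S')
    return LoginEdge(
        source=m['ip'],
        destination=m['host'].lower(),
        user=m['user'].lower(),
        time=ts.replace(tzinfo=timezone.utc),
        success=m['result'] == 'Accepted',
        extra='method=' + m['method'],
    )

def build_edges(win_records: List[str], sshd_lines: List[str]) -> List[LoginEdge]:
    """One time-ordered edge list; ordering matters for the multi-hop step."""
    edges = [e for e in map(parse_windows_logon, win_records) if e]
    edges += [e for e in map(parse_sshd, sshd_lines) if e]
    return sorted(edges, key=lambda e: e.time)

if __name__ == '__main__':
    for edge in build_edges(WIN_EVENTS, SSHD_SYSLOG):
        print(edge)
```

The same schema fits VPN and endpoint-sensor records; only the parser differs. Keeping failed logins in the edge list matters because the fan-out characteristic later in the deck counts them.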
Abstraction Spectrum Trade-Off
Specialized ↔ Generic
Target Specific Techniques
• e.g. Pass The Hash detection
• Very specific means low false positives
• May miss new techniques
Search for General Graph Patterns
• Hard to hide from
• May pick up unrelated similar patterns
LM Graph Pattern Characteristics
(Diagram annotations)
(1) Expected inter-login time distribution
(2) Overall timeframe in expected range
(3) Rarely-seen logins
(4) Fan-outs, including failed logins
(5) Not too big, not too small
Lateral Movement Strategy
• Rank individual logins
  • Train: learn common user login patterns from the data
  • Predict: assign a rank (logLikelihoodRatio) to every login. Rank high those that are unusual
• Construct time-ordered connected sequences of logins
  • Predict: find the top N sequences of logins with the highest combined rank
Generalized “Rarity” Classifier
• Used to determine base risk for logins
• Extensible feature vectors mix numerical, categorical, and text features
  • TDigests for numerical
  • Bag of words for text
  • Vectorized categorical statistics
• Learns “normal” in-situ
  • Priors out-of-the-box
  • Every network is different
• Scalable Spark implementations
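The strategy slide and the rarity classifier slide describe train-then-predict with a per-login logLikelihoodRatio, priors, in-situ learning and independent features, but define none of it. The following is an added example of that single-hop ranking step, my own construction rather than Sqrrl's MIVB implementation. It defines the ratio per feature as log P_background(value) minus log P(value | entity), with P(value | entity) a Dirichlet-smoothed count whose prior is the background distribution, so an entity with no history scores zero and a never-seen value for a well-known entity scores about log(n + alpha). The three features, the add-one background smoothing and the 24-bucket hour histogram (standing in for the deck's TDigests) are assumptions, and the login history is constructed.

```python
"""Single-hop predict: rank each login by how rare it is for its user and source.

Added example, not Sqrrl's code. The model is a naive "multiple independent
variable" model: each feature is a categorical value conditioned on one entity.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Login = Tuple[str, str, str, int]   # (source host, destination host, user, hour of day)

# Constructed login history standing in for a few weeks of auth logs.
HISTORY: List[Login] = (
    [('ws-jdoe', 'fs01', 'jdoe', 9)] * 40
    + [('ws-jdoe', 'mail01', 'jdoe', 10)] * 30
    + [('ws-asmith', 'fs01', 'asmith', 9)] * 35
    + [('ws-asmith', 'db01', 'asmith', 14)] * 25
    + [('jump01', 'db01', 'dba', 22)] * 20
)

class RarityModel:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha   # prior strength in pseudo-counts ("priors out-of-the-box")
        self.cond: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
        self.background: Dict[str, Counter] = defaultdict(Counter)

    @staticmethod
    def features(login: Login) -> List[Tuple[str, str, str]]:
        src, dst, user, hour = login
        # (feature name, conditioning entity, observed value); hour is binned into 24 buckets
        return [('dest|user', user, dst),
                ('dest|source', src, dst),
                ('hour|user', user, str(hour))]

    def train(self, logins: List[Login]) -> None:
        """Learn "normal" in-situ: per-entity counts plus a network-wide background."""
        for login in logins:
            for name, entity, value in self.features(login):
                self.cond[name][entity][value] += 1
                self.background[name][value] += 1

    def p_background(self, name: str, value: str) -> float:
        bg = self.background[name]
        bins = 24 if name.startswith('hour') else len(bg) + 1   # +1 keeps mass for unseen values
        return (bg[value] + 1) / (sum(bg.values()) + bins)      # add-one smoothing

    def p_conditional(self, name: str, entity: str, value: str) -> float:
        counts = self.cond[name][entity]
        n = sum(counts.values())
        # Dirichlet smoothing with the background as prior: no history -> background
        return (counts[value] + self.alpha * self.p_background(name, value)) / (n + self.alpha)

    def score(self, login: Login) -> Dict[str, float]:
        """Per-feature log-likelihood ratio; positive means rarer than the background."""
        out: Dict[str, float] = {}
        for name, entity, value in self.features(login):
            out[name] = (math.log(self.p_background(name, value))
                         - math.log(self.p_conditional(name, entity, value)))
        out['total'] = sum(out.values())   # independence assumption: ratios add
        return out

def rank_logins(model: RarityModel, logins: List[Login]) -> List[Tuple[float, Login]]:
    """Predict step: highest total rank first."""
    return sorted(((model.score(l)['total'], l) for l in logins),
                  key=lambda x: x[0], reverse=True)

if __name__ == '__main__':
    model = RarityModel()
    model.train(HISTORY)
    for rank, login in rank_logins(model, [('ws-jdoe', 'fs01', 'jdoe', 9),
                                           ('ws-jdoe', 'db01', 'jdoe', 3),
                                           ('ws-ghost', 'fs01', 'ghost', 9)]):
        print(f'{rank:8.3f}  {login}')
```

Two behaviours are worth noticing when you run it: jdoe's routine 09:00 login to fs01 ranks below zero (more common for jdoe than the network average), and a first-ever login from an unknown user ranks exactly zero, because with no history the conditional model falls back to the prior. A well-known user reaching a new host at an unusual hour is what rises to the top.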
Multi-Hop Predict
(Diagram: a login chain between the hosts 192.168.1.101, 192.168.1.104, 192.168.1.78 and 192.168.1.83)
Multi-Hop Predict: Combinatorics
• General problem: subgraph isomorphism
• 5 edges → 2^5 = 32 subgraphs
• 10 edges → 2^10 = 1,024 subgraphs
• 20 edges → 2^20 = 1,048,576 subgraphs
• We run with billions of edges...
• Solution: grow small subgraphs in parallel
  • Prune early and often
  • Agglomerative clustering
  • Message passing
(Diagram: the same login chain between the hosts 192.168.1.101, 192.168.1.104, 192.168.1.78 and 192.168.1.83)
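The graph-pattern slide lists the five characteristics of an LM subgraph and this slide says the 2^n enumeration is replaced by growing small subgraphs in parallel with message passing and early pruning. The Python below is an added example of that multi-hop step, my own construction and not Sqrrl's GraphX implementation: each login edge already carries a single-hop rank, chains are grown Pregel-style (every superstep each host forwards the chains ending at it along its later outgoing logins), and pruning is applied at every step through the inter-login gap (characteristic 1), the overall time span (2), a per-host beam of the best chains, and minimum/maximum hop counts (5). Combined rank is the sum of edge ranks. The edge list, hosts, times and ranks are constructed; the parameter names and defaults are assumptions.

```python
"""Multi-hop predict: grow login chains by message passing with pruning.

Added example, not Sqrrl's code. Edges carry ranks from a single-hop classifier.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    user: str
    t: int        # login time in seconds (constructed)
    rank: float   # single-hop rank; higher = rarer

@dataclass(frozen=True)
class Chain:
    edges: Tuple[Edge, ...]

    @property
    def rank(self) -> float:          # combined rank: log-likelihood ratios add
        return sum(e.rank for e in self.edges)

    @property
    def span(self) -> int:            # overall timeframe (characteristic 2)
        return self.edges[-1].t - self.edges[0].t

    @property
    def hosts(self) -> Set[str]:
        return {self.edges[0].src} | {e.dst for e in self.edges}

def _is_subpath(short: Chain, long: Chain) -> bool:
    s, l = short.edges, long.edges
    return len(s) < len(l) and any(l[i:i + len(s)] == s for i in range(len(l) - len(s) + 1))

def grow_chains(edges: List[Edge], max_hops: int = 4, max_gap: int = 3600,
                max_span: int = 4 * 3600, beam_width: int = 3,
                min_hops: int = 2, top_n: int = 5) -> List[Chain]:
    out_edges: Dict[str, List[Edge]] = defaultdict(list)
    for e in edges:
        out_edges[e.src].append(e)
    # superstep 0: every login is a one-hop chain "living" at its destination host
    at_host: Dict[str, List[Chain]] = defaultdict(list)
    for e in edges:
        at_host[e.dst].append(Chain((e,)))
    candidates: List[Chain] = []
    for _ in range(max_hops - 1):
        inbox: Dict[str, List[Chain]] = defaultdict(list)
        for host, chains in at_host.items():
            for c in chains:
                last = c.edges[-1]
                for e in out_edges[host]:
                    # the next login must come after the last one and within max_gap (characteristic 1)
                    if not (last.t < e.t <= last.t + max_gap):
                        continue
                    if e.dst in c.hosts:              # simple paths only: no revisits
                        continue
                    ext = Chain(c.edges + (e,))
                    if ext.span > max_span:           # characteristic 2
                        continue
                    inbox[e.dst].append(ext)          # "message" to the next host
        if not inbox:
            break
        # prune early and often: each host keeps only its best beam_width chains
        at_host = {h: sorted(cs, key=lambda c: c.rank, reverse=True)[:beam_width]
                   for h, cs in inbox.items()}
        for cs in at_host.values():
            candidates.extend(c for c in cs if len(c.edges) >= min_hops)
    # not too small (min_hops), not too big (max_hops); drop chains contained in a longer one
    unique = [c for c in candidates if not any(_is_subpath(c, d) for d in candidates)]
    return sorted(unique, key=lambda c: c.rank, reverse=True)[:top_n]

def path_of(chain: Chain) -> List[str]:
    return [chain.edges[0].src] + [e.dst for e in chain.edges]

# Constructed scored logins: a four-hop path vpn01 -> ws-jdoe -> fs01 -> db01 -> hr-share
# hidden among routine traffic, plus a later hop back to fs01 that would revisit a host.
SAMPLE_EDGES = [
    Edge('vpn01', 'ws-jdoe', 'jdoe', 500, 0.3),
    Edge('ws-jdoe', 'fs01', 'jdoe', 1000, 0.1),
    Edge('ws-asmith', 'fs01', 'asmith', 1100, 0.1),
    Edge('fs01', 'db01', 'jdoe', 2200, 4.3),
    Edge('fs01', 'mail01', 'svc-backup', 2500, 0.2),
    Edge('db01', 'hr-share', 'jdoe', 3900, 5.1),
    Edge('db01', 'fs01', 'jdoe', 4000, 2.0),
]

if __name__ == '__main__':
    for c in grow_chains(SAMPLE_EDGES):
        print(f'{c.rank:5.1f}  ' + ' -> '.join(path_of(c)))
```

The work per superstep is bounded by hosts × beam_width × out-degree rather than 2^edges, which is the point of pruning at every step; on a real graph the supersteps map onto a Pregel-style engine such as GraphX, where the inbox is literally the message traffic between vertices.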
  
Multi-Hop Predict: Message Passing
(Slides 21–23: three diagram slides stepping through the message passing; no text recovered)
Scalable Implementation
• Large scale, parallel implementation
• Multiple Independent Variable Bayesian Classifier (MIVB)
• Spark extension for graph processing
• High performance message passing implementation
• Used for agglomerative clustering / detection of LM structures
Processing Workflow
(Diagram) Sqrrl Auth/Login Sources → Spark / GraphX: Classifier Training → Trained Classifier → Single-Hop Predict → Multi-Hop Predict → Evidence Tables → Sqrrl CounterOps Model
False Positive Reduction
1. Rank: (diagram: base risk factor, time risk factor, size risk factor)
2. Normalize:
  • Smooth out discontinuities in the ranking function
  • Apply historical context to determine the probability of seeing a given rank
  • Convert to a risk score based on likelihood * impact
3. Threshold:
  • Analysts usually care about LMs over risk X
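The slide names the rank, normalize and threshold steps but leaves the normalization undefined. As an added example (my construction, not Sqrrl's), the Python below turns a chain's combined rank into a risk score: an interpolated empirical tail probability over this network's own history of ranks gives P(rank ≥ r), the likelihood is 1 minus that probability, and risk is likelihood × impact on a 0–100 scale, with only chains above the analyst's threshold surfaced. The rank history, the impact table, the candidate chains and the interpolation choice (my reading of "smooth out discontinuities") are all assumptions.

```python
"""False-positive reduction: rank -> normalize -> threshold.

Added example, not Sqrrl's code. All inputs below are constructed.
"""
import bisect
from typing import Dict, List, Sequence, Tuple

def tail_probability(history: Sequence[float], r: float) -> float:
    """P(rank >= r) estimated from this network's own history of combined ranks.
    Linear interpolation between neighbouring historical ranks removes the
    step discontinuities of a plain empirical distribution."""
    xs = sorted(history)
    n = len(xs)
    if r <= xs[0]:
        return 1.0
    if r >= xs[-1]:
        return 1.0 / (n + 1)                  # beyond anything seen: keep a small floor
    i = bisect.bisect_left(xs, r)             # xs[i-1] < r <= xs[i]
    frac = (r - xs[i - 1]) / (xs[i] - xs[i - 1])
    return (n - (i - 1 + frac)) / n

# Constructed asset criticality (impact) per destination host, 0..1.
IMPACT: Dict[str, float] = {'hr-share': 1.0, 'db01': 0.9, 'fs01': 0.4, 'mail01': 0.3}

def risk_score(history: Sequence[float], rank: float, destination: str,
               default_impact: float = 0.2) -> float:
    """likelihood * impact, scaled to 0..100 and rounded for display."""
    likelihood = 1.0 - tail_probability(history, rank)   # how unusual this rank is here
    return round(100 * likelihood * IMPACT.get(destination, default_impact), 2)

def surface(history: Sequence[float], chains: List[Tuple[str, float, str]],
            threshold: float) -> List[Tuple[str, float]]:
    """chains: (chain id, combined rank, final destination host).
    Returns (id, risk) for chains at or above the analyst's threshold, highest first."""
    scored = [(cid, risk_score(history, rank, dst)) for cid, rank, dst in chains]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: s[1], reverse=True)

# Constructed history: 50 routine chains with small ranks plus a thin tail of 10.
RANK_HISTORY = [k / 10 for k in range(50)] + [5.0 + k / 2 for k in range(10)]

# Constructed candidates from the multi-hop step: (id, combined rank, last hop).
CANDIDATES = [('A', 9.8, 'hr-share'), ('B', 9.5, 'hr-share'),
              ('C', 0.6, 'mail01'), ('D', 4.4, 'db01')]

if __name__ == '__main__':
    for cid, risk in surface(RANK_HISTORY, CANDIDATES, threshold=50):
        print(cid, risk)
```

Because the normalization is against the network's own rank history, the same threshold X means the same thing on a noisy network and a quiet one, which is what makes a fixed analyst threshold workable.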
Building the LM Detector
(Diagram: components by role)
• Threat Hunters: TTP Alignment; Behavior and Structural Decomposition
• Data Scientists: High-Risk Classifier (Subgraphs); Log-Likelihood Ranking; Normality Classifier (MIVB)
• Computer Scientists: Scalable Implementation (Spark, GraphX); Deployable Workflow with In-Situ Training
• Security Analyst: Rank Statistics Normalization; Contextual Exploration and Visualization
REAL WORLD THREAT HUNTING FOR LATERAL MOVEMENT
Lateral Movement
(Slides 29–46: demo screenshots of the Sqrrl lateral movement detector; no text recovered)
Thank you!
threathunting.org – for hunting eCourses, papers and other resources
&
threathunting.net – for a repository of hunting techniques
Q & A
How to Hunt for Lateral Movement on Your Network

  • 1. Threat Hunting for Lateral Movement. Presented by: Ryan Nolette – Security Technologist; Adam Fuchs – CTO
  • 2. © 2017 Sqrrl Data, Inc. All rights reserved. Your Presenters: Adam Fuchs – Sqrrl CTO; Ryan Nolette – Sqrrl Security Technologist
  • 3. Agenda
    •  Lateral Movement Overview: What is it? Common Techniques
    •  The Lateral Movement Process: Compromise, Reconnaissance, Credential Theft, The Lateral Movement event
    •  Sqrrl Lateral Movement Detectors
    •  Demo
    •  Q&A
  • 4. What am I referring to when I say Lateral Movement?
    •  Techniques that enable attackers to access and control systems within your network
    •  Leveraged for: access to specific information or files; remote execution of tools; pivoting to additional systems; access to additional credentials
    •  Movement across a network from one system to another may be necessary to achieve goals
    •  Often key to an attacker’s capabilities and a piece of a larger set of dependencies
  • 5. Different Types of Lateral Movement
    •  Application Deployment Software
    •  Exploitation of Vulnerability
    •  Logon Scripts
    •  Pass the Hash
    •  Remote Desktop Protocol
    •  Remote File Copy
    •  Remote Services
    •  Replication Through Removable Media
    •  Shared Webroot
    •  Taint Shared Content
    •  Third-party Software
    •  Windows Admin Shares
    •  Windows Remote Management
  • 6. Lateral Movement (diagram): BAD actor → Patient 0 (original infection); failed data access from Patient 0; successful lateral movement → compromised host → failed data access from compromised host after lateral movement; successful lateral movement → compromised host → successful data access from compromised host after lateral movement → Company’s Customer Financial Records
  • 7. Infection to Lateral Movement Process
    Infection – infection techniques:
    •  Phishing email
    •  Drive by
    •  Exploit kit
    •  Flash drive
    Compromise – stages:
    •  Infected system checks in with command and control server/s
    •  Human attacker gives command to infected system to allow access (remote shell or GUI interface options)
    •  Human attacker starts reconnaissance
    Reconnaissance – human attacker starts running system commands to gather intelligence. Examples of recon:
    •  Network: netstat – see active network connections; Nmap – network scanner; Net use – access to resources
    •  System: Net user – manage local/domain accounts; Task list – what processes are running on the system
    Credential Theft – tools: Mimikatz, Pwdump, generic memory dump. Goal:
    •  To gather either a plaintext credential to use for generic system authentication, or a password hash to pass to a system in place of a password
    •  Ultimately elevate your privileges from the current compromised user to an administrative user
    Lateral Movement – login to new system:
    •  psexec – shell
    •  RDP – GUI
    •  Profit
    Rinse and repeat for each system as needed or wanted
  • 8. Compromise
    •  Communication with the compromised systems and C&C (command and control) servers is established
    •  Threat actors need to sustain persistent access across the network
    •  They move laterally within the network and gain higher privileges through the use of different tools
    Figure: Windows Reverse Shell
  • 9. Reconnaissance
    •  To move laterally within a breached network and maintain persistence, attackers obtain information like network hierarchy, services used in the servers and operating systems
    •  Attackers check the host naming conventions to easily identify specific assets to target
    •  Attackers utilize this info to map the network and acquire intelligence about their next move
    Figures: Recon Local Accounts; Recon Domain Accounts
  • 10. Credential Theft
    •  Once threat actors identify other “territories” they need to access, the next step is to gather login credentials
    •  Cracking and stealing passwords: Pass the Hash – involves the use of a hash instead of a plaintext password in order to authenticate and gain higher access; Brute force attack – simply guessing passwords through a predefined set of passwords
    •  Using gathered information, threat actors move to new territories within the network and widen their control
    •  These activities are often unnoticed by IT administrators, since they only check failed logins without tracking the successful ones
    Figure: Running Mimikatz in memory via PowerShell
  • 11. Lateral Movement – Using Stolen Credentials
    •  Attackers can now remotely access desktops
    •  Accessing desktops in this manner is not unusual for IT support staff
    •  Remote access will therefore not be readily associated with an ongoing attack
    •  Attackers may also gather domain credentials to log into systems, servers, and switches
    •  Remote control tools enable attackers to access other desktops in the network and perform actions like executing programs, scheduling tasks, and managing data collection on other systems
    •  Tools and techniques used for this purpose include remote desktop tools, PsExec, and Windows Management Instrumentation (WMI)
    •  Note that these tools are not the only mechanisms used by threat actors in lateral movement
  • 12. https://xkcd.com/1831/
  • 14. Data
    •  LM evidence comes from: Windows Events, Syslog, VPN, Endpoint sensors
    •  Primary fields: Source, Destination, User, Time
    •  Extra information
  • 15. Abstraction Spectrum Trade-Off (Specialized ↔ Generic)
    •  Target specific techniques (specialized): e.g. Pass The Hash detection; very specific means low false positives; may miss new techniques
    •  Search for general graph patterns (generic): hard to hide from; may pick up unrelated similar patterns
  • 16. LM Graph Pattern Characteristics
    •  (1) Expected inter-login time distribution
    •  (2) Overall timeframe in expected range
    •  (3) Rarely-seen logins
    •  (4) Fan-outs, including failed logins
    •  (5) Not too big, not too small
  • 17. Lateral Movement Strategy
    •  Rank individual logins
    •  Train: learn common user login patterns from the data
    •  Predict: assign a rank (logLikelihoodRatio) to every login; rank high those that are unusual
    •  Construct time-ordered connected sequences of logins
    •  Predict: find the top N sequences of logins with the highest combined rank
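The slide-17 strategy worked through in Python as an added example (not Sqrrl’s code): train on a baseline of login edges in the slide-14 shape, rank each login in a hunting window by a log-likelihood ratio, chain time-ordered connected logins of the same user, and return the top N chains by combined rank. Hostnames, counts and timestamps are constructed, and the rarity score is a smoothed frequency ratio standing in for the deck’s MIVB classifier.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed records in the slide-14 shape (source, destination, user, time); not from the deck.
HISTORY = [  # baseline period ("train"): how many times each login edge was seen
    ("ws-01", "fs-01", "alice", 40), ("ws-02", "fs-01", "bob", 35),
    ("ws-03", "mail-01", "carol", 50), ("adm-01", "dc-01", "admin", 20),
]
WINDOW = [  # hunting period ("predict"): individual logins to rank and chain
    ("ws-01", "fs-01", "alice", "2017-03-01T09:00:00"),
    ("ws-03", "mail-01", "carol", "2017-03-01T09:05:00"),
    ("ws-01", "ws-02", "alice", "2017-03-01T09:12:00"),
    ("ws-02", "adm-01", "alice", "2017-03-01T09:20:00"),
    ("adm-01", "dc-01", "alice", "2017-03-01T09:31:00"),
]

def train(history):
    """Learn common login patterns: count of each (user, source, destination) edge."""
    counts = Counter()
    for src, dst, user, n in history:
        counts[(user, src, dst)] += n
    return counts

def log_likelihood_ratio(counts, src, dst, user):
    """Rank one login: log(mean edge count / (this edge's count + 1)). Positive means
    rarer than a typical edge, so unusual logins rank high. Simplified stand-in for
    the deck's MIVB rarity classifier (hypothetical scoring, not Sqrrl's)."""
    mean = sum(counts.values()) / len(counts)
    return math.log(mean / (counts[(user, src, dst)] + 1))

def top_sequences(counts, logins, n=3, max_gap=timedelta(minutes=30)):
    """Chain logins into time-ordered connected paths (next.source == previous.destination,
    same user, within max_gap) and return the n paths with the highest combined rank."""
    events = sorted((datetime.fromisoformat(t), s, d, u) for s, d, u, t in logins)
    def successors(ev):
        t0, _, d0, u0 = ev
        return [e for e in events if e[1] == d0 and e[3] == u0 and t0 < e[0] <= t0 + max_gap]
    def extend(path):  # grow a path until no login continues it (maximal chains only)
        nxt = successors(path[-1])
        return [path] if not nxt else [p for e in nxt for p in extend(path + [e])]
    has_pred = {e for ev in events for e in successors(ev)}
    paths = [p for ev in events if ev not in has_pred for p in extend([ev])]
    scored = [(sum(log_likelihood_ratio(counts, s, d, u) for _, s, d, u in p),
               [(s, d, u) for _, s, d, u in p]) for p in paths]
    return sorted(scored, key=lambda x: x[0], reverse=True)[:n]

if __name__ == "__main__":
    model = train(HISTORY)
    for score, path in top_sequences(model, WINDOW):
        print(f"{score:6.2f}  " + " -> ".join(f"{u}@{s}>{d}" for s, d, u in path))
```

With the constructed data, alice’s three never-seen hops ws-01 → ws-02 → adm-01 → dc-01 form the top-ranked chain, while the routine file-server and mail logins rank below zero.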
  • 18. Generalized “Rarity” Classifier
    •  Used to determine base risk for logins
    •  Extensible feature vectors mix numerical, categorical, and text features: TDigests for numerical; bag of words for text; vectorized categorical statistics
    •  Learns “normal” in-situ: priors out-of-the-box; every network is different
    •  Scalable Spark implementations
  • 19. Multi-Hop Predict (figure: login graph over hosts 192.168.1.101, 192.168.1.104, 192.168.1.78, 192.168.1.83)
  • 20. Multi-Hop Predict: Combinatorics
    •  General problem: subgraph isomorphism
    •  5 edges → 2^5 = 32 subgraphs; 10 edges → 2^10 = 1024 subgraphs; 20 edges → 2^20 = 1,048,576 subgraphs
    •  We run with billions of edges...
    •  Solution: grow small subgraphs in parallel; prune early and often; agglomerative clustering; message passing
    (figure: the same login graph as slide 19)
  • 21. Multi-Hop Predict: Message Passing
  • 22. Multi-Hop Predict: Message Passing
  • 23. Multi-Hop Predict: Message Passing
  • 24. Scalable Implementation
    •  Large scale, parallel implementation
    •  Multiple Independent Variable Bayesian Classifier (MIVB)
    •  Spark extension for graph processing
    •  High performance message passing implementation
    •  Used for agglomerative clustering / detection of LM structures
  • 25. Processing Workflow: Sqrrl Auth/Login Sources → Spark / GraphX (Classifier Training → Trained Classifier → Single-Hop Predict → Multi-Hop Predict) → Evidence Tables → Sqrrl CounterOps Model
  • 26. False Positive Reduction
    1.  Rank: base risk factor, time risk factor, size risk factor
    2.  Normalize:
    •  Smooth out discontinuities in the ranking function
    •  Apply historical context to determine the probability of seeing a given rank
    •  Convert to a risk score based on likelihood * impact
    3.  Threshold:
    •  Analysts usually care about LMs over risk X
  • 27. Building the LM Detector (layers of the slide, in order): TTP Alignment; Threat Hunters; Behavior and Structural Decomposition; High-Risk Classifier (Subgraphs); Data Scientists; Log-Likelihood Ranking; Normality Classifier (MIVB); Scalable Implementation (Spark, GraphX); Computer Scientists; Deployable Workflow with In-Situ Training; Rank Statistics Normalization; Security Analyst; Contextual Exploration and Visualization
  • 28. REAL WORLD THREAT HUNTING FOR LATERAL MOVEMENT
  • 29–46. Lateral Movement (demo slides; each carries only the title “Lateral Movement” and no transcript text)
  • 47. Thank you! threathunting.org – for hunting eCourses, papers and other resources; threathunting.net – for a repository of hunting techniques
  • 48. Q & A