Threat hunting is a hot topic, spurred on by the thought that it is not a matter of IF, but WHEN, your organization will be breached. Mature security organizations are shifting their approach from relying solely on reactive response and black-box security tools to proactive hunting. This shift requires large amounts of network and endpoint data to tie together attacker tools, tactics, and procedures. Security teams often have their hands tied by limited budgets, politics, and a limited ability to effect change in what gets logged (just try getting a DNS admin to check a box that says “Debug” in prod). Hypothesis-driven data acquisition can be used to overcome environmental challenges, provide a specific goal, and reduce analysis paralysis. This presentation discusses hypothesis-driven threat hunting using free and commercial tools for organizations that face common corporate roadblocks.
Security Risk Advisors - BSides Philadelphia 2017 - Threat Hunting: Defining the Process While Circumventing Corporate Obstacles
Threat Hunting: Defining the Process While Circumventing Corporate Obstacles
December 2017
Introductions
Our success together is driven by the trusted relationships we build. We work closely with our clients to improve their strategy and programs, assess controls and threats, and implement and operate the best solutions based on their unique needs and business environments.
Matt Schneck – Threat Management Senior Consultant. Focus: Endpoint Engineering & Data Analysis. GIAC Certified Forensic Examiner (GCFE)
Ryan Andress – Threat Management Consultant. Focus: Incident Response & Data Analysis. GIAC Certified Forensic Analyst (GCFA)
Kevin Foster – Threat Management Senior Consultant. Focus: Incident Response & Data Acquisition. GIAC Certified Forensic Analyst (GCFA), GIAC Reverse Engineering Malware (GREM)
Agenda
What is Threat Hunting?
Preparation & Communication
Threat Hunting Framework
Post Hunt
Threat Hunting Defined
Objectives
Identify compromised systems and accounts
Improve security monitoring detection rules
Perform forensics at scale
Hunt Strategies
Threat Intelligence – sweep for known bad
Anomaly – configurations with the least frequency of occurrence
Behavioral – attacker tools, tactics, and techniques
Risks Mitigated
“Pre-existing conditions” – historic compromises
Blind spots – limited security monitoring visibility
Secondary compromises – attackers move off patient 0
Hunt cycle (starting at 1): 1. Make Observations → Develop a Hypothesis → Gather Data → Analyze Data → Measure Progress → back to observations
Threat Hunting Overview
Preparation: Identify Team Members → Socialize with Stakeholders
Execution: Hypothesis & Scope → Data Acquisition → Data Analysis
Post: Observation Documentation → Ruleset Improvement
Hunt Team Selection
Team Lead: provides oversight and direction for the hunters; communicates with internal and external stakeholders
Incident Responder: identifies system configuration anomalies; develops new rulesets or modifies existing ones based on findings
Developer: integrates threat hunting toolsets and processes; able to develop custom scripts
Activity Tracking & Organization
Tracking – who did what, when?
What systems?
What user accounts?
When did activities occur?
What data is being accessed?
Organization
IR platform toolset
Visibility into team member activity
Project status tracking at every stage
Quantify metrics
You need to be able to prove: “We weren’t acquiring data at that time, we didn’t take down the power grid.”
Measurements of Success
Hypothesis Topic and System Scoping
Establish and Define a Repeatable Threat Hunting Methodology
Identify and Reduce Environment Attack Surface
Develop Environment Baselines
Automation & Rule Generation
Getting Approval
Speak the language of each stakeholder group:
Execs – improving the organization’s security posture without capital expenditure
Sys-admins – we won’t break your stuff
Threat hunting does not necessarily require:
Deploying an agent
Change management approvals
Angering sys-admins
Getting Approval
MITRE ATT&CK Hypothesis
Selecting a hypothesis via ATT&CK: the MITRE ATT&CK matrix is organized by attacker tactics (the adversary’s objective, e.g. persistence or privilege escalation) and the techniques used to achieve them. Pick one technique, and the hypothesis becomes “this technique has been used on an in-scope system”, which is narrow enough to define the data you need to collect.
Hypothesis Driven Methodology
Four steps of hypothesis testing:
1. Identify a MITRE ATT&CK technique to test, e.g. “a malicious modification to the PATH environment variable has been made on an in-scope system”
2. Formulate an action plan to identify the in-scope systems and outline the data acquisition
3. Execute the action plan and obtain the data from the in-scope systems
4. Perform automated data analytics and manual analysis to accept or reject the hypothesis
Cycle: 1. Make Observations → Develop a Hypothesis → Identify Scope → Data Acquisition & Analysis → back to observations
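The four steps worked through against the PATH hypothesis on the slide, as an example added by the editor (it is not code from the original deck). It assumes PowerShell Remoting is enabled on the in-scope hosts; the host names, the trusted-root allow-list and the user-writable patterns are illustrative assumptions to tune per estate, and the constructed sample records let the analysis half run without any remote hosts.

```powershell
# Step 1: turn the hypothesis into a testable condition. An observation is any PATH entry
# outside a trusted root, or inside a location a standard user can write to (an attacker
# prepends such a directory so unqualified program lookups resolve to their binary).
$TrustedRoots = @('%SystemRoot%', 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')   # assumption
$UserWritable = @('\\Users\\', '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '%USERPROFILE%', '%TEMP%')

function Test-PathEntry {
    param([string]$Entry, [string]$ComputerName, [string]$Scope)
    $e = $Entry.Trim().TrimEnd('\')
    $trusted = $false
    foreach ($root in $TrustedRoots) {
        if ($e -eq $root -or $e.StartsWith("$root\", 'OrdinalIgnoreCase')) { $trusted = $true; break }
    }
    $writable = [bool]($UserWritable | Where-Object { $e -match $_ })
    [pscustomobject]@{
        ComputerName = $ComputerName; Scope = $Scope; Entry = $e
        Trusted = $trusted; UserWritable = $writable
        Suspicious = (-not $trusted) -or $writable
    }
}

# Steps 2 and 3: action plan and acquisition. One-to-many over PowerShell Remoting (WinRM,
# TCP 5985/5986). The REG_EXPAND_SZ is read unexpanded on purpose: an unexpanded
# %USERPROFILE% sitting in the machine PATH is itself a finding.
$Collect = {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    [pscustomobject]@{ Scope = 'Machine'; Path = (Get-Item $key).GetValue('Path', '', 'DoNotExpandEnvironmentNames') }
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {          # every loaded user profile
        $envKey = Join-Path $hive.PSPath 'Environment'
        if (Test-Path $envKey) {
            $p = (Get-Item $envKey).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
            if ($p) { [pscustomobject]@{ Scope = "User:$($hive.PSChildName)"; Path = $p } }
        }
    }
}
function Get-PathRecords {
    param([string[]]$ComputerName)
    # Invoke-Command stamps every object with PSComputerName; an unreachable host is an error, not a stop
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $Collect -ErrorAction Continue
}

# Step 4: analysis. Split each PATH, test every entry, then give a per-host verdict.
function Get-PathObservations {
    param($Records)
    foreach ($r in $Records) {
        foreach ($entry in ($r.Path -split ';')) {
            if ($entry.Trim()) { Test-PathEntry -Entry $entry -ComputerName $r.PSComputerName -Scope $r.Scope }
        }
    }
}
function Get-HypothesisVerdict {
    param($Observations)
    $Observations | Group-Object ComputerName | ForEach-Object {
        $hit = @($_.Group | Where-Object Suspicious)
        $verdict = if ($hit.Count -gt 0) { "ACCEPT: $($hit.Count) suspicious PATH entries" } else { 'REJECT: PATH as expected' }
        [pscustomobject]@{ ComputerName = $_.Name; Verdict = $verdict }
    }
}

# Constructed sample shaped like Invoke-Command output, so the analysis runs offline.
# For a real hunt replace it with: $records = Get-PathRecords -ComputerName (Get-Content .\in-scope-hosts.txt)
$records = @(
    [pscustomobject]@{ PSComputerName = 'WKS01'; Scope = 'Machine'; Path = '%SystemRoot%\system32;%SystemRoot%;C:\Program Files\Git\cmd' }
    [pscustomobject]@{ PSComputerName = 'WKS02'; Scope = 'Machine'; Path = 'C:\Users\Public\Libraries;%SystemRoot%\system32;%SystemRoot%' }
    [pscustomobject]@{ PSComputerName = 'WKS02'; Scope = 'User:S-1-5-21-1004336348-1177238915-682003330-1001'; Path = 'C:\Users\jdoe\AppData\Local\Temp' }
)
$obs = Get-PathObservations $records
Get-HypothesisVerdict $obs | Format-Table -AutoSize
$obs | Where-Object Suspicious | Format-Table ComputerName, Scope, Entry, Trusted, UserWritable -AutoSize
```

With the sample, WKS01 rejects the hypothesis and WKS02 accepts it on two entries (a user-writable directory prepended to the machine PATH, and a Temp directory in a user PATH). The verdict objects, not the console output, are what gets documented as observations in the tracking platform.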
Possible Data Sources
Endpoint logs: CimSweep, PowerShell Remoting, Windows Event Forwarding, SIEM collectors, EDR tools
Network logs: DNS, firewall, Bro, NetFlow
Account logs: Active Directory, VPNs
If you’re capturing any of these logs, you can start hunting for malicious activity – you’ve already got the data!
Network Hunting
Most organizations already have the network equipment in place to perform basic threat hunting. The slide’s table maps common hunting use cases against the network log sources that support them (DNS logs, firewall logs, VPN logs, Bro/NTA logs):
Suspicious geolocation login
Port scanning / recon
C2 channels or beaconing
Data exfiltration detection
DNS tunneling
Suspicious download tracking
Crawling with CimSweep
Pros: backwards compatible through Windows NT 4.0; allows scripted mass collection
Cons: limited in the data that can be collected; internal firewalls can block connectivity when the DCOM transport is used (RPC endpoint mapper on TCP 135 plus dynamic high ports) rather than WSMan; one-to-one data collection
Pre-reqs: collection system requires PowerShell 3.0 or greater (the CIM cmdlets); a privileged account with local admin rights on the remote systems
Author: Matt Graeber – https://github.com/PowerShellMafia/CimSweep
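The crawl pattern CimSweep is built on, shown with only the built-in CIM cmdlets (PowerShell 3.0+). This is an example added by the editor, not CimSweep’s own code; the host list, the optional credential and the output path are assumptions. The point a hunter needs to see is the transport order: WSMan (WinRM, TCP 5985) first and DCOM only as a fallback, because DCOM is the one internal firewalls usually block, and a failed host is logged rather than aborting the sweep.

```powershell
$ComputerName = @('WKS01', 'WKS02', 'SRV-FILE01')        # assumed in-scope hosts
$Credential   = $null                                    # or Get-Credential for a dedicated hunt account
$OutFile      = ".\services-$(Get-Date -Format yyyyMMdd-HHmm).csv"

function New-HuntCimSession {
    # WSMan first; on failure retry the same host over DCOM (RPC 135 + dynamic ports).
    param([string]$Computer, [pscredential]$Credential)
    $params = @{ ComputerName = $Computer; OperationTimeoutSec = 30; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try { return New-CimSession @params }
    catch {
        Write-Verbose "$Computer : WSMan failed ($($_.Exception.Message)); falling back to DCOM"
        return New-CimSession @params -SessionOption (New-CimSessionOption -Protocol Dcom)
    }
}

function Get-ServiceBinary {
    # Reduce a service command line to its executable so identical binaries stack together later.
    param([string]$PathName)
    if (-not $PathName) { return '' }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }      # quoted path, arguments follow
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }     # unquoted path, stop at the first .exe
    return ($PathName -split ' ')[0]
}

$Results = foreach ($c in $ComputerName) {
    try {
        $session = New-HuntCimSession -Computer $c -Credential $Credential
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Select-Object @{ n = 'ComputerName'; e = { $c } },
                          @{ n = 'Protocol';     e = { $session.Protocol } },   # WSMAN or DCOM, kept as evidence
                          Name, StartMode, State, StartName, PathName,
                          @{ n = 'Binary';       e = { Get-ServiceBinary $_.PathName } }
        Remove-CimSession $session
    } catch { Write-Warning "$c : collection failed: $($_.Exception.Message)" }   # one host fails, not the sweep
}
$Results | Export-Csv -NoTypeInformation -Path $OutFile      # hand-off to Logstash/ELK

# First-pass triage before the CSV ever reaches ELK: service binaries outside the two roots
# every stock Windows build uses. Legitimate third-party agents land here too; stack them across hosts.
$Results | Where-Object { $_.Binary -notmatch '^c:\\(windows|program files( \(x86\))?)\\' } |
    Sort-Object Binary | Format-Table ComputerName, Name, StartMode, StartName, Binary -AutoSize
```

Run it with `-Verbose` to see which hosts needed the DCOM fallback; a cluster of DCOM-only hosts is usually a segment where WinRM was never enabled, which is also where Windows Event Forwarding will have gaps.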
Walking with PowerShell Remoting
Pros: provides far more data than CimSweep; one-to-many data collection; lots of interesting work by the community; able to make full use of the Win32 APIs
Cons: requires PowerShell scripting capability
Pre-reqs: PowerShell Remoting enabled on the targets (a WinRM listener, TCP 5985 or 5986 for HTTPS)
Author: Jared Atkinson – https://github.com/Invoke-IR/ACE
Running with Windows Event Forwarding
Pros: increases visibility across all of your systems; many-to-one event data collection; extremely well documented by Microsoft
Cons: requires substantial GPO changes (subscription manager, WinRM, audit policy, event log read permissions)
Pre-reqs: the WinRM service on the source hosts (Enable-PSRemoting turns it on, but WEF itself rides WS-Management and does not need PowerShell Remoting); a spare server for log collection
Source: Jessica Payne – “Monitoring What Matters” blog post on TechNet
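A source-initiated WEF subscription as it would be created on the collector, added here by the editor; it is not code from the deck or from the cited blog post. The collector name, the subscription name, the event IDs chosen and the GPO values are assumptions for illustration.

```powershell
# On the collector, elevated, once: WinRM listener plus the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# What to pull and from whom. Domain Computers (DC) and Domain Controllers (DD) may push;
# Custom mode with a 30 s batch latency keeps the collector close to real time.
$Subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Hunt-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logons, process creation, scheduled tasks and service installs for hunting</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4698)]]</Select>
      </Query>
      <Query Id="1" Path="System">
        <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$Subscription | Set-Content -Encoding ASCII .\Hunt-Baseline.xml
wecutil cs .\Hunt-Baseline.xml          # create the subscription
wecutil gr Hunt-Baseline                # runtime status: which sources have checked in

# On the sources, by GPO rather than per host (values are assumptions):
#   Computer Configuration > Policies > Administrative Templates > Windows Components >
#   Event Forwarding > "Configure target Subscription Manager" =
#     Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=300
#   plus the WinRM service set to start automatically, and read access on the Security log
#   for NETWORK SERVICE (the forwarder), e.g. by adding it to Event Log Readers.
# 4688 only carries the command line if "Include command line in process creation events"
# is also enabled in the audit policy GPO; without it the event is far less useful for hunting.
```

`wecutil gr` is the first thing to check after the GPO refresh: a source that never appears there is a host whose WinRM is off or firewalled, and that list is itself a hunting observation about visibility gaps.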
Endpoint Threat Hunting Maturity
CimSweep: runs pretty much everywhere; gives you something when you’ve otherwise got nothing; a great way to start demonstrating value
PowerShell Remoting: gives you much more data; scales for fast collection; will win you friends among the other admins
Windows Event Forwarding: allows hunting through historic data; by nature provides continuous data collection; better enables automated alerting
MISP – Malware Information Sharing Platform
What is it? A threat intel aggregator; a hosted IOC database/repository
App enrichment: TheHive, Cortex; threat intel providers via API key (VirusTotal, Shodan, etc.)
What is the value / why do it? Bulk IOC queries; threat actor tracking; SIEM agnostic – various export formats supported; organization segregation
https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
ELK – Elasticsearch, Logstash & Kibana
Data manipulation via visualization: custom views; advanced filtering in visualizations; whitelist/blacklist file paths; least frequency of occurrence (LFO); process stacking
Rapid query results
Flexible query options: string queries, e.g. FilePath: (“appdata” OR “temp”); Levenshtein/fuzzy queries
Logstash plugin filters: unify your data fields across different tools and scripts (ImagePath, path, Path → ExecutablePath); parse out the file extension
Data Enrichment on Ingestion
Logstash can make REST queries on event ingestion
SANS FTW: Domain Stats – is the domain in the Alexa top 1 million? when was it created? “Freq” server – scores the “Englishness” of a domain from character-pair frequencies, so algorithmically generated names stand out; VirusTotal queries
Data Enrichment Example (screenshot slides)
TheHive & Cortex
Threat hunt process tracking: live stream of team member activity; project tasks assigned for visibility and accountability
Observation tracking: custom tracking of observables; statistics based on type, IOC, and tags; filter observables data
Data analysis and automation: Cortex analyzers; data reduction via threat intel correlation; delegate your work to the machines!
Data Analysis / Analytics
Data reduction
Targeted threat hunt topics: persistence, registry keys
Least Frequency Of Occurrence (LFO): stack all the things! A uniform environment should be homogeneous, so the entries that appear on the fewest hosts are the ones to look at first
Know normal… find evil!
Suspiciously named files: one-character .exe names, pseudorandom letters/numbers
Legitimate filenames operating in illegitimate file paths
Thanks SANS! https://www.sans.org/security-resources/posters/dfir-find-evil/35/download
Threat intel correlation
https://www.sans.org/security-resources/posters/dfir/windows-forensics-evidence-of-75
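Least-frequency-of-occurrence stacking together with the “know normal, find evil” name and path checks, as an example added by the editor (not code from the deck or the SANS poster). It runs over a constructed set of Run-key autostart entries shaped like the output of a CimSweep or PowerShell Remoting sweep, one row per host per entry; the sample rows, the field names and the heuristics are assumptions. It generalizes the slide’s two examples (one-character names, pseudorandom names, a system binary outside its home directory) into reusable checks.

```powershell
# Constructed sample: six hosts, a benign entry on all of them, OneDrive on four, and three
# singletons that exhibit the patterns from the slide.
$Autostarts = @()
foreach ($h in 1..6) {
    $Autostarts += [pscustomobject]@{ ComputerName = "WKS0$h"; Hive = 'HKLM'; Name = 'SecurityHealth'
                                      ImagePath = 'C:\Windows\system32\SecurityHealthSystray.exe' }
}
foreach ($pair in 'WKS01,asmith', 'WKS02,bjones', 'WKS04,ckim', 'WKS05,dlee') {
    $c, $u = $pair -split ','
    $Autostarts += [pscustomobject]@{ ComputerName = $c; Hive = 'HKU'; Name = 'OneDrive'
                                      ImagePath = "`"C:\Users\$u\AppData\Local\Microsoft\OneDrive\OneDrive.exe`" /background" }
}
$Autostarts += [pscustomobject]@{ ComputerName = 'WKS03'; Hive = 'HKLM'; Name = 'svchost'; ImagePath = 'C:\Users\Public\svchost.exe' }
$Autostarts += [pscustomobject]@{ ComputerName = 'WKS05'; Hive = 'HKLM'; Name = 'Update';  ImagePath = 'C:\ProgramData\x7f3k2q9.exe -k' }
$Autostarts += [pscustomobject]@{ ComputerName = 'WKS06'; Hive = 'HKU';  Name = 'a';       ImagePath = '"C:\Users\jdoe\AppData\Roaming\a.exe" -s' }

function Get-NormalizedImagePath {
    # Strip arguments and quoting, lower-case, and collapse per-user profile paths so the
    # same program on different users' machines stacks into one row.
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.exe)') { $p = $Matches[1] }
    $p = $p.ToLowerInvariant()
    return ($p -replace '^c:\\users\\(?!public\\)[^\\]+\\', 'c:\users\<user>\')
}

$SystemBinaries = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'winlogon.exe')
$SystemDirs     = @('c:\windows\system32\', 'c:\windows\syswow64\')

function Get-NameFlags {
    # The "find evil" heuristics, applied to a normalized path. Returns zero or more flag strings.
    param([string]$NormalizedPath)
    $file  = ($NormalizedPath -split '\\')[-1]
    $stem  = $file -replace '\.[^.]*$', ''
    $dir   = $NormalizedPath.Substring(0, $NormalizedPath.Length - $file.Length)
    $flags = @()
    if ($stem.Length -eq 1)                                       { $flags += 'one-char-name' }
    if ($stem -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$')         { $flags += 'pseudorandom-name' }   # letters+digits, no separators
    if ($SystemBinaries -contains $file -and $SystemDirs -notcontains $dir) { $flags += 'system-binary-outside-home' }
    if ($dir -match '^c:\\(users\\|programdata\\|windows\\temp\\)') { $flags += 'user-writable-path' }
    return $flags
}

function Get-AutostartStack {
    # LFO stack: one row per distinct normalized image path, rarest first.
    param($Rows)
    $Rows |
        ForEach-Object { $_ | Add-Member -NotePropertyName Normalized -NotePropertyValue (Get-NormalizedImagePath $_.ImagePath) -PassThru } |
        Group-Object Normalized | ForEach-Object {
            $hosts = @($_.Group.ComputerName | Sort-Object -Unique)
            [pscustomobject]@{ Hosts = $hosts.Count; Flags = (Get-NameFlags $_.Name) -join ','
                               ImagePath = $_.Name; Where = $hosts -join ',' }
        } | Sort-Object Hosts, ImagePath
}

$Stack = Get-AutostartStack $Autostarts
$Stack | Format-Table -AutoSize
# Review queue: rare entries, plus anything with a name/binary flag regardless of prevalence.
$Stack | Where-Object { $_.Hosts -le 2 -or $_.Flags -match 'name|binary' } | Format-Table -AutoSize
```

On the sample, SecurityHealth stacks to 6 hosts with no flags, OneDrive to 4 hosts with only the user-writable flag (the expected false positive that prevalence alone would have cleared), and the three singletons each carry a name or path flag. Against real data the stack is the same; only the row count changes, which is why the normalization step matters more than the heuristics.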
Observation / Result Tracking
Metrics and tasks and observables, oh my!
Hosted, with concurrent users – see ya later, Excel!
Tagging (hash, IP, domain, etc.) allows metric tracking for reporting
Accountability: team member status updates / live streams
Citations
1. Threat hunting definition: https://sqrrl.com/solutions/cyber-threat-hunting/
2. MISP: http://www.misp-project.org/
3. TheHive: http://thehive-project.org/
4. TheHive “how they all fit together” images: https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
5. SANS graphics: https://www.sans.org/security-resources/posters/dfir-find-evil/35/download and https://www.sans.org/security-resources/posters/dfir/windows-forensics-evidence-of-75
Speaker notes
Interest in threat hunting has grown significantly across all the verticals we work with. Clients have asked us to execute, develop, or assist with threat hunting in healthcare, financial, technology, and pharmaceutical organizations.
Critical factors for threat hunting: project focus; data availability; dedicated team members*; varying skill sets.
Hypothesis Topic and System Scoping: select a campaign topic that is feasible given the visibility and the accessible data for the in-scope systems.
Establish and Define a Repeatable Threat Hunting Methodology: define a process that can be scaled in scope, reused for additional hunt campaigns, and re-performed with other security toolsets, enabling a more mature and proactive security stance.
Identify and Reduce Environment Attack Surface: identify, track, and fix abnormal system configurations together with their owners, to improve environmental hygiene and lock down the persistence mechanisms attackers use.
Develop Environment Baselines: develop a historical baseline of expected results so that anomalies can be uncovered during periodic patrolling.
Automation: automate detection, alerting, and response for anomalies that were previously identified or TTPs that were covered by a previous hunt. Automation can live in various toolsets such as a SIEM, EDR, or firewall.
This follows the scientific method for hypothesis testing.