Modernizing Your SOC: A CISO-led Training
© 2017 Sqrrl Data, Inc. All rights reserved.
Presenters
Edward Amoroso, CEO of TAG Cyber, Former CISO for AT&T
David J. Bianco, Sqrrl Security Technologist, Former lead threat hunter at GE
Lessons Learned from Past, Present, and Future Security Operations Centers (SOCs)
Dr. Edward G. Amoroso, CEO TAG Cyber, eamoroso@tag-cyber.com
What Do We Mean by “Threat Hunting”?
The collective name for any manual or machine-assisted techniques used to detect security incidents missed by automated processes.
What is Threat Hunting?
• Proactive
• Iterative
• Human-driven
• Analytical
Why Hunt?
The purpose of hunting is not to find new incidents. The purpose of hunting is to find new ways of finding incidents.
Functions of a Modern SOC
Diagram of five SOC functions and the outputs that flow between them:
• Functions: Hunting, Detection Development, Automated Detection, Incident Response, Intel
• Flows between them: Findings, Detection Improvements, Detections, Incident Data, Indicators
Functions of a Modern SOC: Sqrrl’s Focus (the same diagram)
Fielding a Hunt Team
Ad Hoc
• Hunting in “spare” time
• Can get a lot of hunters involved, but lacks strategy and coordination
• Also, if “everyone” hunts, no one hunts
Dedicated
• “Go out and find me some bad guys!”
• Enables strategic thinking, but concentrates expertise into the hands of a few
Hybrid
• The best of both!
• The hunt function is dedicated, but team members rotate through
• Encourages both strategic planning and broad participation
Team Skillsets: All Members
• Communication
• Business Knowledge
• Collaboration
• Critical Thinking
Team Skillsets: Specialities
Threat and Internal specialties:
• Data Analysis / Data Science
• Network Protocols
• OS Internals
• Security Logging
Growing Hunters and Hunt Teams
If possible, establish a core of experienced hunters with a demonstrated track record of mentorship.
Procedures should encourage and require collaboration between analysts at all skill levels.
Encourage “active mentorship” within the team:
• Have members participate in creating and implementing a training/development plan each year, then give them the time and resources necessary to complete it.
• Every team member has something they know more about than anyone else. Get them to document and share via blogs, brown bag lunch sessions, etc.
• Involvement in the larger security community is great professional development!
This Company Gets It
Part of an actual job posting for a “Hunt Team Analyst”. Skills enhancement is literally the second paragraph in the document.
As a contributor to the team, this role will spend up to 30% of its time broadening skills by:
• Participating in one-on-one hands-on mentoring with peers and senior team members
• Researching new techniques for analysis & developing deeper technical analysis skills
• Contributing to the security community through projects and presenting at conferences
While spending 70% or more heads down doing the mission:
• Hands-on hunting, event triage & analysis across NSM sensors & managed endpoints
• Consumption, analysis, and production of tactical threat intelligence
• Development & maintenance of detection scripts, rules, signatures and related logic
• Finding evil, and generally having fun kicking it out of places it shouldn’t be
Step 1: Choose Your Favorite Attack Model
The Lockheed Martin Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives
References:
• “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked January 20, 2017)
• MITRE ATT&CK: Adversarial Tactics, Techniques & Common Knowledge, MITRE, http://attack.mitre.org (Last checked January 20, 2017)
Step 2: Identify Malicious Behaviors
Kill chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives
Example KC7 (phase 7, Actions on Objectives) Activities
• Lateral Movement
• Data Staging & Exfiltration
• Credential Dumping
• Local Network Discovery
• Disable Endpoint Security
• Webshell Use
• Email Theft
• Malicious Data Encryption
Factor in your own environment and business priorities!
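To make Step 2 concrete, and to show the Hunting → Findings → Detection Development → Automated Detection loop from the "Functions of a Modern SOC" diagram in working code, here is an added example that is not part of the Sqrrl deck. It takes one of the KC7 behaviors listed above, Local Network Discovery, and hunts for it in constructed flow records (internal sources that touch unusually many distinct internal hosts in a short window). The hunt function ranks every source so an analyst can review the baseline; the detection function is the same heuristic codified as a rule once the analyst has chosen a threshold. The flow line format, the 10.0.0.0/8 internal range, the 60-second window and the threshold of 10 are all assumptions made for the example.

```python
"""Added example (not Sqrrl's code): hunt for one KC7 behavior, Local Network
Discovery, in constructed flow logs, then codify the finding as a detection."""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records, one per line: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.1.1.77 touches 20 distinct internal hosts on 445 within 19 seconds (discovery);
# the other hosts show ordinary fan-out of one to three destinations.
SAMPLE_FLOWS = "\n".join(
    ["2017-01-20T09:00:00 10.1.1.5 10.1.1.20 445",
     "2017-01-20T09:00:05 10.1.1.5 10.1.1.21 139",
     "2017-01-20T09:01:10 10.1.1.6 10.1.1.20 445",
     "2017-01-20T09:01:12 10.1.1.6 10.1.1.250 53",
     "2017-01-20T09:01:30 10.1.1.8 8.8.8.8 53",        # external destination, ignored
     "2017-01-20T09:02:00 10.1.1.8 10.1.1.250 53"]
    + [f"2017-01-20T09:03:{i:02d} 10.1.1.77 10.1.1.{30 + i} 445" for i in range(20)]
    + ["2017-01-20T09:30:00 10.1.1.77 10.1.1.20 445"]   # well outside the burst
)

# Assumed internal address space for the example environment.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_flows(text):
    """Parse the flow lines into dicts sorted by time, dropping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append({
                "ts": datetime.fromisoformat(parts[0]),
                "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]),
                "port": int(parts[3]),
            })
        except ValueError:
            continue
    return sorted(flows, key=lambda f: f["ts"])


def fan_out(flows, window=timedelta(seconds=60)):
    """Hunting view: for each internal source, the largest number of distinct
    internal destinations it contacted within any sliding window of `window`.
    Returns {src: (max_distinct, window_start)} ranked from highest to lowest,
    so an analyst can read off the baseline and the outliers."""
    by_src = {}
    for f in flows:
        if f["src"] in INTERNAL and f["dst"] in INTERNAL:
            by_src.setdefault(f["src"], []).append(f)
    result = {}
    for src, events in by_src.items():
        seen = Counter()          # distinct destinations currently inside the window
        best, best_start, left = 0, None, 0
        for ev in events:
            seen[ev["dst"]] += 1
            # Slide the left edge forward until the window spans at most `window`.
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dst"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) > best:
                best, best_start = len(seen), events[left]["ts"]
        result[src] = (best, best_start)
    return dict(sorted(result.items(), key=lambda kv: kv[1][0], reverse=True))


def detect_network_discovery(flows, threshold, window=timedelta(seconds=60)):
    """Detection development: the hunt heuristic codified as an automated rule.
    `threshold` is whatever the analyst chose after reviewing the hunt ranking
    (a constructed value in this example). Each alert carries the attack-model
    mapping from Steps 1 and 2 so incident response knows where it sits."""
    alerts = []
    for src, (count, start) in fan_out(flows, window).items():
        if count >= threshold:
            alerts.append({
                "rule": "internal_fan_out",
                "phase": "KC7 Actions on Objectives",
                "behavior": "Local Network Discovery",
                "src": str(src),
                "distinct_dst": count,
                "window_start": start.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, (count, start) in fan_out(flows).items():   # the hunt: review the ranking
        print(f"{src}\t{count} distinct internal hosts, window starting {start}")
    for alert in detect_network_discovery(flows, threshold=10):   # the codified rule
        print(alert)
```

On the constructed data the hunt ranking puts 10.1.1.77 at the top with 20 distinct hosts against a baseline of one to two for everyone else, and a threshold of 10 turns that single finding into a rule that fires only for it. The same structure applies to the other KC7 behaviors on the slide: hunt with an exploratory ranking first, then promote the heuristic to automated detection once the baseline for your own environment is understood.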
Step 3: Align Your Strategy to Your Model
Across the kill chain phases (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives), vary how often you hunt:
• Sometimes do this: Predict attacks
• Regularly do this: Expand the stories you are able to tell
• Frequently do this: High impact activity
How Mature Are Your Hunt Capabilities?
Use this simple assessment to find out where you fall on the Hunting Maturity Model and what you can do to improve your SOC’s capabilities!
Editor's Notes: If you are big enough to have a SOC, you are big enough to start hunting. All SOCs should have some sort of hunt function.