Threat Hunting in Modern Networks. David Biser


What is Threat Hunting? The act of aggressively pursuing and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.

Why Perform Threat Hunting? Most threats are human driven. These adversaries cannot be stopped by checking a box or installing a program; stopping them requires hunters who know the adversaries' tactics, techniques and procedures. The goal is to prevent, or at least minimize, damage before it occurs.

Threat Hunting In context, many security personnel believe that they were hunting long before this term emerged. This is partially true. The term itself is new, and only now are the processes forming into an organized and more efficient methodology.

Threat Hunting Where hunting already occurs, it is usually reported as an ad hoc process. This presents a challenge to integrating more advanced and targeted methods of hunting, which requires the proper tools, people, processes and buy-in from decision makers.

Maturity Model (Hunting Maturity Model)

HMM 0  Initial     Relies primarily on automated alerts; little or no routine data collection
HMM 1  Minimal     Incorporates threat intelligence searches; moderate or high level of data collection
HMM 2  Procedural  Follows data analysis procedures created by others; high level of data collection
HMM 3  Innovative  Creates new data analysis procedures; high level of data collection
HMM 4  Leading     Automates the majority of successful analysis procedures; high level of data collection

Threat Hunting Before instituting a threat hunting program you need to carefully weigh where your security program stands. If you have no security program, you are not ready to start threat hunting. A careful study of your environment must be made before you start the hunt.

Weighing your current state

Where Threat Hunting Fits The act of hunting belongs to the active defense area. It combines external threat intelligence with intelligence from your own internal data to produce useful and actionable knowledge. If you have a security operations function, you are already hunting in some form; the next step is to build it into a robust and complete threat hunting program.

Choose your Attack Model

Identify High Risk Activities

How to Hunt


What is a Threat? Security vendors have listed all of the following as "threats" (a mix of actors, tooling, targets and assets):
- Iranian hackers
- Chinese hackers
- Crimeware exploit toolkits
- Ransomware
- Point of Sale systems
- Internet of Things
- Lost or stolen laptops

Definitions Formalizing the data and the vocabulary used in threat hunting and cyber security is important. The group below has developed a taxonomy of potential threats to aid organizations: http://www.auditscripts.com/freeresources/open-threat-taxonomy/

Example (from the Open Threat Taxonomy)

Threat ID  Threat Action Name                              Threat Rating
TEC-001    Organizational fingerprinting via open sources  2.0
TEC-002    System fingerprinting via open sources          2.0
TEC-003    System fingerprinting via scanning              2.0
TEC-004    System fingerprinting via sniffing              2.0
TEC-005    Credential discovery via open sources           4.0

The Hunter Hunters often wear multiple hats or titles. No matter the position, the hunter must be dedicated to actively pursuing adversaries. If your hunters are spread across multiple duties they lose focus, and with it the ability to hunt.

The Hunter As part of a team, the threat hunter works in conjunction with the network, security and other teams. It is a cooperative relationship, not a competitive one.

The Hunter They need to be:
- Curious
- Passionate
- Skilled with multiple tools
- Adventurous
- Knowledgeable about the ever-evolving threat landscape
- Able to adapt quickly to changing scenarios

The Tools
- Sqrrl Data: collects data from multiple sources; provides some automation and the ability to correlate a high volume of collected data.
- Infocyte Hunt: another data aggregation and automation tool; uses agents on endpoints that exist only for short periods of time.

The Tools
- Endgame: can be deployed in multiple venues (cloud, virtual machine, physical, etc.); uses agents on endpoints to gather data; automates some analysis and allows interaction with the endpoints.

Measuring Success How do you know if your threat hunting program is successful? This is vital to continued funding, and to confirming that the program is actually performing the correct actions: locating threats and dealing with them.

Measuring Success
- Number of incidents by severity: tracking the number of incidents, vulnerabilities and suspicious activities provides an excellent metric.
- Number of compromised hosts: this can be measured in several ways (type of compromise, type of data, business impact); include misconfigured security settings.

Measuring Success
- Dwell time of any incidents discovered: attempt to ascertain how long uncovered threats have been active on your network. This helps identify which step of the kill chain is involved and where your focus should be. Use the following:
  - Time from infection to detection
  - Time from detection to investigation
  - Time from investigation to remediation

Measuring Success
- Number of detection gaps filled: a high-level goal of hunting is to create new methods of detection. This leads to identifying and filling detection gaps, which is part of the hunting mission.
- Logging gaps identified and corrected: this helps across multiple security fields and is important for the entire security program.

Measuring Success
- Vulnerabilities identified: vulnerabilities can lead to exploitation and to compromise, so identifying them is extremely important.
- Insecure practices identified and corrected: these can lead to compromise and incidents; tracking them as they are discovered helps ensure adequate coverage.

Example Hypothesis Attackers could be operating a C2 channel that uses a common port and protocol within your network. Look for artifacts that are unusual for that protocol: if it is HTTP, look for strange domains, URLs, User-Agent strings, and so on.
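The following is an added example of testing that hypothesis over proxy logs; it is not code from the presentation. It checks two artifacts that an implant hiding in HTTP traffic rarely gets right: a User-Agent string almost no other host uses, and a request cadence that is far more regular than human browsing (a sleep-and-poll beacon). The log format and every entry are constructed for the example; the thresholds are assumptions you would tune to your own environment.

```python
"""Added example (not from the original presentation): hunting for HTTP C2.

Hypothesis: an implant beacons to its C2 over port 80/443 and blends in
with normal browsing.  Two things that do not blend in well are a rare
User-Agent string and a suspiciously regular request interval.

Log format and entries are constructed here: epoch_seconds src_ip dest_host user_agent
"""
from collections import defaultdict
from statistics import mean, pstdev

PROXY_LOG = """\
1000 10.0.0.5 www.example.com Mozilla/5.0 (Windows NT 10.0) Chrome/70
1007 10.0.0.6 www.example.com Mozilla/5.0 (Windows NT 10.0) Chrome/70
1015 10.0.0.7 news.example.org Mozilla/5.0 (Windows NT 10.0) Chrome/70
1060 10.0.0.5 update.example.net Mozilla/4.0 (compatible; MSIE 6.0)
1120 10.0.0.5 update.example.net Mozilla/4.0 (compatible; MSIE 6.0)
1181 10.0.0.5 update.example.net Mozilla/4.0 (compatible; MSIE 6.0)
1240 10.0.0.5 update.example.net Mozilla/4.0 (compatible; MSIE 6.0)
1300 10.0.0.5 update.example.net Mozilla/4.0 (compatible; MSIE 6.0)
1310 10.0.0.6 mail.example.com Mozilla/5.0 (Windows NT 10.0) Chrome/70
1333 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 10.0) Chrome/70
1400 10.0.0.6 www.example.com Mozilla/5.0 (Windows NT 10.0) Chrome/70
"""


def parse(log):
    """Split each line into (ts, src, host, ua); the UA contains spaces, so
    split only on the first three."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, ua = line.split(" ", 3)
        rows.append((int(ts), src, host, ua))
    return rows


def rare_user_agents(rows, max_hosts=1):
    """User-Agent strings seen from at most max_hosts distinct source IPs.
    Returns {ua: [src_ip, ...]}.  max_hosts=1 is an assumed threshold."""
    hosts_by_ua = defaultdict(set)
    for _, src, _, ua in rows:
        hosts_by_ua[ua].add(src)
    return {ua: sorted(h) for ua, h in hosts_by_ua.items() if len(h) <= max_hosts}


def beacon_candidates(rows, min_requests=4, max_cv=0.2):
    """(src, dest) pairs whose inter-request gaps are suspiciously regular.
    cv = stdev/mean of the gaps: human browsing has a high cv, a beacon with
    small jitter has a low one.  Thresholds are assumptions."""
    times = defaultdict(list)
    for ts, src, host, _ in rows:
        times[(src, host)].append(ts)
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            found[pair] = {"requests": len(ts),
                           "mean_gap": round(mean(gaps), 1),
                           "cv": round(cv, 3)}
    return found


def hunt(rows):
    """Intersect the two weak signals: sources that beacon AND use a rare UA."""
    rare_srcs = {s for hosts in rare_user_agents(rows).values() for s in hosts}
    return sorted(p for p in beacon_candidates(rows) if p[0] in rare_srcs)


if __name__ == "__main__":
    rows = parse(PROXY_LOG)
    print("rare UAs:", rare_user_agents(rows))
    print("beacons:", beacon_candidates(rows))
    print("hunt hits:", hunt(rows))
```

Either signal alone produces false positives (an old internal tool with its own User-Agent, a legitimate polling agent); intersecting them, and then pivoting on the destination host, URL path and response sizes in the same logs, is what turns the hypothesis into a lead worth investigating.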

Example Datasets to search These depend on exactly what you are hunting for:
- NetFlow or other network flow records
- Firewall logs
- IDS/IPS alerts
- Proxy logs, IIS logs
- DNS resolution logs, etc.

Example Indicator Search The value of this approach depends on the value of the indicator. Indicators can be gathered from previous incidents or supplied by threat intelligence teams. Check IP addresses and ports, and search for application-protocol indicators: domains, URLs, email addresses, etc.
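As an added example of an indicator search across two of the datasets listed above (DNS resolution logs and flow records), not code from the presentation: the indicator list, the log formats and every log line are constructed for the example. Domain indicators are matched on label boundaries so that a subdomain of a known-bad domain matches but a look-alike name that merely ends with the same characters does not; hits are then pivoted by internal client so each suspect host appears once with all of its evidence.

```python
"""Added example (not from the original presentation): indicator search over
DNS and flow logs with a hypothetical, constructed indicator set."""
from collections import defaultdict

# Hypothetical indicators, e.g. from a previous incident or the CTI team.
INDICATORS = {
    "domain": {"bad-cdn.example", "c2.example.net"},
    "ip": {"203.0.113.7", "198.51.100.23"},
}

# Constructed DNS resolution log: ts client qname answer
DNS_LOG = """\
1000 10.0.0.5 www.example.com 93.184.216.34
1005 10.0.0.5 upd.bad-cdn.example 203.0.113.7
1010 10.0.0.6 notbad-cdn.example 192.0.2.9
1020 10.0.0.7 c2.example.net 198.51.100.23
"""

# Constructed flow log: ts src dst dport bytes
FLOW_LOG = """\
1006 10.0.0.5 203.0.113.7 443 5120
1021 10.0.0.7 198.51.100.23 8443 900
1030 10.0.0.8 192.0.2.10 443 20000
"""


def domain_matches(qname, domains):
    """True if qname equals an indicator or is a subdomain of one.
    Compares whole labels, so 'notbad-cdn.example' does not match
    'bad-cdn.example' the way a naive endswith() would."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def search_dns(log, indicators):
    """Return (ts, client, [reasons]) for DNS rows touching any indicator."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        reasons = []
        if domain_matches(qname, indicators["domain"]):
            reasons.append("domain:" + qname)
        if answer in indicators["ip"]:
            reasons.append("ip:" + answer)
        if reasons:
            hits.append((int(ts), client, reasons))
    return hits


def search_flows(log, indicators):
    """Return (ts, src, reason) for flows to an indicated IP."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        if dst in indicators["ip"]:
            hits.append((int(ts), src, "ip:%s:%s" % (dst, dport)))
    return hits


def pivot(dns_hits, flow_hits):
    """Group all evidence by internal host: {client: [(source, ts, reasons)]}."""
    by_host = defaultdict(list)
    for ts, client, reasons in dns_hits:
        by_host[client].append(("dns", ts, reasons))
    for ts, src, reason in flow_hits:
        by_host[src].append(("flow", ts, [reason]))
    return {h: sorted(ev, key=lambda e: e[1]) for h, ev in by_host.items()}


if __name__ == "__main__":
    d = search_dns(DNS_LOG, INDICATORS)
    f = search_flows(FLOW_LOG, INDICATORS)
    for host, evidence in pivot(d, f).items():
        print(host, evidence)
```

A DNS lookup that resolves to an indicated IP followed seconds later by a flow to that IP from the same host is a much stronger lead than either record on its own, which is the point of searching several datasets rather than one.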

Learn More!
- https://sqrrl.com/
- https://zeltser.com/cheat-sheets/
- https://files.sans.org/summit/cti_summit_2017/
- http://windowsir.blogspot.com/2015/06/hunting-and-knowing-what-to-huntnot-for.html
- http://findingbad.blogspot.com/
- http://uk.sans.org/readingroom/whitepapers/threathunting
- https://attack.mitre.org/wiki/main_page

Questions