Threat Hunting in Modern Networks David Biser
What is Threat Hunting? The act of aggressively pursuing and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.
Why Perform Threat Hunting? Most threats are human based. These adversaries cannot be stopped by checking a box or installing a program; it takes hunters who know the adversaries' tactics, techniques and procedures to stop them! The goal is to prevent and/or minimize damage before it occurs!
Threat Hunting In context, many security personnel believe that they have been hunting for a long time before this term emerged. This is partially true! The term itself is new, while the processes behind it are only now beginning to form into an organized and more efficient methodology.
Threat Hunting Threat hunting that is already occurring is usually reported as an ad hoc process. This presents a challenge to integrating more advanced and targeted methods of hunting, which requires the proper tools, people, processes and buy-in from decision makers.
Maturity Model
HMM 0 Initial: Relies primarily on automated alerts; little or no routine data collection
HMM 1 Minimal: Incorporates threat intelligence searches; moderate or high level of data collection
HMM 2 Procedural: Follows data analysis procedures created by others; high level of data collection
HMM 3 Innovative: Creates new data analysis procedures; high level of data collection
HMM 4 Leading: Automates majority of successful analysis procedures; high level of data collection
Threat Hunting Before instituting a threat hunting program you need to carefully weigh where your security program stands. If you have no security program then you are not ready to start threat hunting! A careful study of your environment needs to be made before you start the hunt.
Weighing your current state
Where Threat Hunting Fits The act of hunting is contained in the active defense area. It incorporates threat intelligence with your internal data intelligence to provide useful and actionable knowledge. If you have security operations you are already hunting, now you need to create a robust and complete threat hunting program.
Choose your Attack Model
Identify High Risk Activities
How to Hunt
What is a Threat? Security vendors listed these as threats:
Iranian Hackers
Chinese Hackers
Crimeware exploit toolkits
Ransomware
Point of Sale Systems
Internet of Things
Lost or stolen laptops
Definitions The formalization of the data and words used in threat hunting and cyber security is important. The group below has developed a taxonomy of potential threats to aid organizations. http://www.auditscripts.com/freeresources/open-threat-taxonomy/
Example
Threat ID, Threat Action Name, Threat Rating
TEC-001, Organizational Fingerprinting via Open Sources, 2.0
TEC-002, System fingerprinting via Open Sources, 2.0
TEC-003, System fingerprinting via scanning, 2.0
TEC-004, System fingerprinting via sniffing, 2.0
TEC-005, Credential Discovery via open sources, 4.0
The Hunter Oftentimes hunters wear multiple hats or titles. But, no matter the position, the hunter must be dedicated to actively pursuing adversaries. If your hunters are spread across multiple venues then they lose focus and thus the ability to hunt.
The Hunter As part of a team, the threat hunter works in conjunction with the network, security and other teams. It is not a competitive relationship, but a cooperative one!
The Hunter They need to be:
Curious
Passionate
Skilled with multiple tools
Adventurous
Knowledgeable of the ever evolving threat landscape
Able to adapt quickly to changing scenarios
The Tools
Sqrrl Data: Provides the ability to collect data from multiple sources. Provides some automation and the ability to correlate large volumes of collected data.
Infocyte Hunt: Another data aggregation and automation tool. Utilizes agents on endpoints, which only exist for short periods of time.
The Tools
Endgame: Can exist in multiple venues (cloud, virtual machine, physical, etc.). Utilizes agents on endpoints to gather information/data. Provides the ability to automate some analysis and allows for interaction with the endpoints.
Measuring Success How do you know if your threat hunting program is successful? This is vital to continued funding and actually performing the correct actions, locating threats and dealing with them!
Measuring Success
Number of incidents by severity: Tracking the number of incidents, vulnerabilities and suspicious activity provides an excellent metric.
Number of compromised hosts: This can be measured in several ways (compromise, type of data, business impact). Include misconfigured security settings.
Measuring Success
Dwell time of any incidents discovered: Attempt to ascertain how long uncovered threats have been active on your network. Helps identify what step of the kill chain is involved and where your focus should be. Use the following:
Time from infection to detection
Time from detection to investigation
Time from investigation to remediation
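As an added example (not from the slides), the three dwell-time intervals above can be computed per incident and rolled up for a metrics report. The incident records and their timestamps are constructed sample data; the stage with the largest share of dwell time tells you whether the bottleneck is detection or response.

```python
"""Dwell-time metrics for hunt reporting (added example, constructed data)."""
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents: four timeline events each, ISO 8601 timestamps (UTC).
INCIDENTS = [
    {"id": "INC-001", "severity": "high",
     "infected": "2017-03-01T08:00:00", "detected": "2017-03-15T09:30:00",
     "investigated": "2017-03-15T13:00:00", "remediated": "2017-03-17T10:00:00"},
    {"id": "INC-002", "severity": "medium",
     "infected": "2017-03-10T22:15:00", "detected": "2017-03-11T06:00:00",
     "investigated": "2017-03-11T09:00:00", "remediated": "2017-03-11T17:30:00"},
    {"id": "INC-003", "severity": "high",
     "infected": "2017-02-01T00:00:00", "detected": "2017-03-20T12:00:00",
     "investigated": "2017-03-21T08:00:00", "remediated": "2017-03-28T16:00:00"},
]

STAGES = ("infected", "detected", "investigated", "remediated")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def _hours(delta):
    return delta.total_seconds() / 3600


def dwell_times(incident):
    """Return the three intervals from the slide (in hours) plus total dwell for one incident."""
    inf, det, inv, rem = (_ts(incident[k]) for k in STAGES)
    # A timeline that runs backwards is a data-entry error, not a metric; refuse it loudly.
    if not inf <= det <= inv <= rem:
        raise ValueError(f"{incident['id']}: timeline is out of order")
    return {
        "infection_to_detection": _hours(det - inf),
        "detection_to_investigation": _hours(inv - det),
        "investigation_to_remediation": _hours(rem - inv),
        "total_dwell": _hours(rem - inf),
    }


def longest_stage(incident):
    """Name the interval that dominates dwell time; this is where hunting focus should go."""
    stages = {k: v for k, v in dwell_times(incident).items() if k != "total_dwell"}
    return max(stages, key=stages.get)


def summarize(incidents):
    """Mean and median per stage across incidents, plus incident counts by severity."""
    per_incident = [dwell_times(i) for i in incidents]
    stage_stats = {}
    for stage in per_incident[0]:
        values = [p[stage] for p in per_incident]
        stage_stats[stage] = {"mean_h": mean(values), "median_h": median(values)}
    by_severity = {}
    for inc in incidents:
        by_severity[inc["severity"]] = by_severity.get(inc["severity"], 0) + 1
    return {"stages": stage_stats, "incidents_by_severity": by_severity}


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], dwell_times(inc), "bottleneck:", longest_stage(inc))
    print(summarize(INCIDENTS))
```

Reporting the median alongside the mean matters: one long-undetected incident (INC-003 here) drags the mean up by weeks, while the median shows what a typical incident looked like.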
Measuring Success
Number of detection gaps filled: A high level goal of hunting is to create new methods of detection. This can lead to identifying and filling detection gaps, which is part of the hunting mission.
Logging gaps identified and corrected: This helps across multiple security fields and is important for the entire security program.
Measuring Success
Vulnerabilities identified: Vulnerabilities can lead to exploitation and to compromise, so identifying these is extremely important.
Insecure practices identified and corrected: These can lead to compromise and incidents; tracking them as they are discovered helps ensure adequate coverage.
Example Hypothesis Attackers could be operating on a C2 channel that uses a common port and protocol within your network. Look for unique artifacts pertinent to the protocol. If HTTP, then look for strange domains, URLs, User-Agent strings, etc.
Example Datasets to search These can depend on what exactly you are hunting for:
Netflow or other network flow traffic
Firewall logs
IDS/IPS
Proxy logs, IIS logs
DNS resolution logs, etc.
Example Indicator Search The value of this type of approach will depend on the value of the indicator. Values can be gathered from previous incidents or by threat intelligence teams.
Also check IP addresses and ports
Search application protocol indicators
Domain, URL, Email addresses, etc.
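As an added example covering both the HTTP C2 hypothesis and the indicator search above (not code from the slides or any of the tools named), the script below runs three hunts over proxy log lines: rare User-Agent strings and rarely contacted hosts, repeated POSTs from one source to one path, and matches against a supplied indicator list. The log layout is a constructed tab-separated format rather than any vendor's real schema, and every address, domain and indicator value is a constructed placeholder.

```python
"""Hunting an HTTP C2 hypothesis and running an indicator search over proxy logs.

Added example. The log format is a constructed tab-separated layout (not a vendor
format); IPs, hostnames and indicator values are constructed placeholders.
"""
from collections import Counter, defaultdict

FIELDS = ("time", "src_ip", "dst_ip", "dst_port", "method", "host", "path", "user_agent")

# Constructed sample proxy log: one request per line, fields in FIELDS order, tab-separated.
SAMPLE_PROXY_LOG = """\
2017-03-15T09:00:01\t10.1.2.5\t203.0.113.10\t80\tGET\twww.example.com\t/\tMozilla/5.0 (Windows NT 10.0) Chrome/56.0
2017-03-15T09:00:05\t10.1.2.7\t203.0.113.10\t80\tGET\twww.example.com\t/news\tMozilla/5.0 (Windows NT 10.0) Chrome/56.0
2017-03-15T09:00:09\t10.1.2.9\t203.0.113.11\t80\tGET\tcdn.example.net\t/lib.js\tMozilla/5.0 (Windows NT 6.1) Chrome/56.0
2017-03-15T09:01:00\t10.1.2.5\t198.51.100.23\t80\tPOST\tupdate-check.example.org\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)
2017-03-15T09:06:00\t10.1.2.5\t198.51.100.23\t80\tPOST\tupdate-check.example.org\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)
2017-03-15T09:11:00\t10.1.2.5\t198.51.100.23\t80\tPOST\tupdate-check.example.org\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)
2017-03-15T09:02:30\t10.1.2.8\t203.0.113.12\t80\tGET\tmail.example.com\t/inbox\tMozilla/5.0 (Windows NT 10.0) Chrome/56.0
2017-03-15T09:03:10\t10.1.2.11\t192.0.2.44\t80\tGET\tknown-bad.example\t/a.exe\tMozilla/5.0 (Windows NT 10.0) Chrome/56.0
"""

# Constructed indicator list, as a threat intel team or a prior incident write-up might supply.
INDICATORS = {
    "domain": {"known-bad.example"},
    "ip": {"192.0.2.44"},
    "url_path": {"/gate.php"},
}


def parse_proxy_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def rare_values(records, field, max_sources=1):
    """Values of `field` seen from at most `max_sources` distinct source IPs.

    This is the 'strange User-Agent / strange domain' hunt: a value only one host
    in the enterprise ever emits deserves a look (rarity is a lead, not a verdict).
    """
    sources = defaultdict(set)
    for rec in records:
        sources[rec[field]].add(rec["src_ip"])
    return {value: sorted(ips) for value, ips in sources.items() if len(ips) <= max_sources}


def beaconing_candidates(records, min_hits=3):
    """(src_ip, host, path) triples with repeated POSTs; steady POSTs to one path are a C2 tell."""
    counts = Counter((r["src_ip"], r["host"], r["path"]) for r in records if r["method"] == "POST")
    return {key: n for key, n in counts.items() if n >= min_hits}


def indicator_matches(records, indicators):
    """Indicator search: every record that hits a known domain, destination IP or URL path."""
    hits = []
    for rec in records:
        reasons = []
        if rec["host"] in indicators["domain"]:
            reasons.append("domain")
        if rec["dst_ip"] in indicators["ip"]:
            reasons.append("ip")
        if rec["path"] in indicators["url_path"]:
            reasons.append("url_path")
        if reasons:
            hits.append((rec["src_ip"], rec["host"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("rare user agents:", rare_values(recs, "user_agent"))
    print("rare hosts:", rare_values(recs, "host"))
    print("beaconing candidates:", beaconing_candidates(recs))
    print("indicator hits:", indicator_matches(recs, INDICATORS))
```

On real data the rarity threshold should scale with the fleet (one host out of eight is noise; one out of eight thousand is a lead), and the hypothesis hunt and the indicator search are complementary: the first surfaces things no one has written an indicator for yet, the second confirms whether something already known has been seen.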
Learn More!
https://sqrrl.com/
https://zeltser.com/cheat-sheets/
https://files.sans.org/summit/cti_summit_2017/
http://windowsir.blogspot.com/2015/06/hunting-and-knowing-what-to-huntnot-for.html
http://findingbad.blogspot.com/
http://uk.sans.org/readingroom/whitepapers/threathunting
https://attack.mitre.org/wiki/main_page
Questions