Threat Hunting: Utilizing threat Intelligence to Hunt the Unknown in Your Networks

Transcript

1. Intel Driven Threat Hunting

2. Objectives • Threat Hunting • Who will hunt? • Tools

   to hunt? • Pyramid of Pain • Where do we hunt? • PASTA • Threat Intelligence • Methodically Hunting

3. What is Threat hunting? • Reactively pursuing of abnormal activity

   on devices that may be signs of compromise, intrusion, or exfiltration. • Proactively and iteratively searching through networks to detect advanced threat’s that evade existing security

4. Reactive • Tactical Methodology • Current / Now / “Is”

   or “Has” happened • Driven from present Alerts and Notifications • Incident Response Process

5. Proactive • Strategic Methodology • Deep Analysis utilizing Threat Modeling

   • Efficiently mature and develop for the long-term results • Utilizes knowledge of • Indicators of Attack • Tactics • Techniques • Procedures • Early warning with actively developing Threat Intelligence

6. Where do we begin?

7. Who will hunt? • Critical and Creative thinking (Think like

   a bad guy) • Objective • Analytical Mindset • Diverse (Jack of all trade) • Network Architecture • OS Architecture • Network Forensics • Understand Attack Lifecycle • Offline Investigative Skills • Perspective (Open Minded)

8. What tool to use? https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html TTP-Based Detection Manual search’s and

   hunting Tool-Based Detection AV/EDR Detections, Yara, tool Specific detectors such as Fireeye IOC-Based Detection Automatic matching of indicators from intel feeds developed into a product

9. PASTA: What is PASTA? • Process for Attack Simulation and

   Threat Analysis • Authored by Tony UcedaVélez (VerSprite CEO) in 2015 • Provides organizations a guide to assess realistic threats.

10. PASTA: How does PASTA work? • Organizations establish threats to

    important assets • Organizational Profile: • Important processes • Important hardware and software • Important data • Important roles (of employees) • Important safeguards • Important suppliers • Important proprietaries

11. PASTA: How does PASTA work? • Map assets onto business

    objectives • Two ways: • Importance of processes • Importance of product or service • Ask: what do the processes, product, or service provide?

12. PASTA: How does PASTA work? • Build a Threat Library

    • Or, an understanding of possible security threats similar organizations face. • Key word: ‘similar’ • Update your threat library, often.

13. PASTA: How does PASTA work? • Vulnerability Analysis • Key

    Question: what infrastructural (physical and technical) or computer- based exploits in our organization? • Purpose: to catalogue institutional and system-based weaknesses • Such as: points of entry or escalation

14. PASTA: How does PASTA work? • Assess findings • What

    attacks worked? • What else could be compromised? • Which suspicious activities should be prioritized? • Which suspicious should not? • Does organizational playbook need to change? • Implement findings
15. None

16. PASTA: Main Purpose: Helps businesses identify and prioritize safeguards for

    organizational assets threat actors may seek to target.

17. What are Threat Models? • Process maps of how threat

    actors could compromise or disrupt and organization. • Purpose: Elucidates possible attack methods threat actors could enact against an organization. By creating maps of possible: •points of entry or escalation threat actors can leverage •informational technology or cybersecurity weaknesses within an organization.
18. None

19. How does PASTA and Threat Models Relate? • PASTA provides

    a framework for prioritizing discovered vulnerabilities. • Function of Threat Models remains constant: purpose changes. • Purpose of Threat Models, now, business centric. • PASTA is innovative and state-of-the-art tool-kit. • Can change processes, outcomes, and goals within an organization • High-level: Frameworks, like PASTA, can alter the purpose and significance of Threat Models.

20. Benefits of Implementing PASTA into Threat Models • New concept:

    Organizational Threat Models • Realistic: data, trends, and outcomes • Sophisticated: planned, organized, tried and true.

21. Why Threat Hunting utilizing a Threat Library? • Technology advances

    and changes daily • Signature and Heuristic detection methods cannot keep up with evolving trends. • Utilizing Threat Modeling allows us to evolve hunting around a baseline that can be updated and adapted easily, without waiting for movements of a threat to be documented and adapt to current detection methods. • View the organization from the outside in – As a threat actor or hacker

22. Threat Intelligence In today’s age, Threat Intelligence is marketed as

    a reaction, its developed to be utilized after an event. Threat Intel should be developed for your Threat Library by: • Developed thru ANALYSIS of intelligence feeds– Not purchased • Knowing your surroundings – Both Digitally, Geographically, and Target Markets. • World Events • History • Offline (News – Meet ups – Local Interaction)

23. Threat Library Development Organization Threat Model • Technology • Business

    Initiatives • Geographical Location • Target Market • Competitors • Suppliers • INDIVIDUALS *** Threat Intel • Technology • Economics • Business • Military • Diplomatic • Infrastructure • Cultural/Professional • Religious Developed Baseline to drive hunts and architecture!

24. How to hunt?

25. How do we bring this all together? Create Hypotheses Investigate

    VIA Tools & Techniques Uncover New Patterns and TTPS Inform and Enrich Analytics Threat Hunting Loop

26. Reactive vs Proactive Hypothesis Hunting Malware Forensics Threat Intelligence Alert

    IR Analysis

27. Hypothesis Every hunt begins with a hypotheses, but what do

    we hunt for? • Analyze threat library • Apply threat intelligence to the library • Formulate hypothesis of from events associated with the library

28. Investigation Target • Host Analysis Capability • Adversary Toolkits Infrastructure

    • Log Analysis Adversary • TTPS • Toolkit

29. Uncover Discover new Patterns and TTPs from Threat Hunt •

    Intrusion Discovery and Response • Attack Tree Analysis

30. Inform & Enrich • Produce Threat Intelligence from discovery •

    Develop Hunting Techniques • Enhance Security Posture • Update Threat Library

31. Recap • Threat Hutning • Who is hunting? • Tools

    • What are we hunting? • Threat Hunt Model