
Threat Hunting: What's On Your Network?

VerSprite, Inc
September 27, 2018


Threat hunting is a collection of techniques that attempts to determine if malicious activities are taking place in an organization’s computing environment. Threat hunting often takes place after a known or suspected compromise and is used to confirm the incident and determine its extent.

Many organizations use threat hunting to assess the capabilities of their security infrastructure as the techniques in threat hunting provide a ‘check and balance’ against traditional security technology. Recently many organizations have expanded their use of threat hunting to supplement their merger and acquisition efforts.

Ray Strubinger, VerSprite's Managing Consultant for Digital Forensics & Incident Response, has led threat hunting efforts in many scenarios and will share his experiences and the lessons learned from assessing diverse environments.

This presentation will provide an adaptive, heuristic approach that has been successfully used to identify compromised assets, rogue accounts, unauthorized software, organizational policy violations and poor security practices. Learn how VerSprite can help your organization combine business knowledge with technical skill to create solutions that achieve balance among risk, security and the needs of the business.

To learn more about our DFIR services, visit VerSprite at https://versprite.com/security-offerings/dfir/.


Transcript

1. Today's Goals
   • Develop a basic understanding of the concept and methods of threat hunting.
   • Understand how threat hunting may be used to identify security events before they evolve into security incidents.
2. Our Approach
   • Feel free to ask questions
   • Slides are available at www.versprite.com/2018ISSA
3. Your Speaker – Ray Strubinger
   • Managing Consultant, Digital Forensics & Incident Response at VerSprite
   • Background in IT & Information Security Operations
   • Industry experience in financial services, software development, government, higher education, healthcare, and consulting
   • Certifications in forensics, auditing and incident management
   • Led or participated in over 100 cases
   • Hacking, fraud & assorted white collar crimes
   • Large & small organizations
4. Let's Talk about Threats
   • What is a threat?
   • NIST FIPS200 & ISO27005
   • "potential to harm assets such as information, processes and systems"
   • Term "Threat Hunting" is relatively young – 2012
   • Term is new, the work is not
   • Building a team – challenges recruiters
5. What is Threat Hunting?
   • Process that actively seeks & identifies suspicious files, activities or behaviors in the computing environment
   • Files – malicious or "dual purpose" content found on a system or in flight (network transfer, email, web activity, etc.)
   • Activities – connections or interactions with suspicious or unexpected sites, countries or regions
   • Behaviors – patterns such as transfers or beacons that take place in or out of the environment
   • Threat Hunting is fundamentally:
   • Analysis of deviations from a baseline – reviewing the unusual
   • Understanding "normal" is powerful
6. Threat Hunting Foundation
   • "Kornblum Maxim"
   • Malware can hide but it must run
   • Originally presented in 2006 paper by Jesse Kornblum, "Exploiting the Rootkit Paradox with Windows Memory Analysis"
   • Malware operators want to avoid detection
   • Malware operators need the malware to run
   • This paradox contributes to the discovery of malware
7. Who Threat Hunts?
   • Security Operations Centers (SOCs) or Fusion Centers
   • Usually a very seasoned analyst
   • Incident Response Teams
   • Consulting firms
   • Internal IR team
   • Specialized TH teams
   • Often former senior SOC analysts
   • Tend to self-source intel
   • Typically found in larger orgs or consulting firms
8. Who Needs Threat Hunting?
   • Organizations that may have been compromised
   • Identification – methods may differ from what's normally in place and potentially known to the attacker
   • Organizations that have been compromised
   • Containment/Eradication – see it, manage it
   • Recovery – monitoring for reinfection
   • Those that want to minimize the impact of a compromise
   • Identify threats early in the incident life cycle
   • Earlier detection = lower recovery costs (maybe)
   • Combine with red team exercises before a compromise
9. Who Needs Threat Hunting?
   • M & A due diligence
   • Identify issues that impact purchasing or integration strategy
   • Technical pre-acquisition assessments are becoming common
   • Auditing the existing environment
   • Identify gaps
   • Provide assurance
   • Proper TH is not just "check the box" auditing
10. Why is Threat Hunting Necessary?
   • Active approach
   • Hunt – search determinedly for someone or something
   • Potent countermeasure against emerging & evolving threats & threat actors
   • Corporate computing environments have changed
   • What is the shape of your network?
   • Where is the network's edge?
11. Threat Hunting – Human Aspects
   • A skill to be developed
   • Nearly insatiable curiosity
   • Checklists only take things so far
   • Solid research skills
   • Not limited to traditional internet searches
   • May need a virtual environment – a "lab"
   • Understand the technical
   • Where do applications typically reside & run?
   • Should this system communicate with another country?
   • Should tens of gigs of data be flowing over port 8080?
12. Threat Hunting – Technical Aspects
   • Gain hypervisibility to the endpoints & ideally the network
   • Push an app (an agent) to every system
   • Gather metadata about running processes
   • Collect information about ports and IP addresses
   • Registry review
   • Startup locations
   • Scheduled tasks
   • Alternatively query the OS for this information
13. Threat Hunting – Technical Aspects
   • Collect & aggregate data from every system
   • A SOC, TIC or Fusion Center may do this
   • Data may be in a SIEM or other appliance
   • Threat may not be recognized for several reasons
   • Detection may use signatures instead of behaviors
   • Talent may not realize what they see
   • Low quality baseline
   • Volume of events may drown the signal
   • Event not actually captured
14. Threat Hunting – Technical Aspects
   • Interaction with all systems may not be practical
   • Too much data
   • Too much effort
   • Too costly
   • If interaction with every system is not practical
   • There's sampling (that's a topic of another presentation)
15. We have data, now what?
   • Review running applications
   • Note parent/child relationships
   • Notepad launched an app?
   • Does the process match a file on the storage media?
   • Are there hollow processes?
   • Note the path of running applications
   • lsass.exe running out of system32? Is that okay?
   • File hashes – do they check out?
16. We have data, now what?
   • Review open ports
   • Port 445 may be open on every system but what about port 22?
   • Why is zxcybea.exe talking to 178.216.249.71 on port 443?
   • Validate process to port mappings
   • Why does notepad have port 21 open?
   • Why is port 6666 open by zxcybea.exe?
   • Note the network traffic
   • Source & destination ports & protocol
   • Volume of traffic
   • Destination IP addresses
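As an added example that is not part of the deck, a small Python triage script that applies the baseline checks from slides 15 and 16 to a constructed process and socket inventory: binary path versus its expected location, parent/child relationships, process-to-port mappings and a listening-port baseline. The inventory rows, expected paths and port list are assumed sample values echoing the deck's own examples, not real telemetry.

```python
# Constructed sample inventory, not real telemetry; names echo the deck's examples.
PROCESSES = [
    {"pid": 4, "ppid": 0, "name": "System", "path": ""},
    {"pid": 600, "ppid": 4, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 900, "ppid": 600, "name": "lsass.exe", "path": r"C:\Users\bob\AppData\Local\Temp\lsass.exe"},
    {"pid": 1200, "ppid": 800, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe"},
    {"pid": 1300, "ppid": 1200, "name": "zxcybea.exe", "path": r"C:\Users\bob\AppData\Roaming\zxcybea.exe"},
]
CONNECTIONS = [  # one row per socket: owning pid, local port, remote endpoint, state
    {"pid": 4, "lport": 445, "raddr": "", "rport": 0, "state": "LISTEN"},
    {"pid": 1200, "lport": 21, "raddr": "", "rport": 0, "state": "LISTEN"},
    {"pid": 1300, "lport": 6666, "raddr": "", "rport": 0, "state": "LISTEN"},
    {"pid": 1300, "lport": 49211, "raddr": "178.216.249.71", "rport": 443, "state": "ESTABLISHED"},
]
# The baseline: what "normal" looks like. In a real hunt this comes from the
# environment's own inventory; these are assumed values for the example.
EXPECTED_PATH = {"lsass.exe": r"c:\windows\system32\lsass.exe",
                 "notepad.exe": r"c:\windows\system32\notepad.exe"}
KNOWN_GOOD_PATHS = set(EXPECTED_PATH.values())
NO_NETWORK = {"notepad.exe"}                # binaries that never need a socket
NO_CHILDREN = {"notepad.exe", "lsass.exe"}  # binaries that never spawn children
BASELINE_LISTEN_PORTS = {445}               # ports expected open on every host

def hunt(processes, connections):
    """Return (pid, reason) findings; each one is a deviation from the baseline."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()
        # Path check: is this binary running from where it normally lives?
        expected = EXPECTED_PATH.get(name)
        if expected and p["path"].lower() != expected:
            findings.append((p["pid"], f"{p['name']} running from {p['path']}"))
        # Parent/child check: did notepad (or lsass) launch something?
        parent = by_pid.get(p["ppid"])
        if parent and parent["name"].lower() in NO_CHILDREN:
            findings.append((p["pid"], f"{parent['name']} spawned {p['name']}"))
    for c in connections:
        proc = by_pid.get(c["pid"])
        name = proc["name"].lower() if proc else "<unknown>"
        path = proc["path"].lower() if proc else ""
        if name in NO_NETWORK:
            findings.append((c["pid"], f"{name} has port {c['lport']} open"))
        elif c["state"] == "LISTEN" and c["lport"] not in BASELINE_LISTEN_PORTS:
            findings.append((c["pid"], f"{name} listening on non-baseline port {c['lport']}"))
        elif c["state"] == "ESTABLISHED" and path not in KNOWN_GOOD_PATHS:
            findings.append((c["pid"], f"{name} talking to {c['raddr']}:{c['rport']}"))
    return findings
```

Run `hunt(PROCESSES, CONNECTIONS)` to get the list of findings; on the sample data the System process with port 445 is silent while the misplaced lsass.exe, the notepad-spawned binary, its two sockets and notepad's own port 21 are all surfaced.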
17. Threat Hunting Considerations
   Advantages
   • Active approach
   • Behavior vs signature
   Challenges
   • May only detect active threats
   • Requires skilled people to be most effective
18. Final Thought – Where to start – Logs
   • If what we've been talking about seems impossible, consider this:
   • 2009, 2010 & 2012 Verizon DBIR
   • "…opportunity for detection is there; 66% percent of victims had sufficient evidence available within their logs to discover the breach…"
   • "…lack of monitoring active event logs remains a consistent weakness … 84% of victims had evidence of the breach in their event logs."