Threat Hunting: What's On Your Network?

Transcript

1. Threat Hunting What’s on Your Network? Ray Strubinger DFIR Managing

   Consultant

2. Today’s Goals • Develop a basic understanding of the concept

   and methods of threat hunting. • Understand how threat hunting may be used to identify security events before they evolve into security incidents.

3. Our Approach • Feel free to ask questions • Slides

   are available at www.versprite.com/2018ISSA

4. Your Speaker – Ray Strubinger • Managing Consultant, Digital Forensics

   & Incident Response at VerSprite • Background in IT & Information Security Operations • Industry experience in financial services, software development, government, higher education, healthcare, and consulting • Certifications in forensics, auditing and incident management • Led or participated in over 100 cases • Hacking, fraud & assorted white collar crimes • Large & small organizations

5. Our Focus • General principals • Techniques & concepts •

   Nothing product specific

6. What is Threat Hunting? Who Uses It? Why is it

   Necessary?

7. Let’s Talk about Threats • What is a threat? •

   NIST FIPS200 & ISO27005 • “potential to harm assets such as information, processes and systems” • Term “Threat Hunting” is relatively young – 2012 • Term is new, the work is not • Building a team – challenges recruiters

8. What is Threat Hunting? • Process that actively seeks &

   identifies suspicious files, activities or behaviors in the computing environment • Files – malicious or “dual purpose” content found on a system or in flight (network transfer, email, web activity, etc.) • Activities – connections or interactions with suspicious or unexpected sites, countries or regions • Behaviors – patterns such as transfers or beacons that take place in or out of the environment • Threat Hunting is fundamentally: • Analysis of deviations from a baseline – reviewing the unusual • Understanding “normal” is powerful

9. Threat Hunting Foundation • “Kornblum Maxim” • Malware can hide

   but it must run • Originally presented in 2006 paper by Jesse Kornblum, “Exploiting the Rootkit Paradox with Windows Memory Analysis” • Malware operators want to avoid detection • Malware operators need the malware to run • This paradox contributes to the discovery of malware

10. Who Threat Hunts? • Security Operations Centers (SOCs) or Fusion

    Centers • Usually a very seasoned analyst • Incident Response Teams • Consulting firms • Internal IR team • Specialized TH teams • Often former senior SOC analysts • Tend to self-source intel • Typically found in larger orgs or consulting firms

11. Who Needs Threat Hunting? • Organizations that may have been

    compromised • Identification – methods may differ from what’s normally in place and potentially known to the attacker • Organizations that have been compromised • Containment/Eradication – see it, manage it • Recovery – monitoring for reinfection • Those that want to minimize the impact of a compromise • Identify threats early in the incident life cycle • Earlier detection = lower recovery costs (maybe) • Combine with red team exercises before a compromise

12. Who Needs Threat Hunting? • M & A due diligence

    • Identify issues that impact purchasing or integration strategy • Technical pre-acquisition assessments are becoming common • Auditing the existing environment • Identify gaps • Provide assurance • Proper TH is not just “check the box” auditing

13. Why is Threat Hunting Necessary? • Active approach • Hunt

    - search determinedly for someone or something • Potent countermeasure against emerging & evolving threats & threat actors • Corporate computing environments have changed • What is the shape of your network? • Where is the network’s edge?

14. What’s needed for Threat Hunting? Human & Technical Aspects

15. Threat Hunting - Human Aspects • A skill to be

    developed • Nearly insatiable curiosity • Checklists only take things so far • Solid research skills • Not limited to traditional internet searches • May need a virtual environment – a “lab” • Understand the technical • Where do applications typically reside & run? • Should this system communicate with another country? • Should tens of gigs of data be flowing over port 8080?

16. Threat Hunting - Technical Aspects • Gain hypervisibility to the

    endpoints & ideally the network • Push an app (an agent) to every system • Gather metadata about running processes • Collect information about ports and IP addresses • Registry review • Startup locations • Scheduled tasks • Alternatively query the OS for this information

17. Threat Hunting - Technical Aspects • Collect & aggregate data

    from every system • A SOC, TIC or Fusion Center may do this • Data may be in a SIEM or other appliance • Threat may not be recognized for several reasons • Detection may use signatures instead of behaviors • Talent may not realize what they see • Low quality baseline • Volume of events may drown the signal • Event not actually captured

18. Threat Hunting - Technical Aspects • Interaction with all systems

    may not be practical • Too much data • Too much effort • Too costly • If interaction with every system is not practical • There’s sampling (that’s a topic of another presentation)

19. Bringing It All Together

20. We have data, now what? • Review running applications •

    Note parent/child relationships • Notepad launched an app? • Does the process match a file on the storage media? • Are there hollow processes? • Note the path of running applications • lsass.exe running out of system32? Is that okay? • File hashes – do they check out?

21. We have data, now what? • Review open ports •

    Port 445 may be open on every system but what about port 22? • Why is zxcybea.exe talking to 178.216.249.71 on port 443? • Validate process to port mappings • Why does notepad have port 21 open? • Why is port 6666 open by zxcybea.exe? • Note the network traffic • Source & destination ports & protocol • Volume of traffic • Destination IP addresses

22. Threat Hunting Considerations Advantages • Active approach • Behavior vs

    signature Challenges • May only detect active threats • Requires skilled people to be most effective

23. Final Thought – Where to start - Logs • If

    what we’ve been talking about seems impossible, consider this: • 2009, 2010 & 2012 Verizon DBIR • “…opportunity for detection is there; 66% percent of victims had sufficient evidence available within their logs to discover the breach…“ • “…lack of monitoring active event logs remains a consistent weakness … 84% of victims had evidence of the breach in their event logs.”

24. Thank you Ray Strubinger [email protected] Slides: www.versprite.com/2018ISSA