Introduction to Threat Hunting Find the malware that’s hiding – Trust your IT infrastructure again.

170509-Introduction to Threat Hunting (bibf.com/cybersecurity/wp-content/uploads/2017/05/Day-2...)

Page 1

Introduction to Threat Hunting

Find the malware that’s hiding – Trust your IT infrastructure again.

Page 2

Agenda

1. What is threat hunting, really?
2. Past and present of threat hunting
3. Role of hunting in a security program
4. How to start hunting
5. Trends shaping the future

Page 3

Threat Hunting Defined

The Current Malware Reality

You are likely already breached

• The question is not whether uninvited people are on your network.
• But when you will find out, and how.
• And what you are going to do about it.

Page 4

Threat Hunting Defined

The Current Malware Reality

Most organizations approach security as a defensive measure:

Firewall, AV, IDS, IPS, EDR, etc.

All important, but... malware still gets through.

Page 5

Threat Hunting Defined

The Current Malware Reality

You may all engage in:

• penetration tests,
• vulnerability assessments,
• web application assessments,
• code reviews, etc.

These are all useful exercises.

Page 6

[Chart: Malware Breaches in 2016 – for each breach, how long the malware stayed undetected: 2 weeks (twice), 4-6 weeks, 8 weeks, 12 weeks, 14 weeks, 24 weeks, 52 weeks (twice), 67 weeks, 75 weeks; four further breaches with an undisclosed period]

Page 7

Threat Hunting Defined

The Current Malware Reality

• Defensive measures and security tests are not enough.
• We are still infected by malware and targeted attacks.
• Let’s start hunting!

Page 8

Threat Hunting Defined

What is threat hunting?

“The proactive search for threats hiding within a network you control”
– Chris Gerritz, ex-US Air Force, threat hunting pioneer

Page 9

Threat Hunting Defined

Reactive vs Proactive

Page 10

Page 11

Page 12

Threat Hunting Defined

Reactive Example

React Bank

• Several layers of defense; firewalls, AV, EDR
• SIEM hosted in the SOC of an MSSP vendor
• SWIFT CSP compliant

Page 13

Threat Hunting Defined

React Bank receives notification from SWIFT about an unusual transfer…

Dashboards are checked, everything looks fine…

Page 14

Threat Hunting Defined

Proactive Example

Al Amin

• Several layers of defense; firewalls, AV, EDR
• Host their own SIEM
• SWIFT CSP compliant
• Mature threat hunting process

Page 15 (same content as page 14)

Page 16

2. Past and present of Threat Hunting

Find the malware that’s hiding – Trust your IT infrastructure again.

Page 17

Past and present of threat hunting

• Military industrial complex – companies that build jet fighters, defense systems, nuclear missiles, and other war machines.
• Intelligence circles
• Five Eyes - Australia, Canada, New Zealand, the UK, the United States.
• Military

Page 18

Past and present of threat hunting

• In the private sector, large enterprises in the Five Eyes countries are the early adopters.
• From there, it is spreading to Europe, Asia, the GCC and the rest of the world.
• Proper threat hunting is still an unknown concept to most in the GCC, Asia and Latin America.

Page 19

3. Role of hunting in a security program

Find the malware that’s hiding – Trust your IT infrastructure again.

Page 20

Role of hunting in security program

Common Questions

1. Does it remove the need for AV, SIEM, EDR, or IDS; defensive technologies?
2. Do we wait for signs of compromise before starting?
3. What’s the right frequency to hunt?

Page 21

Breach Detection Gap

Kill chain: Reconnaissance, Exploitation, Installation, Command and Control, Lateral Movement, Exfiltration, Persist

Real Time Detection (Attack In Progress): Threat Prevention and Detection ($$$)
  Solutions: Network IDS/IPS, Next Gen Firewalls, Endpoint IDS/IPS, Event Monitoring, Anti-Malware, Whitelisting

Post-Compromise Detection (Breach Detection Gap: 169 Days in US, 465 Days in EMEA): Malware Hunt ($)
  Solutions: Malware Hunt

Incident Response (Incident Declared): Response Services ($$$$$)
  Solutions: Digital Forensics, Network Forensics

• Primary targets vary industry to industry, but all endpoints and devices are at risk of malware.
• Incidents can be identified earlier if endpoints are treated as inherently untrusted, until it is demonstrated that they can be trusted.
• Only a true malware hunt solution can address the Breach Detection Gap effectively.
• Reliance on outsourced managed security services is inadequate and ineffective without a hunt capability.

Page 22

Role of hunting in security program

Q. Should it replace AV, EDR, or IDS?

• No, threat hunting does not replace defensive and real-time technologies
• Threat hunting should be seen as a safety net to validate that your endpoints can be trusted
• Not either, or, but and, and

Page 23

Role of hunting in security program

Q. Do we wait for signs of compromise before starting?

• No
• Waiting for compromise before taking action is reactive Incident Response and involves Digital Forensics (DFIR)

Page 24

Role of hunting in security program

Q. What’s the right frequency to hunt?

• It mainly depends on your risk appetite.
• How much time do you want to give bad actors on your network after a breach?
• Better visibility leads to more control and trust.

Page 25

Role of hunting in security program

Gaps in the SWIFT Customer Security Controls

• Only looks at defensive measures
• I prepared a commentary suggesting two additional controls:
  1. Define and manage the Breach Detection Gap
  2. Compromise assessments

Page 26

Find the malware that’s hiding – Trust your IT infrastructure again.

4. How to start Threat Hunting

Page 27

How to start hunting

Four key principles in designing a threat hunting program

1. Accept that malware and APTs continue to breach existing defenses
2. Endpoints should be treated as untrusted until they are validated
3. Any trust established is both limited and temporary
4. Endpoints need to be validated on a regular basis

Page 28

How to start hunting

What’s a good approach to start threat hunting?

1. Determine an acceptable Breach Detection Gap for threats that have passed your defenses
2. Enforce the BDG by hunting for compromise within the defined period
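As an added example (not from the slides), this PowerShell turns the two steps above, together with the risk-appetite point from the frequency question, into a hunt queue: trust from a hunt expires once the agreed BDG has elapsed, and a tighter gap can be set for higher-value tiers. The inventory, hostnames, tiers and dates are constructed sample data.

```powershell
# Added example, not from the slides: turn an agreed Breach Detection Gap (BDG)
# into a hunt queue. Trust established by a hunt is temporary: it expires BDG days
# after the last validation, and a tighter gap can be set per asset tier.
function Get-HuntQueue {
    param(
        [Parameter(Mandatory)][int]$BdgDays,          # default acceptable gap, in days
        [Parameter(Mandatory)][object[]]$Inventory,   # endpoints with Host, Tier, LastValidated
        [hashtable]$TierBdgDays = @{},                # optional tighter gap per tier
        [datetime]$Now = (Get-Date)
    )
    $rows = foreach ($e in $Inventory) {
        $limit = if ($TierBdgDays.ContainsKey($e.Tier)) { $TierBdgDays[$e.Tier] } else { $BdgDays }
        # An endpoint that was never validated has no established trust at all.
        $age = if ($e.LastValidated) { ($Now - [datetime]$e.LastValidated).Days } else { $null }
        $overdue = ($null -eq $age) -or ($age -gt $limit)
        [pscustomobject]@{
            Host          = $e.Host
            Tier          = $e.Tier
            BdgDays       = $limit
            DaysSinceHunt = $age
            DaysOverdue   = if ($null -eq $age) { 'never validated' } elseif ($overdue) { $age - $limit } else { 0 }
            Action        = if ($overdue) { 'HUNT' } else { 'trusted (for now)' }
            # Sort key: never-validated hosts first, then the most overdue.
            Priority      = if ($null -eq $age) { [int]::MaxValue } elseif ($overdue) { $age - $limit } else { -1 }
        }
    }
    $rows | Sort-Object Priority -Descending |
        Select-Object Host, Tier, BdgDays, DaysSinceHunt, DaysOverdue, Action
}

# Constructed sample inventory; hostnames, tiers and dates are made up.
$inventory = @(
    [pscustomobject]@{ Host = 'SWIFT-GW-01'; Tier = 'Crown jewel'; LastValidated = '2017-04-20' }
    [pscustomobject]@{ Host = 'FIN-WS-117';  Tier = 'Workstation'; LastValidated = '2017-03-01' }
    [pscustomobject]@{ Host = 'HR-WS-042';   Tier = 'Workstation'; LastValidated = $null }
    [pscustomobject]@{ Host = 'FS-01';       Tier = 'Server';      LastValidated = '2017-05-05' }
)

# 14-day gap overall, 7 days for crown jewels; evaluated as of 2017-05-09.
# Expected order: HR-WS-042 (never validated), FIN-WS-117 (55 days over),
# SWIFT-GW-01 (12 days over its 7-day tier gap), FS-01 (still trusted).
Get-HuntQueue -BdgDays 14 -TierBdgDays @{ 'Crown jewel' = 7 } -Inventory $inventory `
    -Now (Get-Date '2017-05-09') | Format-Table -AutoSize
```

Feed it the real asset inventory and run it on a schedule; the hosts at the top of the output are where the next hunt starts.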

Page 29

How to start hunting

Example 1: Many start on the network

• Suspicious traffic leaving the network
• If persistent malware is not sending out any suspicious traffic, this is not useful
• Needle in a haystack

Page 30

How to start hunting

Example 2: Event logs from endpoints and network devices

• Data-centric approach is limited by resources and what you are logging
• Analyzing everything is impossible
• A lot of malware will not trigger events

Page 31

How to start hunting

Instead of looking at large amounts of data, we suggest evaluating a limited amount of data, but the right data.

So let’s look directly at the endpoint using forensic tools, techniques and procedures.

Page 32

How to start hunting

Doing it right: establish what is normal on the endpoint

• Processes, drivers, hooks, modules, persistence mechanisms, and more.
• Document what you find
• For a great start, look at our B-Sides talk on using PowerShell scripts, or Andrew Case’s talk on the philosophy of hunting.
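An added example, not code from the slides or from PSHunt: a PowerShell snapshot-and-diff of some of the items listed above (running images, services, Run keys, scheduled tasks), so that "document what you find" becomes a baseline the next hunt can be compared against. The baseline file location and the choice of items to snapshot are assumptions; it needs an elevated shell on Windows 8 / Server 2012 or later (for Get-ScheduledTask).

```powershell
# Added example, not from the slides or from PSHunt: record what is normal on one
# Windows endpoint (running images, services, Run keys, scheduled tasks) and diff a
# later snapshot against it. Run from an elevated PowerShell; the baseline file
# location is an assumption.
function Get-EndpointSnapshot {
    # Running processes, keyed by image path and SHA-256 so a swapped binary is visible.
    $procs = @(Get-CimInstance Win32_Process | ForEach-Object {
        $hash = $null
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.ExecutablePath -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{ Type = 'Process'; Name = $_.Name; Key = "$($_.ExecutablePath)|$hash" }
    })
    # Services, keyed by the command line that starts them.
    $svcs = @(Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Key = $_.PathName }
    })
    # Run/RunOnce persistence for the machine and the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = @(foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip the registry provider's own PS* properties
            [pscustomobject]@{ Type = 'Autorun'; Name = "$k\$($p.Name)"; Key = [string]$p.Value }
        }
    })
    # Scheduled tasks, keyed by what they execute.
    $tasks = @(Get-ScheduledTask | ForEach-Object {
        $act = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ';'
        [pscustomobject]@{ Type = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"; Key = $act }
    })
    $procs + $svcs + $autoruns + $tasks
}

function Compare-EndpointSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    # Anything in Current with no exact (Type, Name, Key) match in Baseline is a lead to investigate.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Type, Name, Key |
        Where-Object { $_.SideIndicator -eq '=>' } | Select-Object Type, Name, Key
}

# First run records the baseline; later runs report what appeared since.
$baselinePath = Join-Path $env:ProgramData 'hunt-baseline.xml'   # assumed location
if (-not (Test-Path $baselinePath)) {
    Get-EndpointSnapshot | Export-Clixml -Path $baselinePath
    "Baseline written to $baselinePath; review and document it before treating it as trusted."
} else {
    Compare-EndpointSnapshot -Baseline (Import-Clixml $baselinePath) -Current (Get-EndpointSnapshot) |
        Format-Table -AutoSize
}
```

A baseline taken from an already compromised host will bake the intruder in, so review the first snapshot by hand (the Sysinternals talk referenced on the next slide covers that) before relying on the diff.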

Page 33

How to start hunting

Doing it right: learn how to do manual Incident Response (IR) on endpoints.

• Mark Russinovich has a great talk on this called Malware Hunting with the Sysinternals tools.

Page 34

Find the malware that’s hiding – Trust your IT infrastructure again.

5. Trends Shaping The Future

Page 35

Future trends and conclusion

Education is required

• There’s a lot of confusion about what threat hunting is.
• Sessions like this help people understand what threat hunting is and how to start.

Page 36

Future trends and conclusion

Response capabilities being adopted

• As organisations mature, the skills required for Incident Response are becoming a general practice.
• EDR technologies are also capable of doing response and remediation

Page 37

Future trends and conclusion

Compromise assessments are becoming a more common requirement.

• Some enterprises are satisfied with the occasional compromise assessment
• Other enterprises will want finer control and do it themselves, leading to a threat hunting program.
• Automation is key

Page 38

Future trends and conclusion

Skills are a challenge as it’s a relatively new field

• Learning curve is too steep to quickly onboard resources
• Automation and internal development of skill sets is the best bet
• Using third parties is a good alternative

Page 39

Future trends and conclusion

Conclusion

Threat hunting is:

• … becoming important as risks increase
• … not trivial, but you should start
• … an important practice to maintain trust and control, and to avoid being the subject of a large breach.

Page 40

Resources to start hunting

1. SWIFT CSP Commentary – Ask me or email [email protected]
2. Automated hunting at scale:
   1. Powershell-Fu - Hunting on the Endpoint - Chris Gerritz – Infocyte: https://youtu.be/2MrrOxsJk_M
   2. PS Hunt - https://github.com/Infocyte/PSHunt
   3. Infocyte HUNT – http://www.infocyte.com
3. Hunting on a single Windows endpoint: Malware Hunting with the Sysinternals Tools - Mark Russinovich – Microsoft: https://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B373
4. Proactive Threat Hunting – Proactive Defense and Threat Hunting - Andrew Case – Volatility Project: https://youtu.be/751bkSD2Nn8

Page 41

Thank you

http://www.infocyte.com

Andreas van Leeuwen Flamino

[email protected]

+971 50 2968677