
BUILDING AN EFFECTIVE THREAT HUNTING PROGRAM

Nick Schroeder

AGENDA

• About Me

• Hunting Philosophy

• Hunting vs Detection

• Building a Hunting Catalog

• Closing thoughts

[~]$ WHOAMI

• Recovering IR Consultant

• Adversary Tracker

• Threat Intel Junkie

• RE/Malware Analysis Rookie

• Varsity Threat Bro

• @ab1ff

2018 – Now | <redacted>

2017 – 2018 | IR Consultant, Rapid7

2013 – 2017 | Lead Analyst, Mandiant

2010 – 2013 | SOC Analyst (USGov)

2008 – 2010 | Network Engineer / Sysadmin

WHAT IS THREAT HUNTING?

“Hunting is the process of applying intelligence and knowledge of attackers and malware to raw data”

Hunting Philosophy: The Three Buckets

Detection via Products/Technology:

• Indicator / Signature based

• High fidelity

• High confidence, less experience and time needed to validate

Methodology Based Detection:

• “Loose indicators” – e.g. EXE transferred via SMB

• Geared more towards behaviors or TTPs

• Medium confidence, more skill and time needed to validate

Hunting:

• Raw data analysis

• Experienced analysts – know what to look for / how to find threats

• Lowest confidence / Most impactful

Source: FireEye via https://www.youtube.com/watch?v=yGmqFOEUuk0

Source: David Bianco aka Detect-Respond.blogspot.com

HUNTING VS DETECTION

SCENARIO 1: INTEL NOTIFICATION

“We just received notification/material from $ThreeLetterAgency detailing some adversary information and listing breach indicators. Can we search and scan our environment for this and see if anything from the report shows up?”

DETECTION

SCENARIO 2: LOOSEY GOOSEY

“As an analyst, I’m going to deploy open mechanisms to notify the team anytime there's an executable written to ‘AppData\Temp’ or new Windows services are created on user workstations.”

DETECTION

SCENARIO 3: PROFILE

“Attackers frequently use HTTP for malicious network communication”

“If I find a weird looking user-agent string in HTTP traffic, I may have discovered an attacker”

“Did any system on my network communicate over HTTP using a suspicious or unknown user-agent?”

“How do I answer that question?”

HUNTING :)
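One way to turn the Scenario 3 question into a repeatable hunt, as an added example that is not part of the original deck: parse HTTP proxy records, compare each user-agent against a baseline of patterns the organisation expects to see, and summarise whatever does not match per host and destination. The log lines, the baseline patterns and the function names are constructed for this illustration; a real hunt would read from the proxy or Zeek store and build the baseline from a window of known-good traffic.

```powershell
# Added example, not from the slides. Answers "did any system talk HTTP with an
# unknown user-agent?" over a constructed set of proxy log lines.

# Constructed sample log lines: timestamp, source host, destination, quoted user-agent.
$SampleLogLines = @(
    '2024-01-01T10:00:01Z WKS-001 example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"',
    '2024-01-01T10:00:05Z WKS-002 example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"',
    '2024-01-01T10:01:10Z WKS-003 update.example.com "Microsoft-Delivery-Optimization/10.0"',
    '2024-01-01T10:02:42Z WKS-004 203.0.113.10 "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2024-01-01T10:03:00Z WKS-005 198.51.100.7 "python-requests/2.31"',
    '2024-01-01T10:03:30Z WKS-004 203.0.113.10 "Mozilla/4.0 (compatible; MSIE 6.0)"'
)

# Baseline of user-agent patterns the fleet is expected to produce. Assumption:
# derived from a week of known-good traffic; tune it to your own environment.
$KnownUserAgentPatterns = @(
    '^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 .*Chrome/1\d\d\.0 Safari/537\.36$',
    '^Microsoft-Delivery-Optimization/10\.0$'
)

function ConvertFrom-ProxyLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Fields are space separated; the user-agent is the quoted tail of the line.
        if ($Line -match '^(?<ts>\S+) (?<src>\S+) (?<dst>\S+) "(?<ua>[^"]*)"$') {
            [pscustomobject]@{
                Timestamp = $Matches.ts
                Source    = $Matches.src
                Dest      = $Matches.dst
                UserAgent = $Matches.ua
            }
        }
        else {
            # Unparsed lines are reported rather than silently dropped so the
            # hunt's coverage can be measured.
            Write-Warning "Unparsed line: $Line"
        }
    }
}

function Find-UnknownUserAgent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$KnownPatterns
    )
    # Keep events whose user-agent matches none of the baseline patterns, then
    # produce one row per unknown user-agent: which hosts, which destinations,
    # how many requests. Rarest first, since that is where the analyst starts.
    $Events |
        Where-Object {
            $ua = $_.UserAgent
            -not ($KnownPatterns | Where-Object { $ua -match $_ })
        } |
        Group-Object UserAgent |
        ForEach-Object {
            [pscustomobject]@{
                UserAgent    = $_.Name
                Requests     = $_.Count
                Sources      = (@($_.Group.Source) | Sort-Object -Unique) -join ','
                Destinations = (@($_.Group.Dest)   | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object Requests
}

$events = $SampleLogLines | ConvertFrom-ProxyLine
Find-UnknownUserAgent -Events $events -KnownPatterns $KnownUserAgentPatterns | Format-Table -AutoSize
```

On the constructed data this leaves two leads (the MSIE 6.0 string from WKS-004 and python-requests from WKS-005) for an analyst to validate, which is the point of the slide: the hunt produces low-confidence leads that need a human, not alerts.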

BUILDING A HUNTING CATALOG

Post hypothesis confirmation

CRITERIA TO HUNT

• Techniques must be able to be measured for efficacy

• Techniques must be able to be run across the entire target base

• Techniques must be repeatable

Everywhere.

EXAMPLE: WINDOWS SERVICES PERSISTENCE

• What is a Windows Service?

• In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services.

^ LOL OK, BBY

“SERVICES” TO MITRE ATT&CK

Get-WmiObject -Class win32_service -ComputerName "." -Namespace "root\cimv2" | Select-Object -Property Name,Description,PathName,SystemName

Get-WmiObject -Class win32_service -ComputerName "." -Namespace "root\cimv2" | Select-Object -Property Name,Description,PathName,SystemName | Export-Csv -Path "\\NETWORKSHARE1\${env:COMPUTERNAME}.csv" -Delimiter ';' -NoTypeInformation

Get-ChildItem -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv -Delimiter ';' | Export-Csv .\merged\merged.csv -NoTypeInformation -Append
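The collect, merge and analyse steps above as one script, added here as an example and not code from the deck. It replaces Get-WmiObject with Get-CimInstance, keeps the same delimiter on import as on export, tolerates unreachable hosts so coverage can be measured, and then stacks Name + PathName across hosts to surface services that exist on only a few machines. Function names, the output directory and the demonstration rows are constructed; live collection assumes CIM/WinRM access to the targets.

```powershell
# Added example, not from the slides: collect -> merge -> stack for Win32_Service.

function Export-HostServices {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$OutputDir
    )
    foreach ($target in $ComputerName) {
        try {
            # Get-CimInstance is the supported replacement for Get-WmiObject.
            Get-CimInstance -ClassName Win32_Service -ComputerName $target -ErrorAction Stop |
                Select-Object Name, DisplayName, PathName, StartMode, State, SystemName |
                Export-Csv -Path (Join-Path $OutputDir "$target.csv") -Delimiter ';' -NoTypeInformation
        }
        catch {
            # One unreachable host must not abort the sweep; record it so the
            # hunt's coverage of the target base can be reported.
            Write-Warning "Collection failed for ${target}: $($_.Exception.Message)"
        }
    }
}

function Merge-ServiceCsv {
    param([Parameter(Mandatory)][string]$InputDir)
    # Import with the same delimiter the collector used; otherwise every row
    # collapses into a single column and the stacking below is meaningless.
    Get-ChildItem -Path $InputDir -Filter *.csv |
        Select-Object -ExpandProperty FullName |
        Import-Csv -Delimiter ';'
}

function Find-RareService {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [int]$MaxHosts = 1
    )
    # Stack by Name + PathName. A service on most of the fleet is probably
    # legitimate; one on a handful of hosts is a lead. Case and whitespace are
    # normalised so "C:\Foo\bar.exe" and "c:\foo\bar.exe " stack together.
    $Rows |
        Group-Object { ($_.Name + '|' + $_.PathName).ToLowerInvariant().Trim() } |
        ForEach-Object {
            $hosts = @($_.Group.SystemName | Sort-Object -Unique)
            [pscustomobject]@{
                Name      = $_.Group[0].Name
                PathName  = $_.Group[0].PathName
                HostCount = $hosts.Count
                Hosts     = $hosts -join ','
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object HostCount, Name
}

# Offline demonstration with constructed per-host CSVs instead of live collection.
# For a real sweep: Export-HostServices -ComputerName (Get-Content hosts.txt) -OutputDir $demoDir
$demoDir = Join-Path ([System.IO.Path]::GetTempPath()) 'svc-hunt-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$constructed = @{
    'WKS-001' = @('Spooler|C:\Windows\System32\spoolsv.exe', 'Dnscache|C:\Windows\system32\svchost.exe -k NetworkService')
    'WKS-002' = @('Spooler|C:\Windows\System32\spoolsv.exe', 'Dnscache|C:\Windows\system32\svchost.exe -k NetworkService', 'UpdaterSvc|C:\Users\Public\updater.exe')
    'WKS-003' = @('Spooler|C:\Windows\System32\spoolsv.exe', 'Dnscache|C:\Windows\system32\svchost.exe -k NetworkService')
}
foreach ($entry in $constructed.GetEnumerator()) {
    $entry.Value | ForEach-Object {
        $name, $path = $_ -split '\|', 2
        [pscustomobject]@{ Name = $name; DisplayName = $name; PathName = $path; StartMode = 'Auto'; State = 'Running'; SystemName = $entry.Key }
    } | Export-Csv -Path (Join-Path $demoDir "$($entry.Key).csv") -Delimiter ';' -NoTypeInformation
}

$merged = Merge-ServiceCsv -InputDir $demoDir
Find-RareService -Rows $merged -MaxHosts 1 | Format-Table -AutoSize
```

The three "Criteria to hunt" map onto the script directly: the warning on failure gives a coverage number (measured), the host list is the target base (everywhere), and the same functions run unchanged on the next sweep (repeatable). On the constructed data only the service present on a single host is returned.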

DETECTION EXAMPLE

• FilePath IS “C:\temp” AND FileName LIKE “[a-zA-Z\d\-]\.[a-zA-Z]{1,3}$”

  Matches on single character filenames with any extension (e.g. 1.txt, A.exe)

• FileName IS “SVCHOST.EXE” AND FilePath != “C:\windows\system32\”

  Matches any instance of svchost.exe where the filepath is not C:\windows\system32\
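The two detection rules from this slide implemented over file-write events, as an added example rather than the deck's own tooling. It shows two details that matter once a hunt is promoted to a detection: the slide's pattern is only anchored at the end, so it would also fire on any name whose last character precedes a short extension (report.txt matches via "t.txt"), and path comparisons need case and trailing-separator normalisation or C:\windows\system32\ and c:\windows\system32 produce a false positive. Field names follow the slide; the event records and function names are constructed.

```powershell
# Added example, not from the slides: the two slide rules over constructed file events.

$SampleFileEvents = @(
    [pscustomobject]@{ Host = 'WKS-001'; FilePath = 'C:\temp';                            FileName = 'report.txt' },
    [pscustomobject]@{ Host = 'WKS-002'; FilePath = 'C:\temp';                            FileName = 'a.exe' },
    [pscustomobject]@{ Host = 'WKS-003'; FilePath = 'C:\temp';                            FileName = '1.txt' },
    [pscustomobject]@{ Host = 'WKS-004'; FilePath = 'C:\Windows\System32';                FileName = 'svchost.exe' },
    [pscustomobject]@{ Host = 'WKS-005'; FilePath = 'C:\Users\bob\AppData\Local\Temp';    FileName = 'SVCHOST.EXE' },
    [pscustomobject]@{ Host = 'WKS-006'; FilePath = 'c:\windows\system32\';               FileName = 'svchost.exe' }
)

function ConvertTo-NormalizedPath {
    param([Parameter(Mandatory)][string]$Path)
    # Lower-case and strip the trailing separator so 'C:\Windows\System32\'
    # and 'c:\windows\system32' compare equal.
    return $Path.ToLowerInvariant().TrimEnd('\')
}

function Test-SingleCharFileInTemp {
    param([Parameter(Mandatory)]$Event)
    # Rule 1. The slide's pattern [a-zA-Z\d\-]\.[a-zA-Z]{1,3}$ is anchored only at
    # the end; adding ^ restricts it to genuine single-character file names.
    (ConvertTo-NormalizedPath $Event.FilePath) -eq 'c:\temp' -and
    $Event.FileName -match '^[a-zA-Z\d\-]\.[a-zA-Z]{1,3}$'
}

function Test-SvchostOutsideSystem32 {
    param([Parameter(Mandatory)]$Event)
    # Rule 2. -eq and -ne are case-insensitive in PowerShell, so SVCHOST.EXE is
    # caught; the normalised path keeps WKS-006 from being a false positive.
    $Event.FileName -eq 'svchost.exe' -and
    (ConvertTo-NormalizedPath $Event.FilePath) -ne 'c:\windows\system32'
}

function Invoke-FileDetections {
    param([Parameter(Mandatory)][object[]]$Events)
    # Emit one row per (event, rule) hit so the output can feed a ticket or SIEM.
    foreach ($e in $Events) {
        if (Test-SingleCharFileInTemp $e) {
            [pscustomobject]@{ Host = $e.Host; Rule = 'single-char-file-in-temp'; Path = (Join-Path $e.FilePath $e.FileName) }
        }
        if (Test-SvchostOutsideSystem32 $e) {
            [pscustomobject]@{ Host = $e.Host; Rule = 'svchost-outside-system32'; Path = (Join-Path $e.FilePath $e.FileName) }
        }
    }
}

Invoke-FileDetections -Events $SampleFileEvents | Format-Table -AutoSize
```

On the constructed events the first rule fires for a.exe and 1.txt but not for report.txt, and the second fires only for the copy of svchost.exe under a user's AppData directory.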

Diagram: Hunt, Detection, Collect

CLOSING THOUGHTS

HUNTING != DETECTION

DETECTION > HUNTING

We should hope to find minimal evil when hunting

QUESTIONS?