Cyber Security and Threat Hunting: What We’ve Learned


Page 1

Cyber Security and Threat Hunting: What We’ve Learned

Page 2

AGENDA: 10 years+ in about an hour

1. What Is TH
2. TH For Prevention
3. TH For Beginners

Page 3

DEFINITION: THret `hən(t)iNG

Page 4

Pen Testing

Vulnerability Scanning

Help Desk, NOC, SOC

Page 5

Proactive and iterative process based on the scientific method to search for advanced network threats that are successfully evading emplaced security solutions.

Page 6

Not Doing Threat Hunting  to  Approaching TH Capability

Firewall (NETWORK)
▪ Boundary / access control
▪ Insight on what is being blocked / passed
▪ Packet filtering, predetermined rules
▪ 1992: first firewall sold
▪ “We have a firewall…”

Antivirus
▪ Malicious file / activity control
▪ Signature based: protection time lag
▪ Behaviour based: as good as the algorithm(s)
▪ 1985: first AV software sold
▪ “... and we have antivirus…”

IDS / IPS
▪ Internal network traffic flow control
▪ Signature / rule based: production time lag
▪ Behavior based: as good as the algorithm(s)
▪ 1980: first IDS, USAF
▪ “...I set up an ID/IP system…”

SIEM
▪ Central logging for alerting
▪ Rule based: requires tuning / trained operators
▪ AI / ML: context-based algorithms you pay extra for
▪ 2005: term coined by Gartner
▪ “...and we have a SIEM.”

Page 7

What is the TH Process? A proactive and iterative process based on the scientific method

Start with an event / anomaly

Create a hypothesis

Find new patterns / TTPs

Investigate with data tools / TTPs

Inform / Enrich KB

Page 8

TH Lessons Learned: Overview of our pain

Cyber Defeat Cycle: effective TH is based on procedures and methods, with the Cyber Defeat Cycle creating a foundation.

Page 9

Cyber Defeat Cycle: Understanding the Threat

IED Reaction / Investigation

TTPs To Detect IED

Train Lessons Learned

Pages 10-14

Cyber Defeat Cycle: Understanding the Threat

Define The Target

Build / Acquire Tools

Research Target I&E

Gather Resources

Test Tools / Payload

Detection

Deployment

Initial Intrusion

Outbound Connection

Expand Access

Multiple Footholds

Exfiltrate Data

Cover Tracks

Pages 15-16

Cyber Defeat Cycle: Understanding the Threat

Threat Hunting Life Cycle

Inform: Provide organizational / community understanding

Assess: Create a hypothesis based on an event, incident, or anomaly

Test: Look for patterns; develop the threat TTPs

Page 17

TH Lessons Learned: Overview of our pain

Think Like The Threat: Add Threat Modeling

Threat hunters can help your operations by facilitating threat modeling

Page 18

TH + TM: A winning combo

TMs
▪ Know the environment
▪ Know the threat
▪ Know the tech used
▪ Develop / design with security from the start

Page 19

Where Is Your Organization At? TH Maturity Levels

THMM-1 Ad-Hoc
▪ Automated alerting
▪ May incorporate CTI feeds
▪ Focus is alert resolution
▪ Not TH: incident response

THMM-2 Undefined
▪ Automated alerting with additional data review
▪ Incorporates CTI feeds
▪ Conducts some data analysis
▪ Emerging TH

THMM-3 Initial
▪ Starting to develop / use TH procedures
▪ Least-frequent alert-based analysis
▪ Reliant on TH TTPs created by others
▪ Lots of data collected… ?
▪ Most active TH programs here

THMM-4 Mature
▪ TH using multiple data analysis TTPs
▪ Linked data analysis, data visualization, ML
▪ TH team published & contributing to TH community
▪ Few TH programs we all know and love

THMM-5 Innovative
▪ Automation of TH tasks
▪ Automation = increased TH ability to work with data
▪ Excellent threat resistance

Page 20

Preventing Breaches: Threat Hunting as Prevention

Page 21

Scenario: Medical Clinic (Ransomware Deja Vu)

▪ Ransomware First Sign: IT staff did not realize multiple indicators of breach prior

▪ Bungled Response: Forced to use “forensics” company that failed client

▪ Ransomware Part 2: Poor incident response led to second outbreak

▪ Prolific Evidence Of Breach: Hostile actors in network for months prior

Page 22

Scenario: Credit Cards (But it says PCI compliant)

Ransomware: Least Worry

▪ All systems including payment processing encrypted

▪ Canceled Incident Response and paid ransom

▪ Re-infected - same Bitcoin wallet address

▪ Hostile actors spent considerable time in network pre-infection

▪ No PCI controls - payment system was PCI compliant

Page 23

Compromise Indicators: There goes your day

▪ Money Missing
▪ Sudden Software
▪ Internet Issues
▪ Random Popups
▪ Password Not Working
▪ Antivirus Disabled
▪ Schedule Known

Page 24

191 Days Inside: Ransomware is locking the door on the way out

Expand Out: Pivot to any other vulnerable systems

Exfiltrate Data: Compress, send to drop point

Ransomware: After anything of value, get one more lick in

Dig In: Install back doors and persistent access

Page 25

Getting Started: Threat Hunting For Beginners

Page 26

Foundation of TH (Hint: It is about data… LOTS of data)

System Log Files: produced by every* connected device, to varying degrees.

NetFlow: who talks to who, how, and what was said.

Other Sensors: Honeypots, application logs, AD/LDAP, wireless, etc.

Threat Intel Feeds: Benefit from other networks' current events.
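One way to put the TH process from Page 7 (start with an anomaly, form a hypothesis, test it against the data, enrich the knowledge base) to work on the NetFlow data this slide names. This is an added example, not code from the presentation. The flow records are constructed; the 10.0.0.0/16 internal range and the beaconing / exfiltration thresholds are assumptions; the two hypotheses (steady-interval outbound connections, and one outbound flow far above a host's own baseline) map to the Outbound Connection and Exfiltrate Data stages of the attack lifecycle on Page 14.

```python
"""Hypothesis-driven hunt over NetFlow-style records.

Added example, not code from the slide deck. The flow records are constructed,
and the thresholds (interval jitter, volume ratio, size floor) are assumptions
chosen for illustration rather than values the presentation gives.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # flow start, seconds since epoch (constructed)
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


INTERNAL_PREFIX = "10.0."  # assumption: the hunted network is 10.0.0.0/16


def is_external(ip: str) -> bool:
    return not ip.startswith(INTERNAL_PREFIX)


# Constructed sample. 10.0.5.23 checks in with 203.0.113.7:443 roughly every
# 300 s with small payloads, then pushes a large archive on one check-in.
# 10.0.5.40 shows ordinary, irregular browsing.
T0 = 1_700_000_000
FLOWS = [
    Flow(T0 + 300 * i + i % 3, "10.0.5.23", "203.0.113.7", 443,
         52_000_000 if i == 8 else 480 + i % 5)
    for i in range(9)
] + [
    Flow(T0 + 17, "10.0.5.40", "198.51.100.10", 443, 2_100),
    Flow(T0 + 95, "10.0.5.40", "198.51.100.22", 443, 8_400),
    Flow(T0 + 610, "10.0.5.40", "198.51.100.10", 443, 1_200),
    Flow(T0 + 1_900, "10.0.5.40", "198.51.100.31", 80, 45_000),
    Flow(T0 + 2_050, "10.0.5.40", "198.51.100.10", 443, 3_300),
    Flow(T0 + 40, "10.0.5.23", "10.0.0.5", 445, 9_000),  # internal, out of scope
]


def beacon_candidates(flows, min_flows=5, max_jitter=0.10):
    """Hypothesis 1: a host contacting one external dst:port at a steady interval.

    Returns [((src, dst, dport), period_seconds)] for pairs whose inter-flow
    gaps vary by at most max_jitter (coefficient of variation).
    """
    by_pair = defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg)))
    return hits


def exfil_candidates(flows, min_ratio=10, min_bytes=1_000_000):
    """Hypothesis 2: an outbound flow far larger than the source's own norm.

    A flow is flagged when it exceeds min_bytes and is at least min_ratio times
    the median outbound size for that source; the absolute floor keeps a user's
    occasional 45 KB upload from paging the hunter.
    """
    by_src = defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            by_src[f.src].append(f)
    hits = []
    for src, fs in by_src.items():
        if len(fs) < 3:
            continue
        baseline = median(f.bytes_out for f in fs)
        for f in fs:
            if f.bytes_out >= min_bytes and f.bytes_out >= min_ratio * baseline:
                hits.append((src, f.dst, f.bytes_out))
    return hits


def hunt(flows, kb):
    """Run both hypotheses, then enrich the knowledge base (the Inform step):
    a destination that fits both hypotheses is recorded as a known indicator."""
    findings = []
    for (src, dst, dport), period in beacon_candidates(flows):
        findings.append({"hypothesis": "beaconing", "src": src, "dst": dst,
                         "dport": dport, "period_s": period,
                         "known_bad": dst in kb["destinations"]})
    for src, dst, nbytes in exfil_candidates(flows):
        findings.append({"hypothesis": "exfiltration", "src": src, "dst": dst,
                         "bytes": nbytes, "known_bad": dst in kb["destinations"]})
    beacon_dsts = {f["dst"] for f in findings if f["hypothesis"] == "beaconing"}
    exfil_dsts = {f["dst"] for f in findings if f["hypothesis"] == "exfiltration"}
    kb["destinations"] |= beacon_dsts & exfil_dsts
    return findings


if __name__ == "__main__":
    kb = {"destinations": set()}  # a real KB would be seeded from CTI feeds
    for finding in hunt(FLOWS, kb):
        print(finding)
    print("KB now knows:", sorted(kb["destinations"]))
```

The two checks are deliberately cheap to run over a day of flow records, which is the point of the slide's "start with small data" advice: a firewall or NetFlow export alone is enough to test these hypotheses, and each confirmed finding feeds the knowledge base that later, larger datasets are checked against.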

Page 27

Can you DIY? “Yes…” (Servers and code and shards, oh my)

What Makes Sense

▪ DIY has higher cost (intangible) and requires specialized skills

▪ DIY gives you as much control as your budget will allow

▪ Once operational, ongoing costs (training, CTI feeds, more HDDs)

▪ TH knowledge base is limited

Is there a business case that requires it?

Page 28

TH Roadmap: Keys to TH success

Deploy Data Aggregation: Place to store and analyze collected data

Start With Small Data: Start with a dataset you can manage (FW, IDPS)

Go For Quick Win: Show value of TH and TH cost

Achieve C-suite Buy-In: Share your initial success with leaders

Add Another Dataset: Expand collection and analysis scope

Continue To Show Value: Who else can benefit from TH work product?

Add CTI: Add CTI feeds and share quick wins from added capability

Incremental Dataset Add: Add data until edge-to-endpoint is covered

Join the TH Community: Tap into shared KB to help grow and scale

Become Active: Start sharing with the TH community

Page 29

Team With Experts: Better ROI, Faster Results

▪ Fast To Operational: Facilitate deployment

▪ Broad KB: Been there, seen that

▪ Rein In Cost: Fixed / tangible costs

▪ Innovation Baked In: Maybe? What are they doing to stay ahead of threats / competition?

Page 30

TH Starting Point: Where do I start?

TH Success

▪ Team With Experts
▪ Quick Win
▪ Show Value to C Suite
▪ Grow & Scale
▪ Share & Help Others
▪ Start Small

Page 31

Questions?

Page 32

Thank You

Eric Ebner

CTO / Co-Founder

linkedin.com/in/ericebner

https://protocol46.com