Cyber Security and Threat Hunting: What We've Learned
AGENDA: 10 years+ in about an hour
1. What Is TH
2. TH For Prevention
3. TH For Beginners
DEFINITION: Threat Hunting (thret ˈhən(t)iNG)
Compare with: Pen Testing, Vulnerability Scanning, Help Desk / NOC / SOC
Threat hunting is a proactive and iterative process, based on the scientific method, to search for advanced network threats that are successfully evading the security solutions already in place.
NETWORK: the layered defenses most organizations already have
Firewall: Boundary / Access Control
▪ Insight on what is being blocked / passed
▪ Packet filtering
▪ Predetermined rules
▪ 1992: First firewall sold
Antivirus: Malicious File / Activity Control
▪ Signature based: protection time lag (no signature, no detection)
▪ Behaviour based: only as good as the algorithm(s)
▪ 1985: First AV software sold
IDS / IPS: Internal Network Traffic Flow Control
▪ Signature / rule based: protection time lag (no rule, no detection)
▪ Behavior based: only as good as the algorithm(s)
▪ 1980: First IDS, USAF
SIEM: Central logging for alerting
▪ Rule based: requires tuning / trained operators
▪ AI / ML: context-based algorithms you pay extra for
▪ 2005: term coined by Gartner
Approaching TH Capability vs. Not Doing Threat Hunting
Having the tools is not hunting. The usual answers are: "We have a firewall..." "...and we have antivirus..." "...I set up an ID/IP system..." "...and we have a SIEM." Each of these waits for something it already knows how to recognize; threat hunting looks for what they missed.
What is the TH Process? A proactive and iterative process based on the scientific method:
1. Start with an event / anomaly
2. Create a hypothesis
3. Investigate with data tools / TTPs
4. Find new patterns / TTPs
5. Inform / enrich the knowledge base (KB), then start again
TH Lessons Learned: Overview of our pain
Cyber Defeat Cycle: Effective TH is based on procedures and methods, with the Cyber Defeat Cycle creating the foundation.
Cyber Defeat Cycle: Understanding the Threat
The model borrows from the military IED (improvised explosive device) defeat cycle:
▪ IED reaction / investigation
▪ TTPs to detect the IED
▪ Train on lessons learned
The attacker's cycle, which the defender has to understand step by step:
▪ Define the target
▪ Build / acquire tools
▪ Research target I&E
▪ Gather resources
▪ Test tools / payload against detection
▪ Deployment
▪ Initial intrusion
▪ Outbound connection
▪ Expand access
▪ Multiple footholds
▪ Exfiltrate data
▪ Cover tracks
Threat Hunting Life Cycle (the defender's side of the Cyber Defeat Cycle)
▪ Assess: create a hypothesis based on an event, incident, or anomaly
▪ Test: look for patterns; develop the threat TTPs
▪ Inform: provide organizational / community understanding
Think Like The Threat: Add Threat Modeling
Threat hunters can help your operations by facilitating threat modeling
TH + TM: a winning combo
Threat modeling (TM) means:
▪ Know the environment
▪ Know the threat
▪ Know the tech used
▪ Develop / design with security from the start
Where Is Your Organization At? TH Maturity Levels
THMM-1 Ad-Hoc
▪ Automated alerting
▪ May incorporate CTI feeds
▪ Focus is alert resolution
▪ Not TH: this is incident response
THMM-2 Undefined
▪ Automated alerting with additional data review
▪ Incorporates CTI feeds
▪ Conducts some data analysis
▪ Emerging TH
THMM-3 Initial
▪ Starting to develop / use TH procedures
▪ Least-frequent alert based analysis
▪ Reliant on TH TTPs created by others
▪ Lots of data collected... and then what?
▪ Most active TH programs are here
THMM-4 Mature
▪ TH using multiple data analysis TTPs
▪ Linked data analysis, data visualization, ML
▪ TH team published and contributing to the TH community
▪ The few TH programs we all know and love
THMM-5 Innovative
▪ Automation of TH tasks
▪ Automation = increased TH ability to work with data
▪ Excellent threat resistance
Preventing Breaches: Threat Hunting as Prevention
Scenario: Medical Clinic (Ransomware Deja Vu)
▪ Ransomware first sign: IT staff did not recognize the multiple indicators of breach that preceded it
▪ Bungled response: forced to use a "forensics" company that failed the client
▪ Ransomware part 2: poor incident response led to a second outbreak
▪ Prolific evidence of breach: hostile actors had been in the network for months prior
Scenario: Credit Cards (But it says PCI compliant)
Ransomware was the least of their worries:
▪ All systems, including payment processing, encrypted
▪ Canceled incident response and paid the ransom
▪ Re-infected, with the same Bitcoin wallet address in the ransom note
▪ Hostile actors spent considerable time in the network pre-infection
▪ No PCI controls around the environment; only the payment system itself was "PCI compliant"
Compromise Indicators: There goes your day
▪ Money missing
▪ Sudden software
▪ Internet issues
▪ Random popups
▪ Password not working
▪ Antivirus disabled
▪ Schedule known
191 Days Inside: Ransomware is locking the door on the way out
By the time ransomware runs, the attacker has typically already done everything else:
▪ Dig in: install back doors and persistent access
▪ Expand out: pivot to any other vulnerable systems
▪ Exfiltrate data: compress and send to a drop point
▪ Ransomware: after taking anything of value, get one more lick in
Getting Started: Threat Hunting For Beginners
Foundation of TH. Hint: it is about data... LOTS of data
▪ System log files: produced by every* connected device, to varying degrees
▪ NetFlow: who talks to whom, over which port and protocol, how often and how much (flow metadata, not packet contents)
▪ Other sensors: honeypots, application logs, AD / LDAP, wireless, etc.
▪ Threat intel feeds: benefit from current events on other networks
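The TH process above (event, hypothesis, investigate, find patterns) applied to the NetFlow data source, as an added example; this is not code from the deck or from Protocol 46. The hypothesis is the "Outbound Connection" and "Exfiltrate Data" phases of the attacker cycle: a compromised internal host checks in to an external address on a fixed interval, then pushes a large, one-directional upload to the same place. The flow records, the internal address ranges, the field layout and the thresholds are all constructed assumptions for the example.

```python
"""
Hypothesis-driven hunt over NetFlow-style records.
Example code added to these notes; not from the original deck.
Record layout (assumed): timestamp,src,dst,dst_port,bytes_out,bytes_in
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flows. 10.0.1.25 checks in to 198.51.100.77 every
# ten minutes (with a little jitter) and then uploads ~48 MB to it.
# 10.0.1.40 browses normally and copies a file to an internal server.
SAMPLE_FLOWS = """\
2019-05-02T09:00:00,10.0.1.25,198.51.100.9,443,1200,15200
2019-05-02T09:00:05,10.0.1.25,198.51.100.77,443,310,280
2019-05-02T09:10:05,10.0.1.25,198.51.100.77,443,305,290
2019-05-02T09:20:04,10.0.1.25,198.51.100.77,443,312,275
2019-05-02T09:30:05,10.0.1.25,198.51.100.77,443,308,281
2019-05-02T09:40:06,10.0.1.25,198.51.100.77,443,309,279
2019-05-02T09:50:05,10.0.1.25,198.51.100.77,443,311,284
2019-05-02T10:00:05,10.0.1.25,198.51.100.77,443,307,277
2019-05-02T10:10:05,10.0.1.25,198.51.100.77,443,48500000,120000
2019-05-02T09:03:11,10.0.1.40,198.51.100.9,443,900,40000
2019-05-02T09:31:52,10.0.1.40,198.51.100.9,443,1100,52000
2019-05-02T11:47:09,10.0.1.40,198.51.100.9,443,700,18000
2019-05-02T09:05:00,10.0.1.40,10.0.2.5,445,2000000,5000
"""

# Assumed address plan of the organization being hunted.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse CSV flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, out_b, in_b = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return flows


def is_external(ip):
    """True when the address is outside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_pairs(flows):
    """Group internal-to-external flows by (src, dst)."""
    pairs = defaultdict(list)
    for f in flows:
        if not is_external(f["src"]) and is_external(f["dst"]):
            pairs[(f["src"], f["dst"])].append(f)
    return pairs


def find_beacons(flows, min_conns=6, max_cv=0.2):
    """Flag pairs whose connections are evenly spaced in time.
    A coefficient of variation (stdev / mean of the gaps) near zero means a
    fixed check-in interval: typical of C2 beaconing, atypical of people."""
    hits = {}
    for pair, fl in outbound_pairs(flows).items():
        if len(fl) < min_conns:
            continue
        times = sorted(f["ts"] for f in fl)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = {"connections": len(fl), "mean_interval_s": mean, "cv": cv}
    return hits


def find_exfil(flows, min_bytes_out=10_000_000, min_ratio=10.0):
    """Flag pairs with a large, lopsided upload volume (more sent than received)."""
    hits = {}
    for pair, fl in outbound_pairs(flows).items():
        out_b = sum(f["bytes_out"] for f in fl)
        in_b = sum(f["bytes_in"] for f in fl)
        ratio = out_b / max(in_b, 1)
        if out_b >= min_bytes_out and ratio >= min_ratio:
            hits[pair] = {"bytes_out": out_b, "bytes_in": in_b, "ratio": ratio}
    return hits


def hunt(text=SAMPLE_FLOWS):
    """Run both tests of the hypothesis and return the findings."""
    flows = parse_flows(text)
    return {"beacons": find_beacons(flows), "exfil": find_exfil(flows)}


if __name__ == "__main__":
    for kind, hits in hunt().items():
        for (src, dst), info in hits.items():
            print(f"{kind}: {src} -> {dst} {info}")
```

Both tests fire on the same (10.0.1.25, 198.51.100.77) pair, which is the point of the hypothesis: a beacon alone is a lead, a beacon followed by a lopsided upload to the same address is the "Exfiltrate Data" phase, and the 2 MB copy to the internal file server is ignored because the hunt is scoped to traffic leaving the organization. The thresholds are starting values; in a real hunt they are tuned against the baseline of the environment, and the enriched finding feeds back into the KB as a new detection.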
Can you DIY? "Yes..." Servers and code and shards, oh my
What makes sense:
▪ DIY has a higher (largely intangible) cost and requires specialized skills
▪ DIY gives you as much control as your budget will allow
▪ Once operational, there are ongoing costs (training, CTI feeds, more HDDs)
▪ A home-grown TH knowledge base is limited to what your own team has seen
▪ Is there a business case that requires it?
TH Roadmap: Keys to TH success
▪ Deploy data aggregation: a place to store and analyze collected data
▪ Start with small data: start with a dataset you can manage (FW, IDPS)
▪ Go for a quick win: show the value of TH and the cost of TH
▪ Achieve C-suite buy-in: share your initial success with leaders
▪ Add another dataset: expand collection and analysis scope
▪ Continue to show value: who else can benefit from the TH work product?
▪ Add CTI: add CTI feeds and share quick wins from the added capability
▪ Incremental dataset adds: add data until edge to endpoint is covered
▪ Join the TH community: tap into the shared KB to help grow and scale
▪ Become active: start sharing with the TH community
Team With Experts: Better ROI, Faster Results
▪ Fast to operational: they facilitate deployment
▪ Broad KB: been there, seen that
▪ Rein in cost: fixed / tangible costs
▪ Innovation baked in: maybe? Ask what they are doing to stay ahead of threats / competition
TH Starting Point: Where do I start?
Start Small, then Team With Experts, then a Quick Win, then Show Value to the C-Suite, then Grow & Scale, then Share & Help Others. That is TH Success.
Questions?
Thank You
Eric Ebner
CTO / Co-Founder
linkedin.com/in/ericebner
https://protocol46.com