Successful Threat Hunting Begins
with Looking at Behaviors
Dean Sapp, CISO
©2018 Braintrace. All rights reserved.
Introductions
Dean Sapp, CISO
#dean_braintrace
Braintrace, Inc.
220 S. 200 E. Suite 300
SLC, Utah 84111
801-803-7902
17+ years working in cyber security
Husband, father of five great kids, author,
security researcher, Spartan racer, doer of
hard things and quintessential security nerd.
Security & Privacy Certifications:
CISSP, CISA, CIPP/US, ITILv3, GCCC,
GCIH, GSIP, GPEN, GAWN, GSLC, GCPM,
GWAPT, G2700, GLEG, GSOC
Bad Driving Behaviors
Running red lights
Ignoring stop signs
Driving too fast
Failure to yield to pedestrians
Hitting the gas instead of the brake
Tailgating
And…HSOs (Hitting Stationary Objects)
[Image: car hitting a building]
Threat Hunting – Jamie Butler
“The purpose of threat
hunting is to reduce the
time between a breach and
its discovery.”
Foreword, The Endgame Guide to Threat Hunting
Threat Hunting – FireEye
“Enterprises need to realize that they
should change their ways. They need to go
hunting – threat hunting. This threat
hunting cannot be an ancillary or
optional function that the security team
conducts. Instead, cyber threat hunting
needs to be conducted systematically
and programmatically.”
Threat Hunting – Verizon
"According to [the] 2018 Verizon’s Data Breach
Investigations Report, 68% of breaches aren’t
discovered for months or even years."
Threat hunting can and should be used by businesses,
small and large, to understand indicators of
compromise (IoCs) and frequent attack methods.
TTPs are Behaviors
Threat hunting is all about the Tools, Techniques/Tactics
and Procedures used by your adversary.
Learn to identify TTPs for “Living off the land!”
What are the Attack Vectors?
The most common attacks we provide IR for…
Phishing / Business Email Compromise (BEC)
Account / Password theft
Ransomware (WannaCry / Petya, NotPetya, Petya2, etc.)
Exploitation of missing patches (Equifax example)
Printers and Mobile devices targeted
Internet of Things (IoT) exploitation
Whatever is the easiest way to get in
The risk from outside attack was
73% in 2017.
You need to prioritize your Threat
Hunting plan to identify if these
outsiders have gotten inside your
network!
Insider breach risk is up from
25% in 2016 to 28% in 2017
You need to have a Threat
Hunting plan for internal breach
risk too!
Where to Hunt? What you have
Threat Hunting - Programmatic
1. What to Hunt?
Does the traffic look human generated or computer generated?
rwyoehbkhdhb.info
Didntmeanto.com
Does it appear to be malicious or harmless?
Malicious? Get host and scan for malware.
Harmless? Talk to user.
2. Anomalies
What appears different?
100 computers – 99 do not perform the action; 1 does
Why does the single computer attempt to go to a suspicious domain?
3. Pivoting
Does all traffic come to a SIEM or Breach detection platform?
If so, what other behavior do the other systems show?
If not, go to other systems with data. Review logs.
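Added example, not from the deck: a small Python hunt over a constructed DNS query log that applies steps 1 and 2 above, a "does the name look computer generated" heuristic and the 1-of-many-hosts anomaly check. The host names, entropy and consonant-run thresholds are assumptions; the two domains are the ones the slide names.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (host, queried domain), one record per line.
# Not from the original deck; the two domains are the ones the slide names.
DNS_LOG = """\
ws-001 didntmeanto.com
ws-002 didntmeanto.com
ws-003 contoso.com
ws-004 contoso.com
ws-002 contoso.com
ws-007 rwyoehbkhdhb.info
ws-007 contoso.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_machine_generated(domain: str) -> bool:
    """Step 1 heuristic (thresholds are assumptions): the registrable label is
    long and either high-entropy or has a consonant run no human would type."""
    label = domain.lower().split(".")[0]
    longest = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        longest = max(longest, run)
    return len(label) >= 8 and (shannon_entropy(label) > 3.2 or longest >= 6)

def hunt(log_text: str) -> dict:
    """Step 2: which domains look machine generated, and which were queried by
    a single host while many hosts are present (the 1-of-100 anomaly)."""
    records = [tuple(line.split()) for line in log_text.splitlines() if line.strip()]
    hosts_by_domain = defaultdict(set)
    for host, domain in records:
        hosts_by_domain[domain].add(host)
    total_hosts = len({host for host, _ in records})
    findings = {}
    for domain, hosts in hosts_by_domain.items():
        machine = looks_machine_generated(domain)
        rare = len(hosts) == 1 and total_hosts >= 5
        if machine or rare:  # either way: pull the host and scan, or talk to the user
            findings[domain] = {"machine_generated": machine,
                                "hosts": sorted(hosts), "rare": rare}
    return findings
```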
Intelligent Threat Hunting - Systematic
Are you systematically correlating events?
SIEM at the center, with a question for each surrounding layer:
Where was the initial threat observed? What is that host? What data can it access?
How did they authenticate? Central Auth, Remote Access, Wireless AP, WAN / LAN, DHCP
What network are they on? GUEST or CORP
Are there anomalies in other layers of security? IDS/IPS, Breach Detection, DNS, Next-Gen Firewall, Anti-Virus, Others??
Behaviors to Monitor
The most common behaviors that indicate it is time to go hunting:
DDoS attacks that are noisy and obvious
Low and slow password Spraying / Brute Force attempts
Changes to Email automatic forwarding rules
Unusual access attempts to the DMS or systems with high value IP
Local workstation failed login attempts
Geographically uncharacteristic access attempts
PowerShell and WMI activity on the network
Behaviors to Monitor - 2
Endpoint logs for virus, malware or infection indicators
Web application attacks (WAF or Application Server Logs)
Large data copies or moves (aggregate) over time
Log Sources not receiving data any longer or hosts no longer sending log data
DNS requests to known blacklisted IPs, TOR nodes, spam bot networks and malicious domains
Unauthorized USB attempts
Employees giving notice – Monitoring of events related to terminations
Behaviors to Monitor - 3
Inbound / Outbound Encrypted Traffic from unusual sources
Bitsquatting, Typosquatting, Unicode masqueraded domains
Kerberos Traffic from printers or other IoT or odd devices
Authorized access to code repos from unusual sources
Unusual database listener activities and traffic
Uncharacteristic services and processes that deviate from standard builds
Use of network tools (FTP, SSH, etc.) on non-standard ports
Systems to Monitor
1. Email
2. Document Management Systems
3. Active Directory
4. Endpoints
5. Accounting Systems
6. Money moving systems (ACH, Wires, SWIFT)
7. Anywhere you have Intellectual Property (IP)
The Role of Deception
Deception helps to catch the bad guys in the act…
Open Source, Honeyd or Commercial Products (Eastwind Networks, Attivo)
Old, vulnerable, unpatched and full of valuable data…bingo! Windows 2003 Server running IIS 5.0 and MS SQL 2005
Low Interaction decoys
High Interaction decoys
The more realistic the host the better…but don’t forget to clear the SAM database of real hashes…
PowerShell Examples
PowerShell ports and activities on the network
PowerShell v5 or v6 logging should be turned on
PowerShell remoting events and ports other than the standard 80 or 443: 5985 - HTTP, 5986 - HTTPS
RC4-HMAC instead of AES
Beware some tools use Powershell in interesting ways…
KACE Inventory Management tool example
A Few Words of Caution
False Positives happen (2 Examples)
1. KACE Inventory Management tool example
Most PowerShell activity is not malicious!
2. VIP network with IoT, Disney Circle example
Not all ARP Cache Poisoning is malicious!
Kerberoasting Attacks
Ticket Granting Service (TGS) Events
Events to be looking for – ID 4769
These events are quite common so you will need to identify the hosts where this behavior is unexpected.
Events to be looking for – ID 4770
These events are less common…so look for them originating from the same computers over a known period of time.
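Added example, not from the deck: Python over constructed 4769/4770 records that applies the two rules above, hosts outside the expected set requesting RC4 service tickets for several SPNs, and repeated 4770 renewals from one computer inside a time window. Host names, SPNs, the expected-host set and the thresholds are assumptions; the encryption-type codes (0x17 = RC4-HMAC, 0x12 = AES256) are the standard Windows values and tie back to the "RC4-HMAC instead of AES" point on the PowerShell slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (not from the original deck):
# (timestamp, event id, client computer, service name, ticket encryption type).
# 4769 = service ticket requested, 4770 = service ticket renewed.
# 0x17 is RC4-HMAC, 0x12 is AES256.
EVENTS = [
    ("2018-06-01T09:00:00", 4769, "ws-014", "MSSQLSvc/db01", "0x12"),
    ("2018-06-01T09:00:02", 4769, "ws-014", "HTTP/web01", "0x17"),
    ("2018-06-01T09:00:03", 4769, "ws-014", "MSSQLSvc/db02", "0x17"),
    ("2018-06-01T09:00:04", 4769, "ws-014", "CIFS/file01", "0x17"),
    ("2018-06-01T09:05:00", 4769, "app01", "MSSQLSvc/db01", "0x12"),
    ("2018-06-01T10:00:00", 4770, "ws-014", "MSSQLSvc/db01", "0x12"),
    ("2018-06-01T10:10:00", 4770, "ws-014", "MSSQLSvc/db02", "0x12"),
    ("2018-06-01T10:20:00", 4770, "ws-014", "HTTP/web01", "0x12"),
    ("2018-06-01T16:00:00", 4770, "app01", "MSSQLSvc/db01", "0x12"),
]
# Hosts where a burst of TGS requests is normal (assumed: application servers).
EXPECTED_TGS_HOSTS = {"app01"}

def rc4_tgs_bursts(events, max_spns=2):
    """4769 rule: hosts outside the expected set that requested RC4 tickets
    for more than max_spns distinct services; these are the hosts to pull."""
    spns = defaultdict(set)
    for _, eid, client, spn, etype in events:
        if eid == 4769 and etype == "0x17" and client not in EXPECTED_TGS_HOSTS:
            spns[client].add(spn)
    return {c: sorted(s) for c, s in spns.items() if len(s) > max_spns}

def repeated_renewals(events, window=timedelta(hours=1), min_count=3):
    """4770 rule: clients producing min_count or more renewals inside one window."""
    by_client = defaultdict(list)
    for ts, eid, client, *_ in events:
        if eid == 4770:
            by_client[client].append(datetime.fromisoformat(ts))
    hits = {}
    for client, times in by_client.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= min_count:
                hits[client] = len(in_window)
                break
    return hits
```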
Where to Start
1. Rank and prioritize your IT systems and users
2. Ensure logging is turned on for these
3. Start watching the wire…it rarely lies
4. Establish baselines for normal traffic, services, processes and behavior
5. Set up automated alerts when baselines are exceeded
6. Plan to take 30 minutes to an hour a day hunting for breaches
7. Resolve operational issues you find along the way and re-baseline
8. Research new attack methods and build your skills
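Added example, not the deck's own code: a rolling per-host baseline in Python over constructed daily outbound-volume counts, covering steps 4, 5 and 7 above. A day alerts when it exceeds mean plus 3 sigma of the recent accepted days, and alerting days stay out of the baseline until explained, so a spike does not silently become the new normal. Host names, values and thresholds are assumptions.

```python
import statistics

# Constructed daily outbound volume per host in MB, oldest first (not real data).
DAILY_MB = {
    "ws-001": [120, 135, 110, 128, 140, 131, 125, 900, 130],
    "ws-002": [80, 95, 88, 91, 79, 85, 93, 90, 96],
}

def rolling_alerts(series, window=7, sigma=3.0, min_days=5):
    """Walk the series day by day. A day is flagged when it exceeds
    mean + sigma * stdev of the last `window` accepted days (after min_days
    of history exist). Flagged days are not folded into the baseline, so the
    baseline only moves once a spike has been resolved and re-accepted."""
    accepted, flagged = [], []
    for day, value in enumerate(series):
        recent = accepted[-window:]
        if len(recent) >= min_days:
            mean, sd = statistics.mean(recent), statistics.pstdev(recent)
            # floor the deviation so a perfectly flat history still gets a sane threshold
            if value > mean + sigma * max(sd, 1.0):
                flagged.append(day)
                continue
        accepted.append(value)
    return flagged

def alerts(daily, **kw):
    """Per-host list of day indexes that exceeded that host's own baseline."""
    return {host: rolling_alerts(series, **kw) for host, series in daily.items()}
```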
Go On Hunting Trips
Sr. Analysts taking Jr. Analysts on “hunting trips”
Practice with the toolset
Hit the cyber range
Locate IoCs on the real network
Search for Command and Control Servers
Validate encrypted outbound traffic flows
Review the previous list of targets
HMM = Hunting Maturity Model (5 levels)
HMM 0 - Initial
Relies primarily on automated alerting
Little or no routine data collection
HMM 1 - Minimal
Incorporates threat intelligence indicator searches
Moderate or high level of routine data collection
HMM 2 - Procedural
Follows data analysis procedures created by others
High or very high level of routine data collection
HMM 3 - Innovative
Creates new data analysis procedures
High or very high level of routine data collection
HMM 4 - Leading
Automates the majority of successful data analysis procedures
Moderate or high level of routine data collection
Questions?
Threat Hunting Resources
1. Incident Response & Computer Forensics, Third Edition, Jason Luttgens, Matt Pepe and Kevin Mandia
2. Threat Modeling: Designing for Security, Adam Shostack
3. https://www.threathunting.net/ – David Bianco
4. SQRRL, Hunt-O-Pedia (https://sqrrl.com/media/huntpedia-web-2.pdf) and Hunt Evil
5. The Endgame Guide to Threat Hunting, Paul Ewing & Devon Kerr (https://www.endgame.com/resource/white-paper/endgame-guide-threat-hunting-practitioners-edition)
Threat Hunting Resources (continued)
6. https://taosecurity.blogspot.com/2017/03/the-origin-of-threat-hunting.html
7. SANS Reading Room; Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense
8. The US Army, Landcyber White Paper, http://dtic.mil/dtic/tr/fulltext/u2/a592724.pdf
9. https://github.com/0x4D31/awesome-threat-detection
10. https://github.com/meirwah/awesome-incident-response