SACON International 2017
Chandra Prakash Suryawanshi, Aujas Network Pvt Ltd
SVP | chander80
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok

Threat Hunting
SACON 2017

Adversaries leave trails everywhere

• Email logs
• Endpoint process accounting
• HTTP proxy logs
• Authentication records
• File system metadata
• Network session data
• Database query logs

Alerting only gets you so far

Automated systems are great, but some have flaws.

Good for:
• Easy to create new rules.
• Automation decreases dwell time.

Bad at:
• Can't find things you don't already know how to find!

What is "hunting"?

The collective name for any manual or machine-assisted techniques used to detect security incidents that your automated solutions missed.

Threat Hunting Platform Drivers

A unified environment for:
• Collecting and managing big security data
• Detecting and analyzing advanced threats
• Visually investigating attack TTPs and patterns
• Automating hunt techniques
• Collaborating amongst security analyst teams

Hunting Styles

(Chart: each hunting style plotted by increasing complexity and value)
• Indicators
• Artifact Analysis
• Tactic & Technique Analysis
• Anomaly Detection

The Hunting Maturity Model (HMM)

HUNTING STRATEGY

Strategy enables results

Where do I start?
What should I look for?
What's my path to improve?

Your strategy determines the quality of your results.
Choose a strategy that supports your detection goals.
Don't underestimate the importance of good planning!

Strategy #1: Make the most of what you already collect

Advantages
• You probably already collect at least some data.
• Someone is already familiar with its contents.
• You may already have some idea of the key questions you want answered.

Disadvantages
• Your ability to ask questions is limited by the available data.
• External forces have more influence over your results.
• May confuse "easy" with "effective".

The three data domains

Keep as much as you can comfortably store.

Network
• Authentication
• Session data
• Proxy logs
• File transfers
• DNS resolution

Host
• Authentication
• Audit logs
• Process creation

Application
• Authentication
• DB queries
• Audit & transaction logs
• Security alerts
• Threat intel

Aim for data diversity

Leverage different types of data to…
• Reveal relationships
• Clarify the situation
• Highlight inconsistencies
• Tell a complete story

Also look for toolset diversity

Different techniques, different perspectives.

Strategy #2: Follow the Kill Chain

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives

• Find incidents already occurring
• Expand the stories you are able to tell
• Predict incidents before they happen

Source: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked April 29th, 2015)

THE HUNTING PROCESS

The Hunting Process

Successful hunting requires many iterations through this cycle.
The faster your analysts get through this loop, the better.

Most hunts start with questions

• What data do I have and what does it "look like"?
• Is there any lateral movement going on?
• Is there any data exfiltration going on in my network?
• Are there any unauthorized users on my VPN?
• Is anyone misusing their database credentials?
• Have my users been spear phished?

Questions become hypotheses

"If this activity is going on, it might look like…"
That's your hypothesis!
If at first you don't succeed, recraft it.

Hypotheses Can Be Driven By…

Threat Intelligence
• Both IOC searches and TTP analysis
• "d8e8fc[…]ba249 is a known-bad file hash. Let's see if it's on any of our critical systems."

Situational Awareness
• Based on friendly intel, knowledge of business processes, Crown Jewels Analysis or other knowledge of your own environment
• "Engineering users should never access the Finance file server. Let's see if they're doing that."

Domain Expertise
• A combination of intel- and awareness-based
• "I know (China|Russia|Iran) threat actors' TTPs. Are they in our network?"

Data Type and Location

Data types for your hunt are usually dictated by your hypothesis.
• Command & Control: Network session records, HTTP proxy logs
• Lateral Movement: Windows authentication logs (or whatever your OS is)

The location from which the data is collected can also be a major factor:
• Command & Control: Internet connection points
• Lateral Movement: Internet-facing services, critical assets, endpoints, servers

Document a collection plan for each hunt, including type & location, as well as other relevant filters (turn Big Data into Smaller Data if you can).

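The following is an added example, not code from the SACON deck or from Sqrrl, that turns two of the hypotheses from the previous slides (the threat-intel "known-bad hash on a critical system" hunt and the situational-awareness "engineering users on the Finance file server" hunt) into runnable checks, each carrying the collection plan (data type, location, filters) this slide asks for. All hosts, accounts, access records and the "known-bad" hash are constructed; the hash on the slide is elided, so a placeholder is derived from a fixed string.

```python
"""Hypothesis-driven hunts with an explicit collection plan (constructed data)."""
import hashlib
from dataclasses import dataclass


@dataclass
class HuntPlan:
    hypothesis: str
    data_type: str   # what kind of record the hunt needs
    location: str    # where that record is collected from
    filters: dict    # how "big data" was cut down to "smaller data"


@dataclass
class HuntResult:
    plan: HuntPlan
    hits: list         # records matching the hypothesis inside the plan's scope
    out_of_scope: int  # matches the filters excluded (a reason to recraft the hypothesis)


# --- constructed sample data (not real indicators or hosts) -------------------
BAD_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()  # placeholder IOC
BENIGN_HASH = hashlib.sha256(b"constructed benign file").hexdigest()
CRITICAL_SYSTEMS = {"dc01", "fin-fs01", "erp-db01"}

# Endpoint file inventory as a hypothetical agent would report it: (host, sha256, path).
FILE_INVENTORY = [
    ("dc01", BAD_HASH, r"C:\Windows\Temp\update.exe"),
    ("ws-0421", BAD_HASH, r"C:\Users\alice\Downloads\invoice.exe"),
    ("fin-fs01", BENIGN_HASH, r"D:\shares\ledger\Q3.xlsx"),
    ("erp-db01", BENIGN_HASH, r"C:\Program Files\ERP\erp.exe"),
]

# Directory lookup: account -> department (the "friendly intel" the slide mentions).
USER_DEPT = {"alice": "engineering", "bob": "finance", "carol": "engineering", "svc_backup": "it"}

# File-server access records: (timestamp, account, server, share).
SHARE_ACCESS = [
    ("2017-11-10T09:12:03", "bob", "fin-fs01", r"\\fin-fs01\ledger"),
    ("2017-11-10T22:48:51", "alice", "fin-fs01", r"\\fin-fs01\ledger"),
    ("2017-11-10T10:05:17", "carol", "eng-fs01", r"\\eng-fs01\src"),
    ("2017-11-11T02:10:00", "svc_backup", "fin-fs01", r"\\fin-fs01\ledger"),
]


def hunt_ioc_hash(inventory, bad_hash, critical_hosts):
    """Threat-intel driven hunt: is a known-bad hash present on a critical system?"""
    plan = HuntPlan(
        hypothesis="Known-bad file hash %s...%s is present on a critical system" % (bad_hash[:6], bad_hash[-5:]),
        data_type="endpoint file inventory (host, hash, path)",
        location="critical assets",
        filters={"host in": sorted(critical_hosts)},
    )
    matches = [(host, path) for host, sha, path in inventory if sha == bad_hash]
    hits = [m for m in matches if m[0] in critical_hosts]
    return HuntResult(plan, hits, len(matches) - len(hits))


def hunt_engineering_on_finance(access_log, user_dept, finance_server="fin-fs01"):
    """Situational-awareness hunt: engineering users never touch the Finance file server."""
    plan = HuntPlan(
        hypothesis="Engineering users never access the Finance file server",
        data_type="file server access / authentication log",
        location=finance_server,
        filters={"department": "engineering"},
    )
    on_server = [rec for rec in access_log if rec[2] == finance_server]
    hits = [rec for rec in on_server if user_dept.get(rec[1]) == "engineering"]
    return HuntResult(plan, hits, len(on_server) - len(hits))


if __name__ == "__main__":
    for result in (hunt_ioc_hash(FILE_INVENTORY, BAD_HASH, CRITICAL_SYSTEMS),
                   hunt_engineering_on_finance(SHARE_ACCESS, USER_DEPT)):
        print(result.plan.hypothesis)
        print("  scope:", result.plan.data_type, "@", result.plan.location, result.plan.filters)
        for hit in result.hits:
            print("  HIT:", hit)
        print("  matches outside scope:", result.out_of_scope)
```

The `out_of_scope` count is the point of recording the plan: the bad hash also sits on a workstation that the "critical systems" filter excluded, which is exactly the kind of result that should make the analyst recraft the hypothesis rather than close the hunt.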
Analytic Technique

Image credit: fatmonk8, https://www.reddit.com/r/pics/comments/2gi309/coworker_said_i_had_the_most_organized_toolbox_in/

A wise owl once said…

HUNTING IN SQRRL

Create hypotheses

Start with guided hunts using the Sqrrl Detections.
Get more advanced using the hunt reports.

Investigate via Tools and Techniques

This is very similar to Incident Investigation; again, you will want to ask the same six questions:
1. Was the activity actually an incident?
2. Was the adversary successful?
3. What other resources were involved?
4. What activities did the adversary conduct?
5. What resources were compromised?
6. What should the next steps be?

Additional hypotheses

Think about what your data will show.

Was the beacon an incident?

• How long did it occur for? (Is it still occurring?)
• Look at the endpoints (click on them in the detection profile to bring up their profiles), starting with the destination:
  - What do you know about it? Is it a known service?
  - What domain is it associated with? May need to explore and expand to DNS Domains.
  - What URIs is it associated with? May need to explore and expand to URIs. Could also use the activity log with web proxy logs to find this.
• Are the endpoints associated with other malicious activity? May need to explore and expand to Alert. May need to drill down into the activity.

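The checks above, worked through outside the Sqrrl UI, as an added example that is not code from the deck or from Sqrrl: how long the suspected beacon has been running, whether it is still running, how regular its interval is (a beacon has a tight interval spread, normal browsing does not), and which DNS domain and proxy URIs the destination is tied to. Every session record, IP address, domain and URI below is constructed.

```python
"""Beacon triage over constructed network session, DNS and proxy records."""
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%dT%H:%M:%S"


def ts(s):
    return datetime.strptime(s, FMT)


def _build_sessions():
    """Constructed session records: (timestamp, src_ip, dst_ip, dst_port, bytes_out)."""
    base = ts("2017-11-10T08:00:00")
    rows = []
    # Suspected beacon: 10.1.5.23 -> 203.0.113.45 every ~300 s with +/-1 s of jitter.
    for i in range(40):
        jitter = (i % 3) - 1
        when = base + timedelta(seconds=300 * i + jitter)
        rows.append((when.strftime(FMT), "10.1.5.23", "203.0.113.45", 443, 1320))
    # Ordinary browsing from the same host: bursty, irregular intervals.
    for off in (0, 47, 130, 133, 600, 1810, 1900, 4000, 4002, 7300, 9000):
        when = base + timedelta(seconds=off)
        rows.append((when.strftime(FMT), "10.1.5.23", "198.51.100.10", 443, 48210))
    return sorted(rows)


SESSIONS = _build_sessions()

# Constructed DNS resolution log: (timestamp, client_ip, query, answer).
DNS_LOG = [
    ("2017-11-10T07:59:58", "10.1.5.23", "cdn-update.example.net", "203.0.113.45"),
    ("2017-11-10T07:59:59", "10.1.5.23", "www.example.org", "198.51.100.10"),
]
# Constructed HTTP proxy log: (timestamp, client_ip, dst_ip, uri).
PROXY_LOG = [
    ("2017-11-10T08:00:00", "10.1.5.23", "203.0.113.45", "/api/ping"),
    ("2017-11-10T08:05:00", "10.1.5.23", "203.0.113.45", "/api/ping"),
    ("2017-11-10T08:00:47", "10.1.5.23", "198.51.100.10", "/index.html"),
]


def beacon_profile(sessions, src, dst, now, max_age=timedelta(minutes=15)):
    """Duration, liveness and regularity of the src -> dst connection pattern."""
    times = sorted(ts(t) for t, s, d, _port, _bytes in sessions if s == src and d == dst)
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not intervals:
        return {"connections": len(times), "periodic": False, "still_active": False}
    med = median(intervals)
    # Median absolute deviation of the intervals: small for a timer, large for a human.
    mad = median(abs(x - med) for x in intervals)
    return {
        "connections": len(times),
        "first_seen": times[0].strftime(FMT),
        "last_seen": times[-1].strftime(FMT),
        "duration": times[-1] - times[0],
        "still_active": now - times[-1] <= max_age,   # "is it still occurring?"
        "median_interval_s": med,
        "interval_mad_s": mad,
        # Enough samples and jitter within 10% of the period: consistent with a beacon.
        "periodic": len(intervals) >= 10 and mad <= 0.1 * med,
    }


def enrich_destination(dst, dns_log, proxy_log):
    """Pivot from the destination IP to the domains and URIs it is associated with."""
    return {
        "domains": sorted({q for _t, _c, q, a in dns_log if a == dst}),
        "uris": sorted({u for _t, _c, d, u in proxy_log if d == dst}),
    }


if __name__ == "__main__":
    now = ts("2017-11-10T11:20:00")
    for dst in ("203.0.113.45", "198.51.100.10"):
        profile = beacon_profile(SESSIONS, "10.1.5.23", dst, now)
        print(dst, profile, enrich_destination(dst, DNS_LOG, PROXY_LOG))
```

The 10% jitter threshold and the 15-minute liveness window are assumptions chosen for the sample; on real session data both should be tuned against the beacon intervals the environment's own malware samples have shown.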
Was the lateral movement (LatMov) an incident?

• Look at the patterns: Is this consistent with an adversary exploring a network? Are the failure patterns consistent?
• Look at the Hostname entities: Are any of them known jump servers?
• Look at the Accounts: Are any of them admins who are expected to perform this type of activity? Are any of the accounts linked to the same User, especially a regular and an admin account for the same person?
• Look at the Relationships: Is the timing consistent with this type of activity? Is there other activity occurring before or after to indicate it is normal?

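The same four checks applied to Windows authentication records, as an added example (not code from the deck or from Sqrrl): many distinct hosts reached in a short window and a failure followed by success on the same host as the "exploring" pattern, known jump servers and expected admins as the hostname and account checks, and a regular plus admin account for the same person as the linked-account check. Event IDs follow the Windows convention (4624 logon success, 4625 logon failure); the events, hosts, accounts and owners are constructed.

```python
"""Lateral movement triage over constructed Windows authentication events."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts event_id logon_type account src dst")
FMT = "%Y-%m-%dT%H:%M:%S"


def ev(t, event_id, logon_type, account, src, dst):
    return Event(datetime.strptime(t, FMT), event_id, logon_type, account, src, dst)


# Constructed auth events. Logon type 3 = network, 10 = RemoteInteractive (RDP).
AUTH_EVENTS = [
    ev("2017-11-10T09:15:00", 4624, 3, "alice", "ws-0421", "mail01"),
    ev("2017-11-10T09:00:10", 4624, 3, "adm_ops", "jump01", "srv01"),
    ev("2017-11-10T09:01:20", 4624, 3, "adm_ops", "jump01", "srv02"),
    ev("2017-11-10T09:02:30", 4624, 3, "adm_ops", "jump01", "srv03"),
    ev("2017-11-10T09:03:40", 4624, 3, "adm_ops", "jump01", "srv04"),
    ev("2017-11-10T09:04:50", 4624, 3, "adm_ops", "jump01", "srv05"),
    ev("2017-11-10T09:06:00", 4624, 3, "adm_ops", "jump01", "srv06"),
    ev("2017-11-10T23:02:10", 4624, 3, "adm_alice", "ws-0421", "srv01"),
    ev("2017-11-10T23:02:40", 4624, 3, "adm_alice", "ws-0421", "srv02"),
    ev("2017-11-10T23:03:05", 4625, 3, "adm_alice", "ws-0421", "srv03"),
    ev("2017-11-10T23:03:20", 4624, 3, "adm_alice", "ws-0421", "srv03"),
    ev("2017-11-10T23:03:50", 4624, 3, "adm_alice", "ws-0421", "srv04"),
    ev("2017-11-10T23:04:30", 4624, 10, "adm_alice", "ws-0421", "srv05"),
    ev("2017-11-10T23:05:10", 4624, 3, "adm_alice", "ws-0421", "srv06"),
]
KNOWN_JUMP_SERVERS = {"jump01"}          # constructed asset knowledge
EXPECTED_ADMINS = {"adm_ops"}            # accounts expected to fan out across servers
ACCOUNT_OWNER = {"alice": "Alice Rao", "adm_alice": "Alice Rao", "adm_ops": "Ops team", "bob": "Bob Lin"}


def triage_lateral_movement(events, window=timedelta(minutes=10), min_hosts=5):
    """Per-account findings for the pattern, hostname and account checks."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        # Pattern: most distinct destination hosts reached inside any sliding window.
        max_hosts = max(len({f.dst for f in evs[i:] if f.ts - e.ts <= window})
                        for i, e in enumerate(evs))
        # Pattern: a failure on a host followed later by a success on the same host.
        fail_then_success = sorted({f.dst for f in evs if f.event_id == 4625
                                    for s in evs if s.event_id == 4624 and s.dst == f.dst and s.ts > f.ts})
        from_jump_server = all(e.src in KNOWN_JUMP_SERVERS for e in evs)
        expected_admin = account in EXPECTED_ADMINS
        findings[account] = {
            "sources": sorted({e.src for e in evs}),
            "destinations": sorted({e.dst for e in evs}),
            "max_hosts_in_window": max_hosts,
            "fail_then_success": fail_then_success,
            "from_jump_server": from_jump_server,
            "expected_admin": expected_admin,
            "hours": sorted({e.ts.hour for e in evs}),  # timing context for the Relationships check
            # A fan-out is expected only from an admin working through a jump server.
            "suspicious": max_hosts >= min_hosts and not (from_jump_server and expected_admin),
        }
    return findings


def twin_accounts(accounts, owner):
    """Group accounts by person; flag people whose regular and admin accounts both appear."""
    by_person = defaultdict(set)
    for a in accounts:
        by_person[owner.get(a, a)].add(a)
    return {p: sorted(accs) for p, accs in by_person.items() if len(accs) > 1}


if __name__ == "__main__":
    findings = triage_lateral_movement(AUTH_EVENTS)
    for account, f in findings.items():
        print(account, "SUSPICIOUS" if f["suspicious"] else "ok", f)
    print("same person, regular + admin:", twin_accounts(findings, ACCOUNT_OWNER))
```

The window size and host count are assumptions for the sample; the owner mapping is the piece most environments lack and is worth building first, since the regular-plus-admin pairing is what turns "an admin logged on to six servers" into "Alice's workstation used Alice's admin account at 23:00".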
Was the staging an incident?

• Look at the volume: Is this really data being staged or just a statistical outlier?
• Look at the Hostnames: Were they involved in Lateral Movements or other risky behaviors?
• Look at the Accounts: Explore from the IP Addresses and expand to Accounts. Is this activity being conducted by the same person?
• Look at the Relationships: Is the timing consistent with this type of activity? Is there other activity occurring before or after to indicate it is normal?

Was the exfil an incident?

• Look at the volume: Is this really data being exfilled or just a statistical outlier?
• Look at the IP Addresses: Were the internal ones involved in staging or other risky behaviors? Were the external ones associated with suspicious domains or URIs? May need to explore and expand to find this.
• Look at the Accounts: Explore from the internal IP Address and expand to Accounts. Who appears to be conducting the activity, and should they be?
• Look at the Relationships: Is the timing consistent with this type of activity? Is there other activity occurring before or after to indicate it is normal?

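The staging slide and the exfil slide open with the same volume question, so one added example (not code from the deck or from Sqrrl) serves both: a robust outlier test (median and median absolute deviation over per-host daily byte totals, which a single huge day cannot skew the way a mean and standard deviation can) applied to internal-to-internal transfers grouped by destination for staging and to outbound transfers grouped by source for exfil, followed by the context pivots both slides list. All flows, addresses, domains, accounts and the prior lateral-movement finding are constructed.

```python
"""Staging / exfiltration volume triage over constructed flow records."""
from collections import defaultdict, namedtuple
from statistics import median

Flow = namedtuple("Flow", "ts src dst bytes")  # ts is "YYYY-MM-DDTHH:MM:SS"


def is_internal(ip):
    return ip.startswith("10.")  # constructed internal range


def _build_flows():
    flows = []
    workstations = ["10.1.5.23", "10.1.5.40", "10.1.7.8", "10.1.7.9"]
    for d in range(1, 15):  # 14 days of baseline, 2017-10-28 .. 2017-11-10
        day = "2017-%02d-%02d" % ((10, 27 + d) if d <= 4 else (11, d - 4))
        for i, ws in enumerate(workstations):
            # Ordinary outbound web traffic, ~40-48 MB per host-day.
            flows.append(Flow(day + "T10:%02d:00" % i, ws, "198.51.100.10",
                              40_000_000 + ((d * 7 + i * 13) % 9) * 1_000_000))
            # Ordinary internal traffic to the file server, ~10-13 MB per host-day.
            flows.append(Flow(day + "T11:%02d:00" % i, ws, "10.1.2.5",
                              10_000_000 + ((d * 5 + i * 11) % 7) * 500_000))
    # Staging: three workstations push large volumes to 10.1.5.23 late on 2017-11-09.
    for ws, size in (("10.1.5.40", 2_100_000_000), ("10.1.7.8", 1_900_000_000), ("10.1.7.9", 2_400_000_000)):
        flows.append(Flow("2017-11-09T23:41:00", ws, "10.1.5.23", size))
    # Exfil: 10.1.5.23 sends the staged data to an external host early on 2017-11-10.
    flows.append(Flow("2017-11-10T02:13:00", "10.1.5.23", "203.0.113.45", 6_400_000_000))
    return flows


FLOWS = _build_flows()
LATERAL_MOVEMENT_HOSTS = {"10.1.5.23"}   # constructed result of an earlier lateral movement hunt
IP_TO_ACCOUNT = {"10.1.5.23": "adm_alice", "10.1.5.40": "bob", "10.1.7.8": "carol", "10.1.7.9": "dave"}
DNS_LOG = [("2017-11-10T02:12:58", "10.1.5.23", "cdn-update.example.net", "203.0.113.45")]
SUSPICIOUS_DOMAINS = {"cdn-update.example.net"}  # constructed, e.g. from a beacon hunt


def daily_volume(flows, key):
    """Total bytes per (key(flow), day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(key(f), f.ts[:10])] += f.bytes
    return totals


def volume_outliers(flows, key, threshold=3.5):
    """Host-days whose total is a robust outlier: (x - median) / (1.4826 * MAD) > threshold."""
    totals = daily_volume(flows, key)
    med = median(totals.values())
    mad = median(abs(v - med) for v in totals.values()) or 1.0  # avoid division by zero
    return {k: v for k, v in totals.items() if (v - med) / (1.4826 * mad) > threshold}


def staging_outliers(flows):
    """Internal -> internal transfers, aggregated by destination (the staging point)."""
    internal = [f for f in flows if is_internal(f.src) and is_internal(f.dst)]
    return volume_outliers(internal, lambda f: f.dst)


def exfil_outliers(flows):
    """Internal -> external transfers, aggregated by source host."""
    outbound = [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]
    return volume_outliers(outbound, lambda f: f.src)


def context(host, day, flows, role):
    """The slides' follow-up questions for one flagged host-day (role: 'staging' or 'exfil')."""
    if role == "staging":
        involved = [f for f in flows if f.ts[:10] == day and f.dst == host and is_internal(f.src)]
        peers = sorted({f.src for f in involved})
    else:
        involved = [f for f in flows if f.ts[:10] == day and f.src == host and not is_internal(f.dst)]
        peers = sorted({f.dst for f in involved})
    hours = sorted({int(f.ts[11:13]) for f in involved})
    domains = {q for _t, _c, q, a in DNS_LOG if a in peers}
    return {
        "in_lateral_movement": host in LATERAL_MOVEMENT_HOSTS,
        "accounts": sorted({IP_TO_ACCOUNT.get(ip, ip) for ip in peers + [host] if is_internal(ip)}),
        "peers": peers,
        "suspicious_domains": sorted(domains & SUSPICIOUS_DOMAINS),
        "off_hours": any(h < 6 or h >= 20 for h in hours),  # timing consistent with normal work?
    }


if __name__ == "__main__":
    for (host, day), total in staging_outliers(FLOWS).items():
        print("staging?", host, day, total, context(host, day, FLOWS, "staging"))
    for (host, day), total in exfil_outliers(FLOWS).items():
        print("exfil?", host, day, total, context(host, day, FLOWS, "exfil"))
```

Grouping by destination for staging and by source for exfil is the choice that matters: the same 6.4 GB shows up once as an inbound anomaly on the staging host the evening before and once as an outbound anomaly from it the next morning, and the context pivot ties the two together through the host's lateral-movement history and the domain its external peer resolved from.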
At this point, you are investigating an incident

The steps you follow for the remaining questions are the same as for Incident Investigation:
3. What other resources were involved?
4. What activities did the adversary conduct?
5. What resources were compromised?
6. What should the next steps be?

Keep the rest of the Hunting Process Cycle in mind as you answer these questions; they will be used for the following steps.

Piece together the incident

Answering the questions requires a complete picture.

THANK YOU