Abstract Tools for Effective Threat Hunting

Posted on 15-Apr-2017


Abstract Tools for Effective Threat Hunting

Chris Sanders, Chattanooga ISSA

Chris Sanders
• Find Evil @ FireEye
• Founder @ Rural Tech Fund
• PhD Researcher
• GSE #64
• BBQ Pit Master
• Author: Practical Packet Analysis, Applied NSM

Rural Technology Fund
• Accessible Tech Education
• Measurable Impact
• $20,000 in Scholarships
• 1500 Repurposed Tech Books
• $50,000 in Equipment Donations
• Adopted Classroom
• 40 Students Impacted

FRAMING

Hunting and Expertise

Most practitioners believe that hunting is the pinnacle of security investigation experience. Only the brightest and the best are good hunters.

Tier 1 – Event Analysts
Tier 2 – Incident Responders
Tier 3 – Hunters

The Investigation Process (cycle diagram; nodes: Question, Hypothesis, Answer, Observation, Conclusion)

(Diagram) Network Security Monitoring, Hunting, Incident Response, Host Forensics, Malware Analysis

CURIOSITY

Curiosity and Experience (2x2 matrix: Curiosity (C) vs. Experience (E))
• Low C, High E: Jumpy
• High C, High E: Excels
• Low C, Low E: Apathetic
• High C, Low E: Ineffective


PIVOTS

Copyright © 2016 Applied Network Defense

Basic Pivoting (Data Source → Pivot Field → Data Source)
• Flow Data → Src/Dst IP → PCAP
• Alert → Src/Dst IP → PCAP
• PCAP → Domain → OSINT
• HTTP Proxy → Username → Windows Log


Realistic Pivoting (diagram of Data Sources and Pivot Fields)
• Data sources: Sysmon Process Logs, Bro Files, Bro HTTP Logs, DNS Logs, PCAP, Flow, OSINT
• Pivot fields: MD5 Hash, Conn ID, Domain, Resp IP
• Chain shown: Sysmon Process Logs → MD5 Hash → Bro Files → Conn ID → Bro HTTP Logs → Domain / Resp IP → DNS Logs, PCAP, Flow, OSINT

Scenario: While hunting, you’ve discovered a process whose name leads you to believe it might be malicious.

Questions:
• Is this file malicious?
• Where did this file come from?

AGGREGATIONS


Aggregations
• Query flow records for all communication on a network segment; aggregate bytes per host to produce a top talkers list.
• Query Windows service execution logs on a network segment; aggregate the unique process field, sorted by least frequent occurrence.

(Chart axis: Most Occurrences → Least Occurrences)

OBSERVATION STRATEGY


Observation Strategy

Hunting Observations: Data Driven, TTP Driven

Going from 0 to 100 in hunting revolves around making an observation that is worth digging into.

An observation strategy provides a construct to base your hunting on.


Data Driven Observations

Can I find anything in my data that looks like it doesn’t belong?

Example: HTTP Data → User Agent Field → Aggregation: Least Frequent Occurrence

1. Choose Data Type
2. Choose a Specific Field
3. Ask – What would be weird here?
4. Apply a Data Transformation
5. Repeat
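As an added example (not code from the talk), the two aggregations from the Aggregations slide and the data-driven procedure above, run in Python over constructed, tab-separated records shaped loosely like Bro/Zeek http and conn logs; the column names (orig_h, resp_h, host, user_agent, resp_p, bytes) and every value are assumptions made up for the demo:

```python
from collections import Counter, defaultdict

# Constructed sample records (not from the talk), tab-separated and shaped
# loosely like Bro/Zeek http.log and conn.log columns.
HTTP_LOG = """\
10.0.0.5\t93.184.216.34\texample.com\tMozilla/5.0 (Windows NT 10.0) Chrome/58.0
10.0.0.6\t93.184.216.34\texample.com\tMozilla/5.0 (Windows NT 10.0) Chrome/58.0
10.0.0.7\t93.184.216.34\texample.com\tMozilla/5.0 (Windows NT 10.0) Chrome/58.0
10.0.0.8\t198.51.100.9\tupdates.example.net\tMozilla/5.0 (Windows NT 10.0) Chrome/58.0
10.0.0.9\t203.0.113.77\tcdn.example.org\tpython-requests/2.13.0
10.0.0.5\t203.0.113.77\tcdn.example.org\tMozilla/5.0 (Windows NT 10.0) Chrome/58.0
"""
FLOW_LOG = """\
10.0.0.5\t93.184.216.34\t443\t120000
10.0.0.6\t93.184.216.34\t443\t4500
10.0.0.9\t203.0.113.77\t80\t980000
10.0.0.5\t198.51.100.9\t443\t30000
"""

def parse_tsv(text, fields):
    """Turn tab-separated lines into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and Bro '#' header lines
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def least_frequent(records, field, n=3):
    """Data-driven observation: values of `field` seen least often, rarest first.
    The long tail of a field such as User-Agent is where 'doesn't belong' hides."""
    counts = Counter(r[field] for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

def top_talkers(records, key_field, bytes_field, n=3):
    """Sum a numeric field per key and rank descending, e.g. bytes per host."""
    totals = defaultdict(int)
    for r in records:
        totals[r[key_field]] += int(r[bytes_field])
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    http = parse_tsv(HTTP_LOG, ["orig_h", "resp_h", "host", "user_agent"])
    flows = parse_tsv(FLOW_LOG, ["orig_h", "resp_h", "resp_p", "bytes"])
    print("Rarest user agents:", least_frequent(http, "user_agent"))
    print("Top talkers (bytes):", top_talkers(flows, "orig_h", "bytes"))
```

The same two functions apply unchanged to the Sysmon/Windows process example from the Aggregations slide: parse the process field and call least_frequent on it.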


TTP Driven Observations

Can I find any evidence of a known TTP on my network?

Suitable for things that aren’t suitable for alerting.

1. Research an Attack Type
2. Isolate Artifacts that aren’t suitable for IDS
3. Use an Analysis Technique
4. Repeat

MISE EN PLACE

Everything in Place - Basic Tenets
1. Minimize Movement
2. Waste Nothing
3. Clean as you Go
4. Be Flexible

FRIENDLY INTEL


Friendly Intel: H&P

A history and physical (H&P) is designed to collect baseline information that will help make decisions later.

For analysts, the H&P is based on systems and users.

The H&P is based on persistent observations.

Creating a Knowledgebase

INVESTIGATION THEORY: THE ANALYST MINDSET

10 Week Course, On-Demand Video Lectures, Hands-on Investigation Labs, 1:1 Instructor Feedback

Spring Sessions: January 9th, March 20th

http://chrissanders.org/training

Thank You!

Mail: chris@chrissanders.org
Twitter: @chrissanders88

Blog: chrissanders.org