Threat Hunting
© Fidelis Cybersecurity
Introduction
Justin Swisher
Threat Hunter – Fidelis
Previous Jobs:
Threat Intelligence
NSM
USAF Intelligence Analyst
Agenda
Threat Hunting Overview
Hunting with Endpoint
Hunting with Network
Questions
What is Threat Hunting?
Which is Hunting?
Discovery / Detection
Alerts
Signatures
IOCs
Artifacts
Behaviors
Patterns
TTPs
Anomalies
Outliers
Fidelis Hunting Strategy
Methodology
3 Fundamental Types of Hunting
Workflows
3 Processes for Hunting within the Types
Implementation
Hunting practices vary between individuals
The blending of "art" and "science"
“Hunting is the discovery of malicious artifacts,
activity, or detection methods not accounted for in
passive monitoring capabilities.”
Getting Started
1. Have a Framework
a) MITRE ATT&CK
b) Pyramid of Pain
2. Internal Intelligence
a) Data Sources
b) Tools
3. External Intelligence
a) Threat Research and Reporting
b) Incident Reports
4. Create a Hypothesis
(Diagram labels: Open Source, Threat Feeds, Threat Research, Internal Intel)
Frameworks
Internal Intelligence
Investigative Capabilities
Forensics Capabilities
Deployment
Data Retention
Hunting Abilities
Analytic Support
Tools
External Intelligence
Threat Intelligence Reports
Leverage TRT blogs and reports
Newly discovered vulnerabilities
CVEs
Proof of Concept code
Incident Response
Newly uncovered artifacts
Potential new patterns of activity
Hunting Workflows
Hypothesis Driven Hunting
Starts with a question
"Are adversaries doing X in my environment?"
Intelligence Driven Hunting
Starts with newly reported intelligence
Indicators, Artifacts, or Behaviors
Continuous Operational Hunting
Based on behavioral triggers
Sometimes an outcome of the other two workflows
Hypothesis Driven Hunting
Brainstorm Session:
▪ Statistical Analysis
▪ Frequency Analysis
▪ Technique/Kill Chain
Align with environment:
▪ Do we have the right tools?
▪ Do we have the visibility?
Pick 1 Hypothesis:
▪ Backlog the rest for future hunts
Hunt!
▪ Collect data (queries, scripts, etc.)
▪ Analysis: statistical, data science models, etc.
Malicious Activity
▪ Report findings
▪ Pass IOCs/Behaviors to Intelligence
No Malicious Activity
▪ Did we get the right data?
▪ Do we need different data? Find a visibility gap?
▪ Can we run this hunt again at a different time and expect new results?
Purple Team Exercise
Benefits of Hunting
Identification of attack methods
Reduced time “Actor” is in environment
Another layer of protection
What was not identified by current security stack
Provides information to build better alert rules and new procedures
Finding the Unexpected
Misconfiguration of servers for protocols/certificates
Passwords in the clear
Self-signed and other certificate situations
Circumvention of corporate DNS, Web Proxy, and Email Servers, etc.
Non-compliance with corporate policy
Illegal activity
Fidelis: The Threat Hunting Tool
Benefits
One Platform
Metrics
Scanning
Forensics
Real-Time Data Collection
Traditional Hunting Network?
Limits visibility only to network traffic
Lack of visibility to identify post-compromised behaviors
Legitimate services controlled by “actor”
Web services
Encrypted communication
Network Always Leads to Endpoint!
Hosts Involved/Compromised
Accounts
Objective
TTPs Used
Two Potential Tracks to Follow
Credential Access / Lateral Movement
Credential Theft
Golden Ticket
Event ID 4769
Remote Users
Simultaneous Logins
4624
Login type 2,3,9,10 and status success
Deception to enable hunting for credential access
Create fake admin accounts with no login privileges, alert for login attempts against that user
Lateral Movement Remote Log-on (Already Executed)
Event ID 5140
Event ID 4697 and 7045
Event 4688
Event ID 5145
PsExec
Commandline
DCOM – ATT&CK T1175
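The credential-theft slide and this lateral-movement slide name the Windows event IDs to pivot on but leave the correlation to the hunter. The following is an added example, not code from the Fidelis deck, showing how those checks run over exported event records: a simultaneous-logon check over 4624 (logon types 2, 3, 9, 10), a tripwire for the decoy admin account described under Deception, and a correlation of service installs (4697/7045) with 4688 process creations on the same host. The event records are constructed; field names follow the Windows event schemas, while `PSEXESVC` (the default service name PsExec registers) and the time windows are assumptions from outside the page.

```python
"""Windows event-log hunts for the credential-access and lateral-movement
slides. Added example; the event records below are constructed, not real
telemetry. Field names follow the Windows event schemas; hosts, accounts
and timestamps are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types the deck calls out: 2 interactive, 3 network,
# 9 new credentials (runas /netonly), 10 remote interactive (RDP).
HUNT_LOGON_TYPES = {2, 3, 9, 10}

# Decoy admin accounts with no logon rights: any attempt is a finding.
DECOY_ACCOUNTS = {"svc_backup_admin"}

# Default service name PsExec registers on the target (assumption from
# outside the page, used only to label service-install findings).
PSEXEC_SERVICE = "PSEXESVC"

# Constructed sample events (4624/4625 logons, 7045 service install, 4688 process).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-03-01 09:01:00", "Computer": "WS-042",
     "TargetUserName": "jdoe", "LogonType": 2, "WorkstationName": "WS-042"},
    {"EventID": 4624, "Time": "2024-03-01 09:02:30", "Computer": "FS01",
     "TargetUserName": "jdoe", "LogonType": 3, "WorkstationName": "WS-042"},
    {"EventID": 4624, "Time": "2024-03-01 09:03:10", "Computer": "SRV-07",
     "TargetUserName": "jdoe", "LogonType": 10, "WorkstationName": "WS-119"},
    {"EventID": 4624, "Time": "2024-03-01 11:30:00", "Computer": "WS-007",
     "TargetUserName": "asmith", "LogonType": 2, "WorkstationName": "WS-007"},
    {"EventID": 4625, "Time": "2024-03-01 09:05:00", "Computer": "DC01",
     "TargetUserName": "svc_backup_admin", "LogonType": 3, "WorkstationName": "WS-119"},
    {"EventID": 7045, "Time": "2024-03-01 09:03:40", "Computer": "SRV-07",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "Time": "2024-03-01 09:03:45", "Computer": "SRV-07",
     "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def simultaneous_logins(events, window=timedelta(minutes=5)):
    """Credential-access hunt: one account logging on (types 2/3/9/10) from
    more than one source workstation inside `window`.
    Returns {account: sorted source workstations} for accounts that trip it."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") in HUNT_LOGON_TYPES:
            by_user[e["TargetUserName"]].append((_ts(e["Time"]), e["WorkstationName"]))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            sources = {src for t, src in logons[i:] if t - t0 <= window}
            if len(sources) > 1:
                findings[user] = sorted(sources)
                break
    return findings


def decoy_account_hits(events, decoys=DECOY_ACCOUNTS):
    """Deception tripwire: any logon or Kerberos ticket event (4624, 4625,
    4768, 4769) whose target account is a decoy. The realm suffix is
    stripped so 'user@REALM' in Kerberos events still matches."""
    return [e for e in events
            if e["EventID"] in (4624, 4625, 4768, 4769)
            and e.get("TargetUserName", "").split("@")[0] in decoys]


def service_installs(events):
    """Lateral-movement hunt: every new service (Security 4697 / System 7045),
    labelled when the name matches the PsExec default."""
    return [{"host": e["Computer"], "service": e.get("ServiceName", ""),
             "image": e.get("ImagePath", ""),
             "psexec_default_name": e.get("ServiceName", "").upper() == PSEXEC_SERVICE}
            for e in events if e["EventID"] in (4697, 7045)]


def processes_after_service_install(events, window=timedelta(minutes=2)):
    """Correlate 4688 process creations with a service install on the same
    host shortly before; returns (host, subject user, command line)."""
    installs = [(e["Computer"], _ts(e["Time"]))
                for e in events if e["EventID"] in (4697, 7045)]
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        t = _ts(e["Time"])
        if any(h == e["Computer"] and timedelta(0) <= t - ti <= window
               for h, ti in installs):
            hits.append((e["Computer"], e["SubjectUserName"], e["CommandLine"]))
    return hits


if __name__ == "__main__":
    print("simultaneous logons:", simultaneous_logins(SAMPLE_EVENTS))
    print("decoy hits:", [(e["EventID"], e["WorkstationName"]) for e in decoy_account_hits(SAMPLE_EVENTS)])
    print("service installs:", service_installs(SAMPLE_EVENTS))
    print("post-install processes:", processes_after_service_install(SAMPLE_EVENTS))
```

On the constructed sample, `jdoe` trips the simultaneous-logon check (source workstations WS-042 and WS-119 inside five minutes), the 4625 against the decoy account is returned as a tripwire hit, and the `cmd.exe` creation on SRV-07 is tied to the PSEXESVC install five seconds earlier. On real data the same functions run over records exported from the Security and System logs; the windows and decoy list are the tunable parts.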
DCOM – ATT&CK T1175
Windows Distributed Component Object Model
Uses RPC (Remote Procedure Call) for network communication
Limited to Administrator privileged accounts
Can be used via
PowerShell
Office Dynamic Data Exchange
Launch processes or execute shellcode
Target Machine (screenshot): cmd used to launch calc
Thank You