Date post: 11-May-2020
Systemic Threat Hunting: Using Continuous Detection Improvement to Find Bad Things

Presenters

Joe Moles, Director Detection Operations, Red Canary (@FLYINGMONKEY127)

Jared Myers, Threat Researcher, Carbon Black (@JMYERS36)

Azeem Khan, Customer (@AZEEMNOW)

Overview

• Defining hunting

• How to use hunting to improve automation

• How to use endpoint telemetry for hunting

• Customer experience

The Threaty Threats

What is Threat Hunting?

Actively looking for anomalous activity that has not been identified by your existing toolsets by searching through various sources of data.

“the collective name for any manual or machine-assisted technique used to detect security incidents” – David Bianco

What is Threat Hunting?

The goals of threat hunting:

• Identify solid evidence indicating the presence or residual activity of attackers within a network or computing environment

• Assess your existing security and network and identify gaps

• Improve your prevention and detection coverage

Threat Hunting 101

Look for Bad Thing

Find Bad Thing

Figure Out How to Find Bad Thing Faster Next Time

But It’s All About How You Get There

Spectrum: Least Efficient ... Most Efficient

Ad hoc hunting: newest research report; I have a hunch; when you have the time

Automation: let your tools do the work for you (not what you think)

Unite Man AND Machine Together

Automation Could Change Economics

“Today’s attackers have the upper hand due to the problematic economics of computer security. Attackers have the concrete and inexpensive task of finding a single flaw to break a system. Defenders on the other hand are required to anticipate and deny any possible flaw – a goal both difficult to measure and expensive to achieve. Only automation can upend these economics.”

– Defense Advanced Research Projects Agency

Automation Magnifies (In)Efficiencies

“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency.”

“The second is that automation applied to an inefficient operation will magnify the inefficiency.”

– Bill Gates

IOCs vs. Behaviors

TTPs (Tools, Techniques, and Procedures) are the new IOCs (Indicators)

Limited number of actions attackers will take following installation

Need to have a system in place to detect these types of behaviors

Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery
--- | --- | --- | --- | ---
Accessibility Features | Accessibility Features | Exploitation of Vulnerability | Brute Force | Account Discovery
AppInit DLLs | AppInit DLLs | Bypass User Account Control | Credential Dumping | Application Window Discovery
Basic Input/Output System | Bypass User Account Control | Code Signing | Credential Manipulation | File and Directory Discovery
Bootkit | DLL Injection | Disabling Security Tools | Credentials in Files | Local Network Configuration Discovery

Credit: attack.mitre.org

Red Canary’s Approach to Hunting

Splits the difference between hunting and signature-based detection.

Collect All Endpoint Data: EDR sensor leveraged for a raw feed of endpoint telemetry.

Establish Hypothesis:

• New threat report

• Mapping current detection capabilities to the Kill Chain and the MITRE ATT&CK Matrix

• “What does this look like on the endpoint?”

Hunting: Hunt retrospectively within existing customer environments to validate the hypothesis.

Detector Development: Codify the behavior or component observations. GOAL: automatically identify this behavior in the future.

Threat Detection: Look for suspicious and malicious behaviors in aggregate. Detector = 1 behavior; RC Detection = N+1 behaviors.

BAU Triage and Investigation: Red Canary analysts review events and either 1) confirm the threat, 2) perform a one-time hide, or 3) granularly suppress events like this moving forward.

Persistence #449: AUTORUN-REG-SHELL

Modification of known Windows registry keys that will trigger an application to start at boot or user login, by unsigned binaries; http://technet.microsoft.com/en-us/magazine/ee851671.aspx

registry modification of <autorun keys>
+ spawns process of known <scripts / shells>

Known scripts / shells: cmd.exe, wscript.exe, powershell.exe, reg.exe, cscript.exe … and many more

Autorun keys: \control panel\desktop\scrnsave.exe; shellex\contextmenuhandlers; \software\classes\allfilesystemobjects\shellex\contextmenuhandlers … and many many more

What if I want to detect

Privilege Escalation #370: CROSSPROC-POWERSHELL-TO-LSASS

Possible credential stealing via Mimikatz, Metasploit or a similar attack tool.

process named (or is) ‘powershell.exe’
+ makes a remote thread / open thread call to a process named ‘lsass.exe’

We want to see PowerShell or any renamed versions of PowerShell.

What if I want to detect

Lateral Movement #587: REMOTE-POWERSHELL-CROSSPROC

Looks for a remote PowerShell instance (wsmprovhost.exe) cross process; this would be indicative of a user remotely running certain PowerShell post-exploitation tools. Testing yields very few FPs in the wild.

parent process is ‘svchost.exe’
+ process name is ‘wsmprovhost.exe’
+ makes a remote thread / open thread call
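The three detectors above, together with the “Detector = 1 behavior, Detection = N+1 behaviors” aggregation from the Red Canary approach slide, as an added example written for this page (not Red Canary’s or Carbon Black’s own code). The event schema (type, host, pid, proc, orig_name, parent, signed, key, child, action, target) and the sample telemetry are constructed assumptions; the renamed-PowerShell case is handled by matching the PE’s original file name rather than the on-disk process name.

```python
# Event field names (type, host, pid, proc, orig_name, parent, signed, key, child,
# action, target) are assumed for this example; real EDR schemas differ.
from collections import defaultdict

AUTORUN_KEYS = (r"\control panel\desktop\scrnsave.exe", r"\shellex\contextmenuhandlers")
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "reg.exe"}
THREAD_CALLS = {"remote_thread", "open_thread"}

def is_powershell(ev):
    # Match on the PE's original file name so a renamed powershell.exe still hits.
    return ev["proc"] == "powershell.exe" or ev.get("orig_name", "").lower() == "powershell.exe"

def autorun_reg_shell(events):
    """#449: an unsigned process writes an autorun key and then spawns a known shell."""
    writers = {(e["host"], e["pid"]) for e in events if e["type"] == "regmod"
               and not e["signed"] and any(k in e["key"].lower() for k in AUTORUN_KEYS)}
    return [e for e in events if e["type"] == "childproc"
            and (e["host"], e["pid"]) in writers and e["child"] in SHELLS]

def crossproc_powershell_to_lsass(events):
    """#370: PowerShell (renamed or not) opens a thread in lsass.exe."""
    return [e for e in events if e["type"] == "crossproc" and is_powershell(e)
            and e["target"] == "lsass.exe" and e["action"] in THREAD_CALLS]

def remote_powershell_crossproc(events):
    """#587: wsmprovhost.exe under svchost.exe makes a cross-process thread call."""
    return [e for e in events if e["type"] == "crossproc" and e["proc"] == "wsmprovhost.exe"
            and e["parent"] == "svchost.exe" and e["action"] in THREAD_CALLS]

DETECTORS = {"AUTORUN-REG-SHELL": autorun_reg_shell,
             "CROSSPROC-POWERSHELL-TO-LSASS": crossproc_powershell_to_lsass,
             "REMOTE-POWERSHELL-CROSSPROC": remote_powershell_crossproc}

def detect(events):
    """Detector = 1 behavior; a detection is every behavior seen on one host."""
    per_host = defaultdict(set)
    for name, fn in DETECTORS.items():
        for hit in fn(events):
            per_host[hit["host"]].add(name)
    return {h: sorted(b) for h, b in per_host.items()}

EVENTS = [  # constructed sample telemetry, not real data
    {"type": "regmod", "host": "ws1", "pid": 40, "signed": False, "key": r"HKCU\Control Panel\Desktop\SCRNSAVE.EXE"},
    {"type": "childproc", "host": "ws1", "pid": 40, "child": "cmd.exe"},
    {"type": "crossproc", "host": "ws1", "pid": 51, "proc": "svc.exe", "orig_name": "PowerShell.EXE",
     "parent": "explorer.exe", "action": "open_thread", "target": "lsass.exe"},
    {"type": "crossproc", "host": "srv2", "pid": 7, "proc": "wsmprovhost.exe", "parent": "svchost.exe",
     "action": "remote_thread", "target": "lsass.exe"},
    {"type": "crossproc", "host": "srv3", "pid": 9, "proc": "powershell.exe", "parent": "explorer.exe",
     "action": "open_thread", "target": "notepad.exe"},  # benign: target is not lsass.exe
]
```

Running `detect(EVENTS)` groups the two behaviors seen on ws1 into one detection and leaves srv3, where PowerShell touched a process other than lsass.exe, with no hit.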

Proper Visibility

Proper visibility is the right combination of people and tools.

• You need to equip your personnel with the right tools, which provide visibility into the different channels

• Tools will augment your analysts, not replace them

Adaptive Hunting

Understand what is normal in your environment

Get into a collection and analysis cycle

Then look for anomalies and outliers

Hunt for characteristics of attacks

When hunting, don’t just look at IOCs… look past them as well.

• Shift away from a narrowly focused approach

• Vet your sources

• Extract more from IOCs

• Understand what is relevant to you

Implementing Threat Hunting in the Real World

Stages: PRE-DEPLOYMENT, DEPLOYMENT, OPERATIONAL

PRE-DEPLOYMENT STAGE

Visibility: Lacked organizational knowledge, limited collection of endpoint data

Detection: Notified by an alert or by end users

Triage: Ineffective, time-consuming, and lacked enterprise-level scalability

Remediation: Required physical access, no remote remediation, re-building systems

Retrospection: No central database to search and review traces of previous instances

Hardening: Difficult to accomplish without knowing the root cause of the compromise

Integration: Many different tools but no integration among them

Hunting: Reactive, usually in response to an incident, firefighting

DEPLOYMENT

Visibility: Continuous collection and access to endpoint data, everything recorded

Detection: Auto processing of IOCs, helpful in identifying known-bad

Triage: Significant capability, quick enterprise-wide search, determine the scope and severity and prioritize

Remediation: Ability to remediate remote systems, less re-building

Retrospection: Much better awareness of the environment but still not going beyond detection

Hardening: Started seeing patterns, help standardize approved applications/tools

Integration: Much better than the pre-deployment stage but still needed improvement

Hunting: Under-utilized due to lack of resources and inability to properly consume data; something bad happens, we review Carbon Black: reactive

OPERATIONAL

Visibility: Still continuous collection but now being reviewed and processed by experts

Detection: Provides fast and accurate threat information which has already been investigated by a Red Canary analyst and requires specific action on our end

Triage: Provides the complete scope of the incident, which significantly reduces the time between identification and remediation

Remediation: From guidance received from Red Canary, able to conduct proper remediation

Retrospection: Utilize the Red Canary portal to identify trends and measure effectiveness; take a closer look at other existing tools and identify opportunities for tuning

Hardening: Continue to review and improve our processes and configurations

Integration: Leveraging integration between SIEM and incident tracking system

Hunting: Going beyond detection by combining Carbon Black technology and Red Canary expertise; efficient implementation of threat hunting allows us to identify/close security gaps and better align our priorities and roadmap items

Tracking Your Hunting Success

Critical to measure your hunting effectiveness. Quarterly:

• What were the results of your hunts?

• What new understanding do you have of your environment?

• How did you automate parts of previous hunts?

Is your team on the hunt?

Drive your team to improve:

• Red team pop quiz

• Threat bounty

• Schedule time, aka hunting season

Thank You

