Threat Hunting in Windows – Are You Hunting or Being Hunted?

Date post: 08-Feb-2017
Upload: beyondtrust
Page 1: Threat Hunting in Windows – Are You Hunting or Being Hunted?

Threat Hunting in Windows – Are You Hunting or Being Hunted?

by Dr. Eric Cole

© 2017 Secure Anchor Consulting. All rights reserved.

Page 2

© 2015 The SANS™ Institute – www.sans.org

Threat Landscape

Today, three absolute facts are relevant when it comes to security:

1) An organization cannot prevent all attacks;
2) An organization’s network is going to be compromised;
3) 100% security does not exist.

Threat hunting is the act of aggressively tracking and eliminating cyber adversaries from your network as early as possible.

Page 3

Introduction

If attackers compromised your Windows systems, how would you know?

Threat hunting focuses on:

• Gaining better visibility into the organization’s weaknesses
• Providing early and accurate detection
• Controlling damage
• Tracking activity and looking for anomalies
• Obtaining better visibility into key activities

Page 4

Goals of Threat Hunting

• To provide early and accurate detection
• To control and reduce impact and damage with faster response
• To improve defenses to make successful attacks increasingly difficult
• To gain better visibility into the organization’s weaknesses by monitoring Windows activity

Page 5

Why We Need to Hunt

Traditional security methods (such as antivirus, network IDSes and firewalls) can’t catch today’s advanced targeted threats because such threats work around security controls.

Threat hunting includes the following activities:

• Understanding the threats
• Identifying critical data and business processes utilizing that data
• Distinguishing good from bad behavior
• Leveraging threat intelligence for discovery, detection and analysis
• Analyzing all this data, along with vulnerability data and other sources of network/endpoint behaviors, for anomalies that are both “known bad” and never before seen
• Looking for anomalies, learning abnormal behavior and understanding the network

Page 6

Search and Detect: How Well Do You Know Your Windows System?

Understanding activity and profiles is critical to pursuing your adversary via the hunt cycle. There are two approaches:

• Searching for known threats by gathering existing IoCs or other tactical details, such as the signature of an attack. Implement techniques to harvest data from your critical assets (e.g., search for a specific malicious binary hash or for a command and control URL in a network flow database).
• Detecting unknown threats. This type of advanced hunting is challenging due to a lack of intelligence to spark the investigation. Confirm baselines of normal activity over time so you know what deviations from the norm look like. If you do not have a set of baselines, look for deviations from known or historic behavior.
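The two approaches on this slide, as an added example that is not part of the original deck and not the author's or any product's code: a small Python script that runs the known-threat search (matching each record against a set of IoCs, here a file hash and a command-and-control host) and the unknown-threat detection (flagging records that deviate from a baseline of historic parent/child and user/image pairs) over constructed Windows process-creation records. The host name, user, hashes and C2 host are all constructed placeholders.

```python
"""Added example, not from the slides: the two approaches on the
"Search and Detect" slide applied to constructed Windows process-creation
records. Known-threat search matches each record against a set of IoCs
(file hash, command-and-control host); unknown-threat detection flags
records that deviate from a baseline of historic behaviour. Every hash,
host and user below is a constructed placeholder."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields a Sysmon/4688-style log provides)."""
    host: str       # endpoint that produced the record
    user: str       # account the process ran as
    image: str      # executed binary (short name here; real logs carry full paths)
    parent: str     # parent process image
    sha256: str     # hash of the executed binary
    dest_host: str  # remote host the process contacted, "" if none


# ---- Approach 1: search for known threats using tactical IoCs ------------
KNOWN_BAD_HASHES = {"deadbeef" * 8}          # constructed placeholder hash
KNOWN_C2_HOSTS = {"c2.example.invalid"}      # constructed placeholder C2 host


def match_iocs(events):
    """Return (event, reason) pairs for records matching a known IoC."""
    hits = []
    for e in events:
        if e.sha256 in KNOWN_BAD_HASHES:
            hits.append((e, "known-bad hash"))
        if e.dest_host in KNOWN_C2_HOSTS:
            hits.append((e, "known C2 host"))
    return hits


# ---- Approach 2: detect unknown threats as deviations from a baseline ----
def build_baseline(events):
    """Learn which parent->child and user->image pairs are normal.

    Built from a learning window of historic records; when no curated
    baseline exists, this is the "deviation from historic behaviour" the
    slide suggests falling back on."""
    return {
        "parent_child": {(e.parent, e.image) for e in events},
        "user_image": {(e.user, e.image) for e in events},
    }


def find_deviations(baseline, events):
    """Return (event, [reasons]) for records never seen in the baseline."""
    findings = []
    for e in events:
        reasons = []
        if (e.parent, e.image) not in baseline["parent_child"]:
            reasons.append(f"never-seen parent/child {e.parent} -> {e.image}")
        if (e.user, e.image) not in baseline["user_image"]:
            reasons.append(f"{e.user} has never run {e.image}")
        if reasons:
            findings.append((e, reasons))
    return findings


# ---- Constructed sample data ---------------------------------------------
BASELINE_EVENTS = [  # learning window: ordinary activity on host WS01
    ProcEvent("WS01", "alice", "outlook.exe", "explorer.exe", "a" * 64, ""),
    ProcEvent("WS01", "alice", "winword.exe", "explorer.exe", "b" * 64, ""),
    ProcEvent("WS01", "SYSTEM", "svchost.exe", "services.exe", "c" * 64, ""),
    ProcEvent("WS01", "alice", "powershell.exe", "explorer.exe", "d" * 64, ""),
]

HUNT_EVENTS = [  # hunt window: three of the four records should be flagged
    ProcEvent("WS01", "alice", "outlook.exe", "explorer.exe", "a" * 64, ""),
    ProcEvent("WS01", "alice", "powershell.exe", "winword.exe", "d" * 64, ""),
    ProcEvent("WS01", "SYSTEM", "svchost.exe", "services.exe", "c" * 64,
              "c2.example.invalid"),
    ProcEvent("WS01", "alice", "updater.exe", "explorer.exe", "deadbeef" * 8, ""),
]


def hunt(baseline_events, hunt_events):
    """Run both approaches and return a list of human-readable findings."""
    report = []
    for e, reason in match_iocs(hunt_events):
        report.append(f"[known]   {e.host} {e.user} {e.image}: {reason}")
    baseline = build_baseline(baseline_events)
    for e, reasons in find_deviations(baseline, hunt_events):
        report.append(f"[unknown] {e.host} {e.user} {e.image}: " + "; ".join(reasons))
    return report


if __name__ == "__main__":
    for line in hunt(BASELINE_EVENTS, HUNT_EVENTS):
        print(line)
```

The IoC search catches only what intelligence already names (the hash and the C2 host); the baseline comparison is what surfaces the record no feed describes, an office application spawning a shell the user normally launches from the desktop. In practice the learning window must be long enough to cover legitimate but infrequent activity, or the second approach drowns the hunter in benign deviations.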

Page 7

Metrics of the Hunt

Organizations need to report in clear metrics a measurable reduction in risk that ties to their preparation, response and follow-up in the threat hunt cycle.

• Fewer actual breaches
• Reduced attack surface/system hardening improvements
• Shorter dwell time (the time between when an attacker first gains unauthorized access and when the bad actor is removed from the network)
• Minimization and reduction of unauthorized lateral movement between internal systems
• Reduction of exposure by finding and stopping threats before they gain a foothold

Page 8

Keys to a Successful Hunt

In many large organizations, hunting for breaches is like looking for a needle in a haystack.

The basic methodology of a successful hunting program includes the following:

• Augmenting humans with tools and automation across all areas of the hunt chain
• Segmenting and de-scoping the area of analysis
• Having focused goals
• Limiting the search (a narrow, deep search is better than a broad, shallow one)
• Recording metrics that demonstrate business-relevant gains, such as reduced time to contain and mitigate

Page 9

Evolving the Hunt

Because adversaries continue to change their patterns, the hunting process must do the following:

• Adapt to changes in behaviors and learn how the adversary works.
• Watch all behaviors of the adversary, including known good, known bad and unknown or unclassified behaviors. Looking for anomalies that deviate from normal behavior can help detect unknown or previously unseen hostile activity.
• Identify adverse activity, track it, and alert administrators to the suspicious activity.
• Contain and control the damage by identifying attackers’ lateral movements and removing infected systems from the network.

Page 10

Conclusion

Properly automated threat hunting could have kept many of the organizations that suffered widely publicized breaches out of the news by minimizing their exposure time.

A typical checklist that organizations can use to start an ongoing hunt includes the following:

• Identifying the data or information most critical to your organization
• Determining which business processes utilize or access this information
• Identifying all of the systems and networks that support key business processes
• Acquiring tools that can help with the correlation and analysis required for proper hunting
• Gathering information about the traffic flowing to the key systems and networks
• Gathering information about the operations of servers
• Utilizing threat intelligence to understand the threats and exposures to the organization
• Utilizing tools to perform automated analysis of normal behavior and attack behavior
• Filtering the output of the tools
• Responding appropriately to high-risk alerts

Page 11

Thank You for Your Time!

Dr. Eric Cole
Twitter: drericcole
www.securityhaven.com

Page 12

PowerBroker for Windows

Least Privilege and Application Control for Windows Servers and Desktops

Page 13

Summary: Why PowerBroker for Windows?

Deep capability
• Asset discovery, application control, risk compliance, Windows event log monitoring included
• Optional: Session monitoring, file integrity monitoring

Mature, patented leader
• U.S. Patent (No. 8,850,549) for the methods and systems employed for controlling access to resources and privileges per process

Centralized reporting, analytics and management
• Tightly integrated with vulnerability management
• Deep reporting and analytics insights for compliance and operations

Part of a broad solution family
• Privilege and session management on Unix, Linux and Windows
• Privileged password and session management
• Integrate Linux, Unix, and Mac OS X with Microsoft AD
• Real-time auditing of AD, File System, Exchange & SQL

Validated by customers and analysts alike

Page 14

Your solution should:

• Elevate privileges to applications, not users, on an as-needed basis without exposing passwords
• Enforce least-privilege access based on an application’s known vulnerabilities
• Track and control applications with known vulnerabilities or malware to further protect endpoints
• Monitor event logs and file integrity for unauthorized changes to key files and directories
• Capture keystrokes and screens when rules are triggered, with searchable playback

Page 15

Product Demonstration

Page 16

Poll

Page 17

Thank you for attending today’s webinar!