Posted: 08-Feb-2017 | Category: Software | Uploaded by: beyondtrust
Threat Hunting in Windows – Are You Hunting or Being Hunted?
by Dr. Eric Cole
© 2017 Secure Anchor Consulting. All rights reserved.
© 2015 The SANS™ Institute – www.sans.org
Threat Landscape
Today, three absolute facts are relevant when it comes to security: 1) an organization cannot prevent all attacks; 2) an organization’s network is going to be compromised; 3) 100% security does not exist.
Threat hunting is the act of aggressively tracking and eliminating cyber adversaries from your network as early as possible.
Introduction
If attackers compromised your Windows systems, how would you know?
Threat hunting focuses on:
• Gaining better visibility into the organization’s weaknesses
• Providing early and accurate detection
• Controlling damage
• Tracking activity and looking for anomalies
• Obtaining better visibility into key activities
Goals of Threat Hunting
• To provide early and accurate detection
• To control and reduce impact and damage with faster response
• To improve defenses to make successful attacks increasingly difficult
• To gain better visibility into the organization’s weaknesses by monitoring Windows activity
Why We Need to Hunt
Traditional security methods (such as antivirus, network IDSes and firewalls) can’t catch today’s advanced targeted threats because such threats work around security controls.
Threat hunting includes the following activities:
• Understanding the threats
• Identifying critical data and business processes utilizing that data
• Distinguishing good from bad behavior
• Leveraging threat intelligence for discovery, detection and analysis
• Analyzing all this data, along with vulnerability data and other sources of network/endpoint behaviors, for anomalies that are both “known bad” and never before seen
• Looking for anomalies, learning abnormal behavior and understanding the network
Search and Detect: How Well Do You Know Your Windows System?
Understanding activity and profiles is critical to pursuing your adversary via the hunt
cycle. There are two approaches:
• Searching for known threats by gathering existing IoCs or other tactical details,
such as the signature of an attack. Implement techniques to harvest data from
your critical assets (e.g., search for a specific malicious binary hash or for a
command and control URL in a network flow database).
• Detecting unknown threats. This type of advanced hunting is challenging due
to a lack of intelligence to spark the investigation. Confirm baselines of normal
activity over time so you know what deviations from the norm look like. If you do
not have a set of baselines, look for deviations from known or historic behavior.
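The two approaches above, as an added example that is not part of the original deck: a known-threat search that matches flow records against tactical indicators (a binary hash and a command-and-control host), and an unknown-threat hunt that flags host-to-destination pairs never seen in a baseline period. All flow records, hashes and hostnames are constructed placeholders.

```python
# Added example (not from the original deck): both hunt approaches over constructed flow records.
# Each record is a simplified endpoint/network-flow event: the host, the destination it contacted,
# and the SHA-256 of the process that opened the connection. All values are constructed placeholders.

BASELINE_FLOWS = [  # constructed "normal" period used to learn what each host usually talks to
    {"host": "ws01", "dst": "intranet.example.test", "sha256": "0b0b"},
    {"host": "ws01", "dst": "update.example.test", "sha256": "0b0b"},
    {"host": "ws02", "dst": "intranet.example.test", "sha256": "0b0b"},
    {"host": "fs01", "dst": "backup.example.test", "sha256": "0c0c"},
]

NEW_FLOWS = [  # constructed records from the period being hunted
    {"host": "ws01", "dst": "intranet.example.test", "sha256": "0b0b"},
    {"host": "ws02", "dst": "c2.badhost.test", "sha256": "0b0b"},          # matches a known C2 host
    {"host": "fs01", "dst": "backup.example.test", "sha256": "deadbeef"},  # matches a known-bad hash
    {"host": "ws01", "dst": "203.0.113.7", "sha256": "0b0b"},              # no IoC, but never seen from ws01
]

# Tactical indicators (constructed): a malicious binary hash and a command-and-control host.
KNOWN_BAD_HASHES = {"deadbeef"}
KNOWN_C2_HOSTS = {"c2.badhost.test"}


def hunt_known(flows, bad_hashes=KNOWN_BAD_HASHES, c2_hosts=KNOWN_C2_HOSTS):
    """Search for known threats: match each flow against IoCs. Returns (host, indicator type, value)."""
    hits = []
    for f in flows:
        if f["sha256"] in bad_hashes:
            hits.append((f["host"], "hash", f["sha256"]))
        if f["dst"] in c2_hosts:
            hits.append((f["host"], "c2", f["dst"]))
    return hits


def build_baseline(flows):
    """Record the set of destinations each host contacted during the baseline period."""
    baseline = {}
    for f in flows:
        baseline.setdefault(f["host"], set()).add(f["dst"])
    return baseline


def hunt_unknown(flows, baseline):
    """Detect unknown threats: flag host->destination pairs that deviate from the host's baseline.
    Indicator-matched flows also surface here, since they deviate from the norm as well."""
    return [(f["host"], f["dst"]) for f in flows if f["dst"] not in baseline.get(f["host"], set())]


if __name__ == "__main__":
    print("known-threat hits:", hunt_known(NEW_FLOWS))
    print("deviations from baseline:", hunt_unknown(NEW_FLOWS, build_baseline(BASELINE_FLOWS)))
```

The IoC match finds only what you already know to look for; the baseline comparison is what surfaces the connection to 203.0.113.7, which no indicator describes.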
Metrics of the Hunt
Organizations need to report in clear metrics a measurable reduction in
risk that ties to their preparation, response and follow-up in the threat
hunt cycle.
• Fewer actual breaches
• Reduced attack surface/system hardening improvements
• Shorter dwell time (the time between when an attacker first gains unauthorized access and when the bad actor is removed from the network)
• Minimization and reduction of unauthorized lateral movement between internal systems
• Reduction of exposure by finding and stopping threats before they gain a foothold
Keys to a Successful Hunt
In many large organizations, hunting for breaches is like looking for a needle in a haystack.
The basic methodology of a successful hunting program includes the following:
• Augmenting humans with tools and automation across all areas of the hunt chain
• Segmenting and de-scoping the area of analysis
• Having focused goals
• Limiting the scope of the search (a deep search beats a broad one)
• Recording metrics that demonstrate business-relevant gains, such as reduced time to contain and mitigate
Evolving the Hunt
Because adversaries continue to change their patterns, the hunting process
must do the following:
• Adapt to changes in behaviors and learn how the adversary works.
• Watch all behaviors of the adversary, including known good, known bad and unknown
or unclassified behaviors. Looking for anomalies that deviate from normal behavior
can help detect unknown or previously unseen hostile activity.
• Identify adverse activity, track it, and alert administrators to the suspicious activity.
• Contain and control the damage by identifying attackers’ lateral movements and
removing infected systems from the network.
Conclusion
Properly automated threat hunting could have kept many of the
organizations that suffered widely publicized breaches out of the news
by minimizing their exposure time.
A typical checklist that organizations can use to start an ongoing hunt includes
the following:
• Identifying the data or information most critical to your organization
• Determining which business processes utilize or access this information
• Identifying all of the systems and networks that support key business processes
• Acquiring tools that can help with the correlation and analysis required for proper hunting
• Gathering information about the traffic flowing to the key systems and networks
• Gathering information about the operations of servers
• Utilizing threat intelligence to understand the threats and exposures to the organization
• Utilizing tools to perform automated analysis of normal behavior and attack behavior
• Filtering the output of the tools
• Responding appropriately to high-risk alerts
Thank You for Your Time!
Dr. Eric Cole | Twitter: drericcole
www.securityhaven.com
PowerBroker for Windows
Least Privilege and Application Control for Windows Servers and Desktops
Summary: Why PowerBroker for Windows?
Deep capability:
• Asset discovery, application control, risk compliance, Windows event log monitoring included
• Optional: Session monitoring, file integrity monitoring
Mature, patented leader:
• U.S. Patent (No. 8,850,549) for the methods and systems employed for controlling access to resources and privileges per process
Centralized reporting, analytics and management:
• Tightly integrated with vulnerability management
• Deep reporting and analytics insights for compliance and operations
Part of a broad solution family:
• Privilege and session management on Unix, Linux and Windows
• Privileged password and session management
• Integrate Linux, Unix, and Mac OS X with Microsoft AD
• Real-time auditing of AD, File System, Exchange & SQL
Validated by customers and analysts alike
Your solution should:
• Elevate privileges to applications, not users, on an as-needed basis without exposing passwords
• Enforce least-privilege access based on an application’s known vulnerabilities
• Track and control applications with known vulnerabilities or malware to further protect endpoints
• Monitor event logs and file integrity for unauthorized changes to key files and directories
• Capture keystrokes and screens when rules are triggered, with searchable playback
Product Demonstration
Poll
Thank you for attending today’s webinar!