This deck covers what threat hunting is and how to perform it. Traditional detection systems are being bypassed, so we need a modern approach to detect and respond to modern-day threats.
The full demo is available on YouTube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
2. AKASH SARODE @AKKY2892
Threat Hunter
Security researcher
Twitter - @Akky2892
Blog – https://akkysanj.wordpress.com
Github - https://github.com/akky2892
Creator of NoMoreMalware and HuntIT.
Author of multiple whitepapers: Machine Learning - Learning Cybersecurity; Threat Hunting - Hunter or Hunted; Analysis Using Analytics in Cybersecurity.
Previous Training – Machine learning : The Future.
3. COURSE DESCRIPTION
Introduction to Threat Hunting
Threat Hunting Terminology
Threat Intelligence and IOC
Hunting methodology
Threat hunting - Network, Endpoint level
Operationalizing & Automating Threat hunting
Use case of Real-time Threat Hunting
Research & Resources
Further study and Road Ahead
4. COURSE INDEX
1. Introduction to Threat Hunting
• Threat hunting in Cyberworld
• Why to perform threat hunting
2. Terminologies in hunting
3. Introducing Threat Intelligence
• Threat Intelligence and Threat Hunting = Intelligent hunting
• Indicators of Compromise IOC
4. Threat Hunting methodology
• Threat hunting process & Threat Hunting loop
• Threat Hunting techniques
• Pyramid of pain
• Hunting Maturity model
5. COURSE INDEX
5. Network hunting and Endpoint hunting
• Hunting Webshells
• Hunting malware
• Network traffic hunting
6. Using MITRE ATT&CK framework
• Sigma rules for threat hunting
7. Threat Hunting using SIEM
8. Examples of Threat hunting hunts
9. Real World Hunting Process
10. Machine Learning & Threat Hunting – Advanced hunting
11. Threat Hunting Resources
12. Conclusion
• Red Teamer cyber kill chain vs Blue teamer defense chain
6. INTRODUCTION TO THREAT HUNTING
The process of proactively and iteratively searching through networks to detect and isolate
advanced threats that evade existing security solutions.
My definition – Finding stuff.
Threat hunting is not a technology but an approach.
A data-driven approach rather than the traditional alert-driven approach.
Applying our knowledge effectively to look for anomalies in the environment.
Two ways to perform hunting –
Manual
Automated/Machine-assisted
8. THREAT HUNTING IN CYBERWORLD
In the cyber world, attackers are getting smarter day by day.
Modern-day attacks cannot be prevented or detected by alerts generated from a SIEM alone.
Need of the hour: a next-generation detection approach.
Hunting is not tool dependent; it is people dependent.
Machine learning can help to a certain extent, but manual intervention in triage is always required.
Instead of reacting to attacks, let's start proactively looking for threats before the attack happens.
9. WHY PERFORM THREAT HUNTING
An alert-driven approach is not sufficient.
A hypothesis-driven approach is the future.
Dependency on a single tool should be removed; hunting can be performed with any tool that exposes the data.
Benefits: continuous improvement in detection capabilities, and finding unknown malicious activity that produced no alert.
10. TERMINOLOGIES IN THREAT HUNTING
SIEM - Security Information & Event Management
IOC - Indicator of Compromise (a file hash, IP address, domain, URL or other artifact of a known attack)
TTP - Tactics, Techniques & Procedures (how an adversary operates, independent of any single artifact)
IR - Incident Response
EDR - Endpoint Detection and Response
UEBA - User and Entity Behavior Analytics
BIOC - Behavioral Indicator of Compromise (a pattern of activity, e.g. rundll32.exe making an outbound network connection, rather than a fixed artifact)
11. THREAT INTELLIGENCE
Threat intelligence is received as feeds of indicators: URLs, file hashes, domains, IP addresses, etc.
It can be used to perform intelligence-driven hunting.
IOCs for an attack or threat are published by various research companies.
Sources:
articles,
security news,
new public APT reports,
Twitter
12. THREAT INTELLIGENCE
BIOC - behavioral indicators, which outlast atomic IOCs because an adversary changes tools and infrastructure far more easily than behavior.
Threat hunting is more effective with good intel.
The threat intel team proposes new intel, the CIRT team builds hypotheses and creates detections based on it, and the threat hunting team hunts with or without intel.
Sources and formats on the market: Cisco Talos, Palo Alto Unit 42, Cylance and AlienVault OTX publish intel; MISP is a platform for sharing it; YARA rules are one way to package it.
Threat Intelligence + Threat Hunting = Intelligent Hunting
13. THREAT HUNTING METHODOLOGY
Different methods to perform threat hunting.
We will be explaining the following –
Threat Hunting process
Threat Hunting loop
Pyramid of pain
Hunting Maturity model
ATT&CK for hunts
Hunt or be Hunted
14. THREAT HUNTING PROCESS
Ways of hunting:
Manual - the analyst continuously looks for anything that could be evidence or an indicator of intrusion.
It is important for the threat hunter to keep current on the latest security research.
Automated/machine-assisted - the analyst uses software that leverages machine learning and UEBA to surface potential risks.
• It helps in providing predictive and prescriptive analytics.
15. THREAT HUNTING PROCESS
Hypothesis-driven approach
What is a hypothesis?
An assumption about attacker behavior: an actionable use case based on observations, intelligence, and experience.
Three types of hypotheses:
Analytics-driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"[5]
Situational-awareness driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"[5]
Intelligence-driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"[
A hypothesis can be developed from any public APT report, Twitter, security news, articles, etc.
18. THREAT HUNTING TECHNIQUES
Searching - use of specialized queries that return results and artifacts; you must already know what you are looking for.
Clustering - an unsupervised machine-learning technique that groups similar data points across a large data set, so outliers (points that fall in no cluster) stand out.
Grouping - grouping artifacts that share a property (same host, same user, same time window) to identify anomalies within the group.
Stack counting - count how many times each unique value of a column occurs and sort the result; a process image, file path or user agent seen once across the whole estate is rare, and rarity is suspicious.
21. MITRE ATT&CK FRAMEWORK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
It is organized as TTPs: tactics (the adversary's goal), techniques (how that goal is achieved) and procedures (specific implementations observed in the wild).
MITRE has also released a companion project, CAR (Cyber Analytics Repository), with analytics written against ATT&CK techniques.
The MITRE team has catalogued the adversary behaviors and attack vectors carried out on a victim machine.
The tactics (initial access, execution, persistence, privilege escalation, and so on through exfiltration) roughly correspond to the phases of the cyber kill chain.
23. SIGMA RULES FOR THREAT HUNTING
Sigma is a generic signature format for SIEM systems written by Florian Roth (@Neo23x0) and Thomas Patzke.
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
Sigma is for log files what Snort is for network traffic and YARA is for files.
Sigma rules carry ATT&CK tags (e.g. attack.t1003 for credential dumping), so hunts written as Sigma rules map back to techniques.
To use Sigma for threat hunting in a SIEM, refer to the Sigma-to project:
https://github.com/akky2892/Sigma-to
24. HUNTING WEBSHELLS
A web shell is a script written in a language the target web server supports, uploaded to the server to give the attacker remote command execution.
Mostly written in PHP or ASP.
Multiple attack techniques can be used to plant a web shell: unrestricted file upload, RFI/LFI, SQL injection (e.g. writing a file via INTO OUTFILE), exploitation of a vulnerable web application & many more...
Popular web shells: C99, R57, etc.
Let's hunt it!
25. HUNTING WEBSHELLS - KEYWORDS
First way of hunting web shells: look for references to suspicious keywords within files on the web server, e.g. eval() or cmd.exe.
For Linux:
Under the /var/www/html directory, search for any PHP files containing suspicious functions:
find . -type f -name '*.php' -print0 | xargs -0 grep -El "(fsockopen|mail|exec|eval|system|base64_decode)"
For Windows:
Use PowerShell to search in a similar way:
Get-ChildItem -Recurse -Include *.php | Select-String -Pattern "(fsockopen|mail|exec|eval|system|base64_decode)" | ForEach-Object { $_.Filename } | Sort-Object -Unique
Expect false positives: mail() and exec() appear in legitimate code, so review each hit rather than treating it as a shell.
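The same keyword hunt carried one step further, as an added example (not code from the deck): each file is scored instead of simply matched, decoder-into-eval chains and long base64 blobs are flagged, and the script checks whether request input reaches a dangerous call. The sample web root, file names and scoring weights are constructed for the example; a real hunt would point scan_webroot() at /var/www/html or C:\inetpub\wwwroot.

```python
"""Scored keyword and pattern hunt for web shells across a web root.

Added example, not from the original deck. The sample files below are
constructed so the script runs offline; scoring weights are assumptions.
"""
import os
import re
import tempfile

# Functions commonly abused by PHP web shells (superset of the grep list above).
SUSPICIOUS_CALLS = re.compile(
    r"\b(fsockopen|mail|exec|shell_exec|passthru|system|popen|proc_open|"
    r"eval|assert|base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
    re.IGNORECASE,
)
# Decoder feeding straight into an executor: eval(base64_decode(...)) and friends.
OBFUSCATED_EXEC = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
    re.IGNORECASE,
)
# A base64-looking literal of 200+ characters is a typical payload carrier.
LONG_BASE64 = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
# Attacker-controlled input in PHP ($_GET etc.) or classic ASP (Request(...)).
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\bRequest\s*[.(]", re.IGNORECASE)
# ASP shells usually spawn commands through WScript.Shell.
WSCRIPT_SHELL = re.compile(r"CreateObject\s*\(\s*[\"']WScript\.Shell[\"']", re.IGNORECASE)
EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx")


def score_file(text):
    """Return (score, reasons) for one file's contents; higher is more suspicious."""
    score, reasons = 0, []
    calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)})
    if calls:
        score += len(calls)
        reasons.append("suspicious calls: " + ",".join(calls))
    if OBFUSCATED_EXEC.search(text):
        score += 5
        reasons.append("decoder chained into eval/assert")
    if LONG_BASE64.search(text):
        score += 3
        reasons.append("long base64 literal")
    if WSCRIPT_SHELL.search(text):
        score += 3
        reasons.append("WScript.Shell object created")
    if REQUEST_INPUT.search(text) and (calls or WSCRIPT_SHELL.search(text)):
        score += 2
        reasons.append("request input reaches a dangerous call")
    return score, reasons


def scan_webroot(root, threshold=4):
    """Walk root; return {relative_path: (score, reasons)} for files scoring >= threshold."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, reasons = score_file(fh.read())
            if score >= threshold:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = (score, reasons)
    return findings


# Constructed sample web root: a benign page, a PHP shell, an ASP shell, a stylesheet.
SAMPLES = {
    "index.php": "<?php echo 'hello'; mail('ops@example.test', 'ping', 'body'); ?>",
    "uploads/x.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "shell.asp": '<% Set o = CreateObject("WScript.Shell"): o.exec(Request("cmd")) %>',
    "css/site.css": "body { color: red; }",
}


def build_sample_root():
    """Write SAMPLES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, (score, reasons) in sorted(scan_webroot(build_sample_root()).items()):
        print(f"{score:2d}  {rel}: {'; '.join(reasons)}")
```

The benign index.php calls mail() and scores 1, below the threshold, while both shells score well above it; in a real hunt the threshold is tuned against the site's own code, and hits are sorted by score so the analyst reads the obfuscated eval chains first.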
26. HUNTING WEBSHELLS - TOOLS
Multiple tools can be used to hunt for web shells in your environment. These tools ship with IOCs and YARA rules to identify malicious files:
LOKI IOC Scanner
PHP-Malware Finder
unPHP
Linux Malware Detect
Invoke-ExchangeWebShellHunter
etc...
In addition to these techniques, we can also use baseline deviation (files added or changed since the last known-good deployment) and file stacking (file names or paths that appear on only one server) to hunt for web shells.
27. ENDPOINT HUNTING
The endpoint is where malware behavior is most visible.
Most post-exploitation techniques can be hunted using endpoint logs.
File activity, registry activity and process activity can be used to hunt for malicious behavior.
Attack techniques such as DLL injection and API hooking can be hunted using endpoint logs, and fuzzy hashing (e.g. ssdeep) helps match variants of a known malicious binary.
MITRE ATT&CK is the best way to organise these efforts and use them to hunt for threats.
28. DLL INJECTION
Post-exploitation technique: a malicious DLL is forced into a legitimate process.
Hunt by monitoring Windows API calls (Sysmon event ID 8, CreateRemoteThread; event ID 10, ProcessAccess) and the registry paths that control DLL loading.
The classic sequence:
VirtualAllocEx reserves or commits a region of memory in another process
WriteProcessMemory writes data (the DLL path or shellcode) into that memory
CreateRemoteThread creates a thread in the address space of the other process, typically starting at LoadLibrary
29. APPINIT DLLS
PowerSploit (a PowerShell post-exploitation toolkit) includes Invoke-DllInjection, which can be used for code injection.
Monitoring malicious DLL loads - AppInit DLLs: DLLs listed in the AppInit_DLLs value under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. Hunt for writes to this value (Sysmon event ID 13) and for unexpected DLL paths in it.
30. NETWORK HUNTING
Network traffic hunting requires network traffic logs (packet capture, NetFlow, proxy and DNS logs).
Multiple tools can be used to analyze suspicious network traffic.
In addition to packet capture and the malicious-traffic analysis features of next-generation firewalls, UTM and IDS/IPS, we also need to hunt for traffic that has bypassed these devices.
Wireshark can be used.
Let's look at a simple example:
31. NETWORK HUNTING - HTTPS TRAFFIC
Normal HTTPS                                   Suspicious HTTPS
Port 443 or 8443                               Malware uses these ports as well, to blend in.
Traffic is encrypted (TLS handshake visible)   Plaintext on 443/8443, or no TLS handshake (ClientHello/ServerHello) in the stream: something is suspicious.
Server named by FQDN (SNI / certificate name)  Client connects to a bare IP address with no FQDN.
HTTPS is HTTP over SSL/TLS (Secure Sockets Layer / Transport Layer Security).
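The three checks in the table turned into code, as an added example that is not part of the deck: given the first bytes a client sends on a flow to 443/8443, decide whether it is really a TLS ClientHello, whether it names a server (SNI), and whether that name is an FQDN or a bare IP literal. The ClientHello bytes, flows and port list are constructed for the example; in a real hunt the payload comes from the first client packet of each flow in a pcap.

```python
"""Spot HTTPS-looking flows that are not what they claim to be.

Added example, not from the original deck. build_client_hello() constructs
the sample handshakes so the check runs offline.
"""
import ipaddress
import struct

TLS_PORTS = {443, 8443}


def build_client_hello(sni=None):
    """Construct a minimal ClientHello record (legacy version 0x0303), optionally with an SNI extension."""
    extensions = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension type 0 = SNI
    body = (
        b"\x03\x03" + b"\x11" * 32             # client_version, random (fixed for the example)
        + b"\x00"                              # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'tls', 'client_hello', 'sni'} for the first record sent by the client."""
    result = {"tls": False, "client_hello": False, "sni": None}
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        return result                                      # not a TLS handshake record
    result["tls"] = True
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return result                                      # TLS, but not a ClientHello
    result["client_hello"] = True
    try:
        pos = 4 + 2 + 32                                   # handshake header, version, random
        pos += 1 + hs[pos]                                 # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                                 # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
    except (IndexError, struct.error):
        return result                                      # truncated: no extensions to read
    while pos + 4 <= min(end, len(hs)):
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        ext = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000 and len(ext) >= 5:           # server_name extension
            p = 2                                          # skip server_name_list length
            while p + 3 <= len(ext):
                name_type, name_len = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                if name_type == 0:
                    result["sni"] = ext[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
    return result


def assess_flow(dst_port, first_client_bytes):
    """Return the suspicious findings for one flow; an empty list means it looks like normal HTTPS."""
    if dst_port not in TLS_PORTS:
        return []
    info = parse_client_hello(first_client_bytes)
    if not info["tls"]:
        return ["plaintext on a TLS port: no TLS record at start of flow"]
    if not info["client_hello"]:
        return ["TLS record but no ClientHello: handshake details missing"]
    if info["sni"] is None:
        return ["ClientHello without SNI: server not named"]
    try:
        ipaddress.ip_address(info["sni"])
        return [f"SNI is a bare IP address, not an FQDN: {info['sni']}"]
    except ValueError:
        return []                                          # FQDN, as a browser normally sends


# Constructed flows: (description, dst_port, first bytes sent by the client).
SAMPLE_FLOWS = [
    ("browser to login.example.test", 443, build_client_hello("login.example.test")),
    ("implant with no SNI", 443, build_client_hello(None)),
    ("implant beaconing to a raw IP", 8443, build_client_hello("203.0.113.5")),
    ("plain HTTP on 443", 443, b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),
]

if __name__ == "__main__":
    for desc, port, payload in SAMPLE_FLOWS:
        print(f"{desc}: {assess_flow(port, payload) or ['looks like normal HTTPS']}")
```

TLS 1.3 still sends the SNI in the clear (only Encrypted Client Hello hides it), so the check holds for current browsers; an IP literal in the SNI is not permitted by the TLS extension spec but implants do send it. Some legitimate non-browser clients omit SNI entirely, so treat that finding as a lead to stack by process and destination rather than as an alert on its own.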
33. THREAT HUNTING USING SIEM
Threat hunting is basically searching for something.
We need proper and useful data to hunt for threats in the enterprise.
A SIEM (Security Information & Event Management system) is such a tool and can prove very useful in threat hunting.
A SIEM collects logs from multiple devices across the enterprise network.
In addition to matching threat intelligence feeds, the SIEM is very useful for querying the log database to identify anomalies.
Let's look at some use cases:
35. THREAT HUNTING USING SIEM
The famous Word/Excel macro attachment:
• Phishing email containing a .doc with a macro
• The macro contains a script that launches powershell.exe
• powershell.exe loads a credential-dumping tool such as Mimikatz to read password hashes from LSASS memory
• Hunt for which commands were executed via Mimikatz (visible in PowerShell script block logging, event ID 4104)
36. THREAT HUNTING USING SIEM
Windows event logs forwarded to the SIEM can be used to hunt for multiple threats.
Sysmon can be used to collect endpoint-specific logs (process creation with command line and hashes, network connections, registry changes) based on a defined configuration.
Search queries are useful for identifying malicious behavior inside the enterprise environment.
In addition to threat intelligence and search queries, analytics using machine learning is being built into SIEMs to automatically identify anomalies in the environment.
Let's look at some example hunts to make this clear:
37. THREAT HUNTING HUNTS
Threat activity                    Hunts to look out for
Hunting suspicious accounts        Look for unusual accounts logging on to machines with admin rights: Event ID 4672 (special privileges assigned to new logon)
Hunting scheduled tasks            Event ID 4698 (scheduled task created), and 106, 200, 201 in the Task Scheduler operational log (task registered, action started, action completed)
Hunting pass the hash (PtH)        Event ID 4624 with logon type 3, logon process NtLmSsp, authentication package NTLM, key length 0; exclude machine accounts and ANONYMOUS LOGON to cut noise
Hunting for service creation       Event ID 4697 (a service was installed; 7045 in the System log is the equivalent)
Hunting network shares             Event IDs 5140 / 5145 (a network share object was accessed / checked for access). Note that 4776 is NTLM credential validation on the DC, useful for the PtH hunt above rather than for shares
Hunting for process masquerading   Look at the path the process is executing from. Example: explorer.exe should run from C:\Windows\explorer.exe; the same name under any other path (e.g. a user's Temp directory) is suspicious
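The PtH row above written as a Sigma-style rule and run over constructed 4624 events. This is an added example, not code from the deck or from the Sigma project, and it also illustrates the Sigma rule layout from slide 23: a detection section of named searches plus a condition. The rule is a Python dict mirroring the YAML so it runs without PyYAML; the two filters (machine accounts, ANONYMOUS LOGON), the field names and the sample events are assumptions for the example. The evaluator covers only the subset of Sigma used here: field maps, value lists, the contains/startswith/endswith modifiers, '*' wildcards and and/or/not conditions with parentheses.

```python
"""Sigma-style rule evaluation for the pass-the-hash hunt over constructed 4624 events.

Added example, not from the original deck or the Sigma project.
"""
import fnmatch
import re

PTH_RULE = {
    "title": "Pass the Hash Activity (NTLM network logon with key length 0)",
    "tags": ["attack.lateral_movement", "attack.t1550.002"],
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0},
        "filter_machine": {"TargetUserName|endswith": "$"},      # computer accounts (assumed filter)
        "filter_anon": {"TargetUserName": "ANONYMOUS LOGON"},    # null sessions (assumed filter)
        "condition": "selection and not (filter_machine or filter_anon)",
    },
}


def _field_match(event, key, pattern):
    """Evaluate one 'Field|modifier: value' entry; a list of values is OR'ed."""
    if isinstance(pattern, list):
        return any(_field_match(event, key, p) for p in pattern)
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    value, pat = str(event[name]).lower(), str(pattern).lower()  # Sigma compares case-insensitively
    if modifier == "contains":
        return pat in value
    if modifier == "startswith":
        return value.startswith(pat)
    if modifier == "endswith":
        return value.endswith(pat)
    return fnmatch.fnmatchcase(value, pat)  # plain value: exact match, '*' and '?' wildcards


def _search_match(event, search):
    """A map is AND across its fields; a list of maps is OR across the maps."""
    if isinstance(search, list):
        return any(_search_match(event, s) for s in search)
    return all(_field_match(event, k, v) for k, v in search.items())


def _eval_condition(condition, results):
    """Recursive-descent evaluator for 'a and not (b or c)' style conditions."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            take()  # the closing parenthesis
            return value
        return results[tok]  # a named search from the detection section

    def term():
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            value = factor() and value
        return value

    def expr():
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            value = term() or value
        return value

    return expr()


def run_rule(rule, events):
    """Return the events that satisfy the rule's condition."""
    detection = rule["detection"]
    searches = {k: v for k, v in detection.items() if k != "condition"}
    return [e for e in events
            if _eval_condition(detection["condition"], {n: _search_match(e, s) for n, s in searches.items()})]


# Constructed Security log events, fields as a SIEM would parse them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "jdoe", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "WS02$", "IpAddress": "10.0.0.26"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.27"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos", "KeyLength": 128, "TargetUserName": "asmith", "IpAddress": "10.0.0.28"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32", "KeyLength": 0, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1"},
]

if __name__ == "__main__":
    for hit in run_rule(PTH_RULE, SAMPLE_EVENTS):
        print(f"{PTH_RULE['title']}: {hit['TargetUserName']} from {hit['IpAddress']}")
```

Only the interactive NTLM network logon for jdoe survives: the machine account and the null session are dropped by the filters, the Kerberos logon fails the selection, and the local logon has the wrong logon type. Real Sigma rules add more filters (known NTLM-only appliances, service accounts), and a converter such as the Sigma-to sheet turns the same detection section into the query language of each SIEM.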
38. THREAT HUNTING HUNTS
PtH - look for remote logons followed by execution or writing of binaries on the target host.
IFEO (Image File Execution Options) - changes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xyz.exe\Debugger (a Debugger value makes Windows launch the named program instead of xyz.exe)
rundll32.exe making connections to the internet.
Deletion of volume shadow copies using vssadmin (vssadmin delete shadows) or wmic (wmic shadowcopy delete).
39. THREAT HUNTING HUNTS
Disabling System Restore - registry write to HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR with value 1
Connections from a process other than a browser to suspicious domains (.tk, .onion, tor2web gateways, etc.)
certutil.exe used to download files from the internet: certutil.exe -urlcache -split -f http://example/file.txt
40. THREAT HUNTING HUNTS
Monitor scheduled tasks - at and schtasks (Windows Task Scheduler) are used to schedule scripts for execution.
Double-extension file names (e.g. invoice.pdf.exe).
control.exe used to execute a DLL/.cpl stored in an alternate data stream (ADS).
gpscript.exe used to execute logon scripts.
mavinject.exe used to inject a DLL (including one stored in an ADS) into a running process.
hh.exe - executing and downloading files.
scriptrunner.exe - execution of arbitrary binaries.
regsvr32.exe - downloading and running a scriptlet from the internet.
All are Windows-signed binaries, so signature-based endpoint protection will rarely flag them; hunt on their command lines, parent processes and network activity instead.
41. THREAT HUNTING HUNTS
Similar to the hunts discussed, there are many more techniques that can be used to hunt for threats.
A collection of many such techniques is collated and presented by MITRE ATT&CK and the Sigma rules.
Hunting using a SIEM is the way ahead, but there are multiple SIEM vendors - RSA, Elastic, ArcSight, QRadar etc.
To make life easy, I have prepared a master sheet of threat hunting hunts mapped to the respective SIEM query languages:
Query it & Hunt IT - https://github.com/akky2892/Sigma-to/blob/master/Sigma-to.xlsx
42. REAL WORLD HUNTING PROCESS
What is threat hunting: the human-centric process of proactively searching for evidence of attacks. Anyone can threat hunt; experienced threat hunters have better models.
Threat hunting is the application of one or more models or frameworks to a problem. The easiest framework to start with is attack-centric hunting.
In attack-centric hunting (ACH), you focus on seeking evidence that identifies a specific attack. It is a four-step process that starts with a question:
1. Question - has a specific attack occurred on my network?
2. What am I looking for?
3. Where am I likely to find it?
4. How can I manipulate the data to find it?
43. REAL WORLD HUNTING PROCESS
Example:
Question: Has credential theft happened on my network?
1. What am I looking for?
a) Evidence of credential-dumping application execution.
b) Never-before-seen processes, process anomalies.
2. Where am I likely to find it?
a) Windows process execution logs.
3. How can I manipulate the data to see it?
a) Aggregate EID 4688 by process name for all endpoints and sort by least frequent occurrence (LFO). (Event ID 4688 = process creation; enable command-line auditing so the CommandLine field is populated.)
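Step 3 of this example implemented over constructed 4688 events, as an added example that is not part of the deck; it also demonstrates the stack counting technique from slide 18. Besides the plain least-frequent-occurrence stack it includes the two follow-ups a hunter usually runs next, prevalence (how many distinct hosts ran each image) and never-before-seen images against a baseline, plus a command-line search for lsass access to answer question 1a. The events, host names, baseline and the renamed ProcDump-style dumper are all constructed for the example.

```python
"""Stack counting (least frequent occurrence) over process creation events.

Added example, not from the original deck. All events and the baseline are constructed.
"""
from collections import Counter, defaultdict

# Constructed 4688 events: (Computer, NewProcessName, CommandLine).
SAMPLE_4688 = [
    ("WS01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("WS01", r"C:\Windows\explorer.exe", "explorer.exe"),
    ("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ("WS02", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("WS02", r"C:\Windows\explorer.exe", "explorer.exe"),
    ("WS02", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ("WS03", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("WS03", r"C:\Windows\explorer.exe", "explorer.exe"),
    ("WS03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # Renamed ProcDump-style LSASS dump (constructed): the credential theft we are hunting.
    ("WS03", r"C:\Users\bob\AppData\Local\Temp\pd.exe", "pd.exe -accepteula -ma lsass.exe out.dmp"),
    ("WS03", r"C:\Windows\System32\svchost.exe", "svchost.exe -k NetworkService"),
]
# Constructed baseline: images seen during a known-good period.
BASELINE = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}


def stack_count(events, column=1):
    """Count each distinct value of a column (default: image path); least frequent first."""
    counts = Counter(e[column].lower() for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def prevalence(events):
    """Number of distinct hosts each image ran on; images rare across the fleet come first."""
    hosts = defaultdict(set)
    for computer, image, _ in events:
        hosts[image.lower()].add(computer)
    return sorted(((image, len(h)) for image, h in hosts.items()), key=lambda kv: (kv[1], kv[0]))


def never_seen_before(events, baseline):
    """Images present in the events but absent from the baseline set."""
    return sorted({e[1].lower() for e in events} - {b.lower() for b in baseline})


def lsass_access_commands(events):
    """Command lines that name lsass, the process credential dumpers read from."""
    return [cmd for _, _, cmd in events if "lsass" in cmd.lower()]


if __name__ == "__main__":
    print("least frequent images:", stack_count(SAMPLE_4688)[:3])
    print("lowest prevalence:", prevalence(SAMPLE_4688)[:3])
    print("new since baseline:", never_seen_before(SAMPLE_4688, BASELINE))
    print("lsass in command line:", lsass_access_commands(SAMPLE_4688))
```

Stacking by full image path rather than by file name is deliberate: a copy of svchost.exe running from a user's Temp directory would collapse into the legitimate stack if only the name were counted. On a real fleet the rare tail is long, so prevalence and the baseline difference are what make the list reviewable.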
44. MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING
Multiple SIEM vendors and security products use machine learning or AI to assist threat hunting.
Machine learning uses classification, clustering and association algorithms to identify and detect anomalies in the network.
Network traffic spikes, unusual user-account or computer-account behavior, and any deviation from a baseline can be identified by such techniques.
Analytics is widely used in the modern world and has found its place in cyber security as well.
Examples: Microsoft Defender, Microsoft ATA, QRadar SIEM, FireEye, etc.