SACON - Threat hunting (Chandra Prakash)

SACON

SACONInternational2017

ChandraPrakashSuryawanshiAujasNetworkPvt Ltd

SVPchander80

India|Bangalore|November10– 11|HotelLalit Ashok

ThreatHunting

SACON 2017

Adversariesleavetrailseverywhere

Emaillogs

Endpointprocessaccounting

HTTPproxylogs

Authenticationrecords

Filesystemmetadata

Networksessiondata

Databasequerylogs

SACON 2017

Alertingonlygetsyousofar

Automatedsystemsaregreat,butsomehaveflaws

GoodFor

Easytocreatenewrules.

Automationdecreasesdwell

time.

BadAt

Can’tfindthingsyoudon’talreadyknowhowto

find!

SACON 2017

Whatis“hunting”?

Thecollectivenameforanymanualormachine-assistedtechniquesusedtodetect

securityincidentsthatyourautomatedsolutionsmissed.

SACON 2017

ThreatHuntingPlatformDrivers

Aunifiedenvironmentfor:Collectingandmanagingbigsecuritydata

Detectingandanalyzingadvancedthreats

VisuallyinvestigatingattackTTPsandpatterns

Automatinghunttechniques

Collaboratingamongstsecurityanalystteams

SACON 2017

HuntingStyles

Complexity

Value

Indicators

ArtifactAnalysis

Tactic&TechniqueAnalysis

AnomalyDetection

SACON 2017

TheHuntingMaturityModel(HMM)

SACON 2017

HUNTINGSTRATEGY

SACON 2017

Strategyenablesresults

WheredoIstart?

WhatshouldIlookfor?

What’smypath

toimprove?

Yourstrategydeterminesthequalityofyourresults.

Chooseastrategythatsupportsyourdetectiongoals.

Don’tunderestimatetheimportanceofgoodplanning!

SACON 2017

Strategy#1

Makethemostofwhatyoualreadycollect

Advantages

Youprobablyalreadycollectatleastsomedata.

Someoneisalreadyfamiliarwithitscontents.

Youmayalreadyhavesomeideaofthekeyquestionsyouwantanswered.

Disadvantages

Yourabilitytoaskquestionsislimitedbytheavailabledata.

Externalforceshavemoreinfluenceoveryourresults.

Mayconfuse“easy”with“effective”.

SACON 2017

Thethreedatadomains

Keepasmuchasyoucancomfortablystore

Network

• Authentication• Sessiondata• ProxyLogs• Filetransfers• DNSresolution

Host

• Authentication• Auditlogs• Processcreation

Application

• Authentication• DBqueries• Audit&transactionlogs• Securityalerts• Threatintel

SACON 2017

Aimfordatadiversity

Leveragedifferenttypesofdatato…

RevealRelationships

ClarifytheSituation

HighlightInconsistencies

TellaCompleteStory

SACON 2017

Alsolookfortoolsetdiversity

Differenttechniques,differentperspectives

SACON 2017

Strategy#2

FollowtheKillChain

Source:Intelligence-DrivenComputerNetworkDefenseInformedbyAnalysisofAdversaryCampaignsandIntrusionKillChains”,Hutchins,Cloppert,Amin,http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf(LastcheckedApril29th,2015)

Reconnaissance Weaponization Delivery Exploitation Installation Command&Control(C2)

ActionsonObjectives

SACON 2017

Strategy#2

FollowtheKillChain



ActionsonObjectives

Findincidentsalreadyoccurring

SACON 2017

Strategy#2

FollowtheKillChain



ActionsonObjectives


Expandthestoriesyouareabletotell

SACON 2017

Strategy#2

FollowtheKillChain



ActionsonObjectives


ExpandthestoriesyouareabletotellPredictincidents

beforetheyhappen

SACON 2017

THEHUNTINGPROCESS

SACON 2017

TheHuntingProcess

Successfulhuntingrequiresmanyiterationsthroughthiscycle.

Thefasteryouranalystsgetthroughthisloop,thebetter.

SACON 2017

Mosthuntsstartwithquestions

WhatdatadoIhaveandwhatdoesit

“looklike”?

Isthereanylateralmovementgoingon?

Isthereanydataexfiltrationgoingoninmynetwork?

Arethereanyunauthorizedusers

onmyVPN?Isanyonemisusingtheirdatabasecredentials?

Havemyusersbeenspearphished?

SACON 2017

Questionsbecomehypotheses

“Ifthisactivityisgoingon,itmightlooklike…”

That’syourhypothesis!

Ifatfirstyoudon’tsucceed,recraft it.

SACON 2017

HypothesesCanBeDrivenBy…

ThreatIntelligence

• BothIOCsearchesandTTPanalysis

• "d8e8fc[…]ba249isaknown-badfilehash.Let's see if it's onany ofour critical systems."

SituationalAwareness

• Basedonfriendlyintel,knowledgeofbusinessprocesses,CrownJewelsAnalysisorotherknowledgeofyourownenvironment

• "EngineeringusersshouldneveraccesstheFinancefileserver.Let'sseeifthey'redoingthat."

DomainExpertise

• Acombinationofintel- andawareness-based

• "Iknow(China|Russia|Iran)threatactorsTTPs.Aretheyinournetwork?"

SACON 2017

DataTypeandLocation

Datatypesforyourhuntareusuallydictatedbyyourhypothesis.• Command&Control:Networksessionrecords,HTTPproxylogs• LateralMovement:Windowsauthenticationlogs(orwhateveryourOSis)

Location fromwhichthedataiscollectedcanalsobeamajorfactor:• Command&Control:Internetconnectionpoints• LateralMovement:Internet-facingservices,criticalassets,endpoints,servers

Documentacollectionplanforeachhunt,includingtype&location,aswellasotherrelevantfilters(turnBigDataintoSmallerDataifyoucan).

SACON 2017

AnalyticTechnique

Imagecredit:fatmonk8,https://www.reddit.com/r/pics/comments/2gi309/coworker_said_i_had_the_most_organized_toolbox_in/

SACON 2017

Awiseowloncesaid…

SACON 2017

HUNTINGINSQRRL

SACON 2017

Createhypotheses

StartwithguidedhuntsusingtheSqrrlDetections

SACON 2017

Createhypotheses

Getmoreadvancedusingthehuntreports

SACON 2017

InvestigateviaToolsandTechniques

ThisisverysimilartoIncidentInvestigation– again,youwillwanttoaskthesamesixquestions:

1. Wastheactivityactuallyanincident?2. Wastheadversarysuccessful?3. Whatotherresourceswereinvolved?4. Whatactivitiesdidtheadversaryconduct?5. Whatresourceswerecompromised?6. Whatshouldthenextstepsbe?

SACON 2017

Additionalhypotheses

Thinkaboutwhatyourdatawillshow

SACON 2017

Wasthebeaconanincident?

Howlongdiditoccurfor?(Isitstilloccurring?)Lookattheendpoints(clickontheminthedetectionprofiletobringuptheirprofiles),startingwiththedestination

Whatdoyouknowaboutit?Isitaknownservice?Whatdomainisitassociatedwith?

MayneedtoexploreandexpandtoDNSDomainsWhatURIsisitassociatedwith?

MayneedtoexploreandexpandtoURIsCouldalsousetheactivitylogwithwebproxylogstofindthis

Aretheendpointsassociatedwithothermaliciousactivity?MayneedtoexploreandexpandtoAlertMayneedtodrilldownintotheactivity

SACON 2017

WastheLatMov anincident?

Lookatthepatterns:Isthisconsistentwithanadversaryexploringanetwork?Arethefailurepatternsconsistent?

LookattheHostnameentities:Areanyofthemknownjumpservers?

LookattheAccounts:Areanyofthemadminswhoareexpectedtousethistypeofactivity?AreanyoftheaccountslinkedtothesameUser,especiallyaregularandanadminaccountforthesameperson?

LookattheRelationships:Isthetimingconsistentwiththistypeofactivity?Isthereotheractivityoccurringbeforeoraftertoindicateitisnormal?

SACON 2017

Wasthestaginganincident?

Lookatthevolume:Isthisreallydatabeingstagedorjustastatisticaloutlier?

LookattheHostnames:WeretheyinvolvedinLateralMovementsorotherriskybehaviors?

LookattheAccounts:ExplorefromtheIPAddresses andexpandtoAccountsIsthisactivitybeingconductedbythesameperson?


SACON 2017

Wastheexfil anincident?

Lookatthevolume:Isthisreallydatabeingexfilled orjustastatisticaloutlier?

LookattheIPAddresses:Weretheinternalonesinvolvedinstagingorotherriskybehaviors?WeretheexternalonesassociatedwithsuspiciousdomainsorURIs?Mayneedtoexploreandexpandtofindthis

LookattheAccounts:ExplorefromtheinternalIPAddress andexpandtoAccountsWhoappearstobeconductingtheactivityandshouldtheybe?


SACON 2017

Atthispoint,youareinvestigatinganincident

ThestepsyoufollowforthefollowingarethesameasforIncidentInvestigation:

3. Whatotherresourceswereinvolved?4. Whatactivitiesdidtheadversaryconduct?5. Whatresourceswerecompromised?6. Whatshouldthenextstepsbe?

KeeptherestoftheHuntingProcessCycleinmindasyouanswerthesequestions,theywillbeusedforthefollowingsteps

SACON 2017

Piecetogethertheincident

Answeringthequestionsrequiresacompletepicture

SACON 2017

THANKYOU

SACON - Threat hunting (Chandra Prakash)

Technology

Transcript of SACON - Threat hunting (Chandra Prakash)