Successful Threat Hunting Begins with Looking at Behaviors

Dean Sapp, CISO

Transcript of the slide deck (31 pages). ©2018 Braintrace. All rights reserved.

Introductions

Dean Sapp, CISO

#dean_braintrace

[email protected]

Braintrace, Inc.

220 S. 200 E. Suite 300

SLC, Utah 84111

801-803-7902

17+ years working in cyber security

Husband, father of five great kids, author,

security researcher, Spartan racer, doer of

hard things and quintessential security nerd.

Security & Privacy Certifications:

CISSP, CISA, CIPP/US, ITILv3, GCCC,

GCIH, GSIP, GPEN, GAWN, GSLC, GCPM,

GWAPT, G2700, GLEG, GSOC


Bad Driving Behaviors

Running red lights

Ignoring stop signs

Driving too fast

Failure to yield to pedestrians

Hitting the gas instead of the brake

Tailgating

And…HSOs

Hitting stationary objects

(Image: car hitting a building)


Threat Hunting – Jamie Butler

“The purpose of threat hunting is to reduce the time between a breach and its discovery.”

Foreword, The Endgame Guide to Threat Hunting


Threat Hunting – FireEye

“Enterprises need to realize that they should change their ways. They need to go hunting – threat hunting. This threat hunting cannot be an ancillary or optional function that the security team conducts. Instead, cyber threat hunting needs to be conducted systematically and programmatically.”


Threat Hunting – Verizon

"According to [the] 2018 Verizon Data Breach Investigations Report, 68% of breaches aren’t discovered for months or even years.”

Threat hunting can and should be used by businesses, small and large, to understand indicators of compromise (IoCs) and frequent attack methods.


TTPs are Behaviors

Threat hunting is all about the Tactics, Techniques and Procedures (TTPs) used by your adversary.

Learn to identify the TTPs of “living off the land”: the adversary runs the tools already on your systems (PowerShell, WMI, built-in admin utilities) instead of dropping malware, so the behavior, not a file hash, is what you hunt for.


What are the Attack Vectors?


The most common attacks we provide IR for…

Phishing / Business Email Compromise (BEC)

Account / Password theft

Ransomware (WannaCry / Petya, NotPetya, Petya2, etc.)

Exploitation of missing patches (Equifax example)

Printers and Mobile devices targeted

Internet of Things (IoT) exploitation

Whatever is the easiest way to get in


Outsiders were behind 73% of breaches in 2017.

Prioritize your threat hunting plan to find out whether those outsiders have already gotten inside your network!


Insider breach risk is up from 25% in 2016 to 28% in 2017.

You need to have a threat hunting plan for internal breach risk too!


Where to Hunt? Start with the data you already have.


Threat Hunting - Programmatic

1. What to Hunt?
   Does the traffic look human generated or computer generated?
     rwyoehbkhdhb.info (unpronounceable, the shape of an algorithmically generated C2 domain)
     Didntmeanto.com (pronounceable, the shape of something a human typed)
   Does it appear to be malicious or harmless?
     Malicious? Get the host and scan it for malware.
     Harmless? Talk to the user.

2. Anomalies
   What appears different?
   100 computers: 99 do not perform the action, 1 does.
   Why does that single computer attempt to reach a suspicious domain?

3. Pivoting
   Does all traffic come to a SIEM or breach detection platform?
     If so, what other behavior do the other systems show?
     If not, go to the other systems that hold data and review their logs.
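The three steps above written as detection logic, as an added example that is not part of the slides or of Braintrace's tooling: it runs over a constructed set of DNS query records (fleet size, host names and the two corporate domains are assumptions; the two suspicious domains are the slide's own), finds the domains touched by a rare fraction of the fleet (step 2), then uses a vowel-ratio and consonant-run heuristic to separate computer-generated from human-looking names (step 1) and assigns the slide's next action.

```python
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed DNS query records: (timestamp, host, queried domain).  Not real telemetry.
# All 100 workstations talk to two corporate services; one host reaches an unpronounceable
# .info domain and one reaches a typo-looking .com domain (the slide's two examples).
FLEET_SIZE = 100
DNS_RECORDS = [("2018-05-14T09:00:00", f"wk-{i:03d}", "updates.corp.example") for i in range(100)]
DNS_RECORDS += [("2018-05-14T09:01:00", f"wk-{i:03d}", "mail.corp.example") for i in range(100)]
DNS_RECORDS += [
    ("2018-05-14T09:02:13", "wk-017", "rwyoehbkhdhb.info"),
    ("2018-05-14T09:05:40", "wk-053", "didntmeanto.com"),
]


def registrable_label(domain):
    """Second-level label: 'rwyoehbkhdhb' from 'rwyoehbkhdhb.info'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character, reported for the analyst; too noisy on short labels to decide alone."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_machine_generated(domain, min_vowel_ratio=0.25, max_consonant_run=5):
    """'Computer generated' heuristic: starved of vowels, or a long run without one.
    Labels under six letters are not judged (a human can type 'xkcd', not 'hbkhdhb')."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in label:
        if c.isalnum() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return vowel_ratio < min_vowel_ratio or longest >= max_consonant_run


def hosts_per_domain(records):
    seen = defaultdict(set)
    for _ts, host, domain in records:
        seen[domain.lower()].add(host)
    return seen


def hunt(records, fleet_size, rare_fraction=0.01):
    """Step 2: a domain touched by at most rare_fraction of the fleet is the '1 of 100' anomaly.
    Step 1: decide the next action from how the name looks."""
    limit = max(1, int(fleet_size * rare_fraction))
    findings = []
    for domain, hosts in hosts_per_domain(records).items():
        if len(hosts) > limit:
            continue
        machine = looks_machine_generated(domain)
        findings.append({
            "domain": domain,
            "hosts": sorted(hosts),
            "entropy": round(shannon_entropy(registrable_label(domain)), 2),
            "machine_generated": machine,
            "next_step": "pull the host and scan it for malware" if machine else "talk to the user",
        })
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in hunt(DNS_RECORDS, FLEET_SIZE):
        print(finding)
```

The rarity test does the heavy lifting; the name heuristic only orders the follow-up. Step 3 (pivoting) is the part no script does for you: take the host names the findings return to the SIEM, authentication and endpoint logs.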


Intelligent Threat Hunting - Systematic

Are you systematically correlating events?

With the SIEM as the correlation point, pivot through the questions and the log sources that answer them:

Where was the initial threat observed? (IDS/IPS, breach detection, DNS, next-gen firewall, anti-virus, others?)

What is that host? What data can it access?

How did they authenticate? (central auth, remote access, wireless AP, DHCP)

What network are they on? (GUEST or CORP; WAN / LAN)

Are there anomalies in other layers of security? (IDS/IPS, breach detection, DNS, next-gen firewall, anti-virus, others?)


Behaviors to Monitor


The most common behaviors that indicate it is time to go hunting:

DDoS attacks that are noisy and obvious

Low-and-slow password spraying and brute force attempts

Changes to email automatic forwarding rules

Unusual access attempts to the document management system (DMS) or other systems holding high-value IP

Local workstation failed login attempts

Geographically uncharacteristic access attempts

PowerShell and WMI activity on the network
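Low-and-slow password spraying is the item on this list that per-minute rate alerts miss, because each account sees only one or two failures. As an added example (not the slides' own code), the logic below separates a spray from a brute force and from a user fat-fingering a password by sliding a six-hour window over constructed failed-logon records (the kind of fields you would pull from Windows event 4625, a VPN or an identity provider log; the addresses and account names are invented):

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _t(minutes):
    return datetime(2018, 5, 14, 1, 0, 0) + timedelta(minutes=minutes)


# Constructed failed-logon records; the sources are documentation address ranges, not real hosts.
FAILED_LOGONS = []
# 203.0.113.7: one try against each of 20 accounts every 15 minutes, two rounds -> low and slow spray
for rnd in range(2):
    for i in range(20):
        FAILED_LOGONS.append({"time": _t(rnd * 300 + i * 15), "src": "203.0.113.7", "user": f"user{i:02d}"})
# 198.51.100.9: hammers one account 40 times in ten minutes -> classic brute force
for i in range(40):
    FAILED_LOGONS.append({"time": _t(i * 0.25), "src": "198.51.100.9", "user": "administrator"})
# 10.1.2.3: one user mistyping a password three times over the day -> benign
for m in (30, 300, 540):
    FAILED_LOGONS.append({"time": _t(m), "src": "10.1.2.3", "user": "jdoe"})


def worst_window(events, window):
    """Slide a time window over one source's failures; return the window with the most
    distinct accounts as (distinct_accounts, most_failures_for_one_account, total_failures)."""
    events = sorted(events, key=lambda e: e["time"])
    best, j = (0, 0, 0), 0
    for i in range(len(events)):
        while j < len(events) and events[j]["time"] - events[i]["time"] <= window:
            j += 1
        per_account = Counter(e["user"] for e in events[i:j])
        candidate = (len(per_account), max(per_account.values()), j - i)
        if candidate > best:
            best = candidate
    return best


def classify(events, window=timedelta(hours=6), min_accounts=8, max_per_account=3, brute_min=20):
    """Spray: many accounts, few tries each, in one window.  Brute force: one account, many tries.
    The thresholds are starting points to tune against your own baseline of typos."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        distinct, top, total = worst_window(evs, window)
        if distinct >= min_accounts and top <= max_per_account:
            verdict = "password spray"
        elif top >= brute_min:
            verdict = "brute force"
        else:
            verdict = "benign-looking"
        verdicts[src] = {"verdict": verdict, "accounts": distinct,
                         "max_per_account": top, "attempts": total}
    return verdicts


if __name__ == "__main__":
    for src, v in classify(FAILED_LOGONS).items():
        print(src, v)
```

Key the same logic by target account as well: a spray that rotates source addresses shows up as one failure per account from many sources in the same window.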


Behaviors to Monitor - 2


Endpoint logs for virus, malware or infection indicators

Web application attacks (WAF or application server logs)

Large data copies or moves, measured in aggregate over time

Log sources that stop receiving data, or hosts that stop sending log data

DNS requests to known blacklisted IPs, TOR nodes, spam-bot networks and malicious domains

Unauthorized USB attempts

Employees giving notice: monitor events related to terminations


Behaviors to Monitor - 3


Inbound / outbound encrypted traffic from unusual sources

Bitsquatting, typosquatting and Unicode-masqueraded domains

Kerberos traffic from printers or other IoT or odd devices

Authorized access to code repos from unusual sources

Unusual database listener activities and traffic

Uncharacteristic services and processes that deviate from standard builds

Use of network tools (FTP, SSH, etc.) on non-standard ports
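The three look-alike domain classes on this list are each detected differently, so here they are side by side as an added example (not from the slides): edit distance for typosquats, a single-flipped-bit test for bitsquats, and a skeleton comparison after punycode decoding for Unicode masquerades. The protected name is the presenter's company domain; the candidate domains are constructed for the example and the confusables table is a small subset of the Unicode one.

```python
import unicodedata

PROTECTED = "braintrace.com"

# Cross-script look-alikes that render almost identically to Latin letters (subset of Unicode confusables).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u051b": "q", "\u051d": "w", "\u0131": "i", "\u0261": "g", "\u2113": "l",
})


def registrable_label(domain):
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def to_unicode(label):
    """IDN homographs show up in DNS logs as punycode (xn--); decode before comparing."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def skeleton(label):
    """Collapse accents and cross-script look-alikes down to plain ASCII."""
    label = to_unicode(label).translate(CONFUSABLES)
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_bitsquat(a, b):
    """Same length, exactly one differing character, and the difference is one flipped bit:
    the signature of a memory error in a client, not of a typo."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    if len(diffs) != 1:
        return False
    xor = ord(diffs[0][0]) ^ ord(diffs[0][1])
    return xor != 0 and xor & (xor - 1) == 0


def classify(candidate, protected=PROTECTED, max_edit_distance=2):
    """Return 'none', 'unicode', 'bitsquat', 'typosquat' or 'unrelated'."""
    target = registrable_label(protected)
    raw = registrable_label(candidate)
    if raw == target:
        return "none"
    if skeleton(raw) == target:
        return "unicode"
    if is_bitsquat(raw, target):
        return "bitsquat"
    if levenshtein(raw, target) <= max_edit_distance:
        return "typosquat"
    return "unrelated"


# Constructed candidates as they might appear in DNS or proxy logs.
CANDIDATES = [
    "braintrace.com",
    "briantrace.com",                                      # transposed letters
    "brcintrace.com",                                      # 'a' (0x61) with one bit flipped is 'c' (0x63)
    "br\u0430intrace.com".encode("idna").decode("ascii"),  # Cyrillic 'а', as its xn-- form in a log
    "brainstorm.com",
]


def hunt(candidates, protected=PROTECTED):
    verdicts = {c: classify(c, protected) for c in candidates}
    return {c: v for c, v in verdicts.items() if v not in ("none", "unrelated")}


if __name__ == "__main__":
    for domain, verdict in hunt(CANDIDATES).items():
        print(verdict, domain)
```

Run it against outbound DNS and against the sender domains in mail logs; the Unicode class is the one that survives a human eyeballing the address bar, so decode punycode before any comparison.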


Systems to Monitor


1. Email

2. Document Management Systems

3. Active Directory

4. Endpoints

5. Accounting Systems

6. Money moving systems (ACH, Wires, SWIFT)

7. Anywhere you have Intellectual Property (IP)


The Role of Deception


Deception helps to catch the bad guys in the act…

Open source (Honeyd) or commercial products (Eastwind Networks, Attivo)

Old, vulnerable, unpatched and full of valuable data… bingo: a Windows 2003 Server running IIS 5.0 and MS SQL 2005

Low interaction decoys (emulate a banner or a few services; cheap, safe, easy to spot)

High interaction decoys (a full, instrumented host; realistic, but it can really be compromised)

The more realistic the host the better… but if you build the decoy from a real image, don’t forget to clear the SAM database of real password hashes before exposing it.
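What a low interaction decoy does, as an added example that is not Honeyd or any product named on the slide: it listens on a port no legitimate user should touch, records who connected and the first bytes they sent, and answers with the banner of the tempting old build from the slide. It runs on loopback by default; the banner text and the port are assumptions, and nothing here executes what the connecting party sends.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: the decoy claims to be the slide's tempting old IIS build.  No IIS is involved.
BANNER = (b"HTTP/1.0 200 OK\r\n"
          b"Server: Microsoft-IIS/5.0\r\n"
          b"Content-Type: text/html\r\n\r\n"
          b"<html><body>Finance document archive</body></html>\r\n")


class LowInteractionDecoy:
    """Accept connections, log (source, first bytes) for the hunter, reply with a fake banner, close."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.hits = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        conn.settimeout(2.0)
        try:
            first = conn.recv(1024)
        except (socket.timeout, OSError):
            first = b""
        hit = {"time": datetime.now(timezone.utc).isoformat(), "src_ip": peer[0],
               "src_port": peer[1], "first_bytes": first[:80]}
        with self._lock:
            self.hits.append(hit)        # every hit is a lead: nobody should be here
        try:
            conn.sendall(BANNER)
        except OSError:
            pass
        finally:
            conn.close()

    def summary(self):
        """Hit count per source address, the list to pivot on in the SIEM."""
        counts = {}
        for h in self.hits:
            counts[h["src_ip"]] = counts.get(h["src_ip"], 0) + 1
        return counts


def probe(port, payload=b"GET / HTTP/1.0\r\n\r\n", host="127.0.0.1"):
    """Play the attacker against our own decoy to check it logs and banners as intended."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


if __name__ == "__main__":
    decoy = LowInteractionDecoy().start()
    print(probe(decoy.port).decode(errors="replace"))
    print(decoy.hits, decoy.summary())
    decoy.stop()
```

Because the decoy never runs anything it receives, the trade-off the slide describes applies: an attacker who gets past the banner will notice the emptiness quickly, but by then the hit record has already named the host to go hunting on.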


PowerShell Examples


PowerShell ports and activities on the network

PowerShell v5 or later logging (module logging, script block logging, transcription) should be turned on

PowerShell remoting (WinRM) events and ports: 5985 (HTTP) and 5986 (HTTPS); also look for remoting on non-standard ports such as 80 or 443

Kerberos tickets requested with RC4-HMAC instead of AES

Beware: some tools use PowerShell in interesting ways…

KACE inventory management tool example


A Few Words of Caution


False positives happen (2 examples):

1. KACE inventory management tool example: most PowerShell activity is not malicious!

2. VIP network with IoT devices, Circle with Disney example: not all ARP cache poisoning is malicious! (The Circle parental-control box manages a home network by ARP spoofing the devices on it.)


Kerberoasting Attacks


Ticket Granting Service (TGS) events

Events to be looking for – ID 4769 (a Kerberos service ticket was requested)

These events are quite common, so you will need to identify the hosts where this behavior is unexpected. A burst of requests for many different service names from one client, with ticket encryption type 0x17 (RC4-HMAC) where the domain otherwise uses AES, is the classic Kerberoasting tell: RC4 tickets are the ones that crack offline.

Events to be looking for – ID 4770 (a Kerberos service ticket was renewed)

These events are less common… so look for them originating from the same computers over a known period of time.
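The 4769/4770 hunt above as detection logic, an added example that is not from the slides: per client, the largest number of distinct service names requested with RC4 (etype 0x17) inside a ten-minute window, plus the 4770 renewal count for the same client. The event records are constructed with the fields that matter, and the allow-list of hosts that legitimately touch many SPNs (a monitoring server) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # TicketEncryptionType for RC4-HMAC in event 4769
AES256 = 0x12             # AES256-CTS-HMAC-SHA1-96

# Hypothetical allow-list: hosts where requesting many SPNs is expected behavior.
EXPECTED_MULTI_SPN_HOSTS = {"10.1.5.10": "monitoring01"}


def _t(seconds):
    return datetime(2018, 5, 14, 9, 12, 0) + timedelta(seconds=seconds)


def build_sample():
    """Constructed 4769/4770 records, not real logs."""
    events = []
    # Workstation 10.1.5.42: one user pulls tickets for 12 different services, all RC4, in 90 seconds.
    for i in range(12):
        events.append({"id": 4769, "time": _t(8 * i), "account": "jdoe@CORP.EXAMPLE",
                       "client": "10.1.5.42", "service": f"svc-{i:02d}", "etype": RC4_HMAC})
    # Monitoring server 10.1.5.10: same shape (legacy agent still on RC4), but it is allow-listed.
    for i in range(12):
        events.append({"id": 4769, "time": _t(8 * i), "account": "svc-mon@CORP.EXAMPLE",
                       "client": "10.1.5.10", "service": f"svc-{i:02d}", "etype": RC4_HMAC})
    # Workstation 10.1.5.77: a normal user touching two services over the morning, AES.
    for i, svc in enumerate(["cifs/fs01", "HTTP/intranet"]):
        events.append({"id": 4769, "time": _t(600 * i), "account": "asmith@CORP.EXAMPLE",
                       "client": "10.1.5.77", "service": svc, "etype": AES256})
    # Renewals (4770) trickling from the first workstation for hours.
    for i in range(6):
        events.append({"id": 4770, "time": _t(3600 * i), "account": "jdoe@CORP.EXAMPLE",
                       "client": "10.1.5.42", "service": "svc-03", "etype": RC4_HMAC})
    return events


def roasting_candidates(events, window=timedelta(minutes=10), min_spns=5):
    """Per client: the most distinct SPNs requested with RC4 inside one window, if it reaches min_spns."""
    by_client = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            by_client[e["client"]].append(e)
    result = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        best, j = 0, 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            best = max(best, len({e["service"] for e in evs[i:j]}))
        if best >= min_spns:
            result[client] = best
    return result


def renewal_counts(events):
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4770:
            counts[e["client"]] += 1
    return dict(counts)


def hunt(events, expected=EXPECTED_MULTI_SPN_HOSTS):
    renewals = renewal_counts(events)
    return [{"client": client, "distinct_rc4_spns": spns, "renewals": renewals.get(client, 0),
             "suppressed": client in expected}
            for client, spns in roasting_candidates(events).items()]


if __name__ == "__main__":
    for finding in hunt(build_sample()):
        print(finding)
```

The window size and min_spns are the knobs to tune: on a domain where RC4 is already disabled, any 0x17 ticket request is the finding by itself and the SPN count becomes secondary.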


Where to Start

1. Rank and prioritize your IT systems and users

2. Ensure logging is turned on for these

3. Start watching the wire… it rarely lies

4. Establish baselines for normal traffic, services, processes and behavior

5. Set up automated alerts when baselines are exceeded

6. Plan to take 30 minutes to an hour a day hunting for breaches

7. Resolve operational issues you find along the way and re-baseline

8. Research new attack methods and build your skills
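Steps 4, 5 and 7 above, and the "large data copies measured in aggregate over time" behavior from the monitoring list, share one mechanism, so here is one added example for both (not the slides' own code): a robust baseline (median plus scaled MAD) per user sets a daily limit, the largest multi-day total seen during the baseline period sets an aggregate limit, and clean days are folded back in to re-baseline. The per-user daily totals are constructed; the ten-day training period and three-day window are assumptions.

```python
import statistics

TRAINING_DAYS = 10

# Constructed daily totals (MB copied off the file server) per user over two weeks.  Not real data.
USERS = {
    # steady ~200 MB/day, then one 2.5 GB pull: a daily spike
    "asmith": [180, 210, 195, 205, 190, 220, 200, 185, 215, 198, 200, 2500, 190, 210],
    # steady ~157 MB/day, then a creep that never breaks the daily limit but adds up: low and slow
    "jdoe":   [150, 160, 155, 165, 158, 162, 149, 157, 163, 151, 170, 174, 177, 176],
}


def baseline(train, window=3, k=3.0):
    """Step 4: median and MAD resist the odd big day that a mean/stddev baseline would absorb."""
    med = statistics.median(train)
    mad = statistics.median(abs(v - med) for v in train)
    scale = 1.4826 * mad if mad else 0.1 * med      # fall back when the series is flat
    return {
        "median": med,
        "daily_limit": med + k * scale,
        "agg_limit": max(sum(train[i:i + window]) for i in range(len(train) - window + 1)),
    }


def evaluate(user, series, training_days=TRAINING_DAYS, window=3):
    """Step 5: alert on a single day over the limit, or on a window whose total exceeds anything
    seen during training even though no single day did."""
    b = baseline(series[:training_days], window)
    alerts, spike_days = [], set()
    for day in range(training_days, len(series)):
        if series[day] > b["daily_limit"]:
            spike_days.add(day)
            alerts.append({"user": user, "day": day, "kind": "daily spike", "value": series[day]})
            continue
        lo = day - window + 1
        win = series[lo:day + 1]
        if lo >= 0 and not spike_days & set(range(lo, day + 1)) and sum(win) > b["agg_limit"]:
            alerts.append({"user": user, "day": day, "kind": f"{window}-day aggregate", "value": sum(win)})
    return alerts


def rebaseline(series, alerts, training_days=TRAINING_DAYS):
    """Step 7: once alerted days are explained, the clean days join the baseline."""
    alerted = {a["day"] for a in alerts}
    return [v for i, v in enumerate(series) if i < training_days or i not in alerted]


def run(users=USERS):
    return {user: evaluate(user, series) for user, series in users.items()}


if __name__ == "__main__":
    for user, alerts in run().items():
        print(user, baseline(USERS[user][:TRAINING_DAYS]), alerts)
```

The same two limits apply to any counter you baseline per entity: bytes per host to the internet, 4769 requests per client, failed logons per source. The aggregate limit is what catches the user who stays just under the daily line for a week.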


Go On Hunting Trips


Sr. Analysts taking Jr. Analysts on “hunting trips”

Practice with the toolset

Hit the cyber range

Locate IoCs on the real network

Search for Command and Control Servers

Validate encrypted outbound traffic flows

Review the previous list of targets


HMM = Hunting Maturity Model (5 levels)

HMM 0 - Initial: relies primarily on automated alerting; little or no routine data collection

HMM 1 - Minimal: incorporates threat intelligence indicator searches; moderate or high level of routine data collection

HMM 2 - Procedural: follows data analysis procedures created by others; high or very high level of routine data collection

HMM 3 - Innovative: creates new data analysis procedures; high or very high level of routine data collection

HMM 4 - Leading: automates the majority of successful data analysis procedures; high or very high level of routine data collection


Questions?


Threat Hunting Resources

1. Incident Response & Computer Forensics, Third Edition, Jason Luttgens, Matt Pepe and Kevin Mandia

2. Threat Modeling: Designing for Security, Adam Shostack

3. https://www.threathunting.net/ – David Bianco

4. Sqrrl, Huntpedia (https://sqrrl.com/media/huntpedia-web-2.pdf) and Hunt Evil

5. The Endgame Guide to Threat Hunting, Paul Ewing & Devon Kerr (https://www.endgame.com/resource/white-paper/endgame-guide-threat-hunting-practitioners-edition)


6. https://taosecurity.blogspot.com/2017/03/the-origin-of-threat-hunting.html

7. SANS Reading Room: Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense

8. The US Army, LandCyber White Paper, http://dtic.mil/dtic/tr/fulltext/u2/a592724.pdf

9. https://github.com/0x4D31/awesome-threat-detection

10. https://github.com/meirwah/awesome-incident-response


Thank You!

Dean Sapp, CISO

#dean_braintrace

[email protected]

801-803-7902