The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid...
Transcript of The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid...
![Page 1: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/1.jpg)
• Step -1: Build solid security response procedures• Full scope close-out
• Step 0: Establish data collection / Instrument Network• Start with existing data
• Improve based upon pain points
The best defense
Monthly Retrospective of Alerts and Incidents
• Sort by Type –• Executable attachments
• Server Side Compromises• Malicious Links
• Credential Re-Use
Identifying Pain Points
![Page 2: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/2.jpg)
Hunting Approaches
Personnel Time Frame
Soc Analysts Day per Week
Incident Responders Week per Month / Quarter
Dedicated Teams Longer engagements
Continual Hunting
![Page 3: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/3.jpg)
Approach 1: Day per week
• Staff: SoC analysts and/or IR staff
• Tactics: • Indicator sweeps
• Basic heuristic approaches
• Benefits: • Improve SoC staff proficiency
• Identifying the “simple” stuff
![Page 4: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/4.jpg)
Approach 2: Week per month / quarter
• Staff: SoC Staff and/or IR teams
• Tactics:• Improving and tuning data sources
• Heuristics
• General tactics in threat reports
• Benefits:• Improved posture against a Pain Point
• New detection scripts
• Improved skillsets and situational awareness
![Page 5: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/5.jpg)
Approach 3: Longer Engagements
• Staff: IR Staff, Dedicated Hunting Teams
• Tactics:• Data Deep Dive
• Benefits:• Deep Situational Awareness
• Establish a “Known Good” Baseline
• Sets the stage for continual hunting
![Page 6: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/6.jpg)
Server Side Compromise:Web Access and Error Logs
• Search For RFI and LFI vulnerabilities• rare client side IPs• Web host enumeration – cold fusion .cfm pages
• File Owners – Administrator versus WWWService• Search for Web Shells
• via access.log• Tor and VPN IPs
• via shell scripts• exec(variable)
![Page 7: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/7.jpg)
Persistent Programs / Scheduled Tasks / Cron• SysInternals AutoRuns• Scheduled Tasks
• Collect and review scheduled tasks • atN.job are suspicious
• Crontab$ hostname = `/bin/hostname`$ cr=`crontab –l`$ echo $hostname,$crontab >> /network_fileshare/cron_hunting.csv
![Page 8: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/8.jpg)
Other Examples
• HTTP C2 Channels• Review Web Proxy
• Entries lacking referer• HTTPS C2
• Suricata or Bro – review certificates. • Remove alexa top 1000 from censys.io• New certificates
• DNS Covert channels• DNS logs
• Credential Re-Use• Speed of Light – New Locations
• Spear Phishing• Email Spool
• Instrument End Points• Osquery• Osxcollector
• Sysmon – apply filters –• dump to data store• UF or Elastic Search
Other Pain Points General Data Sources
![Page 9: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/9.jpg)
General Tactics• Least Frequency Occurrence
• The rare things are the interesting things• Cross Hosts
• Clients versus Server hosts• Organizationally significant Hostnames
• Organizationally significant Usernames
![Page 10: The best defense - Black Hat Briefings · 2021. 1. 7. · The best defense. •Step -1: Build solid security response procedures. •Full scope close-out. •Step 0: Establish data](https://reader035.fdocuments.us/reader035/viewer/2022081621/6127afcd048b9168305061d7/html5/thumbnails/10.jpg)
Aaron Shelmire | Sr. Security Researcher2317 Broadway, 3rd Floor| Redwood City, CA 94063Twitter: @ashelmire
Happy Hunting