Abstract Tools for Effective Threat Hunting
Chris Sanders, Chattanooga ISSA
Chris Sanders
Find Evil @ FireEye
Founder @ Rural Tech Fund
PhD Researcher
GSE #64
BBQ Pit Master
Author: Practical Packet Analysis, Applied NSM
Rural Technology Fund
Accessible Tech Education, Measurable Impact
$20,000 in Scholarships
1500 Repurposed Tech Books
$50,000 in Equipment Donations
Adopted Classroom
40 Students Impacted
FRAMING
Hunting and Expertise
Most practitioners believe that hunting is the pinnacle of security investigation experience. Only the brightest and the best are good hunters.
Tier 1 – Event Analysts
Tier 2 – Incident Responders
Tier 3 – Hunters
The Investigation Process
Stages: Question, Hypothesis, Answer, Observation, Conclusion
Disciplines that share this process: Network Security Monitoring, Hunting, Incident Response, Host Forensics, Malware Analysis
CURIOSITY
Curiosity and Experience
Four combinations of curiosity (C) and experience (E):
• Low C, High E
• Low C, Low E
• High C, High E
• High C, Low E
Labels the slide assigns to the four quadrants: Jumpy, Excels, Apathetic, Ineffective
PIVOTS
Copyright © 2016 Applied Network Defense
Basic Pivoting

| Data Source | Pivot Field | Pivot To    |
|-------------|-------------|-------------|
| Flow Data   | Src/Dst IP  | PCAP        |
| Alert       | Src/Dst IP  | PCAP        |
| PCAP        | Domain      | OSINT       |
| HTTP Proxy  | Username    | Windows Log |
Realistic Pivoting
Scenario: While hunting, you’ve discovered a process whose name leads you to believe it might be malicious.
Questions: Is this file malicious? Where did this file come from?
Data sources: Sysmon Process Logs, Bro Files, Bro HTTP Logs, DNS Logs, PCAP, Flow, OSINT
Pivot fields: MD5 Hash, Conn ID, Domain, Resp IP
Pivot chain (reconstructed from the slide’s diagram): Sysmon Process Logs → (MD5 Hash) → Bro Files → (Conn ID) → Bro HTTP Logs → (Domain) → DNS Logs / OSINT; Bro HTTP Logs → (Resp IP) → PCAP / Flow → (Domain) → DNS Logs / OSINT
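An added Python example (not from the slides) that walks the pivot chain drawn on this slide over constructed Sysmon, Bro files, Bro HTTP and DNS records; the record layouts, field names and sample values are assumptions, and the chain reports a dead end when a pivot field matches nothing.

```python
from collections import defaultdict

# Constructed sample records per data source (not real telemetry). Field
# names are assumptions chosen to mirror the pivot fields on the slide.
SOURCES = {
    "sysmon_process": [
        {"host": "ws01", "image": "C:\\Users\\bob\\AppData\\svchost.exe", "md5": "d41d8cd98f00b204"},
    ],
    "bro_files": [
        {"md5": "d41d8cd98f00b204", "conn_id": "CkzQ7c3", "filename": "svchost.exe"},
        {"md5": "0123456789abcdef", "conn_id": "CHx91a2", "filename": "setup.msi"},
    ],
    "bro_http": [
        {"conn_id": "CkzQ7c3", "domain": "cdn.example.test", "resp_ip": "203.0.113.7"},
        {"conn_id": "CHx91a2", "domain": "updates.example.org", "resp_ip": "198.51.100.20"},
    ],
    "dns": [
        {"domain": "cdn.example.test", "answer": "203.0.113.7", "client": "ws01"},
    ],
}

# Pivot plan taken from the slide's diagram: (from source, shared field, to source).
PIVOT_PLAN = [
    ("sysmon_process", "md5", "bro_files"),
    ("bro_files", "conn_id", "bro_http"),
    ("bro_http", "domain", "dns"),
]

def build_indexes(sources):
    """Index every source by every (field, value) pair so a pivot is a lookup."""
    idx = defaultdict(lambda: defaultdict(list))
    for name, records in sources.items():
        for rec in records:
            for field, value in rec.items():
                idx[name][(field, value)].append(rec)
    return idx

def pivot_chain(start, plan=PIVOT_PLAN, sources=SOURCES):
    """Follow the plan from one starting record; one entry per hop with the field
    pivoted on, the values carried across, and the records matched (stops on a dead end)."""
    idx = build_indexes(sources)
    hops, current = [], [start]
    for src, field, dst in plan:
        values = sorted({rec[field] for rec in current if field in rec})
        hits = [r for v in values for r in idx[dst][(field, v)]]
        hops.append({"from": src, "field": field, "to": dst, "values": values, "hits": hits})
        if not hits:
            break
        current = hits
    return hops
```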
AGGREGATIONS
Aggregations
Example 1: Query flow records for all communication on a network segment. Aggregate bytes per host to produce a top talkers list.
Example 2: Query Windows service execution logs on a network segment. Aggregate the unique process field sorted by least frequent occurrence.
Results are read along a scale from most occurrences to least occurrences.
OBSERVATION STRATEGY
Observation Strategy
Hunting observations fall into two types: Data Driven and TTP Driven.
Going from 0 to 100 in hunting revolves around making an observation that is worth digging into.
An observation strategy provides a construct to base your hunting on.
Data Driven Observations
Question: Can I find anything in my data that looks like it doesn’t belong?
Example: HTTP Data → User Agent Field → Aggregation: Least Frequent Occurrence
Process:
1. Choose a data type
2. Choose a specific field
3. Ask – what would be weird here?
4. Apply a data transformation
5. Repeat
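An added Python example (not from the slides) serving both the Aggregations slide and the Data Driven Observations process above: a top-talkers aggregation over constructed flow records, and a least-frequent-occurrence stack count over constructed process-execution and HTTP user-agent records. Record layouts and values are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry); field names are assumptions.
FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "bytes": 120000},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": 880000},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "bytes": 40000},
    {"src": "10.0.0.8", "dst": "10.0.0.9", "bytes": 5000},
]
PROCESSES = ([{"host": "ws01", "process": "svchost.exe"}] * 40
             + [{"host": "ws02", "process": "explorer.exe"}] * 12
             + [{"host": "ws03", "process": "chrome.exe"}] * 9
             + [{"host": "ws03", "process": "rundll32.exe"}] * 2
             + [{"host": "ws07", "process": "wmiprvse.exe"}])
HTTP = ([{"user_agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0"}] * 25
        + [{"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"}] * 6
        + [{"user_agent": "python-requests/2.9.1"}])

def top_talkers(flows, key="src"):
    """Aggregate bytes per host and list the biggest first (Aggregations example 1)."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[key]] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def least_frequent(records, field, n=3):
    """Stack-count one field and return the n rarest values, fewest occurrences
    first. This is the 'least frequent occurrence' transformation from the
    Data Driven Observations slide: rarity is the 'what would be weird here?'
    prompt that starts an investigation, not evidence of malice by itself."""
    counts = Counter(rec[field] for rec in records if field in rec)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

if __name__ == "__main__":
    print("Top talkers by source:", top_talkers(FLOWS))
    print("Rarest processes:", least_frequent(PROCESSES, "process"))
    print("Rarest user agents:", least_frequent(HTTP, "user_agent"))
```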
TTP Driven Observations
Question: Can I find any evidence of a known TTP on my network?
Suitable for things that aren’t suitable for alerting.
Process:
1. Research an attack type
2. Isolate artifacts that aren’t suitable for IDS
3. Use an analysis technique
4. Repeat
MISE EN PLACE
Everything in Place - Basic Tenets
1. Minimize Movement
2. Waste Nothing
3. Clean as you Go
4. Be Flexible
FRIENDLY INTEL
Friendly Intel: H&P
A history and physical (H&P) is designed to collect baseline information that will help make decisions later.
For analysts, the H&P is based on systems and users.
The H&P is based on persistent observations.
Creating a Knowledgebase
INVESTIGATION THEORY: THE ANALYST MINDSET
10 Week Course
On-Demand Video Lectures
Hands-on Investigation Labs
1:1 Instructor Feedback
Spring Sessions: January 9th, March 20th
http://chrissanders.org/training