
Page 1: Endgame SANS - Threat Hunting Before the Incident

September 12, 2016

HUNTING BEFORE A KNOWN INCIDENT
Paul Ewing
Sr. Threat Research Engineer, ENDGAME

Page 2

AGENDA

§ Me :)
§ Assume you are compromised
  • Defenses fail. All the time.
§ Be Proactive, Think Offense: Hunt!
  • What is hunt
  • Hunt techniques
  • Benefits of hunt
§ Hunt vs. traditional IR
§ Challenges of hunting and how to overcome
§ Hunting best practices

Page 3

ABOUT ME

§ Previous Experience
  • 8 years within Federal Government
  • Hunt, Incident Response, Threat Research, etc.
§ Currently
  • Sr. Threat Research Engineer at Endgame
    · Analytics!!!
§ Me
  • Hockey
  • Weather
  • Penn State
  • …oh and tech

Page 4

HUNTING

Hunting is the proactive, stealthy, and methodical pursuit and eviction of never-before-seen adversaries inside your network without relying on IOCs.

§ Adversaries operate on your systems. They leave a trail
  • Understand what actions they take in the OS: chokepoints
  • Understand breadcrumbs they leave on and across systems: patterns and anomalies
§ Gain the right visibility, collect the right data, analyze, detect, and respond
  • Lock down systems while you’re doing it
  • Be stealthy

Page 5

TODAY’S REALITY

Today’s cycle isn’t working: prevention, detection, triage, response

§ Prevention is important but will be bypassed
§ Search and signature-based detection is way behind
§ Often, notification is external
§ Often, adversaries are already active while a known incident is closed

Page 6

WHY DOES SIGNATURE DETECTION FAIL?

§ On your network
  • Encryption
  • Cloud services – staging, C2, exfiltration, blends in
  • Tailored and/or ephemeral attack infrastructure
§ On your endpoints
  • Polymorphism
  • Malware customization and diversification
  • Use of legitimate creds and admin tools
§ Assume compromise!
  • Someone else’s IOCs might not help you
  • Signatures won’t find everything and will not find what hasn’t been seen before

Attacks are changing and unique

Page 7

BE PROACTIVE, THINK OFFENSE

§ Adversaries are winning :(
§ You can’t afford to wait
§ Offensive, proactive discovery must be the response
  • Search is necessary but insufficient
  • Look for techniques used by attackers
  • Look for patterns in the right data

Hunt within your networks, a.k.a. Continuous IR

Page 8

ADVERSARY HUNTING

Hunting is not…

Searching For IOCs
  • Detecting known attacks
  • Hunters discover and pivot on indicators

Waiting For An Alert
  • Reactive after compromise
  • IR is late

Gathering Data
  • Is important but not enough
  • Need analysis and automation to detect adversary

Hunting is…

Attacker Technique Focused
  • Signatures are brittle
  • Attacks are unique and tailored

Proactive
  • Hunt before an alert
  • Move from IR to proactive adversary detection

Stealthy
  • Evade detection from adversary
  • Hardened from adversary

Page 9

COMMON HUNT METHODS / TECHNIQUES

§ Indicator of Compromise (IOC)
§ Network
§ Endpoint
§ Manual vs. scheduled vs. continuous
§ Outliers/oddities vs. anomaly detection

Page 10

INDICATOR HUNTING (SEARCHING)

§ What’s search good for?
  • Will help you react to an external notification
  • Will help you find well-known campaigns
  • Will help you consistently find unsophisticated threats
  • Will help you pivot on IOCs you find in your own network
    · Determine the extent of an incident
§ Your hunt solution needs to facilitate search
  • Security muscle memory
  • But it needs to do much more

If you know what you are looking for it is not hunt, it is search

Page 11

INDICATOR HUNTING (SEARCHING)

§ Where?

If you know what you are looking for it is not hunt, it is search

Page 12

HUNTING ON THE NETWORK

§ Network analytics are often noisier than on hosts, but still valuable
  • Best if you can tie them to a process
§ Listeners
  • What ports are listening on only a few systems?
  • What processes have listening sockets on only a few systems?
§ DNS resolutions
  • What looks like it could be DGA?
  • What looks like it’s trying to masquerade as a real site?
§ Beaconing
  • What connections look like they could be malware beacons?
§ Same story – choose, collect, analyze, detect, respond

Page 13

HUNTING ON THE NETWORK CONT.

§ Passive DNS
  • Monitor UDP traffic (port 53)
  • Store -> Monitor -> HUNT
§ Apply to Fast Flux
  • Benign domains -> homogenous IP space
  • Malicious domains -> greater heterogeneity -> HUNT
§ DGA
  • Domains with abnormal lexicographical structure
    · Also think about NXDOMAIN
  • Random forest classification tree with features:
    · consonant-to-vowel ratio, longest consonant sequence, entropy, common ngrams with dictionary words, etc. (https://github.com/endgameinc/SANS_THIR16)
§ TCP vs PID
  • Which processes generate network traffic?
  • Which ones are anomalous?
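As an added example (not code from the slides or from the SANS_THIR16 repository), the following computes the DGA lexical features listed above for a constructed set of observed domains and ranks them for an analyst; the word list, thresholds and domains are illustrative placeholders, where the slide's approach would train a random forest on the same features.

```python
import math
import re
from collections import Counter

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")
# Constructed stand-in for a dictionary word list; a real feature set would use a large one.
WORDS = ["mail", "google", "update", "secure", "login", "cloud", "news",
         "bank", "account", "service", "time", "data"]
DICT_TRIGRAMS = {w[i:i + 3] for w in WORDS for i in range(len(w) - 2)}

def registrable_label(domain):
    """Label left of the TLD, lower-cased (no public-suffix list, so co.uk-style suffixes are not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lexical_features(domain):
    """The slide's features: consonant-to-vowel ratio, longest consonant run, entropy, dictionary n-grams."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    consonants = len(letters) - vowels
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    counts = Counter(label)  # Shannon entropy in bits over the label's characters
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values()) if label else 0.0
    trigrams = [label[i:i + 3] for i in range(len(label) - 2)]
    dict_ratio = sum(t in DICT_TRIGRAMS for t in trigrams) / len(trigrams) if trigrams else 0.0
    return {"length": len(label),
            "cv_ratio": consonants / vowels if vowels else float(consonants),
            "longest_consonant_run": longest_run,
            "entropy": round(entropy, 3),
            "dict_ngram_ratio": round(dict_ratio, 3)}

def dga_score(domain):
    """Number of illustrative thresholds crossed (0-4); the slide trains a random forest on the same features."""
    f = lexical_features(domain)
    return sum([f["cv_ratio"] > 3.0, f["longest_consonant_run"] >= 4,
                f["entropy"] > 3.0, f["dict_ngram_ratio"] < 0.2])

def rank_for_hunt(domains, min_score=3):
    """(score, domain) pairs that cross at least min_score thresholds, highest score first."""
    return sorted(((dga_score(d), d) for d in domains if dga_score(d) >= min_score), reverse=True)

# Constructed sample of observed resolutions; none are real indicators.
OBSERVED = ["mail.google.com", "xq7zkfp3wtbv.net", "secure-login-update.com", "vbxkqpt9mzl.org"]

if __name__ == "__main__":
    for score, domain in rank_for_hunt(OBSERVED):
        print(score, domain, lexical_features(domain))
```

The hyphenated lookalike domain crosses only the entropy threshold, which is why a single feature such as entropy is a poor DGA detector on its own.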

Page 14

HUNTING ON ENDPOINTS

§ Autoruns locations
  • What’s persisting on only a few hosts?
  • What’s executing out of a strange location?
§ Running processes
  • What has a hash mismatch across hosts?
  • Which process has a loaded module not present on other systems?
§ Execution artifacts
  • What strange PowerShell commands have been run?
  • Where do I see unusual remote process executions?
§ Many other possibilities
§ Choose what to hunt on, collect, analyze, detect, respond

Page 15

HUNTING ON ENDPOINTS CONT.

§ Yara
  • Transfer Yara binary to target machine w/ native Windows functionality
      PS> copy yara.exe \\TARGET-HOST\C$\TEMP\yara.exe
  • Transfer rules
      PS> copy rules.yara \\TARGET-HOST\C$\TEMP\rules.yara
  • Execute scan w/ Invoke-Command
      PS> Invoke-Command -ComputerName TARGET -ScriptBlock {
            c:\TEMP\yara.exe c:\TEMP\rules.yara c:\targetdir } -credential USER
§ Gotcha
  • Highly dependent on rules, signature based :(

Page 16

HUNTING ON ENDPOINTS CONT.

§ Autoruns
  • Transfer binary (with msvcr100.dll) to target machine w/ native Windows functionality
      PS> copy autorunsc.exe \\TARGET-HOST\C$\TEMP\autorunsc.exe
      PS> copy msvcr100.dll \\TARGET-HOST\C$\TEMP\msvcr100.dll
  • Execute program w/ Invoke-Command (w/ optional output)
      PS> Invoke-Command -ComputerName TARGET -ScriptBlock {
            c:\TEMP\autorunsc.exe -a (??) -h (>> c:\TEMP\autoruns-output.txt) } -credential USER
  • Collect output
      PS> copy \\TARGET-HOST\C$\TEMP\autoruns-output.txt c:\directory
§ Analysis
  • Check hashes (e.g. VirusTotal)
  • Compare host to hash (e.g. cat hash-map.txt | cut -d':' -f2 > hashes.txt)
  • Locations (e.g. startup in C:\Temp, uh oh)
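As an added example (not from the slides), the stacking step behind the endpoint questions on pages 14 and 16, run over constructed autoruns-style records: entries that persist on only a few hosts, the same image path carrying different hashes across hosts, and images launched from temporary or user-writable paths. Host names, paths and hash strings are invented placeholders, not real indicators.

```python
from collections import defaultdict

# Constructed autoruns-style records: (host, autorun location, image path, file hash).
# Hash values are placeholder strings, not real hashes; hosts and paths are invented.
RECORDS = [
    ("WS01", "HKLM Run", "C:\\Program Files\\Vendor\\agent.exe", "HASH_AGENT_1"),
    ("WS02", "HKLM Run", "C:\\Program Files\\Vendor\\agent.exe", "HASH_AGENT_1"),
    ("WS03", "HKLM Run", "C:\\Program Files\\Vendor\\agent.exe", "HASH_AGENT_1"),
    ("WS01", "Services", "C:\\Windows\\System32\\svchost.exe", "HASH_SVCHOST_A"),
    ("WS02", "Services", "C:\\Windows\\System32\\svchost.exe", "HASH_SVCHOST_A"),
    ("WS03", "Services", "C:\\Windows\\System32\\svchost.exe", "HASH_SVCHOST_B"),  # same path, other hash
    ("WS02", "HKCU Run", "C:\\Temp\\updater.exe", "HASH_UPDATER"),  # single host, temp directory
]
# Paths a persistent binary should rarely run from (the slide's "startup in C:\Temp, uh oh").
ODD_PREFIXES = ("c:\\temp\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

def norm(path):
    """Windows paths are case-insensitive, so stack on a lower-cased key."""
    return path.lower()

def hosts_per_image(records):
    """image path -> set of hosts on which it is an autorun entry."""
    hosts = defaultdict(set)
    for host, _location, image, _file_hash in records:
        hosts[norm(image)].add(host)
    return hosts

def rare_persistence(records, max_hosts=1):
    """Images persisting on at most max_hosts hosts: 'what's persisting on only a few hosts?'"""
    return sorted(img for img, hosts in hosts_per_image(records).items() if len(hosts) <= max_hosts)

def hash_mismatches(records):
    """Images whose hash differs between hosts: image -> {hash: sorted hosts}."""
    by_image = defaultdict(lambda: defaultdict(set))
    for host, _location, image, file_hash in records:
        by_image[norm(image)][file_hash].add(host)
    # Caveat: OS binaries legitimately differ across patch levels, so stack per OS build in practice.
    return {img: {h: sorted(hs) for h, hs in hashes.items()}
            for img, hashes in by_image.items() if len(hashes) > 1}

def odd_locations(records, prefixes=ODD_PREFIXES):
    """(host, image) pairs launched from temporary or user-writable paths."""
    return sorted({(host, norm(image)) for host, _l, image, _h in records
                   if norm(image).startswith(prefixes)})

if __name__ == "__main__":
    print("rare:", rare_persistence(RECORDS))
    print("hash mismatches:", hash_mismatches(RECORDS))
    print("odd locations:", odd_locations(RECORDS))
```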

Page 17

BENEFITS OF HUNT

§ Reduce dwell time before discovery -> Reduced costs
  • Shorter dwell time usually means reduced incident complexity
  • Shorter dwell time usually means less loss or damage
§ Break the cycle of reactivity
§ Build new security muscle memory
  • By continuous hunting, one gains an ability to see and react to patterns and anomalies

“Organizations that proactively work to discover incidents — ‘hunt’ for them — have a better chance of finding them and effectively reducing their impact” (Gartner 2016)

Page 18

HUNT AND INCIDENT RESPONSE

§ Very similar methods and skills required
§ Similar tools and techniques
§ Assume breach and find it vs. known starting point
  • Steps from there are remarkably similar.
§ Don’t wait for the incident. Go find it.
  • IR teams can be the hunters
  • Consider hunting

Page 19

HUNTING CHALLENGES

Lack of Resources
  • Process
  • People
  • Technology

Drowning in Data
  • Knowing where to look for the problem
  • Search is not enough
  • Automating analysis at scale

Tipping off the Adversary
  • Hiding from the adversary
  • Strong anti-tampering to prevent detection gaps

Page 20

ENDGAME: ADVANTAGES

IOC INDEPENDENT PROTECTION
  • Detects never-before-seen attacks

STEALTH OPERATIONS
  • Prevents adversary disruption

PRECISION RESPONSE
  • Enables zero business disruption

HUNT AUTOMATION
  • Transforms hunt, IR and SOC teams

Endgame protects at the earliest and all phases of the kill chain

Page 21

SUMMARY

§ The current detection and IR cycle doesn’t work
§ Transform the IR cycle into a Hunt cycle
§ Start hunting now
§ Automate, automate, automate

Page 22

DO YOU WANT MORE?

§ DEMO