Abstract Tools for Effective Threat Hunting
TRANSCRIPT
Chris Sanders, Chattanooga ISSA
Chris Sanders
• Find Evil @ FireEye
• Founder @ Rural Tech Fund
• PhD Researcher
• GSE #64
• BBQ Pit Master
• Author: Practical Packet Analysis, Applied NSM
Rural Technology Fund: Accessible Tech Education, Measurable Impact
• $20,000 in scholarships
• 1,500 repurposed tech books
• $50,000 in equipment donations
• Adopted classroom
• 40 students impacted
FRAMING
Hunting and Expertise
Most practitioners believe that hunting is the pinnacle of security investigation experience: only the brightest and the best are good hunters.
• Tier 1 – Event Analysts
• Tier 2 – Incident Responders
• Tier 3 – Hunters
The Investigation Process
• Question
• Hypothesis
• Answer
• Observation
• Conclusion
Network Security Monitoring, Hunting, Incident Response, Host Forensics, Malware Analysis
CURIOSITY
Curiosity and Experience
The hunter's mindset is the combination of curiosity (C) and experience (E):

                  Low Experience    High Experience
High Curiosity    Jumpy             Excels
Low Curiosity     Ineffective       Apathetic

High curiosity without experience chases everything (jumpy); experience without curiosity stops looking (apathetic); neither is ineffective; both together is where a hunter excels.
PIVOTS
Copyright © 2016 Applied Network Defense
Basic Pivoting
Data Source    Pivot Field    Pivots To
Flow Data      Src/Dst IP     PCAP
Alert          Src/Dst IP     PCAP
PCAP           Domain         OSINT
HTTP Proxy     Username       Windows Log
Realistic Pivoting
(boxes are data sources; each arrow is labelled with the pivot field that joins them)
Sysmon Process Logs --MD5 Hash--> Bro Files --Conn ID--> Bro HTTP Logs
Bro HTTP Logs --Domain--> DNS Logs, OSINT
Bro HTTP Logs --Resp IP--> PCAP, Flow, OSINT
PCAP --Domain--> DNS Logs, OSINT

Scenario: While hunting, you've discovered a process whose name leads you to believe it might be malicious.
Questions: Is this file malicious? Where did this file come from?
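The pivot chain above, walked in code as an added example (this is not code from the talk): constructed Sysmon, Bro files/HTTP, DNS and flow records are joined on MD5 hash, connection uid, domain and responder IP to answer "where did this file come from?" and "who else talked to that server?". The field names are assumptions standing in for the real log schemas.

```python
# Added example (not from the talk): walking the "realistic pivoting" chain
# with constructed, in-memory log records. Field names mimic Sysmon and
# Bro/Zeek logs but are assumptions for illustration, not a real schema.
from collections import defaultdict

# --- constructed sample data (not real telemetry) ------------------------
SYSMON_PROCESS = [  # Sysmon process-create style records
    {"host": "ws-17", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe",
     "md5": "aa11bb22cc33dd44ee55ff6677889900"},
    {"host": "ws-17", "image": "C:\\Windows\\System32\\svchost.exe",
     "md5": "11112222333344445555666677778888"},
]
BRO_FILES = [  # files.log: hashes of files seen on the wire, with the carrying connections
    {"md5": "aa11bb22cc33dd44ee55ff6677889900", "conn_uids": ["CHhAvVGS1DHFjwGM9"],
     "source": "HTTP"},
]
BRO_HTTP = [  # http.log: connection uid -> Host header, URI, responder IP
    {"uid": "CHhAvVGS1DHFjwGM9", "host": "cdn.example-updates.net",
     "uri": "/pkg/update.bin", "resp_ip": "203.0.113.45"},
]
DNS_LOG = [  # dns.log: query -> answers
    {"query": "cdn.example-updates.net", "answers": ["203.0.113.45"]},
    {"query": "www.example.org", "answers": ["198.51.100.7"]},
]
FLOW = [  # flow records: who else talked to the same responder?
    {"src_ip": "10.0.0.17", "dst_ip": "203.0.113.45", "bytes": 48211},
    {"src_ip": "10.0.0.23", "dst_ip": "203.0.113.45", "bytes": 47990},
    {"src_ip": "10.0.0.17", "dst_ip": "198.51.100.7", "bytes": 1200},
]


def pivot_from_process(image_substring):
    """Follow process -> MD5 -> files.log -> conn uid -> http.log -> domain / resp IP
    -> dns.log / flow. Returns one list per hop; an empty list means the trail went cold."""
    result = {"processes": [], "files": [], "http": [], "dns": [], "flow_peers": []}

    # Hop 0: the process that caught the hunter's eye (case-insensitive name match).
    result["processes"] = [p for p in SYSMON_PROCESS
                           if image_substring.lower() in p["image"].lower()]
    hashes = {p["md5"] for p in result["processes"]}

    # Hop 1: MD5 hash pivots into Bro files.log (did this file cross the wire?).
    result["files"] = [f for f in BRO_FILES if f["md5"] in hashes]
    uids = {uid for f in result["files"] for uid in f["conn_uids"]}

    # Hop 2: connection uid pivots into http.log (which server delivered it?).
    result["http"] = [h for h in BRO_HTTP if h["uid"] in uids]
    domains = {h["host"] for h in result["http"]}
    resp_ips = {h["resp_ip"] for h in result["http"]}

    # Hop 3a: domain pivots into dns.log (resolution history; OSINT would start here).
    result["dns"] = [d for d in DNS_LOG if d["query"] in domains]

    # Hop 3b: responder IP pivots into flow (scope: which other internal hosts reached it?).
    peers = defaultdict(int)
    for fl in FLOW:
        if fl["dst_ip"] in resp_ips:
            peers[fl["src_ip"]] += fl["bytes"]
    result["flow_peers"] = sorted(peers.items(), key=lambda kv: -kv[1])
    return result


if __name__ == "__main__":
    trail = pivot_from_process("svch0st")
    for hop, records in trail.items():
        print(hop, records)
```

Each hop is a join on a single pivot field, which is the whole point of the slide: the value of a data source in hunting is measured by how many other sources it shares a field with. A real deployment would run these joins in the SIEM or against Zeek logs on disk rather than in memory, but the shape of the query is the same.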
AGGREGATIONS
Aggregations
• Query flow records for all communication on a network segment; aggregate bytes per host to produce a top talkers list.
• Query Windows service execution logs on a network segment; aggregate the unique process field, sorted by least frequent occurrence.
(Stack-count output is ranked from most occurrences to least occurrences; the interesting entries sit at the least-frequent end.)
OBSERVATION STRATEGY
Observation Strategy
Hunting observations are either data driven or TTP driven.
Going from 0 to 100 in hunting revolves around making an observation that is worth digging into. An observation strategy provides a construct to base your hunting on.
Data Driven Observations
Can I find anything in my data that looks like it doesn't belong?
1. Choose a data type
2. Choose a specific field
3. Ask: what would be weird here?
4. Apply a data transformation
5. Repeat
Example: HTTP data → User Agent field → aggregation by least frequent occurrence.
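Both aggregations from the Aggregations section and the data-driven loop just described (HTTP data, User Agent field, least frequent occurrence), as one added Python example that is not code from the talk. The flow, process and HTTP records are constructed sample data and the field names are assumptions. It goes one step beyond the slide by also counting rare processes per distinct host rather than per event, which keeps one noisy machine from hiding a process that ran once somewhere else.

```python
# Added example (not from the talk): stack counting / top talkers over
# constructed records. Field names are assumptions, not a real log schema.
from collections import Counter, defaultdict

# --- constructed sample data (not real telemetry) ------------------------
FLOW_RECORDS = [  # flow records for one network segment
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "bytes": 120_000},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "bytes": 950_000},
    {"src_ip": "10.0.0.8", "dst_ip": "198.51.100.7", "bytes": 30_000},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.9", "bytes": 2_400_000},
]
PROCESS_EVENTS = [  # (host, process) from Windows process/service execution logs
    ("ws-1", "chrome.exe"), ("ws-2", "chrome.exe"), ("ws-3", "chrome.exe"),
    ("ws-1", "outlook.exe"), ("ws-2", "outlook.exe"),
    ("ws-3", "rundll32.exe"), ("ws-2", "psexesvc.exe"),
]
HTTP_RECORDS = [  # (client IP, user agent) from an HTTP log
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    ("10.0.0.8", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    ("10.0.0.9", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    ("10.0.0.5", "Microsoft-CryptoAPI/10.0"),
    ("10.0.0.9", "Microsoft-CryptoAPI/10.0"),
    ("10.0.0.8", "python-requests/2.31"),
]


def top_talkers(records, n=3):
    """Aggregate bytes per source host and rank descending (most first).
    Ties break on the IP string so the output is deterministic."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_ip"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def least_frequent(values, n=3):
    """Stack-count a field and return the n rarest values, rarest first."""
    counts = Counter(values)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


def least_frequent_by_host(pairs, n=3):
    """Count on DISTINCT hosts rather than raw events: a process that ran a
    thousand times on one box is still rare across the fleet."""
    hosts = defaultdict(set)
    for host, value in pairs:
        hosts[value].add(host)
    return sorted(((v, len(h)) for v, h in hosts.items()),
                  key=lambda kv: (kv[1], kv[0]))[:n]


def data_driven_observation(records, field, n=3):
    """One pass of the data-driven loop: a data type (records), a specific
    field (extractor function), the least-frequent transformation, and the
    tail of the distribution handed back for the 'what would be weird here?' question."""
    return least_frequent((field(r) for r in records), n)


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOW_RECORDS))
    print("rare processes by host:", least_frequent_by_host(PROCESS_EVENTS))
    print("rare user agents:", data_driven_observation(HTTP_RECORDS, field=lambda r: r[1]))
```

The same `least_frequent` transformation applies to any field once you have chosen the data type and the field; swapping the extractor in `data_driven_observation` is the "Repeat" step of the loop.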
TTP Driven Observations
Can I find any evidence of a known TTP on my network? Suited to things that aren't suitable for alerting.
1. Research an attack type
2. Isolate artifacts that aren't suitable for IDS
3. Use an analysis technique
4. Repeat
MISE EN PLACE
Everything in Place – Basic Tenets
1. Minimize Movement
2. Waste Nothing
3. Clean as you Go
4. Be Flexible
FRIENDLY INTEL
Friendly Intel: the H&P
A history and physical (H&P) is designed to collect baseline information that will help make decisions later.
For analysts, the H&P is based on systems and users.
The H&P is built from persistent observations.
Creating a Knowledgebase
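An added example of the knowledgebase idea (not code from the talk): an H&P-style store keyed on systems and users that keeps the baseline facts learned so far together with the dated observations behind them, so a later hunt can ask "is this new for this host?" The record layout, entity kinds and the seeded facts are assumptions chosen for illustration.

```python
# Added example (not from the talk): a minimal friendly-intel knowledgebase.
# Entity kinds ("system", "user"), fact names and seed values are assumptions.
from datetime import date


class KnowledgeBase:
    """H&P-style friendly intel: one record per system or user, holding the
    baseline facts learned so far plus the dated observations behind them."""

    def __init__(self):
        # (kind, name) -> {"facts": {fact: set(values)}, "observations": [...]}
        self.records = {}

    def note(self, kind, name, fact, value, seen=None, source="hunt"):
        """Record a persistent observation. Returns True when the value is new
        for this entity, so 'first seen' is distinguishable from 'seen before'."""
        rec = self.records.setdefault((kind, name), {"facts": {}, "observations": []})
        known = rec["facts"].setdefault(fact, set())
        first_seen = value not in known
        known.add(value)
        rec["observations"].append({
            "date": seen or date.today().isoformat(),
            "fact": fact, "value": value, "source": source,
        })
        return first_seen

    def is_known(self, kind, name, fact, value):
        """Does the H&P already account for this (fact, value) on this entity?"""
        rec = self.records.get((kind, name))
        return rec is not None and value in rec["facts"].get(fact, set())

    def history(self, kind, name):
        """Every dated observation recorded for the entity, oldest first."""
        rec = self.records.get((kind, name), {"observations": []})
        return list(rec["observations"])

    def unexplained(self, kind, name, observations):
        """Triage helper: from (fact, value) pairs seen in the current hunt,
        return those the baseline does not explain. These are worth a question."""
        return [(f, v) for f, v in observations if not self.is_known(kind, name, f, v)]


def build_sample_kb():
    """Seed the knowledgebase with constructed facts (not real inventory data)."""
    kb = KnowledgeBase()
    kb.note("system", "ws-17", "role", "finance workstation", seen="2016-03-01", source="asset inventory")
    kb.note("system", "ws-17", "owner", "jdoe", seen="2016-03-01", source="asset inventory")
    kb.note("system", "ws-17", "normal_egress", "https", seen="2016-03-14", source="hunt")
    kb.note("system", "ws-17", "normal_egress", "dns", seen="2016-03-14", source="hunt")
    kb.note("user", "jdoe", "department", "finance", seen="2016-03-01", source="HR directory")
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    # A later hunt sees SSH leaving a finance workstation: not in the H&P.
    seen_today = [("normal_egress", "https"), ("normal_egress", "ssh")]
    print(kb.unexplained("system", "ws-17", seen_today))
```

Recording the source of each observation matters as much as the value: an egress protocol learned from a hunt is weaker evidence of "normal" than one confirmed by the system owner, and the next analyst needs to know which they are looking at.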
INVESTIGATION THEORY: THE ANALYST MINDSET
10 Week Course • On-Demand Video Lectures • Hands-on Investigation Labs • 1:1 Instructor Feedback
Spring Sessions: January 9th, March 20th
http://chrissanders.org/training