SlideShare uma empresa Scribd logo

Threat Hunting 102: Beyond the Basics

Cybereason
Cybereason

Threat hunting is the best, proactive approach. But, excelling at threat hunting, discovering adversaries takes time, patience, planning, and some serious skills. Mature beyond the basics of hunting and evolve your program!

Tecnologia
1 de 16
Baixar para ler offline
Hunting 102 Beyond the Basics
#whoami Brad Mecha Hunting Team Manager at Cybereason Former Technology Consultant / Cyber Defense at RSA Former CIRT Lead at a Global Advanced Manufacturing Organization
Why we’re here today Quick Hunting Refresher I’m Hunting!! Now What? Giving Back & Process Integration Expanded PowerShell Use Case
The process of proactively discovering undesirable activity to illicit a positive outcome. Refresher: Hunting defined.
Refresher: Why? Prepare? Its very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for bad to happen? Then have to react to fix. Fix stuff? Especially before it breaks!
Adapt or Perish. Learning is discovery, the discovery of the cause of our ignorance. However, the best way of learning is not the computation of information. Learning is discovering, uncovering what is there in us. When we discover, we are uncovering our own ability, our own eyes, in order to find our potential, to see what is going on, to discover how we can enlarge our lives, to find means at our disposal that will let us cope with a difficult situation. --Bruce Lee
The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation*
I’m Hunting! Now What? We’re Giving Back! Incidents Detection Improvements / New Collection Techniques Prevention w/ Confidence Config Management / Compliance / Audit Improve Response / Triage
Incident Response Process Prepare Detect Respond Contain / Eradicate Post-Mortem / Prevent
Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Hunting ProcessIncident Response Process Escalated Incident High Fidelity Detections Use blind spots / Gaps as sources of Motivation and Hypothesis/ New Data Collection and Analysis Techniques Improve Triage and Response SOPs
Hunting: A Deeper Dive Previous Outcomes create new Motivation + Hypothesis’ Introducing new datasets to expand previous outcomes Data stacking becomes more crucial to the journey to analysis / data science
Expanded Hunting: Powershell
© 2015 Cybereason Inc. All rights reserved. Powershell Service = commandline:powershell or .ps* Fileless Techniques Process Execution Network Comms Persistence Registry Services Hidden Obfuscated Shellcode / DLL Execution Encoded Download Commands Parent / Child Profiling Int2Ext Profiling DNS Queries Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine: DownloadFile|IWR|Invoke- WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS commandLine:dllimport|virtualalloc Parent: wscript|mshta|MSOffice|Browser|WMI* Connections → Filter:isExternalConnection:true URL: .ps* DNS Query: TXT C2 DNS Query: Received vs Transmitted Ratios
Giving Back…Incident Escalation Incident 1: Powershell WebClient – Downloading Stage 2 Payload Incident 2: Remote .ps file execution / Invoking shellcode Incident 3: Mismatched Services – Adversarial use of .ps Incident 4: Data Exfil – Powershell BITSTransfer
Giving Back…Prevention Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe Anchor Powershell scripts to a specific server directories, block .ps* from running directly on a system Use endpoint firewall to prevent powershell.exe from connecting to non-approved IPs Block “Bypass” “Hidden” ”Download String” “WebClient” ”DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user See #2 for allowing valid applications
brad@cybereason.com @cybereason Thank you!

Recomendados

Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudProtectWise
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Building a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramBuilding a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramCarl C. Manion
 

Recomendados

Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudProtectWise
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Building a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramBuilding a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramCarl C. Manion
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE - ATT&CKcon
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThreatConnect
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use casesPriyanka Aash
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approachchrissanders88
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRNetpluz Asia Pte Ltd
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceAlienVault
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?MITRE - ATT&CKcon
 
Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?marketingunitrends
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinarThreatConnect
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThreatConnect
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkGert-Jan Bruggink
 
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 

Mais conteúdo relacionado

Mais procurados

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE - ATT&CKcon
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThreatConnect
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use casesPriyanka Aash
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approachchrissanders88
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRNetpluz Asia Pte Ltd
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceAlienVault
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?MITRE - ATT&CKcon
 
Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?marketingunitrends
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinarThreatConnect
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThreatConnect
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkGert-Jan Bruggink
 

Mais procurados (20)

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approach
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDR
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
 
Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinar
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence Webinar
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
 

Semelhante a Threat Hunting 102: Beyond the Basics

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
Maturing your threat hunting program
Maturing your threat hunting programMaturing your threat hunting program
Maturing your threat hunting programCybereason
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Attack Simulation and Hunting
Attack Simulation and HuntingAttack Simulation and Hunting
Attack Simulation and Huntingnathi mogomotsi
 
Myth-busting in Application Security
Myth-busting in Application SecurityMyth-busting in Application Security
Myth-busting in Application SecurityDevOps.com
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldShannon Lietz
 
Big data security
Big data securityBig data security
Big data securityCloudBees
 
International Conference on Cyber Security, Hide and Go Seek
International Conference on Cyber Security, Hide and Go SeekInternational Conference on Cyber Security, Hide and Go Seek
International Conference on Cyber Security, Hide and Go SeekDavid Knox
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?PECB
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxinfosec train
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
DevOps: Lead, Follow or Get Out of the Way - A CISO PerspectiveDevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
DevOps: Lead, Follow or Get Out of the Way - A CISO PerspectiveTexas.gov
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...Salesforce Engineering
 
What Managers Need to Know about Data Science
What Managers Need to Know about Data ScienceWhat Managers Need to Know about Data Science
What Managers Need to Know about Data ScienceAnnie Flippo
 

Semelhante a Threat Hunting 102: Beyond the Basics (20)

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
 
Maturing your threat hunting program
Maturing your threat hunting programMaturing your threat hunting program
Maturing your threat hunting program
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Attack Simulation and Hunting
Attack Simulation and HuntingAttack Simulation and Hunting
Attack Simulation and Hunting
 
Myth-busting in Application Security
Myth-busting in Application SecurityMyth-busting in Application Security
Myth-busting in Application Security
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 
Big data security
Big data securityBig data security
Big data security
 
International Conference on Cyber Security, Hide and Go Seek
International Conference on Cyber Security, Hide and Go SeekInternational Conference on Cyber Security, Hide and Go Seek
International Conference on Cyber Security, Hide and Go Seek
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
DevOps: Lead, Follow or Get Out of the Way - A CISO PerspectiveDevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To Prepare
 
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
 
What Managers Need to Know about Data Science
What Managers Need to Know about Data ScienceWhat Managers Need to Know about Data Science
What Managers Need to Know about Data Science
 

Mais de Cybereason

Antifragile Cyber Defense
Antifragile Cyber DefenseAntifragile Cyber Defense
Antifragile Cyber DefenseCybereason
 
An Introduction to the Agile SoC
An Introduction to the Agile SoCAn Introduction to the Agile SoC
An Introduction to the Agile SoCCybereason
 
Protecting the financial services industry
Protecting the financial services industryProtecting the financial services industry
Protecting the financial services industryCybereason
 
Protecting the healthcare industry
Protecting the healthcare industryProtecting the healthcare industry
Protecting the healthcare industryCybereason
 
Protecting the manufacturing industry
Protecting the manufacturing industryProtecting the manufacturing industry
Protecting the manufacturing industryCybereason
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?Cybereason
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksThe Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksCybereason
 
The Cyber Attack Lifecycle
The Cyber Attack LifecycleThe Cyber Attack Lifecycle
The Cyber Attack LifecycleCybereason
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Cybereason
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance HealthcareAvoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance HealthcareCybereason
 
Some PowerShell Goodies
Some PowerShell GoodiesSome PowerShell Goodies
Some PowerShell GoodiesCybereason
 
Ransomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near YouRansomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near YouCybereason
 

Mais de Cybereason (12)

Antifragile Cyber Defense
Antifragile Cyber DefenseAntifragile Cyber Defense
Antifragile Cyber Defense
 
An Introduction to the Agile SoC
An Introduction to the Agile SoCAn Introduction to the Agile SoC
An Introduction to the Agile SoC
 
Protecting the financial services industry
Protecting the financial services industryProtecting the financial services industry
Protecting the financial services industry
 
Protecting the healthcare industry
Protecting the healthcare industryProtecting the healthcare industry
Protecting the healthcare industry
 
Protecting the manufacturing industry
Protecting the manufacturing industryProtecting the manufacturing industry
Protecting the manufacturing industry
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksThe Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
 
The Cyber Attack Lifecycle
The Cyber Attack LifecycleThe Cyber Attack Lifecycle
The Cyber Attack Lifecycle
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance HealthcareAvoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
 
Some PowerShell Goodies
Some PowerShell GoodiesSome PowerShell Goodies
Some PowerShell Goodies
 
Ransomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near YouRansomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near You
 

Último

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 

Último (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Threat Hunting 102: Beyond the Basics

  • 2. #whoami Brad Mecha Hunting Team Manager at Cybereason Former Technology Consultant / Cyber Defense at RSA Former CIRT Lead at a Global Advanced Manufacturing Organization
  • 3. Why we’re here today Quick Hunting Refresher I’m Hunting!! Now What? Giving Back & Process Integration Expanded PowerShell Use Case
  • 4. The process of proactively discovering undesirable activity to illicit a positive outcome. Refresher: Hunting defined.
  • 5. Refresher: Why? Prepare? Its very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for bad to happen? Then have to react to fix. Fix stuff? Especially before it breaks!
  • 6. Adapt or Perish. Learning is discovery, the discovery of the cause of our ignorance. However, the best way of learning is not the computation of information. Learning is discovering, uncovering what is there in us. When we discover, we are uncovering our own ability, our own eyes, in order to find our potential, to see what is going on, to discover how we can enlarge our lives, to find means at our disposal that will let us cope with a difficult situation. --Bruce Lee
  • 8. I’m Hunting! Now What? We’re Giving Back! Incidents Detection Improvements / New Collection Techniques Prevention w/ Confidence Config Management / Compliance / Audit Improve Response / Triage
  • 10. Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Hunting ProcessIncident Response Process Escalated Incident High Fidelity Detections Use blind spots / Gaps as sources of Motivation and Hypothesis/ New Data Collection and Analysis Techniques Improve Triage and Response SOPs
  • 11. Hunting: A Deeper Dive Previous Outcomes create new Motivation + Hypothesis’ Introducing new datasets to expand previous outcomes Data stacking becomes more crucial to the journey to analysis / data science
  • 13. © 2015 Cybereason Inc. All rights reserved. Powershell Service = commandline:powershell or .ps* Fileless Techniques Process Execution Network Comms Persistence Registry Services Hidden Obfuscated Shellcode / DLL Execution Encoded Download Commands Parent / Child Profiling Int2Ext Profiling DNS Queries Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine: DownloadFile|IWR|Invoke- WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS commandLine:dllimport|virtualalloc Parent: wscript|mshta|MSOffice|Browser|WMI* Connections → Filter:isExternalConnection:true URL: .ps* DNS Query: TXT C2 DNS Query: Received vs Transmitted Ratios
  • 14. Giving Back…Incident Escalation Incident 1: Powershell WebClient – Downloading Stage 2 Payload Incident 2: Remote .ps file execution / Invoking shellcode Incident 3: Mismatched Services – Adversarial use of .ps Incident 4: Data Exfil – Powershell BITSTransfer
  • 15. Giving Back…Prevention Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe Anchor Powershell scripts to a specific server directories, block .ps* from running directly on a system Use endpoint firewall to prevent powershell.exe from connecting to non-approved IPs Block “Bypass” “Hidden” ”Download String” “WebClient” ”DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user See #2 for allowing valid applications