Threat hunting is the best proactive approach, but excelling at it and discovering adversaries takes time, patience, planning, and some serious skills. Mature beyond the basics of hunting and evolve your program!
2. #whoami
Brad Mecha
Hunting Team Manager at Cybereason
Former Technology Consultant / Cyber Defense at RSA
Former CIRT Lead at a Global Advanced Manufacturing Organization
3. Why we're here today
Quick Hunting Refresher
I’m Hunting!! Now What?
Giving Back & Process Integration
Expanded PowerShell Use Case
4. Refresher: Hunting defined.
The process of proactively discovering undesirable activity to elicit a positive outcome.
5. Refresher: Why?
Prepare: it's very hard to defend what you can't see and don't understand.
Be proactive: don't wait for bad things to happen and then have to react to fix them.
Fix stuff, especially before it breaks!
6. Adapt or Perish.
Learning is discovery, the discovery of the cause of our ignorance. However, the best way of learning is not the computation of information. Learning is discovering, uncovering what is there in us. When we discover, we are uncovering our own ability, our own eyes, in order to find our potential, to see what is going on, to discover how we can enlarge our lives, to find means at our disposal that will let us cope with a difficult situation.
--Bruce Lee
11. Hunting: A Deeper Dive
Previous outcomes create new motivation and hypotheses
Introducing new datasets to expand previous outcomes
Data stacking becomes more crucial on the journey to analysis / data science
15. Giving Back...Prevention
Block execution of PowerShell.exe on all systems where it's not in use for administrative purposes
Force specific parent/child process relationships: MS Office | Wscript | Mshta | Browsers | WMI spawning Powershell.exe
Anchor PowerShell scripts to specific server directories; block .ps* files from running directly on a system
Use the endpoint firewall to prevent powershell.exe from connecting to non-approved IPs
Block "Bypass", "Hidden", "DownloadString", "WebClient", "DllImport", "VirtualAlloc" as command-line arguments for execution by an unauthorized user
See #2 for allowing valid applications
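The prevention controls above can also be expressed as detection logic run over process-creation events, so a hunter can see how many hits a rule would generate before blocking anything. The following is an added example, not code from the deck or from Cybereason; the parent-process list, the approved script share `\\fileserver\scripts\`, the authorized account `corp\svc_admin` and the sample events are all assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Parent processes that should not be spawning powershell.exe (MS Office,
# script hosts, mshta, browsers, WMI). This list is an assumption.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "wmiprvse.exe",
}
# Command-line tokens named on the slide. Matched case-insensitively with
# whitespace removed, so "Download String" and "DownloadString" both hit.
SUSPICIOUS_TOKENS = ("bypass", "hidden", "downloadstring", "webclient",
                     "dllimport", "virtualalloc")
# Placeholder approved script location and authorized admin accounts.
APPROVED_SCRIPT_DIR = "\\\\fileserver\\scripts\\"
AUTHORIZED_USERS = {"corp\\svc_admin"}


def evaluate_process_event(event: Dict[str, str]) -> List[str]:
    """Return the policy findings raised by one process-creation event.

    `event` carries: image, parent_image, command_line, user (constructed
    fields modelled on a generic EDR / Sysmon process-create record).
    """
    findings: List[str] = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "powershell.exe":
        return findings
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"suspicious_parent:{parent}")
    cmd = event["command_line"]
    # Scripts must come from the anchored directory, not run directly.
    for script in re.findall(r"\S+\.ps[a-z0-9]+", cmd, flags=re.IGNORECASE):
        if not script.lower().startswith(APPROVED_SCRIPT_DIR.lower()):
            findings.append(f"script_outside_anchor:{script}")
    # Blocked arguments only apply to users who are not authorized admins.
    if event["user"].lower() not in AUTHORIZED_USERS:
        flat = re.sub(r"\s+", "", cmd).lower()
        for token in SUSPICIOUS_TOKENS:
            if token in flat:
                findings.append(f"blocked_argument:{token}")
    return findings
```

Run the function over a day of process-creation events and stack the finding types by host and user; the hosts with zero hits are candidates for the "block PowerShell entirely" control, and the authorized-user exclusion is where the "#2 allow valid applications" rule plugs in.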