
Abstract Tools for Effective Threat Hunting



In this presentation I discuss mental tools and skills that can help make you a more effective threat hunter and investigator.

Published in: Technology


  1. Chris Sanders, Chattanooga ISSA
  2. Chris Sanders: Find Evil @ FireEye; Founder @ Rural Tech Fund; PhD Researcher; GSE #64; BBQ Pit Master. Author: Practical Packet Analysis, Applied NSM
  3. Rural Technology Fund: Accessible Tech Education; Measurable Impact. $20,000 in scholarships; 1,500 repurposed tech books; $50,000 in equipment donations; Adopted Classroom: 40 students impacted
  4. FRAMING
  5. Hunting and Expertise: Most practitioners believe that hunting is the pinnacle of security investigation experience, and that only the brightest and the best are good hunters. Tier 1: Event Analysts; Tier 2: Incident Responders; Tier 3: Hunters
  6. The Investigation Process: Question, Hypothesis, Observation, Conclusion, Answer. The same cycle underlies Network Security Monitoring, Hunting, Incident Response, Host Forensics and Malware Analysis.
  7. CURIOSITY
  8. Curiosity and Experience (2x2 matrix of curiosity (C) against experience (E), quadrants read from the chart):
     High C, Low E: Jumpy
     High C, High E: Excels
     Low C, Low E: Apathetic
     Low C, High E: Ineffective
  9. Curiosity and Experience (chart)
  10. Curiosity and Experience (chart)
  11. PIVOTS
  12. Basic Pivoting (Copyright © 2016 Applied Network Defense). Data source, pivot field, next data source:
     Alert -> Src/Dst IP -> PCAP
     Flow Data -> Src/Dst IP -> PCAP
     PCAP -> Domain -> OSINT
     HTTP Proxy -> Username -> Windows Log
  13. Realistic Pivoting. Scenario: while hunting, you've discovered a process whose name leads you to believe it might be malicious. Questions: Is this file malicious? Where did this file come from? Data sources and pivot fields in the chain:
     Sysmon Process Logs -> MD5 Hash -> Bro Files log -> Conn ID -> Bro HTTP Logs -> Domain -> DNS Logs / OSINT
     Bro HTTP Logs -> Resp IP -> PCAP / Flow / OSINT
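The chain on slide 13 is easiest to see as a join across log sources. The block below is an added example (not code from the presentation or from Applied Network Defense) that walks that chain over constructed Sysmon process records and Zeek/Bro files, HTTP and DNS rows; every hostname, IP, hash, uid and record here is invented sample data, and the field names follow Sysmon and Zeek defaults as assumed by the example. It keeps `None` wherever the chain breaks, so the hunter can see how far the evidence actually reaches, and it normalises hash case, since Sysmon prints upper-case hex and Zeek lower-case.

```python
"""Added example: walking the slide 13 pivot chain across constructed
Sysmon and Zeek (Bro) records. All records below are sample data."""


def _parse_sysmon_hashes(hashes_field):
    """Sysmon writes hashes as 'SHA1=...,MD5=...,SHA256=...'; return {algo: hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


# Constructed Sysmon Event ID 1 (process creation) records.
SYSMON_PROCESS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "Hashes": "MD5=1f2e3d4c5b6a79880099aabbccddeeff"},
    {"Computer": "WS01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "Hashes": "SHA1=0000000000000000000000000000000000000000,MD5=3B1F9C0E2D4A5F6B7C8D9E0F1A2B3C4D"},
]

# Constructed Zeek files.log rows: the file hash ties a host artifact to a connection uid.
BRO_FILES = [
    {"fuid": "FaBc12", "conn_uids": ["CdEf45"], "source": "HTTP",
     "md5": "3b1f9c0e2d4a5f6b7c8d9e0f1a2b3c4d"},
    {"fuid": "FgHi67", "conn_uids": ["CjKl89"], "source": "HTTP",
     "md5": "00112233445566778899aabbccddeeff"},
]

# Constructed Zeek http.log rows, keyed by connection uid.
BRO_HTTP = [
    {"uid": "CdEf45", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
     "host": "cdn-updates.example", "uri": "/updater.exe"},
    {"uid": "CjKl89", "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.20",
     "host": "www.example", "uri": "/index.html"},
]

# Constructed Zeek dns.log rows.
DNS_LOG = [
    {"query": "cdn-updates.example", "qtype_name": "A", "answers": ["203.0.113.10"]},
    {"query": "www.example", "qtype_name": "A", "answers": ["198.51.100.20"]},
]


def pivot_from_process(image_name):
    """Process name -> MD5 -> files.log -> conn uid -> http.log -> domain and
    responder IP -> dns.log. Fields stay None where the chain breaks."""
    result = {"image": None, "md5": None, "conn_uid": None, "domain": None,
              "uri": None, "resp_ip": None, "dns_answers": None}
    proc = next((p for p in SYSMON_PROCESS
                 if p["Image"].lower().endswith("\\" + image_name.lower())), None)
    if proc is None:
        return result
    result["image"] = proc["Image"]
    result["md5"] = _parse_sysmon_hashes(proc["Hashes"]).get("MD5")

    # Hash pivot: both sides are lower-cased, so case differences do not hide a match.
    frec = next((f for f in BRO_FILES if f["md5"] == result["md5"]), None)
    if frec is None or not frec["conn_uids"]:
        return result
    result["conn_uid"] = frec["conn_uids"][0]

    hrec = next((h for h in BRO_HTTP if h["uid"] == result["conn_uid"]), None)
    if hrec is None:
        return result
    result["domain"], result["uri"] = hrec["host"], hrec["uri"]
    result["resp_ip"] = hrec["id.resp_h"]

    drec = next((d for d in DNS_LOG if d["query"] == result["domain"]), None)
    result["dns_answers"] = drec["answers"] if drec else []
    return result


def resolved_ip_matches(result):
    """Cross-check: did the domain the client resolved actually point at the IP
    that served the file? A mismatch is itself a reason for the next pivot."""
    return bool(result["dns_answers"]) and result["resp_ip"] in result["dns_answers"]


if __name__ == "__main__":
    r = pivot_from_process("updater.exe")
    for key, value in r.items():
        print(f"{key:12} {value}")
    print("dns answer matches responder:", resolved_ip_matches(r))
```

Run it and the `updater.exe` chain resolves all the way to a responder IP that agrees with the DNS answer; `svchost.exe` stops at the hash because no files.log row carries it, which is the realistic case for a binary that never crossed the wire.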
  15. Aggregations. Two examples: query flow records for all communication on a network segment, then aggregate bytes per host to produce a top-talkers list; query Windows service execution logs on a network segment, then aggregate the unique process field sorted by least frequent occurrence (most occurrences at one end, least at the other).
  17. Observation Strategy. Hunting observations are either data driven or TTP driven. Going from 0 to 100 in hunting revolves around making an observation that is worth digging into; an observation strategy provides a construct to base your hunting on.
  18. Data Driven Observations: Can I find anything in my data that looks like it doesn't belong? Procedure: choose a data type; choose a specific field; ask what would be weird here; apply a data transformation; repeat. Example: HTTP data, User-Agent field, aggregation, least frequent occurrence.
  19. TTP Driven Observations: Can I find any evidence of a known TTP on my network? Suitable for things that aren't suitable for alerting. Procedure: research an attack type; isolate the artifacts that aren't suitable for IDS signatures; use an analysis technique; repeat.
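Both aggregations on slide 15 and the data-driven loop on slide 18 are the same operation with a different field and direction, so one added example covers both. The code below is not from the presentation or from Applied Network Defense; the flow, process-execution and HTTP records are constructed sample data, and the field names follow Zeek conn.log/http.log conventions as an assumption. `top_talkers` is the bytes-per-host aggregation, `least_frequent` is the stack that pushes rare process names or User-Agents to the top, and `data_driven_observation` runs one turn of the slide 18 loop and hands back the records behind each rare value so the next pivot is ready.

```python
"""Added example: slide 15 aggregations and the slide 18 data-driven loop over
constructed flow, process and HTTP records. Sample data is invented."""
from collections import Counter


def aggregate(records, field, weight=None):
    """Group records by `field`. With weight=None each record counts 1; with a
    weight field name, sum that field instead (e.g. bytes). Records that lack
    the field are skipped rather than counted under a bogus key."""
    totals = Counter()
    for rec in records:
        if field not in rec:
            continue
        totals[rec[field]] += rec.get(weight, 0) if weight else 1
    return totals


def most_frequent(records, field, weight=None, n=None):
    """Descending order (top talkers). Ties broken by value for stable output."""
    items = sorted(aggregate(records, field, weight).items(), key=lambda kv: (-kv[1], kv[0]))
    return items[:n] if n else items


def least_frequent(records, field, n=None):
    """Ascending order: the long tail, where things that don't belong tend to sit."""
    items = sorted(aggregate(records, field).items(), key=lambda kv: (kv[1], kv[0]))
    return items[:n] if n else items


# Constructed flow records for one segment (Zeek conn.log-style field names).
FLOWS = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "orig_bytes": 1200, "resp_bytes": 480000},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.20", "orig_bytes": 300, "resp_bytes": 2000},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.20", "orig_bytes": 500, "resp_bytes": 1500},
    {"id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.10", "orig_bytes": 90000, "resp_bytes": 1000},
]

# Constructed Windows process-execution records (Sysmon Event ID 1 / 4688-style).
PROCESSES = [
    {"host": "WS01", "process": "svchost.exe"}, {"host": "WS02", "process": "svchost.exe"},
    {"host": "WS01", "process": "chrome.exe"}, {"host": "WS02", "process": "chrome.exe"},
    {"host": "WS03", "process": "svchost.exe"}, {"host": "WS03", "process": "chrome.exe"},
    {"host": "WS02", "process": "rundll32.exe"},
    {"host": "WS03", "process": "updater.exe"},
]

# Constructed HTTP records; user_agent is the "specific field" chosen on slide 18.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
HTTP = [
    {"uid": "C1", "host": "www.example", "user_agent": CHROME},
    {"uid": "C2", "host": "www.example", "user_agent": CHROME},
    {"uid": "C3", "host": "mail.example", "user_agent": CHROME},
    {"uid": "C4", "host": "mail.example", "user_agent": CHROME},
    {"uid": "C5", "host": "crl.example", "user_agent": "Microsoft-CryptoAPI/10.0"},
    {"uid": "C6", "host": "crl.example", "user_agent": "Microsoft-CryptoAPI/10.0"},
    {"uid": "C7", "host": "cdn-updates.example",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
]


def top_talkers(flows, n=None):
    """Bytes per internal host in both directions: the first aggregation on slide 15."""
    rows = [{"host": f["id.orig_h"], "bytes": f["orig_bytes"] + f["resp_bytes"]} for f in flows]
    return most_frequent(rows, "host", weight="bytes", n=n)


def data_driven_observation(records, field, n=3):
    """One turn of the slide 18 loop: data type chosen (records), field chosen,
    transformation applied (least-frequent stack). Returns (value, count,
    matching records) so each candidate is ready to pivot on."""
    tail = least_frequent(records, field, n=n)
    return [(value, count, [r for r in records if r.get(field) == value]) for value, count in tail]


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("rare processes:", least_frequent(PROCESSES, "process", n=2))
    for value, count, recs in data_driven_observation(HTTP, "user_agent", n=1):
        print(f"rare user agent ({count}x): {value} -> {[r['host'] for r in recs]}")
```

The least-frequent stack is only useful on a bounded segment or time window; over a whole enterprise the tail is all noise, which is why the slide scopes both queries to a network segment first.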
  20. MISE EN PLACE
  21. Everything in Place: Basic Tenets. 1. Minimize movement. 2. Waste nothing. 3. Clean as you go. 4. Be flexible.
  23. Friendly Intel H&P. A history and physical is designed to collect baseline information that will help make decisions later. For analysts, the H&P is based on systems and users, and on persistent observations.
  24. Creating a Knowledgebase
  25. INVESTIGATION THEORY: THE ANALYST MINDSET. 10-week course; on-demand video lectures; hands-on investigation labs; 1:1 instructor feedback. Spring sessions: January 9th and March 20th. http://chrissanders.org/training
  26. Thank You! Mail: chris@chrissanders.org Twitter: @chrissanders88 Blog: chrissanders.org