© Copyright 2017 NETMONASTERY Inc
Workshop on Threat Hunting
THE MINDSET OF A CYBER THREAT HUNTER
Shomiron DAS GUPTA - Founder, CEO, NETMONASTERY Inc.
SACON 2017
Photo by Quentin Dr on Unsplash
Agenda
NEXT 80 MINS
■ Threat Hunting - and what does that mean?
■ The process - planning, execution and follow through
■ Tools and techniques
■ Resources - where do we continue to learn from
■ Case 1 - DNS Tunneling
■ Case 2 - Webshells
So, What is Threat Hunting?
QUICK INTRO TO MY VERSION
It’s the Continual Improvement process we have been waiting for!
■ Improvement in the state of awareness
■ Improvement in detection capability
■ Improvement in response and process
■ Improvement in collaborative threat intelligence
So, What is Threat Hunting?
QUICK INTRO TO MY VERSION
[Diagram: A Continuously Learning and Adapting Cyber Security Operations Center. Components shown: SIEM, EVENTS, ANALYST, CORRELATED THREATS, RULES, BIG DATA ANALYTICS ENGINE, THREAT FEEDS, LOOKUP SERVICES, THREAT HUNTER, ACTIVE IOCs]
We all hear about it
THIS IS WHERE IT STARTS
HOW IT WORKS
WHAT TO LOOK FOR
Building the Hunt Plan
THE CHECKLIST FOR THE HUNT - NEW FILE EVERY WEEK
Build a weekly hunt plan, include
1. Detection techniques
2. Indicators
3. Response guides
Execute the hunt
1. Look for indicators
2. Look for symptoms
Respond and learn from the exercise… repeat
But, how does it work exactly!
PLAN, EXECUTE AND FOLLOW THROUGH
HUNTER PROCESS
■ Monitor external feeds
■ Look for local symptoms
■ Hunt for indicators
■ Build content
■ Write process
■ Handover and review
SOC OPS
■ Understand threats
■ React - FP filtering
■ Respond
■ Resolve
■ Metrics Improvement
■ Case Retirement
Tools and Resources
WHAT DO YOU NEED TO GET STARTED
1. Threat intelligence feeds - start with open source / think strategic paid feeds - Symantec, McAfee, TeamCymru, FireEye iSight, CriticalStack, SeQtree (INDIA)
2. Lookup sources - ThreatCrowd, VirusTotal, PDNS, WHOIS, GeoIntel, DomainTools, Intel 471, CrowdStrike, PhishMe, RecordedFuture
3. Access to threat intelligence platforms, viz. AlienVault OTX, ThreatConnect, Anomali, CERT-In, Regional / Sectoral CERTs
4. Tracking of developing standards - CAPEC, ATT&CK, Threat Hunters Playbook
5. Analytics platforms that integrate, viz. Splunk, ELK, DNIF (INDIA)
CASE 1
HUNTING FOR AN EXFIL SOURCE
We found our data being sold
THE SELLER PROMISED MORE RECORDS
Questions from the customer -
1. Is the exfil still on?
2. If yes - find out how
3. Which systems were compromised?
We only have firewall data for the last 3 months
The Context, Key Questions
INITIAL THOUGHTS
Possible Exfil Sources
HUNTING PLAN
So how did we learn about DNS Exfiltration?
Running a Profiler
IDENTIFY NORMAL ACTIVITY
1. Index data from the past
2. Run a baseline / profile / link map on outbound DNS requests
3. Identify outliers with outbound baselining
4. Sample of hunting from that point on… DEMO
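The profiler steps above (index past data, baseline outbound DNS per source, flag outliers) can be shown end to end in a few dozen lines. The following is an added example written for this page, not the workshop's demo or any DNIF code. It assumes a constructed log layout (`src=... qname=... qtype=...`), takes the last two labels as the registered domain instead of consulting the public-suffix list, and uses a median + k*MAD threshold so that the very outliers being hunted cannot inflate the baseline the way a mean and standard deviation would. The sample log is constructed: two hosts resolving ordinary names, and one host issuing many unique, long, high-entropy labels under a single domain, which is the shape a DNS tunnel leaves in outbound data.

```python
import math
import re
import statistics
from collections import defaultdict

# Constructed sample log (not a real export). One line per outbound DNS
# request; the "src=... qname=... qtype=..." layout is an assumption.
SAMPLE_LOG = """\
2017-09-01T09:00:01 src=10.0.0.5 qname=www.example.com qtype=A
2017-09-01T09:00:04 src=10.0.0.5 qname=mail.example.com qtype=A
2017-09-01T09:01:10 src=10.0.0.5 qname=www.example.com qtype=A
2017-09-01T09:02:30 src=10.0.0.5 qname=update.vendor.net qtype=A
2017-09-01T09:03:00 src=10.0.0.7 qname=www.example.com qtype=A
2017-09-01T09:03:02 src=10.0.0.7 qname=api.example.com qtype=AAAA
2017-09-01T09:04:11 src=10.0.0.5 qname=cdn.example.com qtype=A
2017-09-01T09:05:00 src=10.0.0.7 qname=news.site.org qtype=A
2017-09-01T09:05:30 src=10.0.0.5 qname=mail.example.com qtype=A
2017-09-01T09:06:00 src=10.0.0.9 qname=4d7a8f3e1b2c9d0e5f6a7b8c.tunnel-test.example qtype=TXT
2017-09-01T09:06:01 src=10.0.0.9 qname=9e1f2a3b4c5d6e7f8091a2b3.tunnel-test.example qtype=TXT
2017-09-01T09:06:02 src=10.0.0.9 qname=c4d5e6f708192a3b4c5d6e7f.tunnel-test.example qtype=TXT
2017-09-01T09:06:03 src=10.0.0.9 qname=0a1b2c3d4e5f60718293a4b5.tunnel-test.example qtype=TXT
2017-09-01T09:07:00 src=10.0.0.7 qname=www.example.com qtype=A
2017-09-01T09:07:05 src=10.0.0.5 qname=www.example.com qtype=A
2017-09-01T09:07:30 src=10.0.0.9 qname=f1e2d3c4b5a6978877665544.tunnel-test.example qtype=TXT
2017-09-01T09:07:31 src=10.0.0.9 qname=1234abcd5678ef90a1b2c3d4.tunnel-test.example qtype=TXT
2017-09-01T09:08:00 src=10.0.0.7 qname=api.example.com qtype=AAAA
2017-09-01T09:08:10 src=10.0.0.5 qname=update.vendor.net qtype=A
2017-09-01T09:09:00 src=10.0.0.9 qname=deadbeef0badc0ffee1234ab.tunnel-test.example qtype=TXT
2017-09-01T09:09:01 src=10.0.0.9 qname=7a8b9c0d1e2f3a4b5c6d7e8f.tunnel-test.example qtype=TXT
2017-09-01T09:10:00 src=10.0.0.7 qname=news.site.org qtype=A
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+qname=(?P<qname>\S+)")
METRICS = ("queries", "unique_subdomains", "mean_qname_len", "mean_entropy")

def parse(lines):
    """Yield (source_ip, lowercase fqdn) for every line that carries a query."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["qname"].rstrip(".").lower()

def registered_domain(qname):
    """Assumption: last two labels = registered domain (a real hunt uses the public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def shannon_entropy(text):
    """Bits per character; encoded payload labels score far higher than words like 'www'."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def profile(records):
    """Baseline: one row of metrics per (source host, registered domain)."""
    buckets = defaultdict(list)
    for src, qname in records:
        buckets[(src, registered_domain(qname))].append(qname)
    prof = {}
    for (src, domain), qnames in buckets.items():
        subs = {q[: -(len(domain) + 1)] for q in qnames if q != domain}
        prof[(src, domain)] = {
            "queries": len(qnames),
            "unique_subdomains": len(subs),
            "mean_qname_len": statistics.mean(len(q) for q in qnames),
            "mean_entropy": statistics.mean(shannon_entropy(q.split(".")[0]) for q in qnames),
        }
    return prof

def robust_threshold(values, k):
    """median + k * MAD: outliers cannot drag the baseline the way they drag a mean/stdev."""
    med = statistics.median(values)
    devs = [abs(v - med) for v in values]
    mad = statistics.median(devs)
    if mad == 0:
        mad = statistics.mean(devs)  # fallback for tiny or very uniform populations
    return None if mad == 0 else med + k * mad

def hunt(log_text, k=3.0):
    """Return {(src, domain): [metrics that exceeded the baseline threshold]}."""
    prof = profile(parse(log_text.splitlines()))
    flagged = defaultdict(list)
    for metric in METRICS:
        thr = robust_threshold([row[metric] for row in prof.values()], k)
        if thr is None:
            continue
        for key, row in prof.items():
            if row[metric] > thr:
                flagged[key].append(metric)
    return dict(flagged)

if __name__ == "__main__":
    for (src, domain), reasons in hunt(SAMPLE_LOG).items():
        print(f"outlier {src} -> {domain}: {', '.join(reasons)}")
```

On the constructed data only the 10.0.0.9 / tunnel-test.example pair crosses the threshold, on both unique-subdomain count and mean query length; the entropy metric does not fire on a population this small, which is the usual reason a hunt ends up taking many queries rather than one: each metric is a separate hypothesis to test against the baseline, and the follow-up is to pivot from the flagged pair into firewall bytes-out and the lookup sources listed earlier.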
Some Takeaways
WHAT DID WE LEARN
Hunting is not easy, clearly
You need to have a firm grip / understanding of the space
Hunting is long and winding - 18 queries on average to prove your hypothesis
Log data is critical; you can’t work in a straitjacketed environment
CASE 2
HUNTING FOR WEBSHELL
We found a way to detect webshells
OUTCOME OF THE HUNTING - WE CAN DETECT THEM
Lack of control over what went online
Webshells were a problem
Reliable form of detection was scanning / lookups
Automation is the key - save precious analysts’ time
Scenario… demo
Thank You
shom@dnif.it
100GB Free Forever - Get Started with DNIF
