SACON - Threat Hunting Workshop (Shomiron Das Gupta)
- 1. © Copyright 2017 NETMONASTERY Inc
Workshop on
Threat Hunting
THE MINDSET OF A CYBER THREAT HUNTER
Shomiron DAS GUPTA - Founder, CEO
NETMONASTERY Inc.
SACON 2017
Photo by Quentin Dr on Unsplash
- 2.
Agenda
■ Threat Hunting - and what does that mean?
■ The process - planning, execution and follow through
■ Tools and techniques
■ Resources - where do we continue to learn from
■ Case 1 - DNS Tunneling
■ Case 2 - Webshells
NEXT 80 MINS
- 3.
So, What is Threat Hunting?
QUICK INTRO TO MY VERSION
It's the continual improvement process we have been waiting for!
■ Improvement in the state of awareness
■ Improvement in detection capability
■ Improvement in response and process
■ Improvement in collaborative threat intelligence
- 4.
So, What is Threat Hunting?
QUICK INTRO TO MY VERSION
[Diagram: a continuously learning and adapting cyber security operations center. Elements shown: SIEM, events, rules, correlated threats, analyst; big data analytics engine, threat feeds, lookup services, threat hunter, active IOCs.]
- 5.
We all hear about it
THIS IS WHERE IT STARTS
HOW IT WORKS
WHAT TO LOOK FOR
- 6.
Building the Hunt Plan
THE CHECKLIST FOR THE HUNT
NEW FILE EVERY WEEK
Build a weekly hunt plan; include:
1. Detection techniques
2. Indicators
3. Response guides
Execute the hunt:
1. Look for indicators
2. Look for symptoms
Respond, learn from the exercise….. and repeat
- 7.
But, how does it work exactly?
PLAN, EXECUTE AND FOLLOW THROUGH
HUNTER PROCESS:
Monitor external feeds
Look for local symptoms
Hunt for indicators
Build content
Write process
Handover and review
SOC OPS:
Understand threats
React - false-positive (FP) filtering
Respond
Resolve
Metrics improvement
Case retirement
- 8.
Tools and Resources
WHAT DO YOU NEED TO GET STARTED
1. Threat intelligence feeds - start with open source, then think about strategic paid feeds:
Symantec, McAfee, Team Cymru, FireEye iSIGHT, CriticalStack, SeQtree (India)
2. Lookup sources - ThreatCrowd, VirusTotal, passive DNS, WHOIS, geo-intelligence,
DomainTools, Intel 471, CrowdStrike, PhishMe, Recorded Future
3. Access to threat intelligence platforms, viz. AlienVault OTX, ThreatConnect,
Anomali, CERT-In, regional / sectoral CERTs
4. Tracking of developing standards - CAPEC, MITRE ATT&CK, Threat Hunter Playbook
5. Analytics platforms that integrate, viz. Splunk, ELK, DNIF (India)
- 10.
We found our data being sold
THE SELLER PROMISED MORE RECORDS
Questions from the customer:
1. Is the exfiltration still ongoing?
2. If yes, find out how
3. Which systems were compromised?
We only have firewall data for the last 3 months.
- 11.
The Context, key Questions
INITIAL THOUGHTS
- 12.
So how did we learn about DNS Exfiltration?
HUNTING PLAN
POSSIBLE EXFIL SOURCES
- 13.
Running a Profiler
IDENTIFY NORMAL ACTIVITY
1. Index data from the past
2. Run a baseline / profile / link map on outbound DNS requests
3. Identify outliers against the outbound baseline
4. Sample of hunting from that point on ….. DEMO
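The three profiler steps (index past data, baseline outbound DNS, surface outliers), worked as an added Python example; this is not the workshop's demo code and not DNIF. It baselines every client's queries per registered domain and flags pairs where several tunnelling symptoms co-occur: high subdomain churn, random-looking leftmost labels, a high share of TXT/NULL records, and a domain no other client talks to. The log format, the addresses, the domain exfil-example.net, the last-two-labels domain split and every threshold are assumptions made for the example.

```python
import math
from collections import defaultdict
from statistics import mean

# Constructed sample of outbound DNS queries (not real customer data).
# Format per line: timestamp client qname qtype. The domain exfil-example.net
# and all addresses are made up for this example.
SAMPLE_DNS_LOG = """\
2017-06-01T10:00:01 10.1.1.20 www.example.com A
2017-06-01T10:00:02 10.1.1.20 mail.example.com A
2017-06-01T10:00:03 10.1.1.20 www.example.com A
2017-06-01T10:00:04 10.1.1.21 cdn.example.net A
2017-06-01T10:00:05 10.1.1.21 www.example.com A
2017-06-01T10:00:06 10.1.1.21 updates.example.org A
2017-06-01T10:00:07 10.1.1.22 www.example.com A
2017-06-01T10:00:08 10.1.1.22 cdn.example.net A
2017-06-01T10:01:00 10.1.1.55 a3f9c1e2b7d4e6f8.t.exfil-example.net TXT
2017-06-01T10:01:01 10.1.1.55 9e1b4d7c0a2f5b3c.t.exfil-example.net TXT
2017-06-01T10:01:02 10.1.1.55 7c2d8e4f1a6b9d0e.t.exfil-example.net TXT
2017-06-01T10:01:03 10.1.1.55 5b0a3c9d2e7f4a1b.t.exfil-example.net TXT
2017-06-01T10:01:04 10.1.1.55 e8d1f6a2c4b7e3d9.t.exfil-example.net TXT
2017-06-01T10:01:05 10.1.1.55 www.example.com A
"""


def parse_dns_log(text):
    """Step 1, index: return (client, qname, qtype) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_domain(qname):
    """Last two labels as a stand-in for eTLD+1 (assumption: no public suffix list offline)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character: random-looking hex/base32 labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_clients(records):
    """Step 2, baseline: per (client, registered domain) pair record volume,
    subdomain churn, label randomness and the share of bulk-carrying record types."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        groups[(client, registered_domain(qname))].append((qname, qtype))
    profile = {}
    for key, items in groups.items():
        leftmost = [q.split(".")[0] for q, _ in items]
        n = len(items)
        profile[key] = {
            "count": n,
            "unique_label_ratio": len(set(leftmost)) / n,
            "mean_label_entropy": mean(shannon_entropy(lbl) for lbl in leftmost),
            "bulk_type_ratio": sum(1 for _, t in items if t in ("TXT", "NULL")) / n,
        }
    return profile


def find_outliers(profile, min_queries=5, min_unique_ratio=0.8,
                  min_entropy=3.0, min_bulk_ratio=0.5):
    """Step 3, outliers: flag pairs where at least two tunnelling symptoms co-occur.
    The thresholds are assumptions to tune against each environment's own baseline."""
    clients_per_domain = defaultdict(set)
    for client, domain in profile:
        clients_per_domain[domain].add(client)
    hits = []
    for (client, domain), p in profile.items():
        if p["count"] < min_queries:
            continue
        reasons = []
        if p["unique_label_ratio"] >= min_unique_ratio:
            reasons.append("high subdomain churn")
        if p["mean_label_entropy"] >= min_entropy:
            reasons.append("random-looking labels")
        if p["bulk_type_ratio"] >= min_bulk_ratio:
            reasons.append("mostly TXT/NULL queries")
        if len(clients_per_domain[domain]) == 1:
            reasons.append("domain seen from a single client")
        if len(reasons) >= 2:
            hits.append((client, domain, reasons))
    return hits


def hunt(log_text):
    """Index, baseline, then surface outliers: the three profiler steps in one call."""
    return find_outliers(profile_clients(parse_dns_log(log_text)))


if __name__ == "__main__":
    for client, domain, reasons in hunt(SAMPLE_DNS_LOG):
        print(client, domain, "; ".join(reasons))
```

On the constructed log only 10.1.1.55 talking to exfil-example.net is flagged, on all four symptoms; the same host's query to www.example.com sits under the volume floor and is left alone. Requiring two symptoms rather than one keeps CDN and anti-virus update domains, which legitimately churn subdomains, out of the queue; in a real hunt the thresholds come from the environment's own baseline, not from this sample.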
- 14.
Some Takeaways
WHAT DID WE LEARN
Hunting is not easy, clearly
You need a firm grip on / understanding of the space
Hunting is long and winding - 18 queries on average to prove a hypothesis
Log data is critical; you can't work in a straitjacketed environment
- 16.
We found a way to detect webshells
OUTCOME OF THE HUNTING
Lack of control over what went online
Webshells were a problem
The reliable form of detection was scanning / lookups
Automation is the key - save precious analysts' time
Scenario ….. demo
WE CAN DETECT THEM
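The scanning / lookup approach, as an added Python example that is not the workshop's demo code: every server-side script under a web root is hashed and checked against a known-bad list standing in for a lookup service such as VirusTotal or a TI platform, and its source is run through a handful of content rules for the constructs webshells rely on. The web root, file contents, hash list, extensions and rule set are all constructed for the example. The two checks are shown together because each catches what the other misses: the hash lookup flags a concatenated system() shell the rules cannot see, and the rules flag an obfuscated shell no hash list knows yet.

```python
import hashlib
import os
import re

WEB_EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")

# Constructed sample files standing in for a web root; every path and payload is
# made up for this example. The 'sys'.'tem' shell is deliberately written so that
# none of the content rules below match it: only the hash lookup catches it.
SAMPLE_KNOWN_SHELL = b"<?php $a='sys'.'tem'; $a($_POST['x']); ?>"
SAMPLE_SITE = {
    "index.php": b"<?php echo 'hello'; ?>",
    "lib/db.php": b"<?php function q($s) { return mysqli_query($GLOBALS['db'], $s); } ?>",
    "uploads/image.php": SAMPLE_KNOWN_SHELL,
    "uploads/cache.php": b"<?php $_GET['f']($_GET['a']); system($_REQUEST['c']); ?>",
    "themes/x/footer.php": b"<?php eval(gzinflate(base64_decode('" + b"QUFB" * 60 + b"'))); ?>",
}

# Stand-in for a hash lookup service (VirusTotal, a TI platform, an internal list):
# SHA-256 digests of shells the team already knows. Hypothetical content.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_KNOWN_SHELL).hexdigest(): "concatenated system() shell",
}

# Content rules: constructs that almost never occur in legitimate application code.
RULES = {
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec_of_request_input": re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("
        r"[^;]*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "request_input_called_as_function": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]([^\w\s'\"]).*?\1[a-z]*e[a-z]*['\"]", re.I),
    "long_encoded_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_content(text):
    """Return the names of every content rule that fires on one file's source."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_files(files):
    """Hash-lookup plus content-scan every script; only files with a finding are
    returned. `files` maps a relative path to raw bytes, so the same logic runs on
    a local web root or on content pulled from a backup or a remote host."""
    findings = {}
    for path, data in files.items():
        if not path.lower().endswith(WEB_EXTENSIONS):
            continue
        digest = hashlib.sha256(data).hexdigest()
        rules = scan_content(data.decode("utf-8", errors="replace"))
        known = KNOWN_BAD_SHA256.get(digest)
        if known or rules:
            findings[path] = {"sha256": digest, "known_bad": known is not None,
                              "known_bad_name": known, "rules": rules}
    return findings


def scan_tree(root):
    """Walk a web root on disk and feed it to scan_files."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, f in scan_files(SAMPLE_SITE).items():
        print(path, "known-bad" if f["known_bad"] else "-", ",".join(f["rules"]))
```

Rules like these also fire on legitimate admin tooling, installers and minified libraries, so the automation the slide asks for is a scheduled scan that diffs its findings against the previous run and routes only new hits, with the file hash and the rule names, to an analyst.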