SlideShare uma empresa Scribd logo

Enabling effective hunt teaming and incident response

J
jeffmcjunkin

Tools and techniques for preparing for incidents and hunt teaming.

Tecnologia
1 de 41
Baixar para ler offline
Enabling effective Hunt Teaming and Incident Response (with zero budget and limited time)
whoami Jeff McJunkin, Senior Technical Analyst Counter Hack Challenges Certifications: Yes* *CISSP, CCNA, GSEC, GCED, GPEN, GCFA, GCIH, GMOB, GXPN, GREM, GCIA, hopefully soon GSE
What do I do? ● Expert witness (digital forensics) ● TA (and soon, here ın Portland, teach!) for SANS ● Create challenges to help people learn offensive and defensive security ○ (SANS NetWars Tournament) ● Background in systems / network administration
Disclaimer on tools ● I will discuss specific tools ● I’m not paid to endorse these tools They’re just examples that I’ve found to work well (Well, usually)
What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic)
What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic) Step 2) Find your compromised hosts
What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic) Step 2) Find your compromised hosts Step 3) Find how they were compromised (forensication time!)
What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic) Step 2) Find your compromised hosts Step 3) Find how they were compromised (forensication time!) Step 4) Set up preventative and detective controls
What is incident response? Step 1) Notice an incident. Example incident sources include... ● Help desk notices malware on system ● Network team notices lots of outbound traffic from a usually-quiet machine ● Your university is featured on https://krebsonsecurity.com/ Step 2) Hair on fire, stop the bleeding!
What is incident response? Step 1) Notice an incident. Example incident sources include... ● Help desk notices malware on system ● Network team notices lots of outbound traffic from a usually-quiet machine ● Your university is featured on https://krebsonsecurity.com/ Step 2) Hair on fire, stop the bleeding Step 3) Learn, implement detective and preventative controls
Note the difference Hunt teaming is proactive. Incident response is reactive. Learning how you’re owned proactively is preferred, but we all encounter surprises.
What do we prepare for? ● Prevention, prevention, prevention ● Penetration testers? ● Things that make our bosses upset (Critical Nessus findings) ● Antivirus ● Patching ● Compliance ● Protecting The Perimeter
An aside on compliance... ● Compliance is probably a net positive ● HIPPA, PCI, CJIS, etc. ● But sometimes we can focus too much on compliance and miss focusing on security
What actually happens? Focus on DATA, not anecdotes. The Verizon Data Breach Report is perhaps the best source of actual compromise data we have in this industry.
What actually happens? - Target 2013 Breach 40 million credit cards stolen What weaknesses were used? ● Third-party network access ● No review of security logs ● Lack of segmentation
What actually happens? - Home Depot 2014 Breach 56 million credit cards stolen What software was used? Details are still forthcoming, but… ● Malware that scraped RAM for credit card information ● Same malware family as Target! ● Likely Domain Admin-level access by the attackers ● Current indications: Attackers targeted self-checkout lane computers
But those examples are too big, and not us! Good point. Here’s a smaller, local example: C&K Systems, Inc.
C&K Systems, Inc. ● Who are they? ○ Third-party payment vendor for Goodwill ● What happened? ○ No details yet ● Who else was affected? ○ Two other unnamed clients Notice a growing tendency for “watering hole” attacks
C&K Systems, Inc. How long until they noticed the breach?
C&K Systems, Inc. How long until they noticed the breach? 18 MONTHS.
Today’s attacks versus Yesterday’s defenses ● How do you detect memory-only malware? ○ Never touching the hard drive ● What logs are normal from your machines? ○ I.e., do you have a baseline to compare against? ● How often do you review these logs? ● What if the attacker has “gone native”? ○ Example: No “hacker tools”, just PowerShell and valid credentials
A useful thought exercise... Imagine if there were no anti-virus. Imagine if all your computers had unpatch-able known exploits. (Not too difficult, given XP and Server 2003’s end of life)
Where do we stand a chance? 1. Exploit 2. Installation (persistence) 3. Command and Control 4. Exfiltration (...maybe)
What’s the difference? Prepare, hunt, respond, learn
Prepare, hunt, respond, learn Get useful data ahead of time (program execution, centralized logging, persistence, evidence of pivoting)
Prepare, hunt, respond, learn Assume compromise. Act accordingly.
Prepare, hunt, respond, learn Find evil and exterminate it.
Prepare, hunt, respond, learn Red team is threat emulation, blue team should be able to describe red team’s actions
Mind the gap ● How do you track persistence? ● How about new program execution? ● How about data exfiltration? Full packet capture?
Persistence How many methods of persistence do you know of?
Persistence How many methods of persistence do you know of? I promise Sysinternals Autoruns knows more.
Centralized Persistence Tracking? 1. Scheduled Task via Group Policy (autorunsc.exe to plain text file on file server) 2. Diff most recent and second-most recent files. 3. Email upon difference.
Tracking program execution ● Ever heard of Carbon Black? ○ For many shops, Sysinternals Sysmon is equivalent. ○ For free.
Example event of program execution
Centralized logging? Step 1) Get your Windows Event Logs to one server (Event Log Forwarding). Step 2) Get your centralized Windows Event Logs into something easier to work with. (Splunk, ELK, SexiLog) Use NXLog Community, not Snare. Snare is now dead to me.
Data exfiltration ● How many spare desktops do you have? ● Install Security Onion on one, set up a SPAN port mirroring your outbound traffic Snort / Suricata / Bro are their own presentations NWACC 2014, by Jesse Martinich and Christina Kaiseramn!
Questions? I’ll be around for the rest of the day as well. Don’t want to ask here? Send me an email: jeff@counterhack.com or jeff.mcjunkin@gmail.com

Recomendados

Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
jeffmcjunkin
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
chrissanders88
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
North Texas Chapter of the ISSA
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
chrissanders88
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approach
chrissanders88
 
Resistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat ModelingResistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat Modeling
Katie Nickels
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE - ATT&CKcon
 

Recomendados

Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
jeffmcjunkin
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
chrissanders88
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
North Texas Chapter of the ISSA
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
chrissanders88
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approach
chrissanders88
 
Resistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat ModelingResistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat Modeling
Katie Nickels
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE - ATT&CKcon
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
MITRE - ATT&CKcon
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
ProtectWise
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017
chrissanders88
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Building a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramBuilding a Successful Threat Hunting Program
Building a Successful Threat Hunting Program
Carl C. Manion
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
MITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
MITRE - ATT&CKcon
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
Frode Hommedal
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
MITRE - ATT&CKcon
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Threat hunting workshop
Threat hunting workshopThreat hunting workshop
Threat hunting workshop
Megan Shippy
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
EndgameInc
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
EndgameInc
 

Mais conteúdo relacionado

Mais procurados

Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
MITRE - ATT&CKcon
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
MITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
MITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
MITRE - ATT&CKcon
 

Mais procurados (20)

Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Building a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramBuilding a Successful Threat Hunting Program
Building a Successful Threat Hunting Program
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Threat hunting workshop
Threat hunting workshopThreat hunting workshop
Threat hunting workshop
 

Destaque

Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
EndgameInc
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Hiding In Plain Sight – Protect Against Bad Hashes
Hiding In Plain Sight – Protect Against Bad HashesHiding In Plain Sight – Protect Against Bad Hashes
Hiding In Plain Sight – Protect Against Bad Hashes
Tripwire
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows Programs
Natraj G
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
AlienVault
 
Level Up Your Security with Threat Intelligence
Level Up Your Security with Threat IntelligenceLevel Up Your Security with Threat Intelligence
Level Up Your Security with Threat Intelligence
IBM Security
 

Destaque (20)

Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Hardware-Assisted Rootkits & Instrumentation
Hardware-Assisted Rootkits & InstrumentationHardware-Assisted Rootkits & Instrumentation
Hardware-Assisted Rootkits & Instrumentation
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
​Dynamic Detection of Malicious Behavior
​Dynamic Detection of Malicious Behavior​Dynamic Detection of Malicious Behavior
​Dynamic Detection of Malicious Behavior
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
 
Hiding In Plain Sight – Protect Against Bad Hashes
Hiding In Plain Sight – Protect Against Bad HashesHiding In Plain Sight – Protect Against Bad Hashes
Hiding In Plain Sight – Protect Against Bad Hashes
 
Mr201401 consideration for indicators of malware likeness based on static fil...
Mr201401 consideration for indicators of malware likeness based on static fil...Mr201401 consideration for indicators of malware likeness based on static fil...
Mr201401 consideration for indicators of malware likeness based on static fil...
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijacking
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows Programs
 
Big Game Hunting - Peculiarities In Nation State Malware Research
Big Game Hunting - Peculiarities In Nation State Malware ResearchBig Game Hunting - Peculiarities In Nation State Malware Research
Big Game Hunting - Peculiarities In Nation State Malware Research
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutions
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
 
PE Packers Used in Malicious Software - Part 1
PE Packers Used in Malicious Software - Part 1PE Packers Used in Malicious Software - Part 1
PE Packers Used in Malicious Software - Part 1
 
Level Up Your Security with Threat Intelligence
Level Up Your Security with Threat IntelligenceLevel Up Your Security with Threat Intelligence
Level Up Your Security with Threat Intelligence
 
SOC Foundation
SOC FoundationSOC Foundation
SOC Foundation
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS Solution
 
Machine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringMachine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and Clustering
 

Semelhante a Enabling effective hunt teaming and incident response

[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
CODE BLUE
 
Digital Forensics & Incident Response Fundamentals.pdf
Digital Forensics & Incident Response Fundamentals.pdfDigital Forensics & Incident Response Fundamentals.pdf
Digital Forensics & Incident Response Fundamentals.pdf
Christopher Doman
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop new
forensicsnation
 

Semelhante a Enabling effective hunt teaming and incident response (20)

HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
International Cooperative: APT Hunting
International Cooperative: APT HuntingInternational Cooperative: APT Hunting
International Cooperative: APT Hunting
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
 
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton ChuvakinUsing Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
 
Digital Forensics & Incident Response Fundamentals.pdf
Digital Forensics & Incident Response Fundamentals.pdfDigital Forensics & Incident Response Fundamentals.pdf
Digital Forensics & Incident Response Fundamentals.pdf
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security Ecosystem
 
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
 
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
The Most Important Thing: How Mozilla Does Security and What You Can Steal
The Most Important Thing: How Mozilla Does Security and What You Can StealThe Most Important Thing: How Mozilla Does Security and What You Can Steal
The Most Important Thing: How Mozilla Does Security and What You Can Steal
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop new
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

Enabling effective hunt teaming and incident response

  • 1. Enabling effective Hunt Teaming and Incident Response (with zero budget and limited time)
  • 2. whoami Jeff McJunkin, Senior Technical Analyst Counter Hack Challenges Certifications: Yes* *CISSP, CCNA, GSEC, GCED, GPEN, GCFA, GCIH, GMOB, GXPN, GREM, GCIA, hopefully soon GSE
  • 3. What do I do? ● Expert witness (digital forensics) ● TA (and soon, here ın Portland, teach!) for SANS ● Create challenges to help people learn offensive and defensive security ○ (SANS NetWars Tournament) ● Background in systems / network administration
  • 4.
  • 5. Disclaimer on tools ● I will discuss specific tools ● I’m not paid to endorse these tools They’re just examples that I’ve found to work well (Well, usually)
  • 6. What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic)
  • 7. What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic) Step 2) Find your compromised hosts
  • 8. What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic) Step 2) Find your compromised hosts Step 3) Find how they were compromised (forensication time!)
  • 9. What is hunt teaming? Step 1) Assume compromise (It turns out this is very realistic) Step 2) Find your compromised hosts Step 3) Find how they were compromised (forensication time!) Step 4) Set up preventative and detective controls
  • 10. What is incident response? Step 1) Notice an incident. Example incident sources include... ● Help desk notices malware on system ● Network team notices lots of outbound traffic from a usually-quiet machine ● Your university is featured on https://krebsonsecurity.com/ Step 2) Hair on fire, stop the bleeding!
  • 11. What is incident response? Step 1) Notice an incident. Example incident sources include... ● Help desk notices malware on system ● Network team notices lots of outbound traffic from a usually-quiet machine ● Your university is featured on https://krebsonsecurity.com/ Step 2) Hair on fire, stop the bleeding Step 3) Learn, implement detective and preventative controls
  • 12. Note the difference Hunt teaming is proactive. Incident response is reactive. Learning how you’re owned proactively is preferred, but we all encounter surprises.
  • 13. What do we prepare for? ● Prevention, prevention, prevention ● Penetration testers? ● Things that make our bosses upset (Critical Nessus findings) ● Antivirus ● Patching ● Compliance ● Protecting The Perimeter
  • 14. An aside on compliance... ● Compliance is probably a net positive ● HIPPA, PCI, CJIS, etc. ● But sometimes we can focus too much on compliance and miss focusing on security
  • 15. What actually happens? Focus on DATA, not anecdotes. The Verizon Data Breach Report is perhaps the best source of actual compromise data we have in this industry.
  • 16.
  • 17. What actually happens? - Target 2013 Breach 40 million credit cards stolen What weaknesses were used? ● Third-party network access ● No review of security logs ● Lack of segmentation
  • 18. What actually happens? - Home Depot 2014 Breach 56 million credit cards stolen What software was used? Details are still forthcoming, but… ● Malware that scraped RAM for credit card information ● Same malware family as Target! ● Likely Domain Admin-level access by the attackers ● Current indications: Attackers targeted self-checkout lane computers
  • 19. But those examples are too big, and not us! Good point. Here’s a smaller, local example: C&K Systems, Inc.
  • 20. C&K Systems, Inc. ● Who are they? ○ Third-party payment vendor for Goodwill ● What happened? ○ No details yet ● Who else was affected? ○ Two other unnamed clients Notice a growing tendency for “watering hole” attacks
  • 21. C&K Systems, Inc. How long until they noticed the breach?
  • 22. C&K Systems, Inc. How long until they noticed the breach? 18 MONTHS.
  • 23.
  • 24. Today’s attacks versus Yesterday’s defenses ● How do you detect memory-only malware? ○ Never touching the hard drive ● What logs are normal from your machines? ○ I.e., do you have a baseline to compare against? ● How often do you review these logs? ● What if the attacker has “gone native”? ○ Example: No “hacker tools”, just PowerShell and valid credentials
  • 25. A useful thought exercise... Imagine if there were no anti-virus. Imagine if all your computers had unpatch-able known exploits. (Not too difficult, given XP and Server 2003’s end of life)
  • 26. Where do we stand a chance? 1. Exploit 2. Installation (persistence) 3. Command and Control 4. Exfiltration (...maybe)
  • 27. What’s the difference? Prepare, hunt, respond, learn
  • 28. Prepare, hunt, respond, learn Get useful data ahead of time (program execution, centralized logging, persistence, evidence of pivoting)
  • 29. Prepare, hunt, respond, learn Assume compromise. Act accordingly.
  • 30. Prepare, hunt, respond, learn Find evil and exterminate it.
  • 31. Prepare, hunt, respond, learn Red team is threat emulation, blue team should be able to describe red team’s actions
  • 32. Mind the gap ● How do you track persistence? ● How about new program execution? ● How about data exfiltration? Full packet capture?
  • 33. Persistence How many methods of persistence do you know of?
  • 34. Persistence How many methods of persistence do you know of? I promise Sysinternals Autoruns knows more.
  • 35. Centralized Persistence Tracking? 1. Scheduled Task via Group Policy (autorunsc.exe to plain text file on file server) 2. Diff most recent and second-most recent files. 3. Email upon difference.
  • 36.
  • 37. Tracking program execution ● Ever heard of Carbon Black? ○ For many shops, Sysinternals Sysmon is equivalent. ○ For free.
  • 38. Example event of program execution
  • 39. Centralized logging? Step 1) Get your Windows Event Logs to one server (Event Log Forwarding). Step 2) Get your centralized Windows Event Logs into something easier to work with. (Splunk, ELK, SexiLog) Use NXLog Community, not Snare. Snare is now dead to me.
  • 40. Data exfiltration ● How many spare desktops do you have? ● Install Security Onion on one, set up a SPAN port mirroring your outbound traffic Snort / Suricata / Bro are their own presentations NWACC 2014, by Jesse Martinich and Christina Kaiseramn!
  • 41. Questions? I’ll be around for the rest of the day as well. Don’t want to ask here? Send me an email: jeff@counterhack.com or jeff.mcjunkin@gmail.com