Threat hunting 101 by Sandeep Singh
4 likesâą1,705 views
The document outlines an agenda for understanding and practicing threat hunting, emphasizing its importance as a human-led activity to detect advanced security threats that escape traditional controls. It discusses the roles, skills, and hypothesis generation required for effective threat hunting, as well as frameworks and tools to assist hunters. Additionally, it provides examples of potential hunts and resources for further learning in the field of cybersecurity.
Threat hunting 101 by Sandeep Singh
- 1. Getting Started with Threat Hunting
- 2. Agenda â What is Threat Hunting? â Becoming the Threat Hunter â Hypothesis Generation â Useful Frameworks â Example Hunts â Free and Open Source Tools to Assist in Hunts â Further Learning Resources
- 3. The Rise of Yet Another Buzzword 2016-2017ish - Threat Hunting started making buzz https://www.outlookmarketingsrv.com/the-buzzword-epidemic-is-your-content-infected/
- 4. What is Threat Hunting? Human Led (and assisted by tools) practice of searching iteratively through data to detect advanced threats that evade traditional security controls (Sqrrl and Me)
- 5. What is Threat Hunting? â Hypothesis-led approach â Determine gaps in the ability to detect and respond to threats â It is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to better be prepared in the future - Rob M Lee â Incident Response without an actual incident done with a purpose - Rob M Lee
- 6. Threat Detection vs Hunting Detection: Automated with machines such as IDS/IPS, AV, etc.; Focussed on known attacks, IOCs, etc. Hunting: Humans ïŹnd bad stuffs with the help of machines; Hunting will lead to identifying detection gaps and creation of new detections
- 7. Becoming the Threat Hunter â The Threat Hunter role sits between the common offensive and defensive roles â The role needs strong offensive knowledge and defensive skills â Skills - Analytical Mindset, OS and Network Architecture, Offensive Skills (attack methods, TTPs, etc.), Host Analysis, Network Analysis, Malware Analysis, Memory Analysis, Data Analysis (SIEM, Logs, PCAP, NetïŹow, etc.), Hunting Tools
- 8. Hypothesis â This is what makes Threat Hunting a Human Led activity â Reasonable assumption about adversaries and techniques they might be using to attack or persist in an environment â Example - Attackers will leverage signed windows binaries to perform malicious activities, which will not be ïŹagged by existing security tools/controls Ref: https://pages.endgame.com/rs/627-YBU-612/images/The%20Endgame%20Guide%20to%20Threat%20Hunting%20-%20ebook.pdf
- 10. Useful Frameworks Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html ATT&CK: https://attack.mitre.org Diamond Model: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
- 11. Useful Frameworks Alerting and Detection Strategies (ADS) Framework https://github.com/palantir/alerting-detection-strategy-framework Hunting Maturity Model (HMM) http://detect-respond.blogspot.com/2015/10/a-simple-hunting- maturity-model.html Pyramid of Pain http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
- 12. Finally, What does a Threat Hunter has ? To Develop Hunts: â Collected Data â Blogs â Twitter â MITRE ATT&CK â APT Reports â CTI â Mailing List â Red Teaming â Adversary Simulation â and many more ...
- 13. Example Hunts â Hypothesis - Attackers are still using dyndns hostnames for C2 â Take the List - https://gist.github.com/neu5ron/8dd695d4cb26b6dcd997 and compare with DNS queries in your environment â Hypothesis - Attackers maintaining persistence using Runkeys â Collect RunKeys from your environment (using EDR tool or just using powershell) â Group executables in Run Keys, Group Executable Paths, Command Line arguments, etc. http://pwndizzle.blogspot.com/2014/01/powershell-retrieve-run-keys-start-menu.htm https://www.sans.org/cyber-security-summit/archives/ïŹle/summit-archive-1492713638.pdfl
- 14. Free and Open Source Tools to Assist in Hunts â Endpoint â GRR - https://github.com/google/grr â Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon â OSQuery - https://osquery.io â Network â Bro - https://www.bro.org/download/index.html â Suricata - https://suricata-ids.org/
- 15. Free and Open Source Tools to Assist in Hunts â Storage & Analytics â Elastic Stack - https://www.elastic.co/elk-stack â Logs - WinBeat, File Beat â HELK - https://github.com/Cyb3rWard0g/HELK â Infrastructure â Puppet, Chef, Ansible, Docker, etc.
- 16. Useful Blogs â Blogs: â David Bianco's Blog â sqrrl Hunting Blog â DFIR and Threat Hunting Blog â CyberWardog's Blog â Chris Sanders' Blog â Kolide Blog â Endgame Blog â Robert M Leeâs Blog â and many others whom I may have missed
- 17. References: â https://sqrrl.com/media/Your-Practical-Guide-to-Threat-Hunting.pdf â https://gsec.hitb.org/materials/sg2017/COMMSEC%20D1%20-%20Hamza%20Beghal%20-%20Threat% 20Hunting%20101%20-%20%20Become%20the%20Hunter.pdf â https://www.sans.org/cyber-security-summit/archives/ïŹle/summit-archive-1492713638.pdf â http://www.robertmlee.org/hunting-vs-incident-response-vs-just-doing-your-job/ â https://speakerdeck.com/heirhabarov/phdays-2018-threat-hunting-hands-on-lab â https://www.youtube.com/watch?v=aZxtCKHhAUE â https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunti ng-37172
- 18. Thank You