170509-introduction to threat...
Introduction to
Threat Hunting
Find the malware that’s hiding – Trust your IT infrastructure again.
Agenda
1. What is threat hunting, really?
2. Past and present of threat hunting
3. Role of hunting in a security program
4. How to start hunting
5. Trends shaping the future
Threat Hunting Defined
The Current Malware Reality
You are likely already breached
• The question is not whether uninvited people are on your network,
• but when you will find out, and how,
• and what you are going to do about it.
Threat Hunting Defined
The Current Malware Reality
Most organizations approach security as a
defensive measure:
Firewall, AV, IDS, IPS, EDR, etc.
All important, but...
Malware still gets through.
Threat Hunting Defined
The Current Malware Reality
You may all engage in:
• penetration tests,
• vulnerability assessments,
• web application assessments,
• code reviews, etc.
These are all useful exercises.
[Slide graphic: Malware Breaches in 2016. Logos of breached organisations, each labelled "Undetected Malware" with the period the malware went undetected: 14 weeks, 67 weeks, 2 weeks, 24 weeks, 52 weeks, 75 weeks, 2 weeks, 4-6 weeks, 8 weeks, 52 weeks, 12 weeks, and several with an undisclosed period.]
Threat Hunting Defined
The Current Malware Reality
• Defensive measures and security tests are
not enough.
• We are still infected by malware and
targeted attacks.
• Let’s start hunting!
Threat Hunting Defined
What is threat hunting?
"The proactive search for threats hiding within a network you control"
– Chris Gerritz, ex-US Air Force, threat hunting pioneer
Threat Hunting Defined
Reactive
vs
Proactive
Threat Hunting Defined
Reactive Example
React Bank
• Several layers of defense; firewalls, AV, EDR
• SIEM hosted in the SOC of an MSSP vendor
• SWIFT CSP compliant
Threat Hunting Defined
React Bank receives notification from
SWIFT about an unusual transfer…
Dashboards are checked, everything
looks fine…
Threat Hunting Defined
Proactive Example
Al Amin
• Several layers of defense; firewalls, AV, EDR
• Host their own SIEM
• SWIFT CSP compliant
• Mature threat hunting process
2. Past and the present of
Threat Hunting
Find the malware that’s hiding – Trust your IT infrastructure again.
Past and present of threat hunting
• Military industrial complex – companies
that build jet fighters, defense systems,
nuclear missiles, and other war machines.
• Intelligence circles
• Five Eyes - Australia, Canada, New
Zealand, the UK, the United States.
• Military
Past and present of threat hunting
• In the private sector, large enterprises in
the Five Eyes countries are the early
adopters.
• From there, it is spreading to Europe, Asia,
the GCC and the rest of the world.
• Proper threat hunting is still an unknown
concept to most in the GCC, Asia and Latin
America.
3. Role of hunting in a security program
Find the malware that’s hiding – Trust your IT infrastructure again.
Role of hunting in security program
Common Questions
1. Does it remove the need for AV, SIEM, EDR, or IDS (defensive technologies)?
2. Do we wait for signs of compromise before starting?
3. What's the right frequency to hunt?
Breach Detection Gap (diagram)
Attack chain: Reconnaissance > Exploitation > Installation > Command and Control > Lateral Movement > Exfiltration > Persist
Attack In Progress | Real Time Detection | Threat Prevention and Detection ($$$) | Solutions: Network IDS/IPS, Next Gen Firewalls, Endpoint IDS/IPS, Event Monitoring, Anti-Malware, Whitelisting
Breach Detection Gap (169 Days in US, 465 Days in EMEA) | Post-Compromise Detection | Malware Hunt ($) | Solutions: Malware Hunt
Incident Declared | Incident Response | Response Services ($$$$$) | Solutions: Digital Forensics, Network Forensics
• Primary targets vary from industry to industry, but all endpoints and devices are at risk of malware.
• Incidents can be identified earlier if endpoints are treated as inherently untrusted until it is demonstrated that they can be trusted.
• Only a true malware hunt solution can address the Breach Detection Gap effectively.
• Reliance on outsourced managed security services is inadequate and ineffective without a hunt capability.
Role of hunting in security program
Q. Should it replace AV, EDR, or IDS?
• No, threat hunting does not replace
defensive and real-time technologies
• Threat hunting should be seen as a safety
net to validate that your endpoints can be
trusted
• Not "either, or" but "and, and"
Role of hunting in security program
Q. Do we wait for signs of compromise
before starting?
• No
• Waiting for a compromise before taking action is reactive Incident Response, which involves Digital Forensics (DFIR)
Role of hunting in security program
Q. What’s the right frequency to hunt?
• It mainly depends on your risk appetite.
• How much time do you want to give bad
actors on your network after a breach?
• Better visibility leads to more control and
trust.
Role of hunting in security program
Gaps in the SWIFT Customer Security Controls
• Only looks at defensive measures
• I prepared a commentary suggesting two additional controls:
1. Define and manage the Breach Detection Gap
2. Compromise assessments
Find the malware that’s hiding – Trust your IT infrastructure again.
4. How to start
Threat Hunting
How to start hunting
Four key principles in designing a threat hunting program
1. Accept that malware and APTs continue to breach existing defenses
2. Endpoints should be treated as untrusted until they are validated
3. Any trust established is both limited and temporary
4. Endpoints need to be validated on a regular basis
How to start hunting
What's a good approach to start threat hunting?
1. Determine an acceptable Breach Detection Gap (BDG) for threats that have passed your defenses
2. Enforce the BDG by hunting for compromise within the defined period
How to start hunting
Example 1: Many start on the network
• Suspicious traffic leaving the network
• If persistent malware is not sending out any
suspicious traffic, this is not useful
• Needle in a haystack
How to start hunting
Example 2: Event logs from endpoints
and network devices
• Data-centric approach is limited by
resources and what you are logging
• Analyzing everything is impossible
• A lot of malware will not trigger events
How to start hunting
Instead of looking at large amounts of data, we suggest evaluating a limited amount of data, but the right data.
So let's look directly at the endpoint using forensic tools, techniques and procedures.
How to start hunting
Doing it right: establish what is normal on the endpoint
• Processes, drivers, hooks, modules,
persistence mechanisms, and more.
• Document what you find
• For a great start, look at our B-Sides talk on
using PowerShell scripts, or Andrew Case’s
talk on the philosophy of hunting.
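The slide above says to establish what is normal on the endpoint and document it. As an added example (not code from the talk or from any of the linked projects), this PowerShell script snapshots running processes with their Authenticode status, service binaries, Run-key entries and scheduled task actions, writes a baseline on the first run and on later runs reports what has appeared or disappeared; the baseline path is an assumption, and it should run in an elevated session.

```powershell
# Added example: endpoint baseline and diff for hunting. Path below is assumed.
$BaselinePath = 'C:\Hunt\baseline.json'

function Get-EndpointSnapshot {
    # Processes: image path plus signature status, so unsigned or relocated binaries stand out
    $procs = Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Key = "$($_.Path)|$($sig.Status)" }
    }
    # Services: the binary path reveals new or replaced service executables
    $svcs = Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Key = $_.PathName }
    }
    # Classic persistence: Run keys in HKLM and HKCU (PS* properties are provider metadata)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                [pscustomobject]@{ Kind = 'Run'; Name = "$k\$($_.Name)"; Key = $_.Value }
            }
        }
    }
    # Scheduled tasks: executable and arguments of every action
    $tasks = Get-ScheduledTask | ForEach-Object {
        $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';'
        [pscustomobject]@{ Kind = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"; Key = $act }
    }
    @($procs) + @($svcs) + @($autoruns) + @($tasks)
}

function Compare-Snapshot ($Baseline, $Current) {
    # Entries present now but absent from the baseline are the hunt leads; removals are also worth a look
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Kind, Name, Key |
        Select-Object @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'New' } else { 'Removed' } }}, Kind, Name, Key
}

$current = Get-EndpointSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: document what is normal on this endpoint
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)"
} else {
    # Later runs: review every change against the documented baseline
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    Compare-Snapshot $baseline $current | Format-Table -AutoSize
}
```

Trust established this way is limited and temporary, as the principles above state, so re-run the diff on the schedule your Breach Detection Gap allows and refresh the baseline only after each change has been explained.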
How to start hunting
Doing it right: learn how to do manual Incident Response (IR) on endpoints.
• Mark Russinovich has a great talk on this
called Malware Hunting with the
Sysinternals tools.
Find the malware that’s hiding – Trust your IT infrastructure again.
5. Trends Shaping The Future
Future trends and conclusion
Education is required
• There’s a lot of confusion about what
threat hunting is.
• Sessions like this help people
understand what threat hunting is
and how to start.
Future trends and conclusion
Response capabilities being adopted
• As organisations mature, the skills
required for Incident Response are
becoming a general practice.
• EDR technologies are also capable of
doing response and remediation
Future trends and conclusion
Compromise assessments are becoming a
more common requirement.
• Some enterprises are satisfied with the
occasional compromise assessment
• Other enterprises will want finer control
and do it themselves, leading to a threat
hunting program.
• Automation is key
Future trends and conclusion
Skills are a challenge as it’s a relatively new
field
• Learning curve is too steep to quickly
onboard resources
• Automation and internal development of
skill sets is the best bet
• Using third parties is a good alternative
Future trends and conclusion
Conclusion
Threat hunting is:
• … becoming important as risks increase
• … not trivial, but you should start
• … important practice to maintain trust,
control, and avoid being the subject of a
large breach.
Resources to start hunting
1. SWIFT CSP Commentary – Ask me or email [email protected]
2. Automated hunting at scale:
   1. Powershell-Fu – Hunting on the Endpoint – Chris Gerritz, Infocyte: https://youtu.be/2MrrOxsJk_M
   2. PS Hunt – https://github.com/Infocyte/PSHunt
   3. Infocyte HUNT – http://www.infocyte.com
3. Hunting on a single Windows endpoint: Malware Hunting with the Sysinternals Tools – Mark Russinovich, Microsoft: https://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B373
4. Proactive Threat Hunting – Proactive Defense and Threat Hunting – Andrew Case, Volatility Project: https://youtu.be/751bkSD2Nn8