avoiding the pitfalls of hunting - bsides charm 2016
TRANSCRIPT
1 © Copyright 2015 EMC Corporation. All rights reserved.
Avoiding the Pitfalls of Hunting
The Art of Fail

Press Start if you’re ready
You’re not ready…

Your Supposed Guide… (Good Luck)
• Tony Cook
• RSA IR
• Just here for the Good Times…

What’s the goal of this Talk?
• Where Hunting can go wrong
• How to avoid losing before starting
• Review old fails to make your fails “less badder”

Don’t be that guy

To Keep in mind: What’s the goal of Hunting
• Empower enterprises to PROACTIVELY search for and discover threats within their networks.
• Assumes a breach has already occurred
• One component in a SOC

First things First
• Everyone’s _____ is different
  – Environment
  – Company Mission
  – Staff
  – Tools
  – Policies
• Stop taking everyone’s advice
  – Think critically about your own network
• Risk-based analysis will give you your depth for each of these
  – Maybe you don’t have the budget for the cream of the crop
    • Tools
    • Staff
  – You still need a way to look through your Jungle

Make a Map AKA Critical Top 20 - #1 & #2
• Where most fails start
• Not knowing your Jungle inside & out
  – Borders & Internal
• Not understanding what’s in your environment
• You can’t defend what you don’t know
• Understand the context of your network
• Invisible enemies are hard to fight

Shared Jungles: Who do you trust?
• Understand your trusted relationships
• Understand their vulnerabilities/threats
• Have complete visibility/control over traffic coming to and from your Jungle
  – You have enough to deal with
  – Most of the threats come from outside
• If you had to, how would you segregate yourself from any/all other partners?

Tools to Help this
• Review your current tool sets to see what you can use
• Suggestions
  – NetFlow Hunting
    • Tracking ingressing & egressing hosts – Who’s talking to whom?
  – Prads/p0f
  – Host-based agents
    • HBSS
    • IR Tools
    • Vulnerability Management
    • NAC
  – Network Discovery Tools

VALIDATE
• #1 way to fail is to trust a single dataset
  – Coalesce ALL THE THINGS
• HBSS -> Vulnerability Scan -> NMAP -> NetFlow
  – Find the outliers
• Patch Management -> NMAP -> NetFlow
• Trust in One, Fail by One
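The "coalesce, then find the outliers" step above, as an added worked example that is not part of the talk. It merges constructed address lists from four sources (a host-based agent inventory in the HBSS role, a vulnerability-scanner asset list, an nmap sweep and NetFlow endpoints) and flags hosts that the endpoint agent has never seen or that only one dataset knows about. The source names, addresses and the `no_<source>` / `single_source` reason labels are all assumptions made for the example.

```python
"""Cross-check asset inventories from several sources and flag the outliers.

Added example, not from the talk. The four inputs are constructed sets of
addresses as each source would report them: a host-based agent inventory
(HBSS-style), a vulnerability-scanner asset list, an nmap discovery sweep,
and hosts seen as NetFlow endpoints. A real deployment would load these
from the tools' own exports instead.
"""
from collections import defaultdict

# Constructed sample data: which source saw which address.
SOURCES = {
    "hbss": {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20"},
    "vuln_scan": {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21"},
    "nmap": {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20",
             "10.0.2.21", "10.0.3.30"},
    "netflow": {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.21",
                "10.0.3.30", "10.0.9.99"},
}


def coalesce(sources):
    """Merge every dataset into one view: {ip: set of source names that saw it}."""
    seen = defaultdict(set)
    for name, hosts in sources.items():
        for ip in hosts:
            seen[ip].add(name)
    return dict(seen)


def find_outliers(sources, required=("hbss",), min_sources=2):
    """Return {ip: {"seen_by": [...], "reasons": [...]}} for hosts with a gap.

    reasons (labels are an assumption of this example):
      no_<source>    the host exists somewhere, but the required source
                     (default: the endpoint agent) has no record of it,
                     i.e. an unmanaged or rogue host
      single_source  only one dataset knows about it: a stale record, a
                     scanner artefact, or a host nothing else can see
    """
    seen = coalesce(sources)
    findings = {}
    for ip, who in seen.items():
        reasons = [f"no_{r}" for r in required if r not in who]
        if len(who) < min_sources:
            reasons.append("single_source")
        if reasons:
            findings[ip] = {"seen_by": sorted(who), "reasons": reasons}
    return findings


def by_address(ip):
    """Sort key so that 10.0.2.x lists before 10.0.10.x."""
    return tuple(int(octet) for octet in ip.split("."))


if __name__ == "__main__":
    rows = sorted(find_outliers(SOURCES).items(), key=lambda kv: by_address(kv[0]))
    for ip, info in rows:
        print(f"{ip:<12} seen_by={','.join(info['seen_by']):<24} {' '.join(info['reasons'])}")
```

Passing `required=("hbss", "netflow")` turns the check around: a host the agent reports but NetFlow has never seen is just as much an outlier (a powered-off box, a stale agent record, or a segment with no flow export), which is the "trust in one, fail by one" point applied in the other direction.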

It’s dangerous out there… Take this
• Understand your tools
• Know their strengths and weaknesses
• Ensure their purposes
  – Visibility
  – Control
  – Both?
• If both… ensure a validating measure

Train with your tools
• You wouldn’t go hunting without ever firing a gun at the range
  – Don’t go into the Jungle without first knowing how to use your tool for various situations
  – Misunderstanding tool outputs is one of the biggest pitfalls you’ll ever face
• The biggest pit you’ll fall down is the one you keep digging
• TEST OUT YOUR TOOLS
  – Virtual Network
  – Guest Network
  – Anything

Pitfall - Does your Security Stack Blend?
• How fast can you go from IOC to confirmation to remediation?
  – Network Detection -> Exact Host
    • X-Forwarded-For enabled?
    • DHCP logs?
    • DNS logs?
  – Exact Host -> Artifacts
  – Host Detection -> Artifacts
• Tools should complement each other in such a way that you can seamlessly pivot from Network indicator <-> Host indicator
• How deep is your visibility on your hosts/network?
  – Are you using them for a Hunting dataset?
  – Full Packet Capture || NetFlow?
  – Process Execution || AntiVirus
• How do you bring your datasets together?
  – Do they benefit one another?
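The "Network Detection -> Exact Host" pivot via DHCP and DNS logs, as an added example that is not from the talk. A DNS query log says which client IP asked for a known-bad name and when; the DHCP server log says which MAC and hostname held that IP at that moment. Both log formats are constructed for the example (the DHCPACK wording mirrors ISC dhcpd, the ISO-8601 timestamp prefix and the DNS line layout are assumptions), and the sample deliberately reassigns one address between two laptops so the timestamp decides the answer.

```python
"""Pivot from a network indicator (client IP + time) to the exact host.

Added example, not from the talk. Log formats are constructed: a syslog-style
DHCP server log with an ISO-8601 timestamp prefix (the DHCPACK text mirrors
ISC dhcpd; the prefix is an assumption) and a minimal DNS query log.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed DHCP log. 10.0.1.12 moves from LAPTOP-A to LAPTOP-B at 09:30,
# so "which host is 10.0.1.12?" has a different answer depending on the time.
DHCP_LOG = """\
2016-04-23T08:00:10Z dhcpd: DHCPACK on 10.0.1.12 to 00:11:22:33:44:55 (LAPTOP-A) via eth0
2016-04-23T09:30:00Z dhcpd: DHCPACK on 10.0.1.12 to 66:77:88:99:aa:bb (LAPTOP-B) via eth0
2016-04-23T09:45:00Z dhcpd: DHCPACK on 10.0.1.13 to 00:11:22:33:44:55 (LAPTOP-A) via eth0
"""

# Constructed DNS query log: timestamp, client IP, queried name.
DNS_LOG = """\
2016-04-23T09:10:00Z client 10.0.1.12 query evil.example.test
2016-04-23T10:15:02Z client 10.0.1.12 query evil.example.test
2016-04-23T10:20:00Z client 10.0.1.50 query evil.example.test
2016-04-23T10:21:00Z client 10.0.1.13 query www.example.test
"""

DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\) via")
DNS_RE = re.compile(r"^(\S+) client (\S+) query (\S+)$")


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp prefix."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(log_text):
    """Return {ip: [(ack_time, mac, hostname), ...]}, sorted by time per IP."""
    leases = defaultdict(list)
    for line in log_text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases[ip].append((parse_ts(ts), mac, host))
    for events in leases.values():
        events.sort()
    return dict(leases)


def host_for(leases, ip, when):
    """Most recent lease for `ip` at or before `when`, or None if there is none.

    None is itself a finding: the address may be static, outside the DHCP
    scope, or in a gap in log coverage, so it still needs a manual pivot.
    """
    best = None
    for ack_time, mac, host in leases.get(ip, []):
        if ack_time <= when:
            best = (mac, host)
        else:
            break
    return best


def pivot_dns_hits(dns_text, leases, bad_domains):
    """Join DNS hits on known-bad names with the lease active at that time."""
    hits = []
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client_ip, qname = m.groups()
        if qname.lower() in bad_domains:
            hits.append({
                "time": ts,
                "ip": client_ip,
                "domain": qname,
                "host": host_for(leases, client_ip, parse_ts(ts)),
            })
    return hits


if __name__ == "__main__":
    lease_table = parse_leases(DHCP_LOG)
    for hit in pivot_dns_hits(DNS_LOG, lease_table, {"evil.example.test"}):
        print(hit)
```

The two queries from 10.0.1.12 resolve to different laptops because the lease changed hands between them; pivoting on the IP alone, without the time, would have attributed both to whichever host currently holds the address. Real lease logs also expire and renew, so a production version would bound the lookup by lease length as well.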

How Deep do your Datasets go?
• Are you using everything at your disposal?
• Do your tools let you grab everything you need?
• Host-Based
  – SHIMCache
  – Services
  – CIM
  – Scheduled Tasks
  – Run Once Hives
  – Much More
• Network-Based
  – Metadata within PCAP
    • UserAgents
    • Referrals
    • Session Size
    • Flags
    • Much Much Much more

Vendors… A Quick Fix...
• If you don’t understand the tool… ASK WHO MADE IT!!!
• 9/10 you’re not using it to its fullest potential
• Most vendors will be more than happy to send PS (professional services) out to make you a success story
• Assuming how a tool works will lead to misery

How to Fail with your Tools
1. Don’t deploy them everywhere
2. Don’t include them in legacy plans
3. Don’t size them appropriately
4. Don’t cross-train your team
5. Don’t log them centrally
6. Don’t use all of their features
7. Don’t correlate them with your other tools
8. Check the Box

Got your Map & Your Tools? Let’s GO….

General Concept of Hunting
• Gather Data
• Analyze Data
  – Look for
    • IOC’s
    • Outliers
    • Known Bad INTEL
    • Modify IOCs
  – Document
• Remediate any findings
• Repeat
Remember: not every outcome of Hunting is malicious
- Policy Violations
- Configuration Issues
- Gaps in Coverage
[Cycle diagram: Gather Data -> Analyze Data (IOC’s, Outliers, Bad Intel; Modify IOC’s) -> Document -> Remediate -> back to Gather Data]

Analysis Methodology Required
• One of the biggest pitfalls is running around aimlessly looking at all the things
• Pick or develop a repeatable methodology for analysis
• Can be different for each analyst, cell, or company
• Examples
  – OODA Loop
  – 5 I’s

Example OODA Loop

Quick WalkThrough
• Observe – Bring in data!
• Orient – Analyze
  – Synthesize it to work in your datasets
  – Put it in the proper context!!!
  – Use prior validated knowledge
  – Analyze
• Decide – Make a proper hypothesis
REPEAT THESE THREE THINGS UNTIL YOU HAVE SOMETHING ACTIONABLE
• Act – Remediate or Document

Analysis Bias
• Seeing the same old thing over & over?
• Different approaches
  – Anomaly
  – Intelligence
  – Objective
• Try out various data analytics on different datasets
  – Temporal
  – Rare
  – Variance
  – New

Slow Down
• Don’t get so “HYPE” that you lose the forest for a tree
• Don’t mismanage your resources
  – Having everyone work on the same thing
  – Relying on one person
• Don’t let a fire get out of your control
• Take a breath & make sure you’re in context

Thinking like the enemy…
• Don’t be afraid to use “RED” tools
• There is a reason they’re using them
• Most of them are built-in OS tools

A run through of more Pitfalls

My least favorite Pitfall… Vulnerability Management
• 1st, my thoughts…
  – That this is still a thing…
  – Every major vendor has a free solution to do this...
  – If you don’t have this already being done...
  – 0-days are always there, but getting owned by a 5-year-old vulnerability... Just... I can’t even…
• Simply PATCH
• 2nd, are you using it in more ways than one?
  – Context value added to your Map
  – Using it to further understand your critical hosts
    • New software deployed

Threat Intelligence: How not to use it
• Most environments… it’s black or white
  – Don’t complicate it
    • Snake = Bad
    • Extra Life = Good
• Once you’ve found a scorpion & know how it moves... document it & be alert for it next time
• Failure to do so will get you bit… over & over
• Also... sharing is caring.

Pitfalls
• Putting IOCs into a ticket which never become actionable
• Not having any context for IOCs
• Creating bad signatures
  – Strings
  – Not deploying them properly
  – No validation
• Deploying others’ signatures with 0 testing
• Diving too deep
  – Making it grey
  – Getting too wrapped up in non-plausible attacks
  – Make it relevant to your environment

Inherent Knowledge: Same thing as a game
• The more you play, the more you can see the slight differences in the snakes, scorpions, and pitfalls
• Same with Hunting
  – IOC’s will become clear
  – How attacks happen will become clearer

Masked Threats: Identity / Account Management
• How are you tracking your users?
• Check your authentication mechanism
  – Several new tools
  – Poor Man’s Way
    • Pull your AD tree with PowerShell
    • Diff it daily
  – Check for variances
    • Check for new users logging into systems they never have before
    • Check for users with new permissions
    • https://gallery.technet.microsoft.com/scriptcenter/Powershell-script-to-5edcdaea
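The "Poor Man’s Way" above (pull the AD tree daily, diff it, check for variances) as an added example; it is not from the talk and not the linked TechNet script. It assumes you already export the directory each day to a CSV with the columns samAccountName, enabled and memberOf (semicolon-separated group list), and that your authentication logs give you (user, target host) logon pairs; both inputs here are constructed sample data, and the finding labels are an assumption of the example.

```python
"""Diff daily AD snapshots and logon baselines to surface account changes.

Added example, not from the talk and not the linked TechNet script. It assumes
a daily directory export (e.g. produced with PowerShell) to a CSV with columns
samAccountName, enabled, memberOf (semicolon-separated), plus a per-user list
of logon targets built from authentication logs. Both inputs below are
constructed sample data.
"""
import csv
import io

YESTERDAY = """\
samAccountName,enabled,memberOf
alice,True,Domain Users;Finance
bob,True,Domain Users
svc_backup,True,Domain Users;Backup Operators
"""

TODAY = """\
samAccountName,enabled,memberOf
alice,True,Domain Users;Finance;Domain Admins
bob,False,Domain Users
svc_backup,True,Domain Users;Backup Operators
helpdesk2,True,Domain Users;Remote Desktop Users
"""

# Constructed (user, target host) logon pairs: a historical baseline and today's.
BASELINE_LOGONS = [("alice", "WS-ALICE"), ("alice", "FS01"),
                   ("bob", "WS-BOB"), ("svc_backup", "BACKUP01")]
TODAY_LOGONS = [("alice", "WS-ALICE"), ("alice", "DC01"),
                ("svc_backup", "BACKUP01"), ("svc_backup", "WS-BOB")]


def load_snapshot(csv_text):
    """Parse a snapshot export into {sam: {"enabled": bool, "groups": set}}."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        users[row["samAccountName"]] = {
            "enabled": row["enabled"].strip().lower() == "true",
            "groups": {g for g in row["memberOf"].split(";") if g},
        }
    return users


def diff_snapshots(old, new):
    """Return (kind, sam, detail) tuples, sorted by account name.

    kinds (labels are an assumption of this example):
      new_user, removed_user, group_added, group_removed, enabled_changed
    """
    findings = []
    for sam in sorted(set(old) | set(new)):
        if sam not in old:
            findings.append(("new_user", sam, sorted(new[sam]["groups"])))
        elif sam not in new:
            findings.append(("removed_user", sam, None))
        else:
            added = new[sam]["groups"] - old[sam]["groups"]
            removed = old[sam]["groups"] - new[sam]["groups"]
            if added:
                findings.append(("group_added", sam, sorted(added)))
            if removed:
                findings.append(("group_removed", sam, sorted(removed)))
            if old[sam]["enabled"] != new[sam]["enabled"]:
                findings.append(("enabled_changed", sam, new[sam]["enabled"]))
    return findings


def new_logon_pairs(baseline, today):
    """(user, host) pairs seen today that never appeared in the baseline."""
    known = set(baseline)
    return sorted({pair for pair in today if pair not in known})


if __name__ == "__main__":
    for finding in diff_snapshots(load_snapshot(YESTERDAY), load_snapshot(TODAY)):
        print("AD   ", finding)
    for user, host in new_logon_pairs(BASELINE_LOGONS, TODAY_LOGONS):
        print("LOGON", f"{user} -> {host} (first time seen)")
```

Run daily, the directory diff surfaces the new Domain Admins membership, the disabled account and the new helpdesk user; the logon diff surfaces a service account touching a workstation for the first time, which is the "new users logging into systems they never have before" variance the slide asks for. Every line of output is a question for an analyst, not a verdict: a change ticket explains most of them, and the ones it does not explain are the hunt.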

Test yourself
• Properly use a Red Team
  – Find your blind spots
  – Use pre-determined test cases
• Validate results
• Work with them, not against them
  – Don’t make it a competition
  – Make it value-added training
• Understand the results of the test
• Continual process
  – Not a One & Done

Questions???

Fin