avoiding the pitfalls of hunting - bsides charm 2016


Upload: tony-cook

Post on 13-Jan-2017


TRANSCRIPT

Page 1: Avoiding the Pitfalls of Hunting - BSides Charm 2016

1 © Copyright 2015 EMC Corporation. All rights reserved.

Avoiding the Pitfalls of Hunting

The Art of Fail

Page 2: Press Start if you're ready

You're not ready…

Page 3: Your Supposed Guide… (Good Luck)

•  Tony Cook

•  RSA IR

•  Just here for the Good Times…

Page 4: What's the goal of this Talk?

•  Where hunting can go wrong

•  How to avoid losing before starting

•  Review old fails to make your fails "less badder"

Page 5: Don't be that guy

Page 6: To keep in mind: What's the goal of Hunting?

•  Empower enterprises to PROACTIVELY search for and discover threats within their networks

•  Assumes a breach has already occurred

•  One component of a SOC, not a replacement for the rest of it

Page 7: First things First

•  Everyone's _____ is different
   –  Environment
   –  Company mission
   –  Staff
   –  Tools
   –  Policies

•  Stop taking everyone's advice
   –  Think critically about your own network

•  Risk-based analysis will give you your depth for each of these
   –  Maybe you don't have the budget for cream-of-the-crop tools or staff
   –  You still need a way to look through your Jungle

Page 8: Make a Map, AKA Critical Top 20 #1 & #2 (inventory of devices and software)

•  Where most fails start

•  Not knowing your Jungle inside & out
   –  Borders & internal

•  Not understanding what's in your environment

•  You can't defend what you don't know

•  Understand the context of your network

•  Invisible enemies are hard to fight

Page 9: Shared Jungles: Who do you trust?

•  Understand your trusted relationships

•  Understand their vulnerabilities/threats

•  Have complete visibility/control over traffic coming to and from your Jungle
   –  You have enough to deal with already
   –  Most of the threats come from outside

•  If you had to, how would you segregate yourself from any/all other partners?

Page 10: Tools to Help with this

•  Review your current tool sets to see what you can already use

•  Suggestions
   –  NetFlow hunting
      •  Tracking ingressing & egressing hosts
      •  Who's talking to whom?
   –  PRADS / p0f (passive fingerprinting)
   –  Host-based agents
      •  HBSS
      •  IR tools
      •  Vulnerability management
      •  NAC
   –  Network discovery tools

Page 11: VALIDATE

•  #1 way to fail is to trust a single dataset
   –  Coalesce ALL THE THINGS
      •  HBSS -> Vulnerability Scan -> NMAP -> NetFlow
      •  Patch Management -> NMAP -> NetFlow
   –  Find the outliers

•  Trust in one, fail by one
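The cross-check that slides 10 and 11 describe (NetFlow plus host-agent, scanner and nmap inventories, coalesced so the outliers fall out), as an added worked example that is not part of the talk. The four inventories and the flow records are constructed sample data standing in for the exports of the tools named on the slides; the source names and the `10.` internal prefix are assumptions.

```python
"""Coalesce host inventories from several sources and surface the outliers.

Added example, not from the talk: the inventories and flow records below are
constructed sample data standing in for exports from the tools the slides
name (HBSS agent list, vulnerability scanner, nmap sweep, NetFlow).
"""
from collections import defaultdict

# Constructed: hosts each source claims to know about.
HBSS_AGENTS = {"10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.2.20"}
VULN_SCAN = {"10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.2.20", "10.1.2.21"}
NMAP_LIVE = {"10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.2.20", "10.1.2.21",
             "10.1.3.30"}

# Constructed NetFlow-style records: (src_ip, dst_ip, bytes).
NETFLOW = [
    ("10.1.1.10", "203.0.113.5", 1200),
    ("10.1.2.21", "10.1.1.10", 900),
    ("10.1.3.30", "198.51.100.7", 50_000_000),
    ("10.1.9.99", "198.51.100.9", 4000),
]

INTERNAL_PREFIX = "10."  # assumption: the internal address space


def hosts_from_netflow(flows):
    """Every internal address seen as source or destination on the wire."""
    seen = set()
    for src, dst, _ in flows:
        seen.update(ip for ip in (src, dst) if ip.startswith(INTERNAL_PREFIX))
    return seen


def coalesce(sources):
    """Map each host to the set of source names that know about it."""
    view = defaultdict(set)
    for name, hosts in sources.items():
        for host in hosts:
            view[host].add(name)
    return dict(view)


def outliers(view, all_sources):
    """Hosts not present in every source, with the sources that miss them.

    A host the agent console lacks but the scanner sees is an unmanaged box;
    a host the inventory lists but NetFlow never sees may be dead or a
    visibility gap. Either way it is a lead, not a verdict.
    """
    return {host: sorted(all_sources - srcs)
            for host, srcs in sorted(view.items()) if srcs != all_sources}


def unmanaged_talkers(view):
    """Hosts known only from NetFlow: no agent, never scanned, never swept."""
    return sorted(host for host, srcs in view.items() if srcs == {"netflow"})


def run():
    sources = {
        "hbss": HBSS_AGENTS,
        "vuln_scan": VULN_SCAN,
        "nmap": NMAP_LIVE,
        "netflow": hosts_from_netflow(NETFLOW),
    }
    view = coalesce(sources)
    return outliers(view, set(sources)), unmanaged_talkers(view)


if __name__ == "__main__":
    gaps, unmanaged = run()
    for host, missing_from in gaps.items():
        print(f"{host:12} missing from: {', '.join(missing_from)}")
    print("seen only on the wire:", unmanaged)
```

The point of the sample data: 10.1.9.99 talks to the Internet but no agent, scanner or sweep knows it exists, while 10.1.1.11 and 10.1.1.12 are fully inventoried but never appear in NetFlow. Trusting any one of the four sources alone hides one of those two findings.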

Page 12: It's dangerous out there… Take this

•  Understand your tools

•  Know their strengths and weaknesses

•  Ensure their purposes
   –  Visibility
   –  Control
   –  Both?

•  If both… ensure a validating measure

Page 13: Train with your tools

•  You wouldn't go hunting without ever firing a gun at the range
   –  Don't go into the Jungle without first knowing how to use your tool in various situations
   –  Misunderstanding tool output is one of the biggest pitfalls you'll ever face

•  The biggest pit you'll fall down is the one you keep digging

•  TEST OUT YOUR TOOLS
   –  Virtual network
   –  Guest network
   –  Anything

Page 14: Pitfall - Does your Security Stack Blend?

•  How fast can you go from IOC to confirmation to remediation?
   –  Network detection -> exact host
      •  X-Forwarded-For enabled on the proxy?
      •  DHCP logs?
      •  DNS logs?
   –  Exact host -> artifacts
   –  Host detection -> artifacts

•  Tools should complement each other so that you can seamlessly pivot from network indicator <-> host indicator

•  How deep is your visibility on your hosts/network?
   –  Are you using them as a hunting dataset?
   –  Full packet capture || NetFlow?
   –  Process execution || antivirus?

•  How do you bring your datasets together?
   –  Do they benefit one another?
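The network-indicator-to-exact-host pivot this slide asks about, as an added worked example that is not part of the talk: a DNS resolver log gives the client IP that asked for the indicator, and the DHCP log gives who held that IP at that moment. Both logs are constructed and use a one-line-per-event format assumed for illustration; real resolver and DHCP server logs need their own parsers. The sample deliberately reuses one IP for two machines across the day, which is exactly the case a naive "grep the IP" pivot gets wrong.

```python
"""Pivot from a network indicator to the exact host by joining DNS and DHCP logs.

Added example, not from the talk. The two logs below are constructed and use a
simplified one-line-per-event format assumed for illustration; real resolver
and DHCP server logs differ and need their own parsers.
"""
import re
from datetime import datetime

# Constructed DNS resolver log: <timestamp> <client ip> query <name>
DNS_LOG = """\
2016-04-20T09:58:01 10.1.4.15 query www.example.com
2016-04-20T10:03:44 10.1.4.22 query evil-c2.example.net
2016-04-20T14:17:09 10.1.4.22 query evil-c2.example.net
"""

# Constructed DHCP log: <timestamp> DHCPACK <ip> <mac> <hostname>
# Note 10.1.4.22 changes hands at 12:30: the same IP is two different hosts.
DHCP_LOG = """\
2016-04-20T08:00:00 DHCPACK 10.1.4.22 aa:bb:cc:00:00:01 LAPTOP-ALICE
2016-04-20T08:05:00 DHCPACK 10.1.4.15 aa:bb:cc:00:00:03 WS-FINANCE-07
2016-04-20T12:30:00 DHCPACK 10.1.4.22 aa:bb:cc:00:00:02 LAPTOP-BOB
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")
DHCP_RE = re.compile(r"^(\S+) DHCPACK (\S+) (\S+) (\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def dns_hits(log, indicator):
    """(timestamp, client ip) for every query that matches the indicator."""
    hits = []
    wanted = indicator.lower().rstrip(".")
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(3).lower().rstrip(".") == wanted:
            hits.append((parse_ts(m.group(1)), m.group(2)))
    return hits


def parse_leases(log):
    """Sorted (timestamp, ip, mac, hostname) tuples from DHCPACK lines."""
    leases = []
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((parse_ts(m.group(1)),) + m.groups()[1:])
    return sorted(leases)


def host_at(leases, ip, when):
    """The lease for `ip` in force at `when`: the latest ACK at or before it.

    Simplification: lease expiry is ignored, so a stale lease can be
    returned if the DHCP log is incomplete. Returns None if no ACK precedes
    the query, which is itself a visibility gap worth recording.
    """
    holder = None
    for ts, lease_ip, mac, hostname in leases:
        if lease_ip == ip and ts <= when:
            holder = (mac, hostname)
    return holder


def pivot(indicator, dns_log=DNS_LOG, dhcp_log=DHCP_LOG):
    """Resolve an indicator to (query time, ip, (mac, hostname) or None)."""
    leases = parse_leases(dhcp_log)
    return [(when.isoformat(), ip, host_at(leases, ip, when))
            for when, ip in dns_hits(dns_log, indicator)]


if __name__ == "__main__":
    for when, ip, host in pivot("evil-c2.example.net"):
        print(when, ip, host or "no lease on record")
```

Run against the sample, the two queries for the indicator come from the same IP but resolve to two different laptops, because the lease changed between them. Pulling the host from the current DHCP table instead of the lease in force at query time would point remediation at the wrong machine.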

Page 15: How Deep do your Datasets go?

•  Are you using everything at your disposal?

•  Do your tools let you grab everything you need?

Host-based
   –  ShimCache
   –  Services
   –  CIM / WMI
   –  Scheduled tasks
   –  Run / RunOnce registry keys
   –  Much more

Network-based
   –  Metadata within PCAP
      •  User-Agents
      •  Referers
      •  Session size
      •  Flags
      •  Much, much, much more

Page 16: Vendors… A Quick Fix...

•  If you don't understand the tool… ASK WHO MADE IT!!!

•  9/10 you're not using it to its fullest potential

•  Most vendors will be more than happy to send PS (professional services) out to make you a success story

•  Assuming how a tool works will lead to misery

Page 17: How to Fail with your Tools

1.  Don't deploy them everywhere

2.  Don't include them in legacy plans

3.  Don't size them appropriately

4.  Don't cross-train your team

5.  Don't log them centrally

6.  Don't use all of their features

7.  Don't correlate them with your other tools

8.  Check the box

Page 18: Got your Map & Your Tools? Let's GO….

Page 19: General Concept of Hunting

•  Gather data

•  Analyze data
   –  Look for
      •  IOCs
      •  Outliers
      •  Known bad INTEL
      •  Modify IOCs
   –  Document

•  Remediate any findings

•  Repeat

Remember: not every outcome of hunting is malicious
   –  Policy violations
   –  Configuration issues
   –  Gaps in coverage

[Diagram: Gather Data -> Analyze Data (IOCs, outliers, bad intel; modify IOCs) -> Document -> Remediate -> back to Gather Data]

Page 20: Analysis Methodology Required

•  One of the biggest pitfalls is running around aimlessly looking at all the things

•  Pick or develop a repeatable methodology for analysis

•  Can be different for each analyst, cell, or company

•  Examples
   –  OODA Loop
   –  5 I's

Page 21: Example OODA Loop

Page 22: Quick WalkThrough

•  Observe – Bring in data!

•  Orient – Analyze
   –  Synthesize it to work in your datasets
   –  Put it in the proper context!!!
   –  Use prior validated knowledge
   –  Analyze

•  Decide – Make a proper hypothesis

   REPEAT THESE THREE THINGS UNTIL YOU HAVE SOMETHING ACTIONABLE

•  Act – Remediate or document

Page 23: Analysis Bias

•  Seeing the same old thing over & over?

•  Different approaches
   –  Anomaly
   –  Intelligence
   –  Objective

•  Try out various data analytics on different datasets
   –  Temporal
   –  Rare
   –  Variance
   –  New
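Three of the analytics this slide lists (rare, new, temporal) applied to one dataset and then stacked, as an added worked example that is not part of the talk. The baseline and the day's process-execution records are constructed, and the record shape (timestamp, host, process, parent) is an assumption standing in for whatever process telemetry is available; the business-hours window is likewise an assumed parameter.

```python
"""Three analytics the slide lists (rare, new, temporal) over a process-execution
dataset, then stacked so a record flagged by all three rises to the top.

Added example, not from the talk. Both datasets are constructed; the record
shape (timestamp, host, process, parent) is an assumption standing in for
whatever process-execution telemetry you collect.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline from prior weeks: (host, process, parent).
BASELINE = [
    ("ws01", "outlook.exe", "explorer.exe"),
    ("ws02", "outlook.exe", "explorer.exe"),
    ("ws03", "outlook.exe", "explorer.exe"),
    ("ws01", "chrome.exe", "explorer.exe"),
    ("ws02", "chrome.exe", "explorer.exe"),
    ("ws01", "powershell.exe", "explorer.exe"),
]

# Constructed records for the day being hunted: (timestamp, host, process, parent).
TODAY = [
    ("2016-04-20T09:12:00", "ws01", "outlook.exe", "explorer.exe"),
    ("2016-04-20T09:13:00", "ws02", "outlook.exe", "explorer.exe"),
    ("2016-04-20T09:20:00", "ws03", "chrome.exe", "explorer.exe"),
    ("2016-04-20T10:02:00", "ws02", "powershell.exe", "winword.exe"),
    ("2016-04-20T02:41:00", "ws03", "rundll32.exe", "cmd.exe"),
    ("2016-04-20T11:00:00", "ws01", "powershell.exe", "explorer.exe"),
]


def rare(records, max_hosts=1):
    """Processes seen on at most `max_hosts` distinct hosts (least-frequency)."""
    hosts_per_proc = defaultdict(set)
    for _, host, proc, _ in records:
        hosts_per_proc[proc].add(host)
    return sorted(p for p, hosts in hosts_per_proc.items() if len(hosts) <= max_hosts)


def new(records, baseline):
    """(process, parent) pairs never seen in the baseline."""
    known = {(proc, parent) for _, proc, parent in baseline}
    return sorted({(proc, parent) for _, _, proc, parent in records} - known)


def off_hours(records, start_hour=7, end_hour=19):
    """Executions outside the assumed business window [start_hour, end_hour)."""
    out = []
    for ts, host, proc, _ in records:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour
        if not start_hour <= hour < end_hour:
            out.append((ts, host, proc))
    return out


def stack(records, baseline):
    """Count how many analytics flag each (host, process); highest first.

    Each analytic alone is noisy (chrome.exe is 'rare' today only because one
    host ran it); a record that is rare AND new AND off-hours is worth a look.
    """
    rare_procs = set(rare(records))
    new_pairs = set(new(records, baseline))
    late = {(host, proc) for _, host, proc in off_hours(records)}
    scores = Counter()
    for host, proc, parent in {(h, p, pp) for _, h, p, pp in records}:
        key = (host, proc)
        scores[key] += int(proc in rare_procs)
        scores[key] += int((proc, parent) in new_pairs)
        scores[key] += int(key in late)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (host, proc), score in stack(TODAY, BASELINE):
        print(f"{score}  {host}  {proc}")
```

The stacking is the antidote to the bias the slide names: rare-only would flag chrome.exe on ws03 alongside the rundll32.exe launched from cmd.exe at 02:41, and new-only would flag the Word-spawned PowerShell as equal to it. Only the combination orders them the way an analyst would.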

Page 24: Slow Down

•  Don't get so "HYPE" that you lose the forest for a tree

•  Don't mismanage your resources
   –  Having everyone work on the same thing
   –  Relying on one person

•  Don't let a fire get out of your control

•  Take a breath & make sure you're in context

Page 25: Thinking like the enemy…

•  Don't be afraid to use "RED" tools

•  There is a reason they're using them

•  Most of them are built-in OS tools

Page 26: A run through of more Pitfalls

Page 27: My least favorite Pitfall… Vulnerability Management

•  1st: My thoughts…
   –  That this is still a thing…
   –  Every major vendor has a free solution to do this...
   –  If you don't have this already being done...
   –  0-days are always there, but getting owned by a 5-year-old vulnerability... Just... I can't even…

•  Simply PATCH

•  2nd: Are you using it in more ways than one?
   –  Context value added to your map
   –  Using it to further understand your critical hosts
      •  New software deployed

Page 28: Threat Intelligence: How not to use it

•  Most environments… it's black or white
   –  Don't complicate it
      •  Snake = Bad
      •  Extra Life = Good

•  Once you've found a scorpion & know how it moves... document it & be alert for it next time

•  Failure to do so will get you bit… over & over

•  Also... sharing is caring.

Page 29: Pitfalls

•  Putting IOCs into a ticket that never becomes actionable

•  Having no context for IOCs

•  Creating bad signatures
   –  Bare strings
   –  Not deploying them properly
   –  No validation

•  Deploying others' signatures with 0 testing

•  Diving too deep
   –  Making it grey
   –  Getting too wrapped up in non-plausible attacks
   –  Make it relevant to your environment
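The validation step this slide says bad signatures skip, as an added worked example that is not part of the talk: a candidate signature is measured against known-bad samples and a slice of the benign baseline before anyone deploys it, and gated on the result. The samples are constructed User-Agent strings, `evilbot` is a placeholder token rather than a real malware family, and the 90% detection / 0% false-positive thresholds are assumptions to tune per environment.

```python
"""Validate a candidate signature against known-bad and known-good samples
before it is deployed, and reject it if it is too broad or too weak.

Added example, not from the talk. The samples are constructed User-Agent
strings; 'evilbot' is a placeholder name, not a real malware family, and the
thresholds are assumptions to tune for your environment.
"""
import re

# Constructed: User-Agents observed in confirmed-bad sessions.
KNOWN_BAD = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) evilbot/1.0",
    "Mozilla/5.0 (Windows NT 6.3) evilbot/1.2",
    "evilbot/2.0",
]

# Constructed: a slice of the benign baseline from the same network.
KNOWN_GOOD = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/49.0.2623.112 Safari/537.36",
    "Microsoft-CryptoAPI/6.1",
    "Windows-Update-Agent",
]


def evaluate(pattern, bad, good):
    """Detection rate on bad samples and false-positive rate on good ones."""
    rx = re.compile(pattern)
    bad_hits = [s for s in bad if rx.search(s)]
    good_hits = [s for s in good if rx.search(s)]
    return {
        "detection": len(bad_hits) / len(bad),
        "false_positive": len(good_hits) / len(good),
        "missed": [s for s in bad if s not in bad_hits],
        "benign_hits": good_hits,
    }


def approve(pattern, bad=KNOWN_BAD, good=KNOWN_GOOD,
            min_detection=0.9, max_false_positive=0.0):
    """Gate a signature on measured performance rather than on a hunch."""
    result = evaluate(pattern, bad, good)
    result["approved"] = (result["detection"] >= min_detection
                          and result["false_positive"] <= max_false_positive)
    return result


if __name__ == "__main__":
    # A bare string lifted from one sample: matches every browser on the network.
    print("Mozilla/5\\.0     ->", approve(r"Mozilla/5\.0")["approved"])
    # The actual distinguishing token, anchored on its version form.
    print("evilbot/[0-9.]+  ->", approve(r"evilbot/[0-9.]+")["approved"])
```

The `missed` and `benign_hits` lists are what make the result actionable: they tell the signature author which bad sample slipped through and which benign traffic would have paged the SOC, which is the context a bare pass/fail lacks.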

Page 30: Inherent Knowledge: Same thing as a game

•  The more you play, the more you can see the slight differences in the snakes, scorpions, and pitfalls

•  Same with hunting
   –  IOCs will become clear
   –  How attacks happen will become clearer

Page 31: Masked Threats: Identity / Account Management

•  How are you tracking your users?

•  Check your authentication mechanism
   –  Several new tools
   –  Poor man's way
      •  Pull your AD tree with PowerShell
      •  Diff it daily
   –  Check for variances
      •  Check for new users logging into systems they never have before
      •  Check for users with new permissions
      •  https://gallery.technet.microsoft.com/scriptcenter/Powershell-script-to-5edcdaea
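The "pull it, diff it daily, check for variances" approach this slide describes, as an added worked example that is not part of the talk and not the TechNet script it links. The snapshot layout (users with enabled flag and group set, plus the hosts each user logged on to) is an assumption about what a PowerShell export of users, group membership and logon events could be saved as; the two days' data are constructed.

```python
"""Diff two daily snapshots of directory state to surface new accounts,
new group membership, re-enabled accounts and first-time logons to hosts.

Added example, not from the talk and not the TechNet script the slide links.
The snapshot layout below is an assumption: it is what you might save after
exporting users, group membership and logon events with PowerShell; the data
itself is constructed.
"""

# Constructed snapshots: user -> attributes, and user -> hosts logged on to.
YESTERDAY = {
    "users": {
        "alice": {"enabled": True, "groups": {"Domain Users"}},
        "bob": {"enabled": True, "groups": {"Domain Users", "Helpdesk"}},
        "carol": {"enabled": False, "groups": {"Domain Users"}},
        "svc_backup": {"enabled": True, "groups": {"Domain Users", "Backup Operators"}},
    },
    "logons": {
        "alice": {"WS01"},
        "bob": {"WS02", "WS05"},
        "svc_backup": {"FS01"},
    },
}

TODAY = {
    "users": {
        "alice": {"enabled": True, "groups": {"Domain Users"}},
        "bob": {"enabled": True, "groups": {"Domain Users", "Helpdesk", "Domain Admins"}},
        "carol": {"enabled": True, "groups": {"Domain Users"}},
        "svc_backup": {"enabled": True, "groups": {"Domain Users", "Backup Operators"}},
        "mallory": {"enabled": True, "groups": {"Domain Users"}},
    },
    "logons": {
        "alice": {"WS01"},
        "bob": {"WS02"},
        "svc_backup": {"FS01", "WS03"},
        "mallory": {"WS09"},
    },
}


def diff_snapshots(old, new):
    """Return the variances between two snapshots as sorted lists."""
    old_users, new_users = old["users"], new["users"]
    added = sorted(set(new_users) - set(old_users))
    removed = sorted(set(old_users) - set(new_users))

    new_membership, reenabled = [], []
    for user in sorted(set(old_users) & set(new_users)):
        before, after = old_users[user], new_users[user]
        new_membership += [(user, g) for g in sorted(after["groups"] - before["groups"])]
        if after["enabled"] and not before["enabled"]:
            reenabled.append(user)

    # A host a user has never logged on to before; a brand-new account's
    # first logons show up here too, which is deliberate.
    first_logons = []
    for user, hosts in sorted(new["logons"].items()):
        seen = old["logons"].get(user, set())
        first_logons += [(user, h) for h in sorted(hosts - seen)]

    return {
        "new_users": added,
        "removed_users": removed,
        "new_group_membership": new_membership,
        "reenabled": reenabled,
        "first_time_logons": first_logons,
    }


if __name__ == "__main__":
    for finding, items in diff_snapshots(YESTERDAY, TODAY).items():
        print(f"{finding}: {items}")
```

Run daily, the "logons" half of the snapshot should accumulate rather than reset, otherwise every weekly logon to a rarely used server reads as a first-time event; the diff itself stays the same.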

Page 32: Test yourself

•  Properly use a Red Team
   –  Find your blind spots
   –  Use pre-determined test cases

•  Validate results

•  Work with them, not against them
   –  Don't make it a competition
   –  Make it value-added training

•  Understand the results of the test

•  Continual process – not a one & done

Page 33: Questions???

Page 34: Fin