Free Webinar: How to hunt for Security Threats


How to Hunt for Security Threats

Tom Updegrove NetCom Learning www.netcomlearning.com | info@netcomlearning.com | (888) 563 8266

©1998-2018 NetCom Learning


Agenda

• What is Threat Hunting
• Preparing for the Hunt
• Hunting
• Mastering Hunting
• Tips for improving your THSS



What is Threat Hunting

The Definition

"The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."



Understanding Threat Hunting

• Security Threats
• Motivations
  • Hackers, Crackers, Hacktivists, Nation States, etc.
• Methods
  • Intuition
  • Analysis & Hypothesis



Types of Hypotheses

There are three types of hypotheses:

• Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
• Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
• Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"



Types of Indicators

There are two types of indicators:

• Compromise
• Concern



Detection Maturity Level (DML) Model

• High Semantics
  • Goal and strategy, or tactics, techniques and procedures
• Low Semantics
  • IP addressing, network anomalies
  • AI, SIEM & ELK



Five Levels of Maturity

• Initial - level 0: An organization relies primarily on automated reporting and does little or no routine data collection.
• Minimal - level 1: An organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
• Procedural - level 2: An organization follows analysis procedures created by others. It has a high or very high level of routine data collection.



Five Levels of Maturity

• Innovative - level 3: An organization creates new data analysis procedures. It has a high or very high level of routine data collection.
• Leading - level 4: Automates the majority of successful data analysis procedures. It has a high or very high level of routine data collection.



Dwell Time

• Cyber-attackers operate undetected for an average of 99 days and obtain administrator credentials in less than three days.*
• The study also showed that 53% of attacks are discovered only after notification from an external party.

*Mandiant M-Trends Report



Mean Time to Detection

• The average company takes 170 days to detect an advanced threat.*
• 39 days to mitigate.*
• 43 days to recover.*

*Ponemon Institute



Difference Between Threat Hunting and Pen Testing

• What threats are hunted
• The development of threat hunting
• Co-Existence
• Man & Computers
• The Big Picture
• Intruders
• Data exploitation
• Knowing the enemy



Preparing for the Hunt

• The Team
• Finding the Time
• Training
• Processes



Threat Hunting



The Technology of Threat Hunting

• Endpoints
• Network detection
• Threat Intelligence
• Data Correlation



The Baseline

• What is normal and what isn’t
• What are the High Value Targets
• Reverse engineering the attack



How to Prepare for Threat Hunting

• Where to start
• Filtering out legitimate traffic
• What is suspicious
• Diving deeper
• Impact
• Remediation
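The "Baseline" slide (what is normal and what isn't) and the preparation steps above (where to start, filtering out legitimate traffic, what is suspicious, diving deeper) can be carried out as one small hunt over process-creation events. The following is an added example written for this page; it is not code from the webinar or from NetCom Learning. The event layout, the `ProcEvent` field names, the 50% prevalence threshold and every sample record are constructed for illustration. The hunt treats a parent/child process pair as part of the baseline when it appears on at least half the hosts in scope, flags the rest, and then pivots to a flagged host to show the surrounding activity an analyst would review before judging impact.

```python
"""Baseline-driven hunt over process-creation events.

Added example for the "Baseline" and "How to Prepare for Threat Hunting"
slides. All data below is constructed for illustration and is not drawn
from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, in the shape an EDR or Sysmon-style
    pipeline would emit it (the field names are this example's own)."""
    host: str
    user: str
    parent: str
    process: str
    cmdline: str


# Constructed sample: four workstations running routine software, plus one
# host where the mail client spawns a script interpreter.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("ws02", "bob", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("ws03", "carol", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("ws04", "dave", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("ws01", "alice", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("ws02", "bob", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("ws03", "carol", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("ws04", "dave", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("ws01", "alice", "explorer.exe", "teams.exe", "teams.exe"),
    ProcEvent("ws02", "bob", "explorer.exe", "teams.exe", "teams.exe"),
    ProcEvent("ws03", "carol", "outlook.exe", "wscript.exe",
              "wscript.exe C:\\Users\\carol\\AppData\\Local\\Temp\\invoice.js"),
]


def build_baseline(events):
    """Where to start / filtering legitimate activity: for every
    (parent, child) pair, record the set of hosts on which it occurred.
    Wide prevalence across the fleet is the signal that something is normal."""
    prevalence = defaultdict(set)
    for e in events:
        prevalence[(e.parent, e.process)].add(e.host)
    return prevalence


def hunt(events, normal_fraction=0.5):
    """What is suspicious: return the pairs seen on fewer than
    `normal_fraction` of all hosts, least prevalent first. Pairs at or above
    the threshold are treated as the environment's baseline and dropped."""
    hosts_in_scope = {e.host for e in events}
    prevalence = build_baseline(events)
    findings = []
    for (parent, child), hosts in prevalence.items():
        share = len(hosts) / len(hosts_in_scope)
        if share < normal_fraction:
            findings.append({
                "parent": parent,
                "process": child,
                "hosts": sorted(hosts),
                "share": share,
                "events": [e for e in events if (e.parent, e.process) == (parent, child)],
            })
    findings.sort(key=lambda f: f["share"])
    return findings


def pivot_host(events, host):
    """Diving deeper: every event on one host, so the analyst can see what
    surrounded a flagged process before assessing impact and remediation."""
    return [e for e in events if e.host == host]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['process']}: seen on {f['hosts']} ({f['share']:.0%} of hosts)")
        for e in f["events"]:
            print(f"    {e.host} {e.user}: {e.cmdline}")
        for host in f["hosts"]:
            print(f"  context on {host}:")
            for e in pivot_host(SAMPLE_EVENTS, host):
                print(f"    {e.parent} -> {e.process}")
```

The threshold is the part worth thinking about: with four hosts, `teams.exe` launched on two of them sits exactly at 50% and stays in the baseline, while the same pair would be flagged at a 75% threshold. In a real fleet the threshold is tuned against the host count and the software inventory, and a pair that is rare but expected (a tool installed on one admin workstation) is documented rather than re-investigated on every hunt.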



Mastering Threat Hunting

• Research
• Intuition
• Educated hunches
• OODA
• Developing tools & traps



Perfecting the Technique

• Know your Environment
• Think like a Hacker
• Develop the OODA Mindset
• Apply sufficient resources to the Hunt
• Deploy endpoint intelligence throughout the network
• Collaborate
• Log results
• Develop your skills
• Keep up to date on Attack Trends





Threat Hunting

Articles (Quick Start)

• Incident Response is Dead… Long Live Incident Response, Scott Roberts
  • Straight talk in plain language about the idea of hunting, why your organization should be doing it, and what it takes to create a successful hunting program. Read this one first!
• Demystifying Threat Hunting Concepts, Josh Liburdi
  • A strategic look at the importance of good beginnings, middles and ends of the hunt.
• A Simple Hunting Maturity Model, David J. Bianco
  • Proposes a practical definition of “hunting”, and a maturity model to help explain the various stages of hunting capability an organization can go through. The HMM can be viewed as a roadmap that an organization can use to describe their current capability and plan for improvement.
• The Threat Hunting Reference Model Part 2: The Hunting Loop, Sqrrl
  • Building on the HMM, this describes the hypothesis-driven cycle that successful hunters must iterate through.
• The Who, What, Where, When, Why and How of Effective Threat Hunting, Robert M. Lee & Rob Lee, The SANS Institute
  • A very comprehensive discussion of many aspects of hunting, with a special emphasis on how it fits within the overall security program and the “active cyber defense cycle”.



Threat Hunting

Articles (Quick Start)

• Generating Hypotheses for Successful Threat Hunting, Robert M. Lee & David J. Bianco
  • An in-depth discussion of the different types of hunting hypotheses and how to create good ones to get your hunts started right.
• Building Threat Hunting Strategies with the Diamond Model, Sergio Caltagirone
  • The first part of this article is all about how to organize and prepare for your next hunt. It introduces “the 4 hunting questions” you must answer before you begin. The second part presents a framework for categorizing different hunting approaches based on the Diamond Model of Intrusion Analysis (of which Mr. Caltagirone was a primary author).
• Cyber Threat Hunting (1): Intro, Samuel Alonso
  • Another good intro to threat hunting. Offers a slightly different viewpoint on hunting than some of the other items in this list.
• Cyber Hunting: 5 Tips to Bag Your Prey, David J. Bianco
  • Who doesn’t like a good “Top N” list?? This one offers 5 quick bullet points to help you think about how to get your team started hunting.
• Threat Hunting: Open Season on the Adversary, Dr. Eric Cole, The SANS Institute
  • The recent SANS threat hunting survey is probably the most authoritative source on how real practitioners and security executives view hunting, their own hunting programs, and their wants & needs for improvement.



Threat Hunting Books

• Huntpedia, Richard Bejtlich, Danny Akacki, David Bianco, Tyler Hudak, Scott Roberts, et al.
  • A collection of essays and “how-to” articles on threat hunting put out by Sqrrl. It’s not tied to their product, though, and is a great reference for both beginners and advanced threat hunters. The first section talks about hunting theory and practice, while the second focuses on providing detailed, concrete examples of actionable hunts.
• Data-Driven Security: Analysis, Visualization and Dashboards, Jay Jacobs & Bob Rudis
  • A wide-ranging look at many aspects of data analysis and presentation fundamental to many hunting techniques. Includes lots of code in R, but also Python. It’s great for learning the basic ideas behind data analysis and using the results to make decisions and drive changes in your security program.
• Network Security Through Data Analysis: Building Situational Awareness, Michael Collins
  • Covers many (free!) tools for collecting and analyzing large amounts of data, primarily to find potential intrusions. The book takes a heavily hands-on, practical approach with extensive examples written in Python.

Other Resources

• Windows Commands Abused by Attackers, JPCERT/CC
  • Using data drawn from actual attacks, this article shows the most common Windows commands used and abused by attackers once they gain access to a system. The commands are organized into “Initial Investigation”, “Reconnaissance” and “Spread of Infection” (Lateral Movement). There are no actual analytic techniques discussed here, but the data will be quite useful as the basis for generating some hunts based on Windows command usage.



Recorded Webinar Video

To watch the recorded webinar video for live demos, please access the link: https://bit.ly/2McHkOy



About NetCom Learning



Recommended Courses

» Certified Information Systems Security Professional (CISSP) Certification - Class scheduled on Aug 20
» CompTIA Security+ Certification - Class scheduled on Aug 20
» CISA Certification - Class scheduled on Sep 10
» EC-Council CEH: Certified Ethical Hacker v10 & CNDA: Certified Network Defense Architect - Class scheduled on Sep 10
» CompTIA PenTest+ Certification - Class scheduled on Sep 17
» CompTIA Advanced Security Practitioner (CASP) Certification - Class scheduled on Sep 17
» CompTIA Cybersecurity Analyst (CySA+) Certification - Class scheduled on Oct 29



» Creating Social Media Graphics in Photoshop CC
» Office 365 Design Insights
» Project Management: Developing Project Schedules and Budgets
» How to Configure Networking in Windows 10 Devices
» ASP.NET Functions on Microsoft Azure
» Getting Started With CompTIA PenTest+
» PowerPoint 2016: 10 Tips to Master Presentations
» Hands-On Power BI for Data Visualization



Promotions

From Cloud to Security, to Data and AI, to Networking, to Application Development, to Design, to Business Process & Application; all classes are delivered by top-notch instructors, either in-person in an instructor-led classroom or Live Online. And after you train, treat yourself with Gift Card rewards.





THANK YOU !!!


