Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Go to Hunt, Then Sleep

David J. Bianco
July 27, 2017
Technology
0
2.1k

Go to Hunt, Then Sleep

Are nightmares of data breaches and targeted attacks keeping your CISO up at night? You know you should be hunting for these threats, but where do you start? Told in the style of the popular children’s story spoof, this soothing bedtime tale will lead Li’l Threat Hunters through the first five hunts they should do to find bad guys and, ultimately, help their CISOs “Go the F*ck to Sleep”.

David J. Bianco

July 27, 2017
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
7
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
160
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
91
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
33
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
910
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
320
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
240
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.1k
Things that Make You go HMM: Using a Simple Hunting Maturity Model to Establish and Improve Your Threat Hunting Program
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
エンジニアのためのマネジメント入門/Introduction to Management for Software Engineers
dskst
1
330
ORM - Object-relational mapping
onk
PRO
0
490
Webアプリケーション設計の第一歩は
ディレクトリの整理から / Encraft 1
okunokentaro
22
6.2k
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
10
2.8k
QMファンネルとQAキャリア
gen519
PRO
1
170
PHP で学ぶ Cache の距離の話 / study_cache_with_php
hanhan1978
3
780
IBM Cloud PLUS - #3 IBM PowerVS 入門と最新情報
6onoda
0
110
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
130
Snyk の紹介 〜セキュリティの Shift Left を目指す〜
toshiaizawa
0
120
軽率に休学したら Babylon.js×WebARで 夢を3つ叶えてた / my dreams with babylon.js and WebAR
drumath2237
0
130
ZOZOTOWNの裏側に迫る! Javaで作られたBFFの開発事例を紹介
yutaro527
0
300
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.4k

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k
Atom: Resistance is Futile
akmur
256
24k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
55k
The Invisible Side of Design
smashingmag
292
49k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
Testing 201, or: Great Expectations
jmmastey
25
5.8k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
What the flash - Photography Introduction
edds
64
10k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
Navigating Team Friction
lara
177
12k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
How GitHub (no longer) Works
holman
299
140k

Transcript

  1. View Slide

  2. View Slide

  3. Go to Hunt, But First Read
    Generating Hypotheses for Successful
    Threat Hunting
    https://goo.gl/Jo9qCA
    The ICS Cyber Kill Chain
    https://goo.gl/fivxp7
    The ThreatHunting Project
    http://ThreatHunting.net
    MITRE ATT&CK Framework
    https://attack.mitre.org
    Little Bobby
    http://LittleBobbyComic.com
    David J. Bianco
    Principal Engineer
    Target Corporation
    @DavidJBianco
    Robert M. Lee
    CEO
    Dragos, Inc.
    @RobertMLee

    View Slide

  4. View Slide

  5. Identifying Hunt Targets
    Use “friendly intel” to identify core processes and assets.
    Use threat intel to identify likely actors and their common tactics and known techniques
    against those assets.
    Cross reference with MITRE ATT&CK framework to identify related techniques.

    View Slide

  6. Setting Priorities
    Plot Tactics/Techniques against the attack lifecycle.

    View Slide

  7. Setting Priorities
    Plot Tactics/Techniques against the attack lifecycle.
    Rank entries in each phase by potential impact & breadth of activity coverage.
    Prioritize on two axes: lifecycle phase and rank in phase.

    View Slide

  8. Creating the Hunt Plan
    Research each technique to determine side effects & likely artifacts.
    Turn this research into actionable hunt info:
    Hunt hypotheses
    Data required
    Artifacts or effects to look for
    Analytic techniques
    Schedule these according to your available resources.
    Don’t forget to automate successful hunts!

    View Slide

  9. View Slide

  10. Welcome to the Jungle
    Jungle, Inc. is the leading supplier of wildlife-themed
    fidget spinners to the rainforest industry. Critical assets
    include:
    ● Product plans & specifications
    ● Manufacturing processes
    ● Market & customer info
    Most of their business relies on a single product. Rivals
    able to produce similar products more cheaply could
    severely impact their market share, so their biggest
    concerns are the confidentiality of their product plans
    and associated manufacturing processes.

    View Slide

  11. View Slide

  12. Data Exfiltration via PCR Shift
    The Producer-Consumer Ratio (PCR)
    measures the “shape” of a system’s pattern
    of network use. Significant shifts in PCR
    may indicate unusual data movement
    (staging or exfil).
    Hypothesis: Large amount of data being
    staged/exfiltrated will significantly change
    PCR from one or few hosts.
    Data Required: Network flow records.
    Source: The ThreatHunting Project (https://goo.gl/J7oGE9)
    Artifacts & Effects: Large PCR change over time
    Analytic Techniques: Visualization

    View Slide

  13. Lateral Movement in Process
    Logs
    An attacker’s first foothold in the
    environment is unlikely to offer them
    access to product plans or the ICS
    environment. Therefore, LM will be
    necessary.
    Source: The ThreatHunting Project (https://goo.gl/ZiqA1R and https://goo.gl/gM8HcM)
    Artifacts & Effects: Command shells started by documents or
    other weird parents; spikes in use of CLI recon tools
    Analytic Techniques: Visualization, stack counting
    Hypothesis: Lateral movement will be performed from the command line, requiring the
    attacker to spawn command shells. Additionally, they will tend to use existing CLI tools to
    orient themselves when they compromise a new host.
    Data Required: Process creation (Win event 4688, Sysmon event 1, EDR logs, etc)

    View Slide

  14. Adversary Positioning on HMIs
    HMIs are often on Windows and Linux systems
    familiar to adversaries, contain important visual
    information about the physical process, and can
    be connected for remote usage.
    Artifacts & Effects: New process spawning outside of maintenance periods, VPN
    session lengths/frequency, or HMI logs for undocumented interaction
    Analytic Techniques: Configuration and Frequency Analysis
    Human Machine Interfaces (HMIs) are the Supervisory Control for the Process
    Hypothesis: Adversaries will position on HMIs as
    familiar territory (Windows and Linux) while learning
    the industrial process.
    Data Required: Process creation, VPN logs, and
    HMI logs

    View Slide

  15. Exfiltration from Data Historian
    Espionage would require both the manufacturing
    schematics (IT) as well as the physical process
    information ultimately making up the full “recipe”
    details (ICS), which would require the Historian.
    Artifacts & Effects: Spikes in OPC usage and trends of larger
    OPC communications over time than previous
    Analytic Techniques: Visualization, Configuration Analysis,
    Time Series Seasonal Decomposition
    Hypothesis: Exfiltration from Historians would
    utilize legitimate ICS protocols such as OPC but it
    would generate consistently larger OPC
    communications.
    Data Historians hold the specifics about the physical industrial process.
    Data Required: Network captures of OPC

    View Slide

  16. Machine Learning for HTTP C2
    http://www.rhaensch.de/vrf.html
    By nature, most HTTP C2 will be slightly
    different than normal traffic. We may be able
    to exploit that by applying some simple ML
    techniques.
    Hypothesis: At least some HTTP C2
    transactions are “different enough” that an
    ML model can learn to find them.
    Data Required: Outgoing HTTP logs
    Artifacts & Effects: Not Applicable
    Analytic Techniques: Random Forests (Supervised), Isolation Forests
    (Unsupervised)
    Source: https://github.com/DavidJBianco/Clearcut

    View Slide

  17. Machine Learning for HTTP C2
    http://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf
    Source: https://github.com/DavidJBianco/Clearcut
    By nature, most HTTP C2 will be slightly
    different than normal traffic. We may be able
    to exploit that by applying some simple ML
    techniques.
    Hypothesis: At least some HTTP C2
    transactions are “different enough” that an
    ML model can learn to find them.
    Data Required: Outgoing HTTP logs
    Artifacts & Effects: Not Applicable
    Analytic Techniques: Random Forests (Supervised), Isolation Forests
    (Unsupervised)

    View Slide

  18. View Slide

  19. View Slide