$30 off During Our Annual Pro Sale. View Details »

Go to Hunt, Then Sleep

David J. Bianco
July 27, 2017
Technology
0
2.2k

Go to Hunt, Then Sleep

Are nightmares of data breaches and targeted attacks keeping your CISO up at night? You know you should be hunting for these threats, but where do you start? Told in the style of the popular children’s story spoof, this soothing bedtime tale will lead Li’l Threat Hunters through the first five hunts they should do to find bad guys and, ultimately, help their CISOs “Go the F*ck to Sleep”.

David J. Bianco

July 27, 2017
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
11
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
150
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
25
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
200
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
37
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
920
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
350
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260

Other Decks in Technology

See All in Technology
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
220
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
220
Go Getでのchecksum不一致に遭遇した話とその対応
replu
0
290
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
710
技術広報経験0のEMがエンジニアブランディングをはじめてみた
coconala_engineer
1
140
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
880
10分でわかる株式会社ログラス − エンジニア向け会社説明資料 / Loglass in 10 min for Engineers
loglass2019
2
870
機械学習システム構築実践ガイド
shibuiwilliam
0
300
隙間家具OSS開発で『自分の庭』をつくる / kayac-andpad-event
fujiwara3
0
400
生成AIでシステム開発はどう変わるか
etaroid
19
7.8k
device mapperによるディスクI/O障害のエミュレーション
sat
PRO
7
2.3k
231116 あつまれ入力デバイスの沼 Ryu.Cyberさん
comucal
PRO
0
230

Featured

See All Featured
Designing for Performance
lara
601
66k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
31k
Optimizing for Happiness
mojombo
368
68k
Rails Girls Zürich Keynote
gr2m
90
12k
What's new in Ruby 2.0
geeforr
335
30k
Practical Orchestrator
shlominoach
179
9.4k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
The Cost Of JavaScript in 2023
addyosmani
10
3.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
900
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.3k
Navigating Team Friction
lara
177
13k
Building an army of robots
kneath
299
41k

Transcript

  1. View Slide

  2. View Slide

  3. Go to Hunt, But First Read
    Generating Hypotheses for Successful
    Threat Hunting
    https://goo.gl/Jo9qCA
    The ICS Cyber Kill Chain
    https://goo.gl/fivxp7
    The ThreatHunting Project
    http://ThreatHunting.net
    MITRE ATT&CK Framework
    https://attack.mitre.org
    Little Bobby
    http://LittleBobbyComic.com
    David J. Bianco
    Principal Engineer
    Target Corporation
    @DavidJBianco
    Robert M. Lee
    CEO
    Dragos, Inc.
    @RobertMLee

    View Slide

  4. View Slide

  5. Identifying Hunt Targets
    Use “friendly intel” to identify core processes and assets.
    Use threat intel to identify likely actors and their common tactics and known techniques
    against those assets.
    Cross reference with MITRE ATT&CK framework to identify related techniques.

    View Slide

  6. Setting Priorities
    Plot Tactics/Techniques against the attack lifecycle.

    View Slide

  7. Setting Priorities
    Plot Tactics/Techniques against the attack lifecycle.
    Rank entries in each phase by potential impact & breadth of activity coverage.
    Prioritize on two axes: lifecycle phase and rank in phase.

    View Slide

  8. Creating the Hunt Plan
    Research each technique to determine side effects & likely artifacts.
    Turn this research into actionable hunt info:
    Hunt hypotheses
    Data required
    Artifacts or effects to look for
    Analytic techniques
    Schedule these according to your available resources.
    Don’t forget to automate successful hunts!

    View Slide

  9. View Slide

  10. Welcome to the Jungle
    Jungle, Inc. is the leading supplier of wildlife-themed
    fidget spinners to the rainforest industry. Critical assets
    include:
    ● Product plans & specifications
    ● Manufacturing processes
    ● Market & customer info
    Most of their business relies on a single product. Rivals
    able to produce similar products more cheaply could
    severely impact their market share, so their biggest
    concerns are the confidentiality of their product plans
    and associated manufacturing processes.

    View Slide

  11. View Slide

  12. Data Exfiltration via PCR Shift
    The Producer-Consumer Ratio (PCR)
    measures the “shape” of a system’s pattern
    of network use. Significant shifts in PCR
    may indicate unusual data movement
    (staging or exfil).
    Hypothesis: Large amount of data being
    staged/exfiltrated will significantly change
    PCR from one or few hosts.
    Data Required: Network flow records.
    Source: The ThreatHunting Project (https://goo.gl/J7oGE9)
    Artifacts & Effects: Large PCR change over time
    Analytic Techniques: Visualization

    View Slide

  13. Lateral Movement in Process
    Logs
    An attacker’s first foothold in the
    environment is unlikely to offer them
    access to product plans or the ICS
    environment. Therefore, LM will be
    necessary.
    Source: The ThreatHunting Project (https://goo.gl/ZiqA1R and https://goo.gl/gM8HcM)
    Artifacts & Effects: Command shells started by documents or
    other weird parents; spikes in use of CLI recon tools
    Analytic Techniques: Visualization, stack counting
    Hypothesis: Lateral movement will be performed from the command line, requiring the
    attacker to spawn command shells. Additionally, they will tend to use existing CLI tools to
    orient themselves when they compromise a new host.
    Data Required: Process creation (Win event 4688, Sysmon event 1, EDR logs, etc)

    View Slide

  14. Adversary Positioning on HMIs
    HMIs are often on Windows and Linux systems
    familiar to adversaries, contain important visual
    information about the physical process, and can
    be connected for remote usage.
    Artifacts & Effects: New process spawning outside of maintenance periods, VPN
    session lengths/frequency, or HMI logs for undocumented interaction
    Analytic Techniques: Configuration and Frequency Analysis
    Human Machine Interfaces (HMIs) are the Supervisory Control for the Process
    Hypothesis: Adversaries will position on HMIs as
    familiar territory (Windows and Linux) while learning
    the industrial process.
    Data Required: Process creation, VPN logs, and
    HMI logs

    View Slide

  15. Exfiltration from Data Historian
    Espionage would require both the manufacturing
    schematics (IT) as well as the physical process
    information ultimately making up the full “recipe”
    details (ICS), which would require the Historian.
    Artifacts & Effects: Spikes in OPC usage and trends of larger
    OPC communications over time than previous
    Analytic Techniques: Visualization, Configuration Analysis,
    Time Series Seasonal Decomposition
    Hypothesis: Exfiltration from Historians would
    utilize legitimate ICS protocols such as OPC but it
    would generate consistently larger OPC
    communications.
    Data Historians hold the specifics about the physical industrial process.
    Data Required: Network captures of OPC

    View Slide

  16. Machine Learning for HTTP C2
    http://www.rhaensch.de/vrf.html
    By nature, most HTTP C2 will be slightly
    different than normal traffic. We may be able
    to exploit that by applying some simple ML
    techniques.
    Hypothesis: At least some HTTP C2
    transactions are “different enough” that an
    ML model can learn to find them.
    Data Required: Outgoing HTTP logs
    Artifacts & Effects: Not Applicable
    Analytic Techniques: Random Forests (Supervised), Isolation Forests
    (Unsupervised)
    Source: https://github.com/DavidJBianco/Clearcut

    View Slide

  17. Machine Learning for HTTP C2
    http://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf
    Source: https://github.com/DavidJBianco/Clearcut
    By nature, most HTTP C2 will be slightly
    different than normal traffic. We may be able
    to exploit that by applying some simple ML
    techniques.
    Hypothesis: At least some HTTP C2
    transactions are “different enough” that an
    ML model can learn to find them.
    Data Required: Outgoing HTTP logs
    Artifacts & Effects: Not Applicable
    Analytic Techniques: Random Forests (Supervised), Isolation Forests
    (Unsupervised)

    View Slide

  18. View Slide

  19. View Slide