Slide 1

Slide 1 text

whoami
Certifications:
• CEH, CHFI
• Palo Alto Networks ACE
• McAfee Vulnerability Manager
Experience:
• Assisted investigative and prosecutorial agencies in major cybercrime cases
• Built enterprise APT defenses
• Assisted enterprises with security incident handling
Specialties:
• Incident Response / Compromised Assessment / Malware Analysis
• Penetration Testing & Exploit Research
• Security Solution Implementation
• APT (Gateway/Mail/Sandbox/Endpoint)
• NGFW & NGIPS
• Endpoint / Managed Detection and Response

Slide 2

Slide 2 text

The boss's dream, and ours…

Slide 3

Slide 3 text

CyberSec 101: Threat detection mechanisms (DETECT). Threat Hunting & Compromised Assessment on the cheap 101

Slide 4

Slide 4 text

Agenda
1. What is Threat Hunting & Compromised Assessment
2. Hunting and Assessment Cycle
3. How to… On the Cheap…
   A. Host
   B. Network
   C. Intelligence
4. Conclusion

Slide 5

Slide 5 text

1. What is Threat Hunting & Compromised Assessment

Slide 6

Slide 6 text

Why we need it??? (1)
• The enterprise's intrusion vectors (Initial Access)
• The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network.
• In other words: the ways the attackers got in…

Slide 7

Slide 7 text

Why we need it??? (2) Sandbox evasion and anti-analysis
• https://github.com/a0rtega/pafish
• https://github.com/AlicanAkyol/sems/
• https://github.com/LordNoteworthy/al-khaser
• https://github.com/marcusbotacin/Anti.Analysis
• https://github.com/ricardojrdez/anti-analysis-tricks
• https://github.com/google/sandbox-attacksurface-analysis-tools

Slide 8

Slide 8 text

Why we need it??? (3) LOLBAS
• Only pre-installed software is used by the attacker, and no additional binary executables are installed onto the system

Slide 9

Slide 9 text

Why we need it??? (4) Legitimate tools as cover for illegitimate activity
• SoftEther VPN is an open-source, cross-platform, multi-protocol VPN solution developed by University of Tsukuba graduate student Daiyuu Nobori (登太游) for his master's thesis; it lets several VPN protocols such as SSL VPN, L2TP, IPsec, OpenVPN and Microsoft SSTP be served by a single VPN server.
• The North Korean cyber unit LAZARUS also used this VPN tool as a stepping stone in its attacks

Slide 10

Slide 10 text

Alerting vs Hunting
ALERTING (AUTOMATIC)
• Reactive: Focus on known threats
HUNTING (MANUAL)
• Proactive: Focus on new threats
TI – threat intelligence
MA – malware analysis
DF – digital forensics
IR – incident response

Slide 11

Slide 11 text

Threat Hunting. What is It?
• Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions. (sqrrl)
• “Searching for persistent threats that have evaded existing security controls” (Delta Risk)

Slide 12

Slide 12 text

Compromise Assessment (1)
• A compromise assessment is a high-level review of the organization that does not rely on a hypothesis or limited scope in order to answer a very fundamental question: am I compromised? In other words, based upon your organization’s data, logs, and existing telemetry, are there any indicators of compromise, or threat actors present in the environment? (Cisco)
• “A proactive time-bound effort to detect threats that have evaded existing security controls” (Delta Risk)
• In Taiwan this seems to go by the name “trojan inspection” (木馬檢測), or the malware review plus network-traffic and log analysis parts of a security health check…

Slide 13

Slide 13 text

Compromise Assessment (2)
Definitionally, a compromise assessment should be:
• Focused - On detecting malicious software and unauthorized activity within the organization
• Time Bound - Assessments are short in duration and high in intensity, generally completed within hours/days
• Affordable - The organization should be able to conduct them regularly
• Independent - Should not depend on in-place detection tools, which may have missed the threat in the first place

Slide 14

Slide 14 text

2. Hunting and Assessment Cycle

Slide 15

Slide 15 text

Cycle
Look at your network (logs) and your hosts (logs)
General hunt methodology
• Collect data (collect everything you can, and keep monitoring)
• Analyze the collection (analysis)
• Follow up on leads (chase down the leads)
• Remediate (handle and fix)
• Repeat (continuous loop, or run periodically)

Slide 16

Slide 16 text

3.A How to … On the Cheap … Host

Slide 17

Slide 17 text

Collect (IR Toolkit) https://github.com/diogo-fernan/ir-rescue
• activity: user activity data
• disk: disk data
• events: Windows event logs
• filesystem: data related to NTFS and files
• malware: system data that can be used to spot malware
• memory: the memory
• network: network data
• registry: system and user registry
• system: system-related information
• web: browsing history and caches

Slide 18

Slide 18 text

Yara Scan
• https://github.com/Yara-Rules/rules
• https://github.com/Neo23x0/signature-base/tree/master/yara

Slide 19

Slide 19 text

Sandbox • https://www.one-tab.com/page/0weIQ1SfQqmTbQGJ__wbBw

Slide 20

Slide 20 text

SYSMON • https://github.com/nshalabi/SysmonTools

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

LINUX: collection of useful articles
• https://www.one-tab.com/page/3tLqOfx8T8qkCDp4dDm6_Q

Slide 23

Slide 23 text

MacOS Assessment
• KnockKnock (similar to Autoruns, one of the “big three” Microsoft Sysinternals tools)

Slide 24

Slide 24 text

MacOS Assessment
• TaskExplorer (similar to Process Explorer, one of the “big three” Microsoft Sysinternals tools)

Slide 25

Slide 25 text

https://github.com/orlikoski

Slide 26

Slide 26 text

3.B How to … On the Cheap … Network

Slide 27

Slide 27 text

Sigma
• https://github.com/Neo23x0/sigma
• Sigma is for log files what Snort is for network traffic and YARA is for files.

Slide 28

Slide 28 text

sigmac
• python sigmac --target splunk app_python_sql_exceptions.yml -c sysmon
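To make concrete what a Sigma rule actually expresses before sigmac or uncoder.io translates it into a Splunk, Elastic or other backend query, the following is an added example, not code from the talk and not part of the Sigma project. It re-implements a small subset of Sigma's matching semantics in plain Python (the `|endswith`/`|startswith`/`|contains` modifiers, list values as OR, fields in a selection as AND, and the condition forms `selection` and `selection and not filter`) and runs one rule over Sysmon-style process-creation records. The rule, the parent-process filter value and the event records are all constructed sample data; real deployments convert the YAML rule with sigmac (as in the command above) rather than evaluating it by hand.

```python
"""Minimal Sigma-style matching over Sysmon-like process-creation events.

Added example: a simplified re-implementation of a subset of Sigma's
detection semantics, so the reader can see what a rule fed to sigmac means.
Everything below (rule, filter value, events) is constructed sample data.
"""

# Constructed rule: the layout mirrors the `detection` section of a Sigma
# YAML file, written as a Python dict so no YAML parser is required.
RULE = {
    "title": "Sample: pre-installed PowerShell run with an encoded command",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            # list value = OR between the entries; both fields = AND
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [" -enc ", " -EncodedCommand "],
        },
        "filter": {
            # constructed placeholder for a known-good parent process
            "ParentImage|endswith": "\\trusted_admin_tool.exe",
        },
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon Event ID 1 records (process creation).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # "UwBhAG0AcABsAGUA" is just the word "Sample" in UTF-16LE base64
     "CommandLine": "powershell.exe -NoP -W Hidden -enc UwBhAG0AcABsAGUA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"RecordId": 2, "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"RecordId": 3, "EventID": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe -enc notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"RecordId": 4, "EventID": 1,
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand UwBhAG0AcABsAGUA",
     "ParentImage": "C:\\Tools\\trusted_admin_tool.exe"},
]


def _as_list(value):
    """Sigma allows a scalar or a list of values for one field."""
    return value if isinstance(value, list) else [value]


def field_matches(event, key, expected):
    """Evaluate one `Field|modifier: value(s)` entry against an event.

    Sigma string matching is case-insensitive, so both sides are lowered.
    """
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    actual_l = str(actual).lower()
    for exp in _as_list(expected):
        exp_l = str(exp).lower()
        if modifier == "endswith" and actual_l.endswith(exp_l):
            return True
        if modifier == "startswith" and actual_l.startswith(exp_l):
            return True
        if modifier == "contains" and exp_l in actual_l:
            return True
        if modifier == "" and actual_l == exp_l:
            return True
    return False


def selection_matches(event, selection):
    """All fields of a selection map must match (logical AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate the rule's condition; supports `A` and `A and not B` only."""
    det = rule["detection"]
    tokens = det["condition"].split()
    if len(tokens) == 1:
        return selection_matches(event, det[tokens[0]])
    if len(tokens) == 4 and tokens[1] == "and" and tokens[2] == "not":
        return (selection_matches(event, det[tokens[0]])
                and not selection_matches(event, det[tokens[3]]))
    raise ValueError(f"unsupported condition: {det['condition']!r}")


def hunt(rule, events):
    """Return the RecordIds of the events the rule fires on."""
    return [e["RecordId"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", hunt(RULE, SAMPLE_EVENTS))
```

Record 1 is the only hit: record 2 has no encoded command, record 3 is not a PowerShell image even though its command line contains ` -enc `, and record 4 matches the selection but is excluded by the `filter` clause. That last case is the part to think about when writing real rules: every `filter` entry is a blind spot you are deliberately accepting, so it should be as narrow as the parent-process path used here, not a wildcard.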

Slide 29

Slide 29 text

https://uncoder.io

Slide 30

Slide 30 text

2019/2: What counts as a “strange pattern”?

Slide 31

Slide 31 text

sigma2
• https://docs.google.com/spreadsheets/d/1pjgXD9ABpXwWFKPMr2R7wIyCz1VbQZjyDCA8ciIAsRw/edit?usp=sharing

Slide 32

Slide 32 text

SOCPRIME

Slide 33

Slide 33 text

MITRE ATT&CK Detection Assessment

Slide 34

Slide 34 text

3.C How to … On the Cheap … Intelligence

Slide 35

Slide 35 text

Threat intelligence
Collection methods and sources:
• IR
• VIRUSTOTAL Yara Hunting
• Threat Hunting (Anomaly Detection)
• OSINT
• Twitter
• https://github.com/hslatman/awesome-threat-intelligence
• https://www.one-tab.com/page/higRMQLCTxaBpuYO0_JEuA
• https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
• Analysis of unknown samples provided by customers, and follow-up correlation
• Honeypots (open proxy, Tor node)
• Intelligence extracted from the major security appliances
• Proactive trojan inspection
Intelligence categories:
• Weaknesses and vulnerabilities
• C2 servers (relay stations)
• Attacker techniques

Slide 36

Slide 36 text

9 vs. 14
• TTV (台視)
• CTV (中視)
• FTV (民視)
• CTS (華視)
• EBC (東森)
• ERA (年代)
• CTi (中天)
• SET (三立)
• USTV (非凡)
• Eight critical-infrastructure sectors
• Regional joint defense of the six special municipalities

Slide 37

Slide 37 text

The reality of threat intelligence in Taiwan
• “Taiwan's G-ISAC was founded in 2009; by 2019 the number of ISACs has already surpassed the number of cable TV news channels in Taiwan. Hopefully the quality of the intelligence will surpass the news channels too.”

Slide 38

Slide 38 text

What is Compromised Assessment? • https://www.one-tab.com/page/GoxG9XzdTbe3N47cc2_Kpw

Slide 39

Slide 39 text

4. Conclusion

Slide 40

Slide 40 text

There is no 100% in security; the only option is to raise the attacker's cost of intrusion.
The cyber adversary's tactics flow like water, seeking the path of least resistance. Plan accordingly. - Sun Tzu, The Art of Cyber War -

Slide 41

Slide 41 text

Being breached is not shameful; what matters is whether the lessons are genuinely fed back and improvements made.
The competent cyber warrior learns from their mistakes. The cyber master learns from the mistakes & know-how of others. - Sun Tzu, The Art of Cyber War -

Slide 42

Slide 42 text

Thank You