Slide 1

Threat Hunting: What’s on Your Network?
Ray Strubinger, DFIR Managing Consultant

Slide 2

Today’s Goals
• Develop a basic understanding of the concept and methods of threat hunting.
• Understand how threat hunting may be used to identify security events before they evolve into security incidents.

Slide 3

Our Approach
• Feel free to ask questions
• Slides are available at www.versprite.com/2018ISSA

Slide 4

Your Speaker – Ray Strubinger
• Managing Consultant, Digital Forensics & Incident Response at VerSprite
• Background in IT & Information Security Operations
• Industry experience in financial services, software development, government, higher education, healthcare, and consulting
• Certifications in forensics, auditing and incident management
• Led or participated in over 100 cases
  • Hacking, fraud & assorted white collar crimes
  • Large & small organizations

Slide 5

Our Focus
• General principles
• Techniques & concepts
• Nothing product specific

Slide 6

What is Threat Hunting? Who Uses It? Why is it Necessary?

Slide 7

Let’s Talk about Threats
• What is a threat?
  • NIST FIPS200 & ISO27005: “potential to harm assets such as information, processes and systems”
• The term “Threat Hunting” is relatively young – 2012
  • The term is new, the work is not
  • Building a team – challenges recruiters

Slide 8

What is Threat Hunting?
• A process that actively seeks & identifies suspicious files, activities or behaviors in the computing environment
  • Files – malicious or “dual purpose” content found on a system or in flight (network transfer, email, web activity, etc.)
  • Activities – connections or interactions with suspicious or unexpected sites, countries or regions
  • Behaviors – patterns such as transfers or beacons that take place in or out of the environment
• Threat Hunting is fundamentally:
  • Analysis of deviations from a baseline – reviewing the unusual
  • Understanding “normal” is powerful

Slide 9

Threat Hunting Foundation
• “Kornblum Maxim”: malware can hide but it must run
  • Originally presented in the 2006 paper by Jesse Kornblum, “Exploiting the Rootkit Paradox with Windows Memory Analysis”
• Malware operators want to avoid detection
• Malware operators need the malware to run
• This paradox contributes to the discovery of malware

Slide 10

Who Threat Hunts?
• Security Operations Centers (SOCs) or Fusion Centers
  • Usually a very seasoned analyst
• Incident Response Teams
  • Consulting firms
  • Internal IR team
• Specialized TH teams
  • Often former senior SOC analysts
  • Tend to self-source intel
  • Typically found in larger orgs or consulting firms

Slide 11

Who Needs Threat Hunting?
• Organizations that may have been compromised
  • Identification – methods may differ from what’s normally in place and potentially known to the attacker
• Organizations that have been compromised
  • Containment/Eradication – see it, manage it
  • Recovery – monitoring for reinfection
• Those that want to minimize the impact of a compromise
  • Identify threats early in the incident life cycle
  • Earlier detection = lower recovery costs (maybe)
  • Combine with red team exercises before a compromise

Slide 12

Who Needs Threat Hunting?
• M & A due diligence
  • Identify issues that impact purchasing or integration strategy
  • Technical pre-acquisition assessments are becoming common
• Auditing the existing environment
  • Identify gaps
  • Provide assurance
  • Proper TH is not just “check the box” auditing

Slide 13

Why is Threat Hunting Necessary?
• Active approach
  • Hunt – search determinedly for someone or something
• Potent countermeasure against emerging & evolving threats & threat actors
• Corporate computing environments have changed
  • What is the shape of your network?
  • Where is the network’s edge?

Slide 14

What’s Needed for Threat Hunting? Human & Technical Aspects

Slide 15

Threat Hunting – Human Aspects
• A skill to be developed
  • Nearly insatiable curiosity
  • Checklists only take things so far
• Solid research skills
  • Not limited to traditional internet searches
  • May need a virtual environment – a “lab”
• Understand the technical
  • Where do applications typically reside & run?
  • Should this system communicate with another country?
  • Should tens of gigs of data be flowing over port 8080?

Slide 16

Threat Hunting – Technical Aspects
• Gain hypervisibility to the endpoints & ideally the network
  • Push an app (an agent) to every system
  • Gather metadata about running processes
  • Collect information about ports and IP addresses
  • Registry review
  • Startup locations
  • Scheduled tasks
• Alternatively, query the OS for this information

Slide 17

Threat Hunting – Technical Aspects
• Collect & aggregate data from every system
  • A SOC, TIC or Fusion Center may do this
  • Data may be in a SIEM or other appliance
• A threat may not be recognized for several reasons
  • Detection may use signatures instead of behaviors
  • Talent may not realize what they see
  • Low quality baseline
  • Volume of events may drown the signal
  • Event not actually captured

Slide 18

Threat Hunting – Technical Aspects
• Interaction with all systems may not be practical
  • Too much data
  • Too much effort
  • Too costly
• If interaction with every system is not practical
  • There’s sampling (that’s a topic for another presentation)

Slide 19

Bringing It All Together

Slide 20

We have data, now what?
• Review running applications
  • Note parent/child relationships
    • Notepad launched an app?
  • Does the process match a file on the storage media?
  • Are there hollow processes?
  • Note the path of running applications
    • lsass.exe running out of system32? Is that okay?
  • File hashes – do they check out?
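The process review on this slide can be turned into a repeatable check once process metadata has been collected from endpoints. The following is an added example (not from the talk or from VerSprite) that runs the three questions above over a constructed process snapshot: it flags children of applications that should never spawn anything, core Windows binaries whose on-disk path differs from an expected-path baseline, and images whose hash does not match a known-good hash baseline. The baselines, the process list and the hash values are all constructed for the example; the placeholder hashes are not real file hashes.

```python
"""Process-review hunt over a constructed endpoint snapshot (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str    # image name as reported by the OS
    path: str    # full path of the image on disk
    sha256: str  # hash of the image file


# Baseline 1: where core OS binaries are expected to live. Assumption: built
# from clean reference systems; the slides do not supply such a list.
EXPECTED_PATHS = {
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
}

# Baseline 2: user applications that should never spawn a child process.
NO_CHILDREN = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Baseline 3: known-good hashes keyed by lowercase image path.
# The values are constructed placeholders, not real hashes.
HASH_BASELINE = {
    r"c:\windows\system32\lsass.exe": "a" * 64,
    r"c:\windows\system32\svchost.exe": "b" * 64,
    r"c:\windows\system32\notepad.exe": "c" * 64,
}


def unexpected_children(procs):
    """(parent name, parent pid, child name, child pid) for every child of a
    process that should not spawn anything, e.g. Notepad launching cmd."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() in NO_CHILDREN:
            hits.append((parent.name, parent.pid, p.name, p.pid))
    return sorted(hits)


def wrong_paths(procs):
    """(name, pid, observed path) for core binaries running from a path that
    differs from the baseline, e.g. lsass.exe out of a user's temp folder."""
    hits = []
    for p in procs:
        expected = EXPECTED_PATHS.get(p.name.lower())
        if expected and p.path.lower() != expected:
            hits.append((p.name, p.pid, p.path))
    return sorted(hits)


def hash_mismatches(procs, baseline=HASH_BASELINE):
    """Split images into those whose hash differs from the baseline entry for
    their path and those with no baseline entry at all (a hunter decides
    whether the latter should extend the baseline)."""
    mismatched, unknown = [], []
    for p in procs:
        known = baseline.get(p.path.lower())
        if known is None:
            unknown.append((p.name, p.pid, p.path))
        elif known != p.sha256.lower():
            mismatched.append((p.name, p.pid, p.path))
    return sorted(mismatched), sorted(unknown)


# Constructed snapshot: one clean lsass, one lsass impostor in a temp folder,
# Notepad spawning cmd.exe, and an svchost whose hash no longer matches.
SNAPSHOT = [
    Proc(4, 0, "System", r"c:\windows\system32\ntoskrnl.exe", "d" * 64),
    Proc(520, 4, "wininit.exe", r"c:\windows\system32\wininit.exe", "e" * 64),
    Proc(600, 520, "lsass.exe", r"C:\Windows\System32\lsass.exe", "a" * 64),
    Proc(900, 520, "svchost.exe", r"C:\Windows\System32\svchost.exe", "f" * 64),
    Proc(1200, 4, "explorer.exe", r"c:\windows\explorer.exe", "1" * 64),
    Proc(2900, 1200, "notepad.exe", r"C:\Windows\System32\notepad.exe", "c" * 64),
    Proc(3100, 2900, "lsass.exe", r"C:\Users\bob\AppData\Local\Temp\lsass.exe", "9" * 64),
    Proc(3200, 2900, "cmd.exe", r"C:\Windows\System32\cmd.exe", "2" * 64),
]


def hunt(procs=SNAPSHOT):
    """Run all three reviews and return the findings as one dict."""
    mismatched, unknown = hash_mismatches(procs)
    return {
        "unexpected_children": unexpected_children(procs),
        "wrong_paths": wrong_paths(procs),
        "hash_mismatches": mismatched,
        "not_in_hash_baseline": unknown,
    }


if __name__ == "__main__":
    for check, findings in hunt().items():
        print(f"{check}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

Path comparison is case-insensitive because Windows paths are; the hash baseline is keyed by path rather than by image name so that an impostor with a legitimate name but a different location shows up as "not in baseline" rather than silently matching the real binary's hash entry.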

Slide 21

We have data, now what?
• Review open ports
  • Port 445 may be open on every system, but what about port 22?
  • Why is zxcybea.exe talking to 178.216.249.71 on port 443?
• Validate process-to-port mappings
  • Why does notepad have port 21 open?
  • Why is port 6666 open by zxcybea.exe?
• Note the network traffic
  • Source & destination ports & protocol
  • Volume of traffic
  • Destination IP addresses
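The port and traffic review on this slide is the "deviation from a baseline" idea of Slide 8 applied to sockets. The following is an added example (not from the talk or from VerSprite) that takes a constructed per-host connection snapshot and checks it against three assumed baselines: which listening ports each host role is expected to expose, which processes are expected to own a listening socket at all, and how much data one process should be sending to a single address outside the organisation. The host names, roles, processes and byte counts are constructed; the remote address 178.216.249.71 is the one quoted on the slide.

```python
"""Port and network review over a constructed endpoint snapshot (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Conn:
    host: str
    process: str
    pid: int
    proto: str
    lport: int      # local port
    raddr: str      # remote address ("" for a listener)
    rport: int      # remote port (0 for a listener)
    state: str      # LISTEN or ESTABLISHED
    bytes_out: int  # bytes sent over the sample window


# Baselines: assumptions built for this example, not taken from the slides.
HOST_ROLES = {"ws-0042": "workstation", "srv-db01": "server"}
EXPECTED_LISTENERS = {
    "workstation": {135, 139, 445},
    "server": {22, 135, 139, 445, 3389},
}
# Processes that legitimately own a listening socket.
LISTENING_PROCESSES = {"system", "svchost.exe", "lsass.exe", "sshd.exe"}
# Outbound volume to one external address that merits a look (bytes).
VOLUME_THRESHOLD = 10_000_000


def unexpected_listeners(conns):
    """(host, process, lport, reason) for listening sockets that break the
    baseline: a port the host's role should not expose, or a process that
    should never listen (e.g. Notepad with port 21 open)."""
    hits = []
    for c in conns:
        if c.state != "LISTEN":
            continue
        role = HOST_ROLES.get(c.host, "workstation")  # unknown hosts: strictest role
        reasons = []
        if c.lport not in EXPECTED_LISTENERS[role]:
            reasons.append(f"port {c.lport} not in {role} baseline")
        if c.process.lower() not in LISTENING_PROCESSES:
            reasons.append(f"{c.process} is not expected to listen")
        if reasons:
            hits.append((c.host, c.process, c.lport, "; ".join(reasons)))
    return sorted(hits)


def is_external(addr):
    """True when the remote address is publicly routable, i.e. outside the org."""
    return bool(addr) and ip_address(addr).is_global


def external_talkers(conns):
    """Sum bytes sent per (host, process, remote address, remote port) over
    established connections to external addresses; the final field marks
    whether the total crosses VOLUME_THRESHOLD."""
    totals = {}
    for c in conns:
        if c.state == "ESTABLISHED" and is_external(c.raddr):
            key = (c.host, c.process, c.raddr, c.rport)
            totals[key] = totals.get(key, 0) + c.bytes_out
    return sorted(key + (sent, sent >= VOLUME_THRESHOLD) for key, sent in totals.items())


# Constructed snapshot: SMB on every host, an unexpected FTP listener owned by
# Notepad, an unknown binary listening on 6666 and pushing ~48 MB to an
# external host on 443, SSH on a workstation, and browsing via an internal proxy.
SNAPSHOT = [
    Conn("ws-0042", "System", 4, "tcp", 445, "", 0, "LISTEN", 0),
    Conn("ws-0042", "notepad.exe", 2900, "tcp", 21, "", 0, "LISTEN", 0),
    Conn("ws-0042", "zxcybea.exe", 3300, "tcp", 6666, "", 0, "LISTEN", 0),
    Conn("ws-0042", "zxcybea.exe", 3300, "tcp", 51022, "178.216.249.71", 443, "ESTABLISHED", 48_000_000),
    Conn("ws-0042", "chrome.exe", 1400, "tcp", 51023, "10.0.0.5", 443, "ESTABLISHED", 200_000),
    Conn("ws-0042", "sshd.exe", 2100, "tcp", 22, "", 0, "LISTEN", 0),
    Conn("srv-db01", "sshd.exe", 700, "tcp", 22, "", 0, "LISTEN", 0),
    Conn("srv-db01", "System", 4, "tcp", 445, "", 0, "LISTEN", 0),
]


if __name__ == "__main__":
    print("Unexpected listeners:")
    for host, proc, port, reason in unexpected_listeners(SNAPSHOT):
        print(f"  {host} {proc} :{port}  ({reason})")
    print("External talkers (host, process, raddr, rport, bytes, over threshold):")
    for row in external_talkers(SNAPSHOT):
        print("  ", row)
```

The port-22 finding on ws-0042 illustrates the slide's point: sshd is a legitimate listener, so a process allow-list alone would pass it, and only the per-role port baseline catches SSH on a workstation. Internal addresses are excluded from the volume check via `ip_address(...).is_global`, which keeps traffic to proxies and file servers from dominating the list.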

Slide 22

Threat Hunting Considerations
Advantages
• Active approach
• Behavior vs signature
Challenges
• May only detect active threats
• Requires skilled people to be most effective

Slide 23

Final Thought – Where to Start – Logs
• If what we’ve been talking about seems impossible, consider this:
• 2009, 2010 & 2012 Verizon DBIR
  • “…opportunity for detection is there; 66% percent of victims had sufficient evidence available within their logs to discover the breach…”
  • “…lack of monitoring active event logs remains a consistent weakness … 84% of victims had evidence of the breach in their event logs.”

Slide 24

Thank you
Ray Strubinger
rays@versprite.com
Slides: www.versprite.com/2018ISSA