Slide 1

Slide 1 text

Intel Driven Threat Hunting

Slide 2

Slide 2 text

Objectives
• Threat Hunting
• Who will hunt?
• Tools to hunt?
• Pyramid of Pain
• Where do we hunt?
• PASTA
• Threat Intelligence
• Methodically Hunting

Slide 3

Slide 3 text

What is Threat Hunting?
• Reactively pursuing abnormal activity on devices that may be a sign of compromise, intrusion, or exfiltration.
• Proactively and iteratively searching through networks to detect advanced threats that evade existing security controls.

Slide 4

Slide 4 text

Reactive
• Tactical methodology
• Current / now: what “is” or “has” happened
• Driven by present alerts and notifications
• Incident response process

Slide 5

Slide 5 text

Proactive
• Strategic methodology
• Deep analysis utilizing threat modeling
• Matures and develops detection for long-term results
• Utilizes knowledge of:
  • Indicators of Attack
  • Tactics
  • Techniques
  • Procedures
• Early warning through actively developed threat intelligence

Slide 6

Slide 6 text

Where do we begin?

Slide 7

Slide 7 text

Who will hunt?
• Critical and creative thinking (think like the adversary)
• Objective
• Analytical mindset
• Diverse (jack of all trades):
  • Network architecture
  • OS architecture
  • Network forensics
  • Understanding of the attack lifecycle
  • Offline investigative skills
• Perspective (open minded)

Slide 8

Slide 8 text

What tool to use? The Pyramid of Pain (https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html)
• TTP-based detection: manual searches and hunting (top of the pyramid; hardest for the adversary to change)
• Tool-based detection: AV/EDR detections, YARA rules, tool-specific detectors such as FireEye IOCs
• IOC-based detection: automatic matching of atomic indicators (hashes, IP addresses, domains) from intel feeds built into a product (bottom of the pyramid; trivial for the adversary to change)
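The point of the pyramid is that a detection keyed on a hash or IP stops working the moment the adversary recompiles or moves C2, while a detection keyed on the behaviour keeps firing. The following is an added example (not code from the slides) that runs an IOC-based detector and a TTP-based detector over three constructed process-creation events. The hashes, IP addresses (from the TEST-NET ranges) and command lines are made up for the demonstration; the TTP is the one actually described on the pyramid's top tier, an Office application spawning a shell with an encoded command line.

```python
"""Pyramid of Pain: IOC-based versus TTP-based detection over the same events."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    """A minimal process-creation record (Sysmon Event ID 1 style, fields trimmed)."""
    host: str
    parent: str      # parent image name, lower-case
    image: str       # child image name, lower-case
    cmdline: str
    sha256: str
    dest_ip: str     # destination of the first outbound connection, "" if none


# Constructed intel feed. Hypothetical values, not real indicators.
IOC_HASHES = {"a" * 64}
IOC_IPS = {"203.0.113.10"}

# Constructed events. ws01 matches the feed; ws02 is the same behaviour after
# the adversary recompiled the dropper and moved C2; ws03 is benign admin use.
EVENTS = [
    ProcEvent("ws01", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A",
              "a" * 64, "203.0.113.10"),
    ProcEvent("ws02", "excel.exe", "powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A",
              "b" * 64, "198.51.100.7"),
    ProcEvent("ws03", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1",
              "c" * 64, ""),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones
# followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")


def ioc_hits(events):
    """Bottom of the pyramid: exact match on a feed hash or IP."""
    return [e.host for e in events if e.sha256 in IOC_HASHES or e.dest_ip in IOC_IPS]


def ttp_hits(events):
    """Top of the pyramid: Office parent -> shell child carrying an encoded command."""
    return [e.host for e in events
            if e.parent in OFFICE_PARENTS
            and e.image in SHELLS
            and ENCODED_FLAG.search(e.cmdline)]


if __name__ == "__main__":
    print("IOC-based hits:", ioc_hits(EVENTS))   # ws01 only
    print("TTP-based hits:", ttp_hits(EVENTS))   # ws01 and ws02
```

The IOC detector catches the first intrusion and nothing else; the TTP detector catches both intrusions and ignores the scheduled backup script, which is the trade the pyramid describes: more analyst effort to write, far more effort for the adversary to evade.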

Slide 9

Slide 9 text

PASTA: What is PASTA?
• Process for Attack Simulation and Threat Analysis
• Authored by Tony UcedaVélez (VerSprite CEO) with Marco Morana; published in 2015 (Risk Centric Threat Modeling)
• Provides organizations a guide to assessing realistic threats.

Slide 10

Slide 10 text

PASTA: How does PASTA work?
• Organizations establish threats to important assets
• Organizational profile:
  • Important processes
  • Important hardware and software
  • Important data
  • Important roles (of employees)
  • Important safeguards
  • Important suppliers
  • Important proprietary assets

Slide 11

Slide 11 text

PASTA: How does PASTA work?
• Map assets onto business objectives
• Two ways:
  • Importance of processes
  • Importance of product or service
• Ask: what do the processes, product, or service provide?

Slide 12

Slide 12 text

PASTA: How does PASTA work?
• Build a threat library
• That is, an understanding of the security threats similar organizations face
• Key word: ‘similar’
• Update your threat library often.

Slide 13

Slide 13 text

PASTA: How does PASTA work?
• Vulnerability analysis
• Key question: what infrastructural (physical and technical) or computer-based exploits could be used against our organization?
• Purpose: to catalogue institutional and system-based weaknesses
• Such as: points of entry or escalation

Slide 14

Slide 14 text

PASTA: How does PASTA work?
• Assess findings
  • What attacks worked?
  • What else could be compromised?
  • Which suspicious activities should be prioritized, and which should not?
  • Does the organizational playbook need to change?
• Implement findings

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

PASTA: Main Purpose: Helps businesses identify and prioritize safeguards for organizational assets threat actors may seek to target.

Slide 17

Slide 17 text

What are Threat Models?
• Process maps of how threat actors could compromise or disrupt an organization.
• Purpose: to elucidate the attack methods threat actors could use against an organization, by creating maps of:
  • points of entry or escalation threat actors can leverage
  • information technology or cybersecurity weaknesses within the organization.

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

How do PASTA and Threat Models relate?
• PASTA provides a framework for prioritizing discovered vulnerabilities.
• The function of threat models remains constant; their purpose changes.
• The purpose of threat models becomes business-centric.
• PASTA is an innovative, state-of-the-art toolkit.
• It can change processes, outcomes, and goals within an organization.
• High level: frameworks like PASTA can alter the purpose and significance of threat models.

Slide 20

Slide 20 text

Benefits of Implementing PASTA into Threat Models
• New concept: organizational threat models
• Realistic: data, trends, and outcomes
• Sophisticated: planned, organized, tried and true.

Slide 21

Slide 21 text

Why hunt using a Threat Library?
• Technology advances and changes daily.
• Signature and heuristic detection methods cannot keep up with evolving threats; they only cover what has already been documented.
• Threat modeling lets hunting evolve around a baseline that can be updated and adapted easily, without waiting for a threat's movements to be documented and turned into current detection methods.
• View the organization from the outside in, as a threat actor would.

Slide 22

Slide 22 text

Threat Intelligence
In today’s market, threat intelligence is sold as a reaction: it is developed to be used after an event. Instead, threat intel for your threat library should be:
• Developed through analysis of intelligence feeds, not purchased as a finished product
• Informed by knowing your surroundings, digitally, geographically, and in your target markets
• Informed by world events
• Informed by history
• Informed offline (news, meet-ups, local interaction)

Slide 23

Slide 23 text

Threat Library Development
Organization Threat Model
• Technology
• Business initiatives
• Geographical location
• Target market
• Competitors
• Suppliers
• INDIVIDUALS ***
Threat Intel
• Technology
• Economics
• Business
• Military
• Diplomatic
• Infrastructure
• Cultural/Professional
• Religious
Together these form a developed baseline to drive hunts and architecture!

Slide 24

Slide 24 text

How to hunt?

Slide 25

Slide 25 text

How do we bring this all together? The Threat Hunting Loop:
• Create hypotheses
• Investigate via tools and techniques
• Uncover new patterns and TTPs
• Inform and enrich analytics (which feeds the next hypotheses)

Slide 26

Slide 26 text

Reactive vs Proactive (diagram; labels: Hypothesis, Hunting, Malware Forensics, Threat Intelligence, Alert, IR, Analysis)

Slide 27

Slide 27 text

Hypothesis
Every hunt begins with a hypothesis, but what do we hunt for?
• Analyze the threat library
• Apply threat intelligence to the library
• Formulate hypotheses from the events and TTPs associated with the library
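The PASTA steps on the earlier slides (profile the assets, map them to business objectives, build a threat library, run the vulnerability analysis) and this slide's hypothesis step are one pipeline: the library is only useful for hunting once each threat is paired with an asset whose weaknesses it can actually use, and ranked. The following is an added example, not the slides' or VerSprite's code, that models that pipeline and the loop's "inform and enrich" step in a few dozen lines. The assets, actor names, weakness labels and likelihood scores are constructed; the technique IDs are real MITRE ATT&CK IDs (T1566.001 Spearphishing Attachment, T1078 Valid Accounts, T1195.002 Compromise Software Supply Chain, T1190 Exploit Public-Facing Application), and the scoring formula is an illustrative choice, not part of PASTA.

```python
"""Threat library -> ranked hunt hypotheses -> enrich after a finding."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    objective: str               # business objective the asset supports (PASTA mapping)
    criticality: int             # 1 (low) .. 5 (critical)
    weaknesses: set = field(default_factory=set)   # from the vulnerability analysis


@dataclass
class Threat:
    actor: str
    technique: str               # ATT&CK technique ID
    description: str
    requires: set                # weaknesses the technique needs to succeed here
    likelihood: int              # 1..5, from intel on actors hitting similar orgs
    seen_here: bool = False      # set by enrich() after a confirmed finding


@dataclass
class Hypothesis:
    asset: str
    technique: str
    statement: str
    score: int


# Constructed organizational profile; not a real organization.
ASSETS = [
    Asset("payroll-db", "pay employees on time", 5, {"sql-from-app-tier", "weak-dba-creds"}),
    Asset("mail-gateway", "customer communication", 3, {"macro-enabled-attachments"}),
    Asset("build-server", "ship product", 4, {"unsigned-artifacts"}),
]

# Constructed threat library: what 'similar' organizations have faced.
LIBRARY = [
    Threat("FIN-style crime group", "T1566.001", "spearphishing attachment with macro",
           {"macro-enabled-attachments"}, 4),
    Threat("FIN-style crime group", "T1078", "reused DBA credentials (valid accounts)",
           {"weak-dba-creds"}, 3),
    Threat("supply-chain actor", "T1195.002", "tampered build artifact",
           {"unsigned-artifacts"}, 2),
    Threat("opportunistic scanner", "T1190", "exploit of public-facing app",
           {"internet-exposed-admin"}, 5),    # needs a weakness this org does not have
]


def generate_hypotheses(assets, library):
    """Pair each library threat with every asset whose weaknesses it can use.

    Score = asset criticality * threat likelihood, plus 5 if the actor has
    already been confirmed in this environment. Threats whose prerequisites
    are absent produce no hypothesis, however likely they are in general.
    """
    out = []
    for t in library:
        for a in assets:
            if t.requires <= a.weaknesses:
                score = a.criticality * t.likelihood + (5 if t.seen_here else 0)
                out.append(Hypothesis(
                    a.name, t.technique,
                    f"{t.actor} uses {t.description} against {a.name} ({a.objective})",
                    score))
    return sorted(out, key=lambda h: (-h.score, h.asset, h.technique))


def enrich(library, technique, actor):
    """Inform & enrich: a confirmed hunt finding raises that threat's weight."""
    for t in library:
        if t.technique == technique and t.actor == actor:
            t.seen_here = True
            t.likelihood = min(5, t.likelihood + 1)
    return library


if __name__ == "__main__":
    for h in generate_hypotheses(ASSETS, LIBRARY):
        print(h.score, h.technique, h.statement)
    enrich(LIBRARY, "T1078", "FIN-style crime group")   # hunt confirmed credential reuse
    print("top after enrich:", generate_hypotheses(ASSETS, LIBRARY)[0].score)
```

Run as-is, the highest-ranked hypothesis is credential reuse against the payroll database (criticality 5, likelihood 3), ahead of the more likely phishing threat because phishing only reaches a less critical asset; the public-facing exploit never appears because the vulnerability analysis found no exposed admin interface. After the hunt confirms the credential reuse, enrich() pushes that threat to the top with a larger margin, which is the loop closing on itself.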

Slide 28

Slide 28 text

Investigation (Diamond Model vertices and where each is investigated)
• Target: host analysis
• Capability: adversary toolkits
• Infrastructure: log analysis
• Adversary: TTPs, toolkit

Slide 29

Slide 29 text

Uncover
Discover new patterns and TTPs from the threat hunt
• Intrusion discovery and response
• Attack tree analysis

Slide 30

Slide 30 text

Inform & Enrich
• Produce threat intelligence from the discovery
• Develop hunting techniques
• Enhance security posture
• Update the threat library

Slide 31

Slide 31 text

Recap
• Threat Hunting
• Who is hunting?
• Tools
• What are we hunting?
• Threat Hunt Model