Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hunting in the Dark - UNC Cybersecurity Symposi...

Ryan Kazanciyan
October 05, 2016
Technology
0
390

Hunting in the Dark - UNC Cybersecurity Symposium 2016

"Hunting" is a key phase of the incident response lifecycle that aims to identify, on a proactive basis, unknown threats lurking in an environment. In practice, many hunting teams focus on searching for public or purchased IOCs­ often representing intelligence that has already been burned. Hunting without specific leads is difficult, and every environment (and incident) has its own unique characteristics. This presentation will provide analytic techniques that can identify generic evidence of post­-compromise activity, with focus on the contemporary approaches that targeted attackers employ for credential harvesting, persistence, and lateral movement in Windows environments. It will illustrate sources of evidence that are ideal for large­-scale anomaly analysis, and provide examples of how to effectively collect data, reduce noise, and minimize dependencies on external threat feeds.

Ryan Kazanciyan

October 05, 2016
Tweet

More Decks by Ryan Kazanciyan

See All by Ryan Kazanciyan
Broken Links - Emergence and Future of Software Supply-Chain Compromises
ryankaz
1
200
(Re)Investigating PowerShell Attacks - BruCon 2018
ryankaz
0
84
The 7 Habits of Highly Effective Hackers
ryankaz
1
570
IOCs are Dead - Long Live IOCs! (CounterMeasure 2016)
ryankaz
0
310
DSCompromised: A Windows DSC Attack Framework
ryankaz
0
98
IOCs are Dead - Long Live IOCs! (RSA USA 2016)
ryankaz
2
280
Desired State: Compromised - BruCon 2015
ryankaz
0
160
Hunting in the Dark - HTCIA 2015
ryankaz
0
780
Investigating PowerShell Attacks - Black Hat 2014
ryankaz
0
140

Other Decks in Technology

See All in Technology
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
990
強いチームと開発生産性
onk
PRO
34
11k
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
120
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
TypeScript、上達の瞬間
sadnessojisan
46
13k
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
380
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Teambox: Starting and Learning
jrom
133
8.8k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
4 Signs Your Business is Dying
shpigford
180
21k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. Hunting in the Dark Ryan Kazanciyan, Chief Security Architect October

    5, 2016

  2. whoami Copyright 2016 Tanium Inc. All rights reserved. 2

  3. Examining an environment, on a proactive or reactive basis, for

    evidence of malicious activity – without specific investigative leads

  4. Goals and success criteria Copyright 2016 Tanium Inc. All rights

    reserved. 4 • Functional at enterprise-scale • Complementary to IOC & threat feed detection • Repeatable over time

  5. My focus for this presentation Copyright 2016 Tanium Inc. All

    rights reserved. 5 • Endpoint-centric • Widely-available data • Techniques, not specific tools

  6. Common Pitfalls

  7. Distinguishing normal, interesting, and bad

  8. Analysts often radically underestimate the noise level of an enterprise

    environment

  9. Your applications are noisy Copyright 2016 Tanium Inc. All rights

    reserved. 9 • Different OS versions and add-ons • User-installed applications • Random / GUID file names & paths • Temporary artifacts of software installers • Updates & patches “How many unique PE files (EXEs, DLLs, drivers) have been loaded across all my systems?”

  10. Your users are noisy Copyright 2016 Tanium Inc. All rights

    reserved. 10 • Maintenance and administration scripts • Ad-hoc troubleshooting • Service and application accounts • Misunderstood native OS behavior “How often do my privileged accounts authenticate across the environment?

  11. Overwhelming yourself with data, “just in case”…

  12. You cannot capture everything, constantly Copyright 2016 Tanium Inc. All

    rights reserved. 12 • OS-level telemetry • Application-level telemetry • Data at-rest • Volatile memory

  13. We’ve been through this already… Copyright 2016 Tanium Inc. All

    rights reserved. 13 Expectation Reality

  14. Falling victim to tunnel vision on “important assets”

  15. Defender bias Copyright 2016 Tanium Inc. All rights reserved. 15

    “…what may be critical to you…may not be the ‘crown jewels’ from the perspective of the adversary...” “You'll find yourself hunkered down in your Maginot Line bunkers, awaiting that final assault, only to be mystified when it never seems to come.” – Harlan Carvey Source: http://windowsir.blogspot.com)

  16. Hacking is graph traversal Copyright 2016 Tanium Inc. All rights

    reserved. 16

  17. Practical example: BloodHound Copyright 2016 Tanium Inc. All rights reserved.

    17 • Graph analysis of AD relationships • Identify pathways to privilege escalation https://github.com/adaptivethreat/BloodHound

  18. Developing a sustainable hunting strategy

  19. Structuring the process Copyright 2016 Tanium Inc. All rights reserved.

    19 External IOCs & reputation data Homegrown IOCs & ad- hoc searches Targeted hunting workflows Continuous & automated analysis
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None
  53. None
  54. None
  55. None
  56. None
  57. None
  58. None
  59. None
  60. None
  61. None
  62. None
  63. None
  64. None
  65. None