Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hunting in the Dark - UNC Cybersecurity Symposium 2016

Ryan Kazanciyan
October 05, 2016
Technology
0
330

Hunting in the Dark - UNC Cybersecurity Symposium 2016

"Hunting" is a key phase of the incident response lifecycle that aims to identify, on a proactive basis, unknown threats lurking in an environment. In practice, many hunting teams focus on searching for public or purchased IOCs­ often representing intelligence that has already been burned. Hunting without specific leads is difficult, and every environment (and incident) has its own unique characteristics. This presentation will provide analytic techniques that can identify generic evidence of post­-compromise activity, with focus on the contemporary approaches that targeted attackers employ for credential harvesting, persistence, and lateral movement in Windows environments. It will illustrate sources of evidence that are ideal for large­-scale anomaly analysis, and provide examples of how to effectively collect data, reduce noise, and minimize dependencies on external threat feeds.

Ryan Kazanciyan

October 05, 2016
Tweet

More Decks by Ryan Kazanciyan

See All by Ryan Kazanciyan
Broken Links - Emergence and Future of Software Supply-Chain Compromises
ryankaz
1
180
(Re)Investigating PowerShell Attacks - BruCon 2018
ryankaz
0
74
The 7 Habits of Highly Effective Hackers
ryankaz
1
520
IOCs are Dead - Long Live IOCs! (CounterMeasure 2016)
ryankaz
0
280
DSCompromised: A Windows DSC Attack Framework
ryankaz
0
88
IOCs are Dead - Long Live IOCs! (RSA USA 2016)
ryankaz
2
240
Desired State: Compromised - BruCon 2015
ryankaz
0
140
Hunting in the Dark - HTCIA 2015
ryankaz
0
710
Investigating PowerShell Attacks - Black Hat 2014
ryankaz
0
130

Other Decks in Technology

See All in Technology
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
430
反実仮想機械学習とは何か
usaito
PRO
8
3k
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
270
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
130
開発パフォーマンスを最大化するための開発体制
ham0215
1
140
JAWS-UG Bedrock Claude Night
yamahiro
3
540
NgRx Signal Store
rainerhahnekamp
0
140
Oracle Cloud Infrastructure:2024年4月度サービス・アップデート
oracle4engineer
PRO
1
190
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.2k
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
120
JSON攻略法.pdf
miyakemito
8
4.8k

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
Scaling GitHub
holman
457
140k
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k
Documentation Writing (for coders)
carmenintech
60
3.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Testing 201, or: Great Expectations
jmmastey
28
6.3k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Why Our Code Smells
bkeepers
PRO
331
56k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
A Philosophy of Restraint
colly
197
16k
Designing for Performance
lara
601
67k

Transcript

  1. Hunting in the Dark Ryan Kazanciyan, Chief Security Architect October

    5, 2016

  2. whoami Copyright 2016 Tanium Inc. All rights reserved. 2

  3. Examining an environment, on a proactive or reactive basis, for

    evidence of malicious activity – without specific investigative leads

  4. Goals and success criteria Copyright 2016 Tanium Inc. All rights

    reserved. 4 • Functional at enterprise-scale • Complementary to IOC & threat feed detection • Repeatable over time

  5. My focus for this presentation Copyright 2016 Tanium Inc. All

    rights reserved. 5 • Endpoint-centric • Widely-available data • Techniques, not specific tools

  6. Common Pitfalls

  7. Distinguishing normal, interesting, and bad

  8. Analysts often radically underestimate the noise level of an enterprise

    environment

  9. Your applications are noisy Copyright 2016 Tanium Inc. All rights

    reserved. 9 • Different OS versions and add-ons • User-installed applications • Random / GUID file names & paths • Temporary artifacts of software installers • Updates & patches “How many unique PE files (EXEs, DLLs, drivers) have been loaded across all my systems?”

  10. Your users are noisy Copyright 2016 Tanium Inc. All rights

    reserved. 10 • Maintenance and administration scripts • Ad-hoc troubleshooting • Service and application accounts • Misunderstood native OS behavior “How often do my privileged accounts authenticate across the environment?

  11. Overwhelming yourself with data, “just in case”…

  12. You cannot capture everything, constantly Copyright 2016 Tanium Inc. All

    rights reserved. 12 • OS-level telemetry • Application-level telemetry • Data at-rest • Volatile memory

  13. We’ve been through this already… Copyright 2016 Tanium Inc. All

    rights reserved. 13 Expectation Reality

  14. Falling victim to tunnel vision on “important assets”

  15. Defender bias Copyright 2016 Tanium Inc. All rights reserved. 15

    “…what may be critical to you…may not be the ‘crown jewels’ from the perspective of the adversary...” “You'll find yourself hunkered down in your Maginot Line bunkers, awaiting that final assault, only to be mystified when it never seems to come.” – Harlan Carvey Source: http://windowsir.blogspot.com)

  16. Hacking is graph traversal Copyright 2016 Tanium Inc. All rights

    reserved. 16

  17. Practical example: BloodHound Copyright 2016 Tanium Inc. All rights reserved.

    17 • Graph analysis of AD relationships • Identify pathways to privilege escalation https://github.com/adaptivethreat/BloodHound

  18. Developing a sustainable hunting strategy

  19. Structuring the process Copyright 2016 Tanium Inc. All rights reserved.

    19 External IOCs & reputation data Homegrown IOCs & ad- hoc searches Targeted hunting workflows Continuous & automated analysis
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None
  53. None
  54. None
  55. None
  56. None
  57. None
  58. None
  59. None
  60. None
  61. None
  62. None
  63. None
  64. None
  65. None