
Threat Hunting: Utilizing threat Intelligence to Hunt the Unknown in Your Networks


In today’s world, most security teams use threat intelligence reactively, reacting to each sign of compromise. While this method is common, we want to pose a question to the attendees – why? Why wait for the unknown to hit you first?

In this presentation, Jake and Jordan explore what it means to be proactive in your security measures. They discuss how threat hunting and utilizing Threat Intel produced by a threat library built around your environment can allow you to hunt the unknowns in your network.


VerSprite, Inc

July 22, 2020


Transcript

  1. Presented by Jordan Young & Jacob Niederer: Utilizing Threat Intelligence to Hunt the Unknown in Your Networks
  2. Objectives • Threat Hunting • Who will hunt? • Tools to hunt? • Pyramid of Pain • Where do we hunt? • PASTA • Threat Intelligence • Methodically Hunting
  3. What is Threat Hunting? • Reactively pursuing abnormal activity on devices that may be signs of compromise, intrusion, or exfiltration. • Proactively and iteratively searching through networks to detect advanced threats that evade existing security.
  4. Reactive • Tactical Methodology • Current / Now / “Is” or “Has” happened • Driven from present Alerts and Notifications • Incident Response Process
  5. Proactive • Strategic Methodology • Deep Analysis utilizing Threat Modeling • Efficiently mature and develop for long-term results • Utilizes knowledge of: Indicators of Attack, Tactics, Techniques, Procedures • Early warning with actively developing Threat Intelligence
  6. Where do we begin?

  7. Who will hunt? • Critical and Creative thinking (Think like a bad guy) • Objective • Analytical Mindset • Diverse (Jack of all trades) • Network Architecture • OS Architecture • Network Forensics • Understand the Attack Lifecycle • Offline Investigative Skills • Perspective (Open Minded)
  8. What tool to use? (Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html) • TTP-Based Detection: manual searches and hunting • Tool-Based Detection: AV/EDR detections, YARA, tool-specific detectors such as FireEye • IOC-Based Detection: automatic matching of indicators from intel feeds developed into a product
  9. PASTA: What is PASTA? • Process for Attack Simulation and Threat Analysis • Authored by Tony UcedaVélez (VerSprite CEO) in 2015 • Provides organizations a guide to assess realistic threats.
  10. PASTA: How does PASTA work? • Organizations establish threats to important assets • Organizational Profile: important processes, important hardware and software, important data, important roles (of employees), important safeguards, important suppliers, important proprietaries
  11. PASTA: How does PASTA work? • Map assets onto business objectives • Two ways: importance of processes; importance of product or service • Ask: what do the processes, product, or service provide?
  12. PASTA: How does PASTA work? • Build a Threat Library • Or, an understanding of the possible security threats similar organizations face. • Key word: ‘similar’ • Update your threat library, often.
  13. PASTA: How does PASTA work? • Vulnerability Analysis • Key question: what infrastructural (physical and technical) or computer-based exploits exist in our organization? • Purpose: to catalogue institutional and system-based weaknesses • Such as: points of entry or escalation
  14. PASTA: How does PASTA work? • Assess findings • What attacks worked? • What else could be compromised? • Which suspicious activities should be prioritized? • Which should not? • Does the organizational playbook need to change? • Implement findings
  15. None
  16. PASTA: Main Purpose: Helps businesses identify and prioritize safeguards for organizational assets that threat actors may seek to target.
  17. What are Threat Models? • Process maps of how threat actors could compromise or disrupt an organization. • Purpose: elucidates possible attack methods threat actors could enact against an organization, by creating maps of possible: • points of entry or escalation threat actors can leverage • information technology or cybersecurity weaknesses within an organization.
  18. None
  19. How do PASTA and Threat Models Relate? • PASTA provides a framework for prioritizing discovered vulnerabilities. • The function of Threat Models remains constant; the purpose changes. • The purpose of Threat Models is now business-centric. • PASTA is an innovative and state-of-the-art tool-kit. • Can change processes, outcomes, and goals within an organization • High-level: frameworks like PASTA can alter the purpose and significance of Threat Models.
  20. Benefits of Implementing PASTA into Threat Models • New concept: Organizational Threat Models • Realistic: data, trends, and outcomes • Sophisticated: planned, organized, tried and true.
  21. Why Threat Hunting utilizing a Threat Library? • Technology advances and changes daily • Signature and heuristic detection methods cannot keep up with evolving trends. • Utilizing Threat Modeling allows us to evolve hunting around a baseline that can be updated and adapted easily, without waiting for the movements of a threat to be documented and adapted into current detection methods. • View the organization from the outside in – as a threat actor or hacker
  22. Threat Intelligence: In today’s age, Threat Intelligence is marketed as a reaction; it is developed to be utilized after an event. Threat Intel should be developed for your Threat Library by: • Developing it through ANALYSIS of intelligence feeds – not purchasing it • Knowing your surroundings – digitally, geographically, and in your target markets • World Events • History • Offline (news, meet-ups, local interaction)
  23. Threat Library Development: Organization Threat Model (• Technology • Business Initiatives • Geographical Location • Target Market • Competitors • Suppliers • INDIVIDUALS ***) + Threat Intel (• Technology • Economics • Business • Military • Diplomatic • Infrastructure • Cultural/Professional • Religious) = Developed baseline to drive hunts and architecture!
  24. How to hunt?

  25. How do we bring this all together? Threat Hunting Loop: Create Hypotheses → Investigate via Tools & Techniques → Uncover New Patterns and TTPs → Inform and Enrich Analytics
  26. Reactive vs Proactive (diagram; labels: Hypothesis Hunting • Malware Forensics • Threat Intelligence • Alert • IR Analysis)
  27. Hypothesis: Every hunt begins with a hypothesis, but what do we hunt for? • Analyze the threat library • Apply threat intelligence to the library • Formulate hypotheses from events associated with the library
  28. Investigation • Target: Host Analysis, Log Analysis • Capability: Adversary Toolkits • Infrastructure • Adversary: TTPs, Toolkit
  29. Uncover: Discover new patterns and TTPs from the threat hunt • Intrusion Discovery and Response • Attack Tree Analysis
  30. Inform & Enrich • Produce Threat Intelligence from discovery • Develop Hunting Techniques • Enhance Security Posture • Update Threat Library
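The following is an added example, not code from the VerSprite deck, that ties slide 8 (the Pyramid of Pain detection tiers) to slides 25 to 30 (the threat hunting loop). It runs constructed process-creation events through IOC-based, tool-based and TTP-based checks held in a small threat library, treats a TTP hit with no IOC hit as an "unknown", and feeds the indicators of that unknown back into the library. The hosts, hashes, IPs, the `-enc` signature and the `office_child_process` hypothesis are all assumptions made up for the example, not content from the presentation.

```python
from dataclasses import dataclass, field

# Constructed process-creation events, the kind of telemetry an EDR forwards.
# Hosts, hashes and IPs are invented for this example (IPs are documentation ranges).
EVENTS = [
    {"host": "ws-01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA", "dst_ip": "203.0.113.10", "sha256": "aaaa1111"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "dst_ip": "198.51.100.7", "sha256": "bbbb2222"},
    {"host": "ws-03", "parent": "EXCEL.EXE", "image": "svchost.exe",
     "cmdline": "svchost.exe -w hidden", "dst_ip": "203.0.113.99", "sha256": "cccc3333"},
    {"host": "ws-04", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "dst_ip": "10.0.0.5", "sha256": "dddd4444"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


@dataclass
class ThreatLibrary:
    """A threat library reduced to the three Pyramid of Pain tiers (assumed layout)."""
    iocs: set = field(default_factory=set)               # bottom tier: hashes, IPs
    tool_signatures: dict = field(default_factory=dict)  # middle tier: tool artefacts
    ttps: dict = field(default_factory=dict)             # top tier: behaviours


def build_library() -> ThreatLibrary:
    """Starting library: one feed-supplied IOC, one tool signature, one TTP hypothesis."""
    return ThreatLibrary(
        iocs={"203.0.113.10"},
        tool_signatures={"encoded_powershell": "-enc"},
        ttps={"office_child_process": lambda ev: ev["parent"].upper() in OFFICE_APPS},
    )


def ioc_hits(ev: dict, lib: ThreatLibrary) -> set:
    """IOC-based detection: exact match of atomic indicators from the feed."""
    return {i for i in (ev["dst_ip"], ev["sha256"]) if i in lib.iocs}


def tool_hits(ev: dict, lib: ThreatLibrary) -> set:
    """Tool-based detection: substring signature, a stand-in for an AV/YARA rule."""
    return {name for name, sig in lib.tool_signatures.items() if sig in ev["cmdline"]}


def ttp_hits(ev: dict, lib: ThreatLibrary) -> set:
    """TTP-based detection: behavioural predicate, independent of the tool or IOC used."""
    return {name for name, pred in lib.ttps.items() if pred(ev)}


def hunt(events: list, lib: ThreatLibrary) -> list:
    """Investigate: run each event through all three tiers; keep anything that fired."""
    findings = []
    for ev in events:
        f = {"event": ev, "ioc": ioc_hits(ev, lib),
             "tool": tool_hits(ev, lib), "ttp": ttp_hits(ev, lib)}
        if f["ioc"] or f["tool"] or f["ttp"]:
            findings.append(f)
    return findings


def uncover(findings: list) -> set:
    """Uncover: a TTP hit with no IOC hit is an 'unknown'; its indicators are new intel."""
    new = set()
    for f in findings:
        if f["ttp"] and not f["ioc"]:
            new |= {f["event"]["dst_ip"], f["event"]["sha256"]}
    return new


def enrich(lib: ThreatLibrary, new_iocs: set) -> ThreatLibrary:
    """Inform & enrich: push the uncovered indicators back into the library."""
    lib.iocs |= new_iocs
    return lib


def run_loop(events: list, lib: ThreatLibrary) -> tuple:
    """One pass: hypothesis (held in lib) -> investigate -> uncover -> enrich."""
    findings = hunt(events, lib)
    new = uncover(findings)
    enrich(lib, new)
    return findings, new


if __name__ == "__main__":
    lib = build_library()
    findings, new = run_loop(EVENTS, lib)
    for f in findings:
        print(f["event"]["host"], "ioc:", f["ioc"], "tool:", f["tool"], "ttp:", f["ttp"])
    print("new IOCs added to library:", new)
```

The point the run makes is the deck's own: ws-01 is caught at every tier, but ws-03 uses an address and a hash that no feed has seen and no tool signature matches, so only the behavioural hypothesis fires. After the enrich step the library carries those two indicators, and a second pass would catch the same activity at the cheap IOC tier as well.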
  31. Recap • Threat Hunting • Who is hunting? • Tools • What are we hunting? • Threat Hunt Model