Hunting Threats in Your Enterprise


Abdulrahman Al-Nimari | BSides Conference, Dubai, 27-28 November 2018 | @nimari | https://www.linkedin.com/in/alnimari/

Who am I?

- Abdulrahman Al-Nimari
- 25 years IT & Infosec experience
- Lead Enterprise Security Architect
- ManTech International Corporation, Riyadh, KSA
- CISSP, CISM, CCISO, PMP, GCIH, GCIA, GCUX, GREM, GSEC
- @nimari
- https://www.linkedin.com/in/alnimari/
- alnimari@gmail.com

Agenda

- What is Threat Hunting?
- Threat Hunting Plan
- Hunt Cycle
- Hunting in Action
- Hunt Maturity Level
- Measuring Success (Metrics)
- Resources


Verizon Data Breach Investigations Report, 2018

https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf


What is threat hunting?

- Cyber threat hunting is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions" (Wikipedia)
- Cyber threat hunting is "the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions" (sqrrl)


Threat Hunting Plan

- Design your network for hunting
- Get your team ready
- Know your enterprise
- Know your adversary's TTPs
- Collect hunt data
- Create hypotheses
- Start hunting


Design Your Enterprise for Hunting

- Segmentation: security zones
- NTP: Network Time Protocol (consistent time across all log sources)
- Protection/Detection: FW/IDS/IPS/DLP/Proxy
- Tapping: dump PCAP data
- Visibility: enable logging as required


Know Your Enterprise

- Identify assets
- Know the threats to your assets
- Prioritize (high-value / critical assets first)
- Baselining: know what is normal

Know Your Adversary - Cyber Kill Chain

The Cyber Kill Chain is a Lockheed Martin model that describes the stages of a cyber attack, from early reconnaissance through to the goal of data exfiltration:

[Kill chain figure: stages grouped as attacks in planning, attacks in progress, attacks already happening]

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

Know Your Adversary – Mitre ATT&CK

ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge

Collect Hunt Data

Data Domains:

Network: Flow Data (NetFlow), PCAP, DNS, Proxy Logs, FW/SW/Routers
Host: AV/EDR/FW, Windows/Sysmon Events, File System, Autoruns
Application: Authentication, Transaction Logs, DB Logs, Security Alerts

- Log data
- PCAP data
- NetFlow
- Threat intelligence data


Threat Intelligence Feeds (Open Source)

- https://otx.alienvault.com/
- https://www.iocbucket.com/
- https://abuse.ch/
- https://www.blocklist.de/
- https://www.virustotal.com/
- https://malwr.com/
- ...

Creating Hypotheses

Hypothesis | Data (where to hunt) | What to look for
Data Staging/Exfiltration? | PCAPs, NetFlow | Compressed files
Lateral Movement? | PCAPs, Logs | PsExec, PowerShell
Fileless Malware? | PCAPs, NetFlow | PowerShell, WMI
Command & Control (C2)? | HTTP, Bro logs | Malicious URLs/domains/user agents/DNS
...


Hunting Cycle

Iterate aggressively through this cycle.

https://sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop/


Hunting Maturity Model

https://sqrrl.com/the-threat-hunting-reference-model-part-1-measuring-hunting-maturity/

Pyramid of Pain

[Pyramid of Pain figure, annotated from top to bottom with the Hunting Maturity Model levels HMM2,3,4; HMM1; HMM0]

http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html


Hunting in Action #1 (flow diagram)

Malicious IP Address(es) -> Network Flow -> Internal IP Address(es) + Time Stamp -> Network Flow Anomaly -> Investigate PCAP/Logs
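The flow above, worked as an added example (not from the slides): threat-intel IPs are matched against NetFlow records, each hit yields the internal host, the timestamp and a PCAP pull window, and hits are rolled up per host. The indicator IPs, internal ranges and flow records are all constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed indicator set: addresses a threat-intel feed flagged (placeholders, not real IoCs).
MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7"}
# Hypothetical internal address space of the enterprise.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed NetFlow-style records: (timestamp, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("2018-11-27T09:00:05", "10.1.2.50", "93.184.216.34", 443, 1200),
    ("2018-11-27T09:14:31", "10.1.2.50", "203.0.113.45", 8443, 5400),
    ("2018-11-27T09:15:02", "10.1.2.50", "203.0.113.45", 8443, 88000),
    ("2018-11-27T10:02:17", "198.51.100.7", "10.1.9.3", 445, 300),
    ("2018-11-27T10:30:00", "10.1.9.3", "93.184.216.34", 80, 900),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def hunt_flows(flows, bad_ips, window_minutes=5):
    """Match flows against the indicators; per hit, record internal host, time and PCAP window."""
    hits = []
    for ts, src, dst, port, nbytes in flows:
        if src not in bad_ips and dst not in bad_ips:
            continue
        external, internal = (dst, src) if dst in bad_ips else (src, dst)
        if not is_internal(internal):
            continue  # both ends external: not one of our hosts
        t = datetime.fromisoformat(ts)
        hits.append({
            "internal_ip": internal, "malicious_ip": external, "timestamp": ts,
            "direction": "outbound" if external == dst else "inbound",
            "dst_port": port, "bytes": nbytes,
            # window to pull from the PCAP store / logs when investigating this hit
            "pcap_window": ((t - timedelta(minutes=window_minutes)).isoformat(),
                            (t + timedelta(minutes=window_minutes)).isoformat()),
        })
    return hits

def summarize(hits):
    """Roll hits up per internal host so the noisiest host is the first anomaly to investigate."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["internal_ip"], {"flows": 0, "bytes": 0, "malicious_ips": set()})
        s["flows"] += 1
        s["bytes"] += h["bytes"]
        s["malicious_ips"].add(h["malicious_ip"])
    return summary
```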

Hunting in Action #2

Deploy autorunsc.exe to endpoints (EP) -> Collect results in SIEM -> Compare to baseline / VT hash DB -> Anomalies -> Investigate -> Automate
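The compare step above, worked as an added example (not from the slides): autorunsc results collected from several hosts are diffed against a baseline hash set and a known-bad set, and it goes one step further than the slide by counting on how many hosts each hash appears, so rare entries surface first. The CSV column subset, the Host column (assumed to be added by the collector) and all hashes are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of autorunsc.exe CSV output after collection into a SIEM
# (column subset assumed; Host column added by the collector; hashes are placeholders, not IoCs).
AUTORUNS_CSV = r"""Host,Entry Location,Entry,Image Path,SHA-256
ws01,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Program Files\OneDrive\OneDrive.exe,aaaa1111
ws01,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\Public\upd.exe,ffff9999
ws02,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Program Files\OneDrive\OneDrive.exe,aaaa1111
ws02,Task Scheduler,\Sync,C:\Windows\Temp\sync.exe,bbbb2222
ws03,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Program Files\OneDrive\OneDrive.exe,aaaa1111
"""

BASELINE_HASHES = {"aaaa1111"}   # hashes of autorun entries on the golden image (constructed)
KNOWN_BAD_HASHES = {"ffff9999"}  # hashes a VT / hash-DB lookup flagged (constructed)

def find_anomalies(csv_text, baseline, known_bad):
    """Return autorun entries that are known-bad or absent from the baseline,
    worst and rarest first, with the number of hosts carrying the same hash."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    prevalence = Counter(r["SHA-256"] for r in rows)  # hosts per hash (one row per host/entry)
    anomalies = []
    for r in rows:
        h = r["SHA-256"]
        reasons = []
        if h in known_bad:
            reasons.append("known-bad hash")
        if h not in baseline:
            reasons.append("not in baseline")
        if reasons:
            anomalies.append({"host": r["Host"], "entry": r["Entry"], "image": r["Image Path"],
                              "sha256": h, "prevalence": prevalence[h], "reasons": reasons})
    # known-bad entries first, then the rarest hashes across the fleet
    anomalies.sort(key=lambda a: ("known-bad hash" not in a["reasons"], a["prevalence"]))
    return anomalies
```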


Measuring Success (Metrics)

- Number of incidents by severity
- Number of compromised hosts
- Dwell time of incidents discovered
- Logging gaps identified and corrected
- Vulnerabilities identified
- Insecure practices identified and corrected
- Hunts transitioned to analytics
- New visibility gained

https://sqrrl.com/media/Your-Practical-Guide-to-Threat-Hunting.pdf

Resources

- https://www.threathunting.net/
- https://threathunting.org/
- https://intel.criticalstack.com/
- https://www.mitre.org/
- https://www.elastic.co/
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
- https://nxlog.co/
- https://docs.microsoft.com/en-us/sysinternals/


Q&A


Thank You
