Free Webinar: How to Hunt for Security Threats - PowerPoint PPT Presentation

Description:

Threat Hunting (TH) is the process of searching for and identifying security threats across the internet and networks that may have escaped automated systems. Threat Hunting uses manual or machine-assisted methodologies to hunt for and identify security incidents across networks. An effective review of the security infrastructure contributes to efficient threat hunting by surfacing operational deficiencies and malicious activities. This interactive session explains the core fundamentals of Threat Hunting (TH) and helps you gain in-depth insight into how threat hunting capabilities are emerging as an integral part of cyber security. You can watch the full recorded webinar session here:


Transcript and Presenter's Notes

1
How to Hunt for Security Threats
Tom Updegrove NetCom Learning
www.netcomlearning.com info@netcomlearning.com
(888) 563 8266
2
Agenda
  • What is Threat Hunting
  • Preparing for the Hunt
  • Hunting
  • Mastering Hunting
  • Tips for improving your THSS

3
What is Threat Hunting
The Definition
"The process of proactively and iteratively
searching through networks to detect and isolate
advanced threats that evade existing security
solutions."
4
Understanding Threat Hunting
  • Security Threats
  • Motivations
  • Hackers, Crackers, Hacktivists, Nation States, etc.
  • Methods
  • Intuition
  • Analysis Hypothesis

5
Types of Hypotheses
There are three types of hypotheses:
  • Analytics-Driven: "Machine-learning and UEBA, used
    to develop aggregated risk scores that can also
    serve as hunting hypotheses"
  • Situational-Awareness Driven: "Crown Jewel
    analysis, enterprise risk assessments, company- or
    employee-level trends"
  • Intelligence-Driven: "Threat intelligence reports,
    threat intelligence feeds, malware analysis,
    vulnerability scans"
6
Types of Indicators
There are two types of indicators:
  • Compromise
  • Concern

7
Detection Maturity Level (DML) Model
  • High Semantics
  • goal and strategy, or tactics, techniques and
    procedures.
  • Low Semantics
  • IP addressing, network anomalies
  • AI, SIEM, ELK

8
Five Levels of Maturity
  • Initial - Level 0: An organization relies
    primarily on automated reporting and does little
    or no routine data collection.
  • Minimal - Level 1: An organization incorporates
    threat intelligence indicator searches. It has a
    moderate or high level of routine data
    collection.
  • Procedural - Level 2: An organization follows
    analysis procedures created by others. It has a
    high or very high level of routine data
    collection.

9
Five Levels of Maturity
  • Innovative - Level 3: An organization creates new
    data analysis procedures. It has a high or very
    high level of routine data collection.
  • Leading - Level 4: An organization automates the
    majority of its successful data analysis
    procedures. It has a high or very high level of
    routine data collection.

10
Dwell Time
  • Cyber-attackers operate undetected for an average
    of 99 days and obtain administrator credentials in
    less than three days.
  • Mandiant M-Trends Report
  • The study also showed that 53% of attacks are
    discovered only after notification from an
    external party.

11
Mean Time to Detection
  • The average company takes 170 days to detect an
    advanced threat.
  • 39 days to mitigate.
  • 43 days to recover.
  • Ponemon Institute

12
Difference Between Threat Hunting and Pen Testing
  • What threats are hunted
  • The development of threat hunting
  • Co-Existence
  • Man Computers
  • The Big Picture
  • Intruders
  • Data exploitation
  • Knowing the enemy

13
Preparing for the Hunt
  • The Team
  • Finding the Time
  • Training
  • Processes

14
Threat Hunting
15
The Technology of Threat Hunting
  • Endpoints
  • Network detection
  • Threat Intelligence
  • Data Correlation

16
The Baseline
  • What is normal and what isn't
  • What are the High Value Targets
  • Reverse engineering the attack

17
How to Prepare for Threat Hunting
  • Where to start
  • Filtering out legitimate traffic
  • What is suspicious
  • Diving deeper
  • Impact
  • Remediation
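The hunt steps on this slide (baseline what is normal, filter out legitimate activity, flag what is suspicious, dive deeper, assess impact), applied with the deck's two hypothesis types and two indicator classes, as one added Python example. This is not code from the webinar or from NetCom Learning. The process-creation events, the baseline counts and the threat-intel hashes are all constructed placeholders, and the choice of endpoint process-creation telemetry (EDR or Sysmon style parent/child process pairs) as the data source is an assumption of the example.

```python
"""Hypothesis-driven hunt over endpoint process-creation events.

Two hypotheses from the deck are applied to the same data:
  * Intelligence-driven: an event whose image hash is in the threat-intel
    feed is an indicator of COMPROMISE (high confidence, act on it).
  * Analytics-driven: a parent/child process pair that the baseline of
    normal activity has rarely or never seen is an indicator of CONCERN
    (worth a closer look, not proof of anything).
All data below is constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str       # image name of the parent process
    image: str        # image name of the process that started
    file_hash: str    # hash of the image file (placeholder strings here)


# Constructed baseline: (parent, image, times seen) over a learning window of
# known-good activity. Assumption: collected from the same endpoint telemetry
# the hunt runs over (process-creation events from an EDR or Sysmon).
BASELINE_ROWS = [
    ("explorer.exe", "outlook.exe", 480),
    ("explorer.exe", "winword.exe", 350),
    ("explorer.exe", "chrome.exe", 900),
    ("services.exe", "svchost.exe", 5000),
    ("winword.exe", "splwow64.exe", 40),   # printing from Word: legitimate
    ("explorer.exe", "cmd.exe", 60),
    ("cmd.exe", "ipconfig.exe", 12),       # helpdesk scripts
]

# Constructed threat-intel feed: placeholder hashes, not real indicators.
INTEL_HASHES = {"HASH-PLACEHOLDER-BAD-1", "HASH-PLACEHOLDER-BAD-2"}

# Constructed events for today's hunt window.
TODAY = [
    ProcEvent("WS01", "alice", "explorer.exe", "outlook.exe", "HASH-outlook"),
    ProcEvent("WS01", "alice", "winword.exe", "splwow64.exe", "HASH-splwow64"),
    ProcEvent("WS02", "bob", "winword.exe", "powershell.exe", "HASH-powershell"),
    ProcEvent("WS02", "bob", "powershell.exe", "whoami.exe", "HASH-whoami"),
    ProcEvent("WS03", "carol", "explorer.exe", "cmd.exe", "HASH-cmd"),
    ProcEvent("WS03", "carol", "cmd.exe", "ipconfig.exe", "HASH-ipconfig"),
    ProcEvent("WS04", "dave", "explorer.exe", "update.exe", "HASH-PLACEHOLDER-BAD-1"),
]


def build_baseline(rows):
    """'What is normal': how often each parent/child pair was seen."""
    return Counter({(parent, image): n for parent, image, n in rows})


def hunt(events, baseline, intel_hashes, min_seen=5):
    """Run both hypotheses over the events.

    Returns (kind, event, reason) tuples, compromises first. Pairs seen at
    least `min_seen` times in the baseline are treated as legitimate and
    filtered out; everything else is a concern unless an intel match
    already makes it a compromise.
    """
    findings = []
    for ev in events:
        seen = baseline.get((ev.parent, ev.image), 0)
        if ev.file_hash in intel_hashes:
            findings.append(("compromise", ev, "image hash matches threat-intel feed"))
        elif seen < min_seen:
            findings.append(("concern", ev, f"{ev.parent} -> {ev.image} seen {seen}x in baseline"))
    rank = {"compromise": 0, "concern": 1}
    findings.sort(key=lambda f: rank[f[0]])   # stable sort keeps event order within a class
    return findings


def pivot_host(events, host):
    """'Diving deeper': everything that ran on the host of a finding, in order."""
    return [ev for ev in events if ev.host == host]


def impact(findings):
    """'Impact': which hosts each class of finding touches, for the hunt log."""
    hosts = defaultdict(set)
    for kind, ev, _ in findings:
        hosts[kind].add(ev.host)
    return {kind: sorted(h) for kind, h in hosts.items()}


if __name__ == "__main__":
    results = hunt(TODAY, build_baseline(BASELINE_ROWS), INTEL_HASHES)
    for kind, ev, reason in results:
        print(f"[{kind:10}] {ev.host} {ev.user}: {ev.parent} -> {ev.image} ({reason})")
    print("impact:", impact(results))
    for ev in pivot_host(TODAY, "WS02"):
        print("  WS02 timeline:", ev.parent, "->", ev.image)
```

On the constructed data the intel match on WS04 is reported as a compromise, while the two unfamiliar parent/child pairs on WS02 come out as concerns to be pivoted on, and the routine Outlook, printing and helpdesk activity is filtered out by the baseline. The `min_seen` threshold is the knob that decides how rare a pair must be before it is worth an analyst's time; raising it surfaces more to review, lowering it leans harder on the baseline being complete.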

18
Mastering Threat Hunting
  • Research
  • Intuition
  • Educated hunches
  • OODA
  • Developing tools and traps

19
Perfecting the Technique
  • Know your Environment
  • Think like a Hacker
  • Develop the OODA Mindset
  • Apply sufficient resources to the Hunt
  • Deploy endpoint intelligence throughout the
    network
  • Collaborate
  • Log results
  • Develop your skills
  • Keep up to date on Attack Trends

20
Threat Hunting
21
Threat Hunting
Articles (Quick Start)
  • Incident Response is Dead... Long Live Incident
    Response, Scott Roberts
  • Straight talk in plain language about the idea of
    hunting, why your organization should be doing
    it, and what it takes to create a successful
    hunting program. Read this one first!
  • Demystifying Threat Hunting Concepts, Josh
    Liburdi
  • A strategic look at the importance of good
    beginnings, middles and ends of the hunt.
  • A Simple Hunting Maturity Model, David J. Bianco
  • Proposes a practical definition of hunting, and
    a maturity model to help explain the various
    stages of hunting capability an organization can
    go through. The HMM can be viewed as a roadmap
    that an organization can use to describe their
    current capability and plan for improvement.
  • The Threat Hunting Reference Model Part 2: The
    Hunting Loop, Sqrrl
  • Building on the HMM, this describes the
    hypothesis-driven cycle that successful hunters
    must iterate through.
  • The Who, What, Where, When, Why and How of
    Effective Threat Hunting, Robert M. Lee and Rob
    Lee, The SANS Institute
  • A very comprehensive discussion of many aspects
    of hunting, with a special emphasis on how it
    fits within the overall security program and the
    active cyber defense cycle.

22
Threat Hunting
Articles (Quick Start)
  • Generating Hypotheses for Successful Threat
    Hunting, Robert M. Lee and David J. Bianco
  • An in-depth discussion of the different types of
    hunting hypotheses and how to create good ones to
    get your hunts started right.
  • Building Threat Hunting Strategies with the
    Diamond Model, Sergio Caltagirone
  • The first part of this article is all about how
    to organize and prepare for your next hunt. It
    introduces the 4 hunting questions you must
    answer before you begin. The second part presents
    a framework for categorizing different hunting
    approaches based on the Diamond Model of
    Intrusion Analysis (of which Mr. Caltagirone was
    a primary author).
  • Cyber Threat Hunting (1): Intro, Samuel Alonso
  • Another good intro to threat hunting. Offers a
    slightly different viewpoint on hunting than some
    of the other items in this list.
  • Cyber Hunting: 5 Tips to Bag Your Prey, David J.
    Bianco
  • Who doesn't like a good Top N list? This one
    offers 5 quick bullet points to help you think
    about how to get your team started hunting.
  • Threat Hunting: Open Season on the Adversary, Dr.
    Eric Cole, The SANS Institute
  • The recent SANS threat hunting survey is probably
    the most authoritative source on how real
    practitioners and security executives view
    hunting, their own hunting programs, and their
    wants and needs for improvement.

23
Threat Hunting
Books
  • Huntpedia, Richard Bejtlich, Danny Akacki, David
    Bianco, Tyler Hudak, Scott Roberts, et al.
  • A collection of essays and how-to articles on
    threat hunting put out by Sqrrl. It's not tied to
    their product, though, and is a great reference
    for both beginners and advanced threat hunters.
    The first section talks about hunting theory and
    practice, while the second focuses on providing
    detailed, concrete examples of actionable hunts.
  • Data-Driven Security: Analysis, Visualization and
    Dashboards, Jay Jacobs and Bob Rudis
  • A wide-ranging look at many aspects of data
    analysis and presentation fundamental to many
    hunting techniques. Includes lots of code in R,
    but also Python. It's great for learning the
    basic ideas behind data analysis and using the
    results to make decisions and drive changes in
    your security program.
  • Network Security Through Data Analysis: Building
    Situational Awareness, Michael Collins
  • Covers many (free!) tools for collecting and
    analyzing large amounts of data, primarily to
    find potential intrusions. The book takes a
    heavily hands-on, practical approach with
    extensive examples written in Python.
Other Resources
  • Windows Commands Abused by Attackers, JPCERT/CC
  • Using data drawn from actual attacks, this
    article shows the most common Windows commands
    used and abused by attackers once they gain
    access to a system. The commands are organized
    into Initial Investigation, Reconnaissance and
    Spread of Infection (Lateral Movement). There are
    no actual analytic techniques discussed here, but
    the data will be quite useful as the basis for
    generating some hunts based on Windows command
    usage.
24
Recorded Webinar Video
To watch the recorded webinar video for live
demos, please access the link
https://bit.ly/2McHkOy
25
About NetCom Learning
26
Recommended Courses
  • Certified Information Systems Security
    Professional (CISSP) Certification - Class
    scheduled on Aug 20
  • CompTIA Security+ Certification - Class
    scheduled on Aug 20
  • CISA Certification - Class scheduled on Sep 10
  • EC-Council CEH Certified Ethical Hacker v10 /
    CNDA Certified Network Defense Architect - Class
    scheduled on Sep 10
  • CompTIA PenTest+ Certification - Class scheduled
    on Sep 17
  • CompTIA Advanced Security Practitioner (CASP)
    Certification - Class scheduled on Sep 17
  • CompTIA Cybersecurity Analyst (CySA+)
    Certification - Class scheduled on Oct 29
27
  • Creating Social Media Graphics in Photoshop CC
  • Office 365 Design Insights
  • Project Management: Developing Project Schedules
    and Budgets
  • How to Configure Networking in Windows 10 Devices
  • ASP.NET Functions on Microsoft Azure
  • Getting Started With CompTIA PenTest+
  • PowerPoint 2016: 10 Tips to Master Presentations
  • Hands-On Power BI for Data Visualization
28
Promotions
From Cloud to Security, to Data and AI, to
Networking, to Application Development, to
Design, to Business Process Application: all
classes are delivered by top-notch instructors,
in-person in an instructor-led classroom or Live
Online. And after you train, treat yourself with
Gift Card rewards. Learn More
29
Follow Us On
30
31
THANK YOU !!!