Threat Hunting

Post on 29-Jul-2020


TRANSCRIPT

Page 1: Fidelis Professional Security Maturation Services Level 2 ......© Fidelis Cybersecurity Threat Hunting Overview Hunting with Endpoint Hunting with Network Questions Agenda

Threat Hunting

Page 2

© Fidelis Cybersecurity

Introduction

Justin Swisher

Threat Hunter – Fidelis

Previous Jobs:

Threat Intelligence

NSM

USAF Intelligence Analyst

Page 3

Threat Hunting Overview

Hunting with Endpoint

Hunting with Network

Questions

Agenda

Page 4

What is Threat Hunting?

Page 5

Which is Hunting?

Discovery / Detection

Alerts

Signatures

IOCs

Artifacts

Behaviors

Patterns

TTPs

Anomalies

Outliers

Page 6

Methodology

3 Fundamental Types of Hunting

Workflows

3 Processes for Hunting within the Types

Implementation

Hunting practices vary between individuals

The blending of "art" and "science"

Fidelis Hunting Strategy

Page 7

“Hunting is the discovery of malicious artifacts, activity, or detection methods not accounted for in passive monitoring capabilities.”

Page 8

Getting Started

1. Have a Framework

a) MITRE ATT&CK

b) Pyramid of Pain

2. Internal Intelligence

a) Data Sources

b) Tools

3. External Intelligence

a) Threat Research and Reporting

b) Incident Reports

4. Create a Hypothesis

Open Source

Threat Feeds

Threat Research

Internal Intel

Page 9

Frameworks

Page 10

Internal Intelligence

Page 11

Internal Intelligence

Investigative Capabilities

Forensics Capabilities

Deployment

Data Retention

Hunting Abilities

Analytic Support

Tools

Page 12

External Intelligence

Threat Intelligence Reports

Leverage TRT blogs and reports

Newly discovered vulnerabilities

CVEs

Proof of Concept code

Incident Response

Newly uncovered artifacts

Potential new patterns of activity

Page 13

Hunting Workflows

Hypothesis Driven Hunting

Starts with a question

"Are adversaries doing X in my environment?"

Intelligence Driven Hunting

Starts with newly reported intelligence

Indicators, Artifacts, or Behaviors

Continuous Operational Hunting

Based on behavioral triggers

Sometimes an outcome of the other two workflows

Page 14

Hypothesis Driven Hunting

Brainstorm Session:

▪ Statistical Analysis

▪ Frequency Analysis

▪ Technique/Kill Chain

Align with environment:

▪ Do we have the right tools?

▪ Do we have the visibility?

Pick 1 Hypothesis:

▪ Backlog the rest for future hunts

Hunt!

▪ Collect data (queries, scripts, etc.)

▪ Analysis: statistical, data science models, etc.

Malicious Activity

▪ Report findings

▪ Pass IOCs/Behaviors to Intelligence

No Malicious Activity

▪ Did we get the right data?

▪ Do we need different data? Find a visibility gap?

▪ Can we run this hunt again at a different time and expect new results?

Purple Team Exercise

Page 15

Benefits of Hunting

Identification of attack methods

Reduced time “Actor” is in environment

Another layer of protection

What was not identified by current security stack

Provides information to build better alert rules and new procedures

Page 16

Finding the Unexpected

Misconfiguration of servers for protocols/certificates

Passwords in the clear

Self-signed and other certificate situations

Circumvention of corporate DNS, Web Proxy, and Email Servers, etc.

Non-compliance with corporate policy

Illegal activity

Page 17

Fidelis: The Threat Hunting Tool

Benefits

One Platform

Metrics

Scanning

Forensics

Real-Time Data Collection

Page 18

Traditional Hunting Network?

Limits visibility only to network traffic

Lack of visibility to identify post-compromised behaviors

Legitimate services controlled by “actor”

Web services

Encrypted communication


Page 19

Network Always Leads to Endpoint!

Hosts Involved/Compromised

Accounts

Objective

TTPs Used

Page 20

Two Potential Tracks to Follow

Credential Access

Lateral Movement

Page 21

Credential Theft

Golden Ticket

Event ID 4769

Remote Users

Simultaneous Logins

4624

Logon types 2, 3, 9, 10 with status success

Deception to enable hunting for credential access

Create fake admin accounts with no login privileges, alert for login attempts against that user

Page 22

Lateral Movement Remote Log-on (Already Executed)

Event ID 5140

Event ID 4697 and 7045

Event 4688

Event ID 5145

PsExec

Commandline

DCOM – ATT&CK T1175
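The two tracks on the Credential Theft and Lateral Movement slides, as an added hunting example that is not Fidelis code: it runs three checks over constructed Windows Security event records, a logon attempt against a decoy admin account, the same user with successful logons of type 2/3/9/10 from two different sources in a short window, and ADMIN$ share access (5140/5145) followed by a service install (7045) on the same host, which is the PsExec-style pattern. The decoy account name, the field names, the time windows and the sample records are all assumptions.

```python
from collections import defaultdict

DECOY_ACCOUNTS = {"svc_backup_admin"}   # assumed decoy account with no real login rights
HUNT_LOGON_TYPES = {"2", "3", "9", "10"}  # logon types from the slide

# Constructed sample events (not real telemetry). Keys mimic event data fields:
# id = Event ID, type = LogonType, src = source address, ts = seconds since epoch.
EVENTS = [
    {"id": 4624, "user": "alice", "type": "10", "src": "10.1.1.5", "host": "WS01", "ts": 100},
    {"id": 4624, "user": "alice", "type": "3", "src": "10.1.9.77", "host": "FS01", "ts": 130},
    {"id": 5145, "user": "alice", "share": "\\\\*\\ADMIN$", "src": "10.1.9.77", "host": "FS01", "ts": 131},
    {"id": 7045, "user": "SYSTEM", "service": "PSEXESVC", "host": "FS01", "ts": 132},
    {"id": 4624, "user": "bob", "type": "2", "src": "-", "host": "WS02", "ts": 200},
    {"id": 4625, "user": "svc_backup_admin", "type": "3", "src": "10.1.9.77", "host": "DC01", "ts": 210},
]

def decoy_logins(events):
    """Any logon attempt, successful (4624) or failed (4625), against a decoy account."""
    return [e for e in events if e["id"] in (4624, 4625) and e["user"].lower() in DECOY_ACCOUNTS]

def simultaneous_logins(events, window=300):
    """Same user: successful hunt-type logons from two different sources within `window` seconds."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] in HUNT_LOGON_TYPES and e["src"] != "-":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] <= window and b["src"] != a["src"]:
                    hits.append((user, a["src"], b["src"]))
    return hits

def psexec_style(events, window=60):
    """ADMIN$ access (5140/5145) followed by a new service (7045) on the same host."""
    hits = []
    for s in events:
        if s["id"] in (5140, 5145) and s["share"].endswith("ADMIN$"):
            for svc in events:
                if svc["id"] == 7045 and svc["host"] == s["host"] and 0 <= svc["ts"] - s["ts"] <= window:
                    hits.append((s["host"], s["src"], svc["service"]))
    return hits

if __name__ == "__main__":
    print("decoy:", decoy_logins(EVENTS))
    print("simultaneous:", simultaneous_logins(EVENTS))
    print("psexec-style:", psexec_style(EVENTS))
```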

Page 23

DCOM – ATT&CK T1175

Windows Distributed Component Object Model

Uses RPC (Remote Procedure Call) for network communication

Limited to Administrator privileged accounts

Can be used via

Powershell

Office Dynamic Data Exchange

Launch processes or execute shellcode

Target Machine

cmd used to launch calc

Page 24

Thank You