Hunting Before a Known Incident
Mark Dufresne, Director of Malware Research and Threat Intelligence
Endgame
Agenda
• Who am I?
• Assume you are compromised
– Defenses fail. All the time.
• Be Proactive, Think Offense: Hunt!
– What is hunt
– Hunt techniques
– Benefits of hunt
• Hunt vs. traditional IR
• Challenges of hunting and how to overcome them
• Hunting best practices
About Me
• Previous experience
– 13 years at NSA
– Mix of offense and defense
• Currently
– Director of Malware Research and Threat Intelligence at Endgame
Today's Reality
The cycle isn't working: prevention, detection, triage, response
• Prevention is important but will be bypassed
• Search and signature-based detection is always behind
• Often, notification is external
• Often, additional adversaries are already active while a known incident is closed
Why Does Search/Signature Detection Fail?
• On your network
– Encryption
– Cloud services: staging, C2 and exfiltration all blend in with legitimate traffic
– Tailored and/or ephemeral attack infrastructure
• On your endpoints
– Polymorphism
– Malware customization and diversification
– Use of legitimate credentials and admin tools; malware only as a last resort
• Assume compromise!
– Someone else's IOCs might not help you
– Signatures won't find everything
– They won't find what hasn't been seen before
Attacks are changing
Be Proactive, Think Offense
• Adversaries are eating your lunch
• You can't afford to wait
• Offensive, proactive discovery must be the response
– Search is necessary but insufficient
– Look for techniques used by attackers
– Look for patterns in the right data
Hunt within your networks, a.k.a. Continuous IR
Hunting
• Hunting is the proactive, stealthy, and methodical pursuit and eviction of adversaries inside your network without relying on IOCs
– Detect and eliminate known as well as never-before-seen adversaries
• Adversaries operate on your systems. They leave a trail
– Understand what actions they take in the OS: chokepoints
– Understand the breadcrumbs they leave on and across systems: patterns and anomalies
• Gain the right visibility, collect the right data, analyze, detect, and respond
– Lock down systems while you're doing it
– Be stealthy
Common Hunt Methods and Techniques
• Indicator of Compromise (IOC)
• Network
• Endpoint
• Manual vs. scheduled vs. continuous
• Outliers/oddities vs. anomaly detection
Indicator Hunting? (Searching)
• What's search good for?
– Will help you react to an external notification
– Will help you find well-known campaigns
– Will help you consistently find unsophisticated threats
– Will help you pivot on IOCs you find in your own network
• Determine the extent of an incident
• Your hunt platform needs to facilitate search
– Search is today's security muscle memory
– But a hunter needs to do more
If you know what you are looking for, it is not hunt, it is search
Hunting on the Network
• Network data is noisier than host data
– But it's still valuable
– Best if you can tie it back to the originating process
• Listeners
– What ports are listening on only a few systems?
– What processes have listening sockets on only a few systems?
• DNS resolutions
– What looks like it could be DGA?
– What looks like it's trying to masquerade as a real site?
• Beaconing
– What connections look like they could be malware beacons?
• Choose where to focus hunt, collect, analyze, detect, respond
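Two of the network questions above (beaconing and DGA-looking DNS) carried through in code. This is an added example, not code from the deck or from Endgame's product; the flow records and domain names are constructed, the beacon test is a coefficient-of-variation threshold on inter-connection intervals, and the DGA score is a simple entropy/digit/length heuristic that assumes a one-label public suffix (a real hunt would consult the Public Suffix List and tune the thresholds against the organization's own baseline).

```python
"""Added example (not from the Endgame deck): beacon and DGA hunting over
constructed network telemetry.

Beaconing: group outbound connections by (src, dst, port) and flag pairs whose
inter-connection intervals are tightly clustered.  A periodic C2 check-in with
a little jitter has a low coefficient of variation; human browsing does not.

DGA-like DNS: score the registrable label of a queried name by character
entropy, digit ratio, length and vowel scarcity; high scores are candidates.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_seconds, src_host, dst_ip, dst_port)
FLOWS = []
# ws-017 reaches 203.0.113.7:443 every ~300 s with a few seconds of jitter
for i, jitter in enumerate([0, 3, -2, 1, 4, -1, 2, 0, -3, 1]):
    FLOWS.append((1000 + 300 * i + jitter, "ws-017", "203.0.113.7", 443))
# ws-042 browses a web server at irregular, human-driven intervals
for t in [1000, 1007, 1090, 1400, 1402, 1950, 2100, 2105, 2900, 3300]:
    FLOWS.append((t, "ws-042", "198.51.100.20", 443))
# ws-099 has too few connections to judge periodicity at all
FLOWS += [(1000, "ws-099", "192.0.2.5", 80), (1300, "ws-099", "192.0.2.5", 80)]


def beacon_candidates(flows, min_conns=6, max_cv=0.1):
    """Return {(src, dst, port): cv} for pairs whose interval spread is small.

    cv = population stdev(intervals) / mean(intervals).  min_conns prevents
    calling two or three events a beacon; max_cv is the jitter tolerance.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            result[pair] = round(cv, 4)
    return result


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(fqdn):
    """Heuristic DGA score for the label left of the public suffix.

    Assumption: a one-label public suffix such as .com, so the registrable
    label is the second-to-last label.  Thresholds (3.5 bits, 12 chars, 20%
    vowels) are illustrative, not tuned against real DNS data.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    score = 0.0
    score += max(0.0, shannon_entropy(label) - 3.5)        # randomness
    score += sum(ch.isdigit() for ch in label) / len(label)  # digit ratio
    score += max(0, len(label) - 12) / 10                   # unusual length
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    if vowels < 0.2:                                        # unpronounceable
        score += 0.5
    return round(score, 3)


def rank_dga(domains, threshold=0.7):
    """Domains scoring at or above threshold, highest score first."""
    scored = [(d, dga_score(d)) for d in domains]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda x: -x[1])


if __name__ == "__main__":
    print("beacon candidates:", beacon_candidates(FLOWS))
    print("dga candidates:", rank_dga(["google.com", "q7x2kz9vm4pw3bt8.com",
                                       "microsoft.com"]))
```

Only the jittered 300-second series from ws-017 is reported; the human browsing pattern scores a coefficient of variation near 1 and the two-connection pair is skipped. The next step a hunter would take is exactly what the slide says: tie the flagged socket back to the process on ws-017 that owns it.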
Hunting on Endpoints
• Autoruns locations
– What's persisting on only a few hosts?
– What's executing out of a strange location?
• Running processes
– What has a hash mismatch across hosts?
– Which process has a loaded module not present on other systems?
• Execution artifacts
– What strange PowerShell commands have been run?
– Where do I see unusual remote process executions?
• Many other possibilities
• Again: choose, collect, analyze, detect, respond
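The autoruns and running-process questions above come down to stacking: count how many hosts share each artifact and read the long tail. This added example (not code from the deck or from Endgame) does that over a constructed six-host inventory; host names, registry locations, image paths and the placeholder digests are all made up, and the list of "strange" directories is an assumption to be tuned per environment.

```python
"""Added example (not from the Endgame deck): endpoint stacking over a
constructed fleet inventory.

An autorun entry present on one host out of hundreds, or an executable whose
hash differs from every other copy of the same image path, is a hunt lead;
an entry present everywhere is almost certainly the gold image.
"""
from collections import defaultdict

HOSTS = [f"ws-{i:03d}" for i in range(1, 7)]

# Constructed baseline: every host persists the same two entries
BASELINE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Program Files\Vendor\agent.exe"),
    (r"HKLM\System\CurrentControlSet\Services\Schedule",
     r"C:\Windows\System32\svchost.exe"),
]
# Constructed outlier: a per-user Run key pointing into AppData on one host
SUSPECT_AUTORUN = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   r"C:\Users\jdoe\AppData\Roaming\update.exe")

AUTORUNS = {h: list(BASELINE_AUTORUNS) for h in HOSTS}
AUTORUNS["ws-004"].append(SUSPECT_AUTORUN)

# Constructed process inventory: host -> [(image path, digest)].
# Digests are placeholder strings, not real hashes.
GOLD_SVCHOST, SUSPECT_HASH = "digest-svchost-goldimage", "digest-svchost-unknown"
PROCESSES = {h: [(r"C:\Windows\System32\svchost.exe", GOLD_SVCHOST),
                 (r"C:\Program Files\Vendor\agent.exe", "digest-agent-goldimage")]
             for h in HOSTS}
PROCESSES["ws-004"][0] = (r"C:\Windows\System32\svchost.exe", SUSPECT_HASH)

# Assumed "strange" persistence directories; tune per environment
STRANGE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\$recycle.bin\\")


def stack_autoruns(autoruns, max_hosts=2):
    """Return {(location, image): [hosts]} for entries on <= max_hosts hosts."""
    hosts_by_entry = defaultdict(set)
    for host, entries in autoruns.items():
        for entry in entries:
            hosts_by_entry[entry].add(host)
    return {e: sorted(h) for e, h in hosts_by_entry.items() if len(h) <= max_hosts}


def strange_location(image):
    """True if the image path lives in a directory users can write to."""
    p = image.lower()
    return any(d in p for d in STRANGE_DIRS)


def hash_outliers(processes):
    """For each image path with disagreeing digests, report the minority ones.

    Returns {(image, digest): [hosts]} for every digest that is not the
    majority digest for that path.
    """
    by_image = defaultdict(lambda: defaultdict(set))  # image -> digest -> hosts
    for host, procs in processes.items():
        for image, digest in procs:
            by_image[image][digest].add(host)
    outliers = {}
    for image, by_digest in by_image.items():
        if len(by_digest) < 2:
            continue
        majority = max(by_digest.values(), key=len)
        for digest, hosts in by_digest.items():
            if hosts is not majority:
                outliers[(image, digest)] = sorted(hosts)
    return outliers


def hunt_report(autoruns, processes, max_hosts=2):
    """Combine both stacks into (finding, image, hosts) tuples for triage."""
    findings = []
    for (_, image), hosts in stack_autoruns(autoruns, max_hosts).items():
        tag = "rare_autorun" + ("+strange_location" if strange_location(image) else "")
        findings.append((tag, image, hosts))
    for (image, _), hosts in hash_outliers(processes).items():
        findings.append(("hash_mismatch", image, hosts))
    return findings


if __name__ == "__main__":
    for finding in hunt_report(AUTORUNS, PROCESSES):
        print(finding)
```

Both leads land on ws-004: a persistence entry nobody else has, in a user-writable directory, and a copy of svchost.exe whose digest matches no other host. Neither check needed an IOC, which is the point of the slide; the same stacking works for loaded modules, scheduled tasks or services once the inventory is collected.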
Benefits of Hunt
• Reduce dwell time before discovery
• Reduced costs
– Shorter dwell time usually means reduced incident complexity
– Shorter dwell time usually means less loss or damage
• Break the cycle of reactivity
• Build new security muscle memory
– Through continuous hunting, one gains the ability to see and react to patterns and anomalies
"Organizations that proactively work to discover incidents — 'hunt' for them — have a better chance of finding them and effectively reducing their impact" (Gartner, 2016)
Hunt and Incident Response
• Very similar methods and skills required
• Similar tools and techniques
• Different starting point
– Hunt: assume breach and find it
– IR: known (or suspected) penetration
• Steps after discovery are remarkably similar
• Don't wait for the incident. Go find it.
– IR teams can be the hunters
– So, consider hunting
Hunt Challenges and Solutions

Challenge                                          Solution
Lack of resources                                  Start with free tools (Hunting on the Cheap)
Difficulty hiring skilled hunters; lack of time    Automate analysis; generate detections based on hunt techniques
Drowning in data                                   Data science and machine learning; start small and limited in scope
Tipping off the adversary                          Stealth tools and techniques

To hunt effectively, consistently, and at scale in any organization, you need a platform that augments and assists your team
Endgame Advantages
• Multi-Mode Operation: built-in options for discovery, on-demand deployment, and persistence
• Stealth: prevents adversary disruption and evasion
• IOC-Independent Detection: detect never-before-seen and unique attacks
• Tailored & Surgical Response: thread-level response prevents disruption of normal business
• Automation: empowers Tier 1 & 2 analysts and minimizes time to remediation
• Intelligent Collection: real-time, automated answers to critical questions
Summary
• The current detection and IR cycle doesn't work
• Transform the IR cycle into a Hunt cycle
• Start hunting now
• Automate, automate, automate
Stop by the Endgame table for a demo!