Launching Threat Hunting From Almost Nothing PDF
2018.09.06-09.07
Wayne Gretzky “The Great One”, the greatest hockey player ever
Threat Hunting Techniques
Threat Hunter
Security Operations in the enterprise
SANS Threat Hunting & IR Summit 2018
Why I am here today
https://sqrrl.com/media/Framework-for-Threat-Hunting-Whitepaper.pdf
Qualities of a threat hunter:
- “Communicative”
- “Collaborative”
- “Creative”
- “Threat Awareness”
- “Critical thinker”
- “Business knowledge”
Source: https://searchcio.techtarget.com/definition/threat-hunter-cybersecurity-threat-analyst
Hunting Maturity Model (HMM) levels: 0 INITIAL, 1 MINIMAL, 2 PROCEDURAL, 3 INNOVATIVE
https://sqrrl.com/the-threat-hunting-reference-model-part-1-measuring-hunting-maturity/
CSIRT structure at NEC:
- CSIRT Manager
- Incident Response Team
- Threat Research Team
- SOC Team
- Protection Operation Team
- Malware Analysis Team
NEC group: ca. 110,000 employees, ca. 190,000 devices
Tools and inputs per team:
- SOC Team: Alerting System (IDS), Report from employee
- Protection Operation Team: Perimeter defense (Proxy, FW), Network Isolation (SDN), Patch Management System (NCSP), Information Sharing / Enlightenment
  *NCSP: NEC Cyber Security Platform
- Incident Response Team: Forensic Tool, Log Management
- Malware Analysis Team: Malware Analysis Tool, Malware DB
- Threat Research Team: Security Vendors, Commercial Threat Feeds / Report, Community, Threat Intelligence Platform (TIP)
Hunting Stack: Searching, Clustering, Grouping, Counting
https://sqrrl.com/media/ebook-web.pdf
IOC searches: Indicators {IP address, URL} matched against Proxy log {IP address, URL}
Result: 0 (zero) matched. ???
Let’s confirm the definition, again: “Threat Hunting is the PROCESS”
IOC searches: Indicators {IP address, URL} vs. Proxy log {IP address, URL} → 0 matched
PROCESS or TECHNIQUE?
Building Threat Hunting Operations
Hunting Stack Procedures: Searching, Clustering, Grouping, Counting
Challenge 1: “for what?” and “so what?”
Challenge 2: “workable operations”
Hunting loop: UNCOVER New Patterns & TTP’s
https://sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop/
Challenge 1 (“for what?” and “so what?”):
- Threat Research
Challenge 2 (“workable operations”):
- Experiment
- Find “how” and “query”
- Working (Yes/No)
- Troubleshoot
https://www.first.org/resources/papers/conf2017/Building-a-Threat-Hunting-Framework-for-the-Enterprise.pdf
Incident Response Team / SOC Team / Threat Hunting Team
Patterning sample (every value shown has been replaced; none is the original):
http://www.xxx.com/{path1/path2/path3/xxx.html}?emexg=3YXMgc2FtcGxlMS4gVGhhdCB3YXMgc2FtcGxlMyFtcGxlMS4gVG
http://www.xxx.com/{path1/path2/path3/xxx.html}?eprinuf=a29yZWhhIHNhbXBsZSBkZXN1MS4hhIHNhbXBBkZXN1Mi4ga29yZW
Variable parts: Host name, Parameter (name and value)
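The following is an added example, not code from the deck or from NEC. It runs the Hunting Stack (Searching, Grouping, Counting) over a constructed proxy log of the kind shown above: the plain IOC search returns the same “0 matched” the earlier slide describes, while patterning the URLs (same host and path, a one-off parameter name, a base64-looking value) groups three requests from two clients into one pattern. The log lines, the IOC list and the two heuristics (a parameter name seen only once becomes `<rare-name>`, a base64-alphabet value of 16+ characters becomes `<b64-blob>`) are assumptions for the demonstration; the first two URLs reuse the deck’s already-replaced sample values.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log, "timestamp src_ip dst_ip url"; not taken from the deck.
# The first two URLs copy the deck's patterning sample (values already replaced there),
# the third follows the same shape, the rest are benign filler.
PROXY_LOG = """\
2018-09-06T10:00:01 10.1.2.3 203.0.113.10 http://www.xxx.com/path1/path2/path3/xxx.html?emexg=3YXMgc2FtcGxlMS4gVGhhdCB3YXMgc2FtcGxlMyFtcGxlMS4gVG
2018-09-06T10:05:12 10.1.2.4 203.0.113.10 http://www.xxx.com/path1/path2/path3/xxx.html?eprinuf=a29yZWhhIHNhbXBsZSBkZXN1MS4hhIHNhbXBBkZXN1Mi4ga29yZW
2018-09-06T10:07:45 10.1.2.3 203.0.113.10 http://www.xxx.com/path1/path2/path3/xxx.html?qwzrta=c2FtcGxlIHRocmVlIGZvciB0aGUgZGVtbyBvZiBwYXR0ZXJuaW5n
2018-09-06T10:09:00 10.1.2.5 198.51.100.7 http://www.example.net/index.html
2018-09-06T10:10:30 10.1.2.6 198.51.100.8 http://cdn.example.org/assets/app.js?v=3
2018-09-06T10:11:02 10.1.2.7 198.51.100.8 http://cdn.example.org/assets/app.js?v=4
"""

# Constructed (hypothetical) indicator list; nothing in it appears in the log above.
IOCS = {"ip": {"192.0.2.44"}, "url": {"http://bad.example.com/drop.php"}}

# Heuristic (assumption): a value made only of the base64 alphabet, 16+ chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_proxy_log(text):
    """Split the log into dicts; the URL is everything after the third field."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, url = line.split(maxsplit=3)
            rows.append({"ts": ts, "src": src, "dst": dst, "url": url})
    return rows


def ioc_search(rows, iocs):
    """Searching: exact match of destination IP or full URL against the indicator lists."""
    return [r for r in rows if r["dst"] in iocs["ip"] or r["url"] in iocs["url"]]


def query_params(url):
    """Raw (name, '=', value) triples. Split by hand instead of parse_qsl so '+' in base64 survives."""
    query = urlsplit(url).query
    return [kv.partition("=") for kv in query.split("&")] if query else []


def url_pattern(url, name_freq):
    """Patterning: keep scheme, host and path; abstract the variable query parts.
    A parameter name seen only once in the whole data set becomes <rare-name>,
    a base64-looking value becomes <b64-blob>; everything else is kept literally."""
    u = urlsplit(url)
    parts = []
    for name, _, value in query_params(url):
        n = "<rare-name>" if name_freq[name] == 1 else name
        v = "<b64-blob>" if B64_RE.match(value) else value
        parts.append(f"{n}={v}")
    base = f"{u.scheme}://{u.netloc}{u.path}"
    return base + ("?" + "&".join(parts) if parts else "")


def group_and_count(rows):
    """Grouping + Counting: collapse URLs into patterns, count hits and distinct hosts per pattern."""
    name_freq = Counter(name for r in rows for name, _, _ in query_params(r["url"]))
    groups = defaultdict(lambda: {"hits": 0, "src": set(), "dst": set()})
    for r in rows:
        g = groups[url_pattern(r["url"], name_freq)]
        g["hits"] += 1
        g["src"].add(r["src"])
        g["dst"].add(r["dst"])
    return {p: {"hits": g["hits"], "sources": len(g["src"]), "dests": sorted(g["dst"])}
            for p, g in groups.items()}


def hunt(text, iocs):
    """Run the stack over the log: IOC search first, then pattern groups ranked by hit count."""
    rows = parse_proxy_log(text)
    ranked = sorted(group_and_count(rows).items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return {"ioc_matches": len(ioc_search(rows, iocs)), "patterns": ranked}


if __name__ == "__main__":
    result = hunt(PROXY_LOG, IOCS)
    print("IOC matches:", result["ioc_matches"])
    for pattern, stats in result["patterns"]:
        print(f"{stats['hits']:>3} hits / {stats['sources']} sources  {pattern}")
```

The ranking is what turns a technique into a step of the process: the IOC search answers “is this known bad here?” (no), while the pattern with the most hits across several clients and a single destination is the candidate the hunter investigates next. The rare-name and base64 rules are deliberately crude; in production they would be tuned against baseline traffic, since legitimate applications also use one-off parameter names.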
Threat hunting system components per team:
- Threat Hunting Team: Asset Directory DB, Internal System (Observed & Analysis) DB, Internal CTI DB (STIX), Hunting Scenario System
- Hunting Operation Team: Log Analysis & Dashboard, EDR / NCSP, User Inquiry System
- Incident Response Team: Forensic Tool, Log Management, Threat Intelligence Platform (TIP), Threat Analysis System
Threat Hunting System Architecture Overview (figure: Hunting Operation Team, Incident Response Team, User Inquiry System)
Threat Hunting Operations Framework
Values of Hunting Operations
1. Look for uncovered or ongoing threats that evade existing security solutions, and mitigate and remediate them as soon as possible.
2. Look for detection logic, such as a signature or detection rule, that detects the uncovered threat, and apply it to existing security solutions to close detection gaps.
3. Close the attack surface as part of hardening activities, together with the Red team, to enhance the current security posture.
Threat Hunting Operations Framework
Hunting Team’s Objective Statement:
- Value 1: Look for uncovered threat
- Value 2: Look for detection logic
- Value 3: Close attack surface as hardening
Trailhead → Trailblazing
Hunting Stack Procedures (Searching, Clustering, Grouping, Counting), applied to each objective 1/2/3 as procedures A/B/C
Hunting process levels:
- Level 0 ADHOC
- Level 1 DEFINE: define your standard hunting process
- Level 2 FOLLOW: managed and defined
HMM: 0 INITIAL, 1 MINIMAL, 2 PROCEDURAL, 3 INNOVATIVE, 4 LEADING
Conclusion