
Workshop on

Threat Hunting
THE MINDSET OF A CYBER THREAT HUNTER

Shomiron DAS GUPTA - Founder, CEO


NETMONASTERY Inc.

© Copyright 2017 NETMONASTERY Inc


Photo by Quentin Dr on Unsplash
Agenda
NEXT 80 MINS

■ Threat Hunting - and what does that mean?


■ The process - planning, execution and follow through
■ Tools and techniques
■ Resources - where do we continue to learn from
■ Case 1 - DNS Tunneling
■ Case 2 - Webshells



So, What is Threat Hunting?
QUICK INTRO TO MY VERSION

It’s the Continual Improvement process we have been waiting for!

■ Improvement in the state of awareness

■ Improvement in detection capability

■ Improvement in response and process

■ Improvement in collaborative threat intelligence



So, What is Threat Hunting?
QUICK INTRO TO MY VERSION
[Diagram: THREAT FEEDS, LOOKUP SERVICES, EVENTS and ANALYSTS feed a BIG DATA ANALYTICS ENGINE, a CORRELATED RULES SIEM and ACTIVE THREATS / IOCs, with the THREAT HUNTER in the loop: "A Continuously Learning and Adapting Cyber Security Operations Center"]
We all hear about it
THIS IS WHERE IT STARTS

HOW IT WORKS

WHAT TO LOOK FOR


Building the Hunt Plan
THE CHECKLIST FOR THE HUNT

NEW FILE EVERY WEEK

Build a weekly hunt plan, include:
1. Detection techniques
2. Indicators
3. Response guides

Execute the hunt:
1. Look for indicators
2. Look for symptoms

Respond and learn from the exercise... repeat
But, how does it work exactly!
PLAN, EXECUTE AND FOLLOW THROUGH

HUNTER PROCESS            SOC OPS
Monitor external feeds    Understand threats
Look for local symptoms   React - FP filtering
Hunt for indicators       Respond
Build content             Resolve
Write process             Metrics improvement
Handover and review       Case retirement
Tools and Resources
WHAT DO YOU NEED TO GET STARTED

1. Threat intelligence feeds - start with open source / think strategic paid feeds -
   Symantec, McAfee, Team Cymru, FireEye iSIGHT, CriticalStack, SeQtree (INDIA)
2. Lookup sources - ThreatCrowd, VirusTotal, passive DNS (PDNS), WHOIS, GeoIntel,
   DomainTools, Intel 471, CrowdStrike, PhishMe, Recorded Future
3. Access to threat intelligence platforms viz. AlienVault OTX, ThreatConnect,
   Anomali, CERT-In, regional / sectoral CERTs
4. Tracking of developing standards - CAPEC, MITRE ATT&CK, ThreatHunter-Playbook
5. Analytics platforms that integrate viz. Splunk, ELK, DNIF (INDIA)



CASE 1
HUNTING FOR AN
EXFIL SOURCE

We found our data being sold
THE SELLER PROMISED MORE RECORDS

Questions from the customer -

1. Is the exfil still on?


2. If yes - find out how
3. Which systems were compromised

We only have firewall data for the last 3 months


The Context, key Questions
INITIAL THOUGHTS



POSSIBLE EXFIL SOURCES
HUNTING PLAN

So how did we learn about DNS exfiltration?


Running a Profiler
IDENTIFY NORMAL ACTIVITY

1. Index data from the past


2. Run a baseline / profile / link map on outbound DNS requests
3. Identify outliers with outbound baselining
4. Sample of hunting from that point on ….. DEMO
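A worked version of steps 2 and 3, added here as an illustration; it is not code from the deck or from DNIF. It builds a per-domain baseline from constructed outbound DNS log lines (source IP and query name) and flags domains whose subdomains churn on every query and look random, which is the shape DNS tunnelling takes. The two-label registered-domain split and the thresholds in find_outliers are assumptions chosen for the sample, not values from the talk.

```python
"""Baseline outbound DNS per registered domain and flag tunnelling-shaped outliers."""
import math
from collections import defaultdict

# Constructed sample of outbound DNS queries ("src_ip qname"), not taken from the deck.
# 10.1.1.9 is the planted tunnel: every query carries a fresh, random-looking label.
SAMPLE_DNS_LOG = """\
10.1.1.5 www.example.com
10.1.1.5 mail.example.com
10.1.1.6 www.example.com
10.1.1.6 cdn.example.net
10.1.1.7 api.example.net
10.1.1.7 www.example.com
10.1.1.9 a3f9c2e1b7d4.tunnel-host.test
10.1.1.9 9e2b7c1d4f0a.tunnel-host.test
10.1.1.9 c4d1e8f2a6b9.tunnel-host.test
10.1.1.9 7b0e3a9c5d2f.tunnel-host.test
10.1.1.9 e1f5a2c8d3b7.tunnel-host.test
10.1.1.9 2c8d7e4f1a9b.tunnel-host.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 'www' scores 0, a 12-char label of distinct hex digits log2(12)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain). Assumption: the last two labels are the
    registered domain; a real hunt would use a public-suffix list for co.uk-style names."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_dns(log_text: str) -> dict:
    """Per-domain baseline: query volume, client count, subdomain churn, label entropy/length."""
    raw = defaultdict(lambda: {"queries": 0, "clients": set(), "subdomains": set(),
                               "entropy_sum": 0.0, "len_sum": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qname = line.split()
        domain, sub = split_name(qname)
        r = raw[domain]
        r["queries"] += 1
        r["clients"].add(src)
        r["subdomains"].add(sub)
        r["entropy_sum"] += shannon_entropy(sub)
        r["len_sum"] += len(sub)
    profile = {}
    for domain, r in raw.items():
        q = r["queries"]
        profile[domain] = {
            "queries": q,
            "clients": len(r["clients"]),
            "unique_subdomain_ratio": len(r["subdomains"]) / q,
            "mean_subdomain_entropy": r["entropy_sum"] / q,
            "mean_subdomain_len": r["len_sum"] / q,
        }
    return profile


def find_outliers(profile: dict, min_queries: int = 5, min_unique_ratio: float = 0.8,
                  min_entropy: float = 3.0) -> list:
    """Domains where almost every query carries a new, high-entropy subdomain. The
    thresholds are assumptions for the sample; tune them against your own baseline."""
    return sorted(
        d for d, f in profile.items()
        if f["queries"] >= min_queries
        and f["unique_subdomain_ratio"] >= min_unique_ratio
        and f["mean_subdomain_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    prof = profile_dns(SAMPLE_DNS_LOG)
    for domain, feats in sorted(prof.items()):
        print(domain, feats)
    print("outliers:", find_outliers(prof))
```

The min_queries floor matters: a domain queried twice with two different subdomains (example.net in the sample) has a unique-subdomain ratio of 1.0 but is not a tunnel, so volume has to be part of the baseline, not just the ratio. In a real environment the profile is built over the historical index first and the thresholds are set from the distribution of benign domains, then applied to new data.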



Some Takeaways
WHAT DID WE LEARN

Hunting is not easy, clearly

You need a firm grip on / understanding of the space

Hunting is long and winding - 18 queries on average to prove a hypothesis

Log data is critical; you can't work in a straitjacketed environment


CASE 2
HUNTING FOR A
MALWARE CALLBACK

SOAR Capabilities
THROUGH AN EXAMPLE



Machine Learning
with Analytics
BIG DATA ANALYTICS AND ITS USE IN CYBER SECURITY

Shomiron DAS GUPTA - Founder, CEO


NETMONASTERY Inc.

Photo by Viktor Jakovlev on Unsplash
Agenda Items
NEXT 60 MINS

1. 2 lines on analytics
2. How the bot functions - a part of it
3. Real life scenario
4. Technique of detection (now called hunting)
5. Why is it impossible to do without analytics
6. Repeat steps 2 to 5, five times


Tools of This Trade
PERSPECTIVE SLIDE

BIG DATA ANALYTICS FOR CYBER SECURITY



SIEM v/s BDA
BIG DATA ANALYTICS

Compared on: SPEED, SCALE, INTEGRATION, ANALYTICS, SOAR

SIEM: MF ArcSight, IBM QRadar, Intel NitroSecurity
BDA: Splunk, ELK, DNIF


Detecting Botnets with
Machine Learning

DELIVERY - PHISHING
An Attractive Phishing Target
FOLLOWING EMAILS, DISCOVER CAMPAIGNS

1. Email analyzer reports an email
2. Sentiment is "luring" - 620 hits / day
3. It's a one-on-one conversation
4. Explore outbound links
5. Hits a bulletproof hosting provider
6. Downloads an exploit kit

■ DID SOMEONE CLICK
  Web proxy logs - look for outbounds
  Software installs + OSINT
■ NEW FOUND MODEL
  Model on luring + bulletproof + download + OSINT / AV quarantine
■ Regression on past 3 months - 13 hits across 3 individuals


INSTALLATION - OUTBREAK
Outbreak - Home of the Zero Day
IN AND OUT TRAFFIC SPIKES, NO HITS REPORTED

1. Switches are choking up; 50 mins later everything is back to normal - can't recreate the scenario
2. Analyze - bump in outbound tcp/25
3. Looking for installs, clueless moment!
4. NSA leak - EternalBlue
5. Exploit kit match

■ LOOKBACK
  Intel match - IP, FILENAME, HASH
  Software installs
■ NEW FOUND PROFILE
  Profile on HASH + PE strings + FILENAME / HASH
■ Run profiler on the new packages in the last 6 months - 3 unique *wares, total 49 infections
COMMAND AND CONTROL - PING BACK
Finding the Controller in Us
HUNTING FOR A C&C IN A DATACENTER

1. Several C&Cs have been found
2. Mirai variants - SSH brute force
3. Dissimilar known patterns, but HTTP
4. DC-wide scan of web endpoints
5. Large volume of endpoint aggregations
6. Inbound URLs with similar variables
7. Model to analyze aggregations of URLs

■ AGGREGATIONS
  Aggregate unique URLs - variables
  Web endpoint scan for hosts
■ RELEARN URL PATTERNS
  Regression model - variables used + endpoint hit count / hr + string length of data points
■ Run the model daily - found an average of 12 new C&Cs / month
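The aggregation and "relearn" steps of the C&C case, as an added example that is not code from the deck or from DNIF. It reduces each inbound URL to a signature of endpoint name plus sorted variable names (values dropped, so bots with different ids and commands collapse into one pattern), aggregates hit count per hour, distinct clients and value string length per (server, signature), learns the signatures served by already-known C&C hosts, and reports other hosts in the datacenter serving the same signature. The log format, the server addresses and the known-C&C seed are constructed for the example.

```python
"""Aggregate inbound URLs by parameter signature and relearn C&C patterns from known hosts."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed datacenter web log ("time client server path?query"), not from the deck.
# 203.0.113.5 is the C&C already known; 203.0.113.9 serves the same gate under another path.
SAMPLE_WEB_LOG = """\
2017-06-01T10:00:01 198.51.100.10 203.0.113.5 /gate.php?id=1a2b&cmd=ping
2017-06-01T10:00:07 198.51.100.11 203.0.113.5 /gate.php?id=9f8e&cmd=ping
2017-06-01T10:00:09 198.51.100.12 203.0.113.5 /gate.php?id=77aa&cmd=update
2017-06-01T10:01:30 198.51.100.13 203.0.113.9 /panel/gate.php?id=c0de&cmd=ping
2017-06-01T10:02:00 198.51.100.14 203.0.113.9 /panel/gate.php?id=b33f&cmd=ping
2017-06-01T10:05:00 192.0.2.20 203.0.113.7 /index.html
2017-06-01T10:06:00 192.0.2.21 203.0.113.7 /search?q=price&page=2
2017-06-01T11:06:00 192.0.2.21 203.0.113.7 /search?q=laptop&page=1
"""
KNOWN_CNC_HOSTS = {"203.0.113.5"}  # assumption: seed from the C&Cs found earlier in the case


def url_signature(path_query: str) -> str:
    """Reduce a URL to endpoint name + sorted variable names, e.g. 'gate.php?cmd,id'."""
    parts = urlsplit(path_query)
    endpoint = parts.path.rsplit("/", 1)[-1] or "/"
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return endpoint + "?" + ",".join(names)


def aggregate(log_text: str) -> dict:
    """Per (server, signature): hit count, distinct clients, active hours, value lengths."""
    agg = defaultdict(lambda: {"hits": 0, "clients": set(), "hours": set(), "value_lens": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server, path_query = line.split()
        a = agg[(server, url_signature(path_query))]
        a["hits"] += 1
        a["clients"].add(client)
        a["hours"].add(ts[:13])  # YYYY-MM-DDTHH bucket, used for hits per hour
        a["value_lens"].extend(len(v) for _, v in
                               parse_qsl(urlsplit(path_query).query, keep_blank_values=True))
    return agg


def find_new_cnc(agg: dict, known_hosts: set) -> dict:
    """Learn signatures from known C&C hosts, then report other hosts serving them
    together with the features the slide's model uses."""
    learned = {sig for (host, sig) in agg if host in known_hosts}
    found = {}
    for (host, sig), a in agg.items():
        if host in known_hosts or sig not in learned:
            continue
        lens = a["value_lens"]
        found[host] = {
            "signature": sig,
            "hits_per_hour": a["hits"] / len(a["hours"]),
            "distinct_clients": len(a["clients"]),
            "mean_value_len": sum(lens) / len(lens) if lens else 0.0,
        }
    return found


if __name__ == "__main__":
    for host, feats in find_new_cnc(aggregate(SAMPLE_WEB_LOG), KNOWN_CNC_HOSTS).items():
        print(host, feats)
```

Matching on the signature alone is the first pass; the hits-per-hour, distinct-client and value-length features are what you feed the daily model with so that a legitimate API that happens to use the same variable names does not get reported every run.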
DELIVERY - INFECTION - DRIVE-BY DOWNLOAD
Flow Analytics or Packets (even worse)
LOOKING FOR SYMPTOMS ON THE WIRE

1. Broadband provider - dropping repute, high # of infections reported
2. Looking for download sites
3. Available model for detecting delivery centers using network packets
4. SIEM breaks under flow data
5. Real-time packet analysis is far from possible

■ PICKING DOWNLOAD SITES
  Complex model - # of out calls + consistency of download size + variation in calls to host + regression
■ CHALLENGE
  Run this model over real-time flow data or packet samples


ACTIONS ON OBJECTIVES - EXFIL
Threat Intel MATCH!
LOOKING BACK IN TIME, FINDING A DORMANT VIRUS

1. AV detects a file virus; it soon turns out to be an outbreak on 30% of hosts
2. First instance 4 months back
3. Cold trail - similar variant but no clues
4. VT match triage with a domain
5. Exfil packets detected on the domain
6. Domains were being switched

■ SEARCH
  Outbound packets from known infected sources
■ MODEL BUILD
  Complex regression on the DGA (relearnt) - days active, known registrar, availability + frequency of outbounds + variance of domains


Automation

Cyber Threat Hunting
The what and the why

■ Constant "churn" of events in the cyber space
■ Burden of a static rule set in a dynamic world
■ Overload of information pouring out of the fire hose

"Actively going out to hunt for a security breach or a symptom of attack or vectors of the latest threat"

Constant stress about -
What is it that we do not know?
Did we miss something important?
Do we have a false negative?
Daily / Weekly / Monthly


Outcome of Threat Hunting
What to expect from a threat hunting exercise

Cyber Threat Hunting - Typical Expectations
■ New rules for the SIEM
■ Validation procedures
■ Response process
■ SOC training / upgrade
■ Posture review


Sample Threat Hunting
The sequence of events...

Looking for inbound infections (C&C, infected downloads) - maybe malware

Get outbound access from proxy with threat intel hits -- last 10 days
Wow - we have 12k hits, need to narrow down

Get only the ones with allowed access - ignore the denied (safe) -- last 10 days
Yikes - we still have 4k hits, have to pull it down further

Let's look for the ones with file downloads only -- last 10 days
OK - we have 6 hits... good place to start

Let's check if these were picked up by the AV -- lookups


Sample Threat Hunting... contd.
The sequence of events...

Damn - I have no matches on the AV, look somewhere else

Look for file / content / hash match on VirusTotal -- lookup
I have one confirmed match - yay, where did this come from?

Look for failures - share, auth etc. -- X minus 60 days

14 queries later...

Bingo - it was a spoofed email from the team lead - clicked... infected
Now - let's figure out how to automate detection for this -- process update
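The narrowing sequence on the two slides above, turned into one repeatable funnel as an added example (not code from the deck or from DNIF): proxy records with a threat-intel hit, then only allowed ones, then only file downloads, then those the AV did not catch, then those a VirusTotal-style hash lookup confirms. The proxy records, the intel domain list, the AV detection set and the VT positives are constructed stand-ins; the record fields and the download content types are assumptions about what a proxy logs.

```python
"""Hunt funnel from the slides: intel hits -> allowed -> file downloads -> AV miss -> VT match."""
from urllib.parse import urlsplit

# Constructed proxy records, not from the deck. sha256 is the body hash the proxy logged
# for downloaded files (None for page views); the hash values are placeholders.
SAMPLE_PROXY_LOG = [
    {"ts": "2017-05-01T09:00:00", "src": "10.2.0.11", "action": "ALLOW",
     "url": "http://cdn.good.example/lib.js", "ctype": "application/javascript", "sha256": None},
    {"ts": "2017-05-01T09:01:00", "src": "10.2.0.12", "action": "DENY",
     "url": "http://bad-one.test/landing", "ctype": "text/html", "sha256": None},
    {"ts": "2017-05-01T09:02:00", "src": "10.2.0.12", "action": "ALLOW",
     "url": "http://bad-one.test/landing", "ctype": "text/html", "sha256": None},
    {"ts": "2017-05-01T09:02:30", "src": "10.2.0.12", "action": "ALLOW",
     "url": "http://bad-one.test/update.exe", "ctype": "application/octet-stream", "sha256": "h1"},
    {"ts": "2017-05-01T09:10:00", "src": "10.2.0.13", "action": "ALLOW",
     "url": "http://bad-two.test/doc.pdf", "ctype": "application/pdf", "sha256": "h2"},
    {"ts": "2017-05-01T09:11:00", "src": "10.2.0.14", "action": "ALLOW",
     "url": "http://bad-two.test/", "ctype": "text/html", "sha256": None},
    {"ts": "2017-05-01T09:12:00", "src": "10.2.0.15", "action": "DENY",
     "url": "http://bad-two.test/x.zip", "ctype": "application/zip", "sha256": None},
    {"ts": "2017-05-01T09:20:00", "src": "10.2.0.16", "action": "ALLOW",
     "url": "http://files.good.example/report.pdf", "ctype": "application/pdf", "sha256": "h3"},
]

# Constructed stand-ins for the intel feed, the AV console and the VirusTotal lookup.
INTEL_DOMAINS = {"bad-one.test", "bad-two.test"}
AV_DETECTIONS = {"h2"}                         # hashes the endpoint AV already quarantined
VT_POSITIVES = {"h1": 23, "h2": 41, "h3": 0}   # number of engines flagging each hash
DOWNLOAD_TYPES = {"application/octet-stream", "application/pdf", "application/zip",
                  "application/x-msdownload"}  # assumption: what counts as a file download


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def run_funnel(records, intel_domains=INTEL_DOMAINS, av_detections=AV_DETECTIONS,
               vt_positives=VT_POSITIVES, min_vt_positives=5):
    """Apply the slides' narrowing steps in order; return per-stage counts and the survivors."""
    stages = []
    current = [r for r in records if host_of(r["url"]) in intel_domains]
    stages.append(("threat intel hits", len(current)))
    current = [r for r in current if r["action"] == "ALLOW"]
    stages.append(("allowed by proxy", len(current)))
    current = [r for r in current if r["ctype"] in DOWNLOAD_TYPES and r["sha256"]]
    stages.append(("file downloads", len(current)))
    current = [r for r in current if r["sha256"] not in av_detections]
    stages.append(("not caught by AV", len(current)))
    confirmed = [r for r in current if vt_positives.get(r["sha256"], 0) >= min_vt_positives]
    stages.append(("confirmed by VT", len(confirmed)))
    return stages, confirmed


if __name__ == "__main__":
    stages, confirmed = run_funnel(SAMPLE_PROXY_LOG)
    for name, count in stages:
        print(f"{name:<20} {count}")
    for r in confirmed:
        print("pivot on", r["src"], "from", r["ts"], "->", r["url"])
```

The survivors give you the source host and timestamp to pivot from (the "X minus 60 days" search for share and auth failures on the next slide). Note that the funnel drops denied requests as the slide does, but a denied request to an intel-listed host still says that host tried; keep that count as a separate line rather than discarding it.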



Tools / Resources
What do we need

TOOLS
Avg 231 queries in a hunting session
2.47s avg response time per query
Equals = lost thought for the analyst
Equals = death of your logger

RESOURCES
Outsourced resource - partner
3 - 5 hrs of hunting per week
Handoff meetings with the SOC
Training of operations staff

SOAR to the rescue


Phases of SOAR
THREE KEY PARTS

Enrichment - GeoData, Threat Intelligence, Local Context

Validation - Third Party Validators (Symantec / VirusTotal), UEBA

Automation - Endpoint (Choke), Proxy, Firewall, Feedforward, ITMS



SOAR Capabilities
THROUGH AN EXAMPLE



Thank You
email: shom@dnif.it
