
Network Threat Hunter's Runbook


gartner

Presentation Transcript


  1. Network Threat Hunter's Runbook

  2. What We Will Cover
  • Building your threat hunting capability
  • Identify & document processes
  • Hands-on lab for next week

  3. Where do I even start?
  • Think about what "problems" you want to solve
    • Identify internal systems that are compromised
  • Solve the problem in smaller chunks
    • What should the architecture look like?
    • What hardware will you need?
    • What software will you need?
    • What processes should you use?

  4. Basic steps for deployment
  • Identify architecture
  • Source hardware
  • Select tools
  • Define process
  • Iterate
  • Automate
  • Iterate
  • Document

  5. Architecture
  • Need to see all traffic passing to the Internet
  • Capture in a format for later review
    • Pcaps
    • Zeek logs
    • A signature IDS is not a good fit
  • Need a way to automate the first pass
    • Hunting can be time consuming
    • Automation reduces the repetitive workload
    • Start manual, then automate

  6. A simple setup

  7. Dealing with special cases

  8. Proxies
  • Outbound traffic originates from the proxy
    • Makes identifying beacons a challenge
  • Transparent proxy
    • Monitor prior to the proxy
  • Non-transparent proxy
    • Data may not be useful
  • Monitor non-proxy traffic
    • Even if you think everything is proxied
    • IoT devices

  9. Can I work around special cases?
  • Example:
    • All DNS forwarded to external resolvers
    • This breaks detection of C2 over DNS
  • Possible solutions
    • Can I sniff traffic at the internal forwarders?
      • Ignore DNS from the forwarders at the perimeter
      • Review these captures separately
    • Can I log DNS queries/responses?
      • Can still be used for beacon detection
      • May lose visibility on external C2

  10. Server to sniff 1 Gbps
  • 1x Intel Xeon E5-2650 v4 2.2 GHz, 30M cache, 12C/24T
  • 8x 16 GB performance-optimized 2666 MT/s dual-rank RDIMMs
  • PERC H730 RAID controller with 1 GB NV cache (drives arranged as RAID 1)
  • 2x 960 GB SATA mixed-use SSDs (SM863a)
  • Intel I350 quad-port 1 Gb Ethernet network daughter card
  • Cost is $8,000 - $12,000 US

  11. Next, move on to software
  • Remember the threat hunting steps
    • Identify communication channels
    • Analyze the protocol
    • Identify the internal host
    • Scrutinize the reputation of the destination
    • Disposition
  • What tools will you be using for each?

  12. Example
  • Need to identify beacons and long connections
  • Zeek to record traffic
  • RITA to process Zeek logs
    • Will identify beacons
    • Will identify long connections
  • Shameless plug
    • AI-Hunter does this too, but with:
      • A graphical interface
      • More automation
      • Alerting
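As an added example (not code from the slides, Zeek or RITA), this is the kind of first-pass check RITA automates, written against a constructed Zeek conn.log excerpt: a beacon candidate is a source/destination/port triple whose connections start at nearly regular intervals, and a long connection is one whose duration crosses a threshold. The thresholds and the sample records are assumptions.

```python
# Added example (not the slides', Zeek's or RITA's code): a first manual pass
# over Zeek conn.log records that flags beacon-like and long connections.
import statistics
from collections import defaultdict

# Constructed conn.log excerpt (TSV; the #fields line names the columns).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1700000000.0\tC1\t10.0.0.5\t49152\t203.0.113.9\t443\ttcp\tssl\t0.5\t120\t300
1700000600.0\tC2\t10.0.0.5\t49153\t203.0.113.9\t443\ttcp\tssl\t0.5\t120\t300
1700001200.0\tC3\t10.0.0.5\t49154\t203.0.113.9\t443\ttcp\tssl\t0.4\t120\t300
1700001800.0\tC4\t10.0.0.5\t49155\t203.0.113.9\t443\ttcp\tssl\t0.5\t120\t300
1700000100.0\tC5\t10.0.0.7\t49200\t198.51.100.4\t22\ttcp\tssh\t43200.0\t5000\t9000
1700003000.0\tC6\t10.0.0.8\t49301\t192.0.2.10\t80\ttcp\t-\t-\t500\t2000
"""

def parse_conn_log(text):
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):     # skip #open/#close/#types
            records.append(dict(zip(fields, line.split("\t"))))
    return records

_num = lambda v: 0.0 if v == "-" else float(v)    # Zeek writes '-' for unset fields

def find_beacons(records, min_conns=4, max_cv=0.2):
    """Flag (src, dst, dst_port) whose start times are evenly spaced (low stdev/mean)."""
    starts = defaultdict(list)
    for r in records:
        starts[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(_num(r["ts"]))
    hits = {}
    for key, ts in starts.items():
        if len(ts) < min_conns:                  # too few samples to call a pattern
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:                            # duplicate timestamps, not timing
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = round(cv, 3)
    return hits

def find_long_connections(records, min_seconds=3600):
    """Return (src, dst, dst_port, duration) for connections open at least min_seconds."""
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], _num(r["duration"]))
            for r in records if _num(r["duration"]) >= min_seconds]
```

Real beacons add jitter, so the coefficient-of-variation cutoff is a starting point to tune against your own data, not a fixed rule.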

  13. Threat rating/weighting
  • Identifying the communication channel is your baseline threat activity
    • This generates the most weight in determining if an internal IP is a threat
  • Protocol analysis is a major modifier
  • Reputation is a minor modifier

  14. Whitelisting
  • You need a way to filter false positives
  • Benefits:
    • Reduces the workload
    • Reduces the noise
    • Saves time for other hunters
  • Example
    • Zeek is being used to collect data
    • Create a BPF filter that ignores false positives
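The DNS-forwarder case in slide 9 and the BPF whitelist in slide 14 are the same mechanism, so one added example (not the slides' own code) covers both: a whitelist of known-good flows rendered as a BPF expression for Zeek's capture filter (the -f option) and applied to already-parsed conn.log records. The addresses, whitelist entries and sample records are constructed.

```python
# Added example (not the slides' own code): one whitelist of known-good traffic
# that yields both a BPF capture filter (for zeek -f) and a post-capture filter
# over already-parsed conn.log records.
import ipaddress

# Constructed whitelist: two internal DNS forwarders and one destination that
# kept showing up as a false positive. Every entry carries its justification.
WHITELIST = [
    {"proto": "udp", "net": "10.0.0.53/32", "port": 53, "why": "internal DNS forwarder"},
    {"proto": "udp", "net": "10.0.0.54/32", "port": 53, "why": "internal DNS forwarder"},
    {"proto": "tcp", "net": "198.51.100.20/32", "port": 443, "why": "backup service"},
]

# Constructed records shaped like parsed Zeek conn.log rows.
SAMPLE_RECORDS = [
    {"id.orig_h": "10.0.0.53", "id.resp_h": "192.0.2.53", "id.resp_p": "53", "proto": "udp"},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.9", "id.resp_p": "443", "proto": "tcp"},
    {"id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20", "id.resp_p": "443", "proto": "tcp"},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.53", "id.resp_p": "53", "proto": "udp"},
]

def to_bpf(whitelist):
    """BPF expression that excludes every whitelisted flow at capture time.
    'net a.b.c.d/len' matches either endpoint, so a /32 behaves like 'host'."""
    clauses = ["({proto} and net {net} and port {port})".format(**e) for e in whitelist]
    return "not (" + " or ".join(clauses) + ")"

def is_whitelisted(record, whitelist):
    """True if the record's protocol, responder port and either endpoint match an entry."""
    hosts = [ipaddress.ip_address(record["id.orig_h"]),
             ipaddress.ip_address(record["id.resp_h"])]
    for e in whitelist:
        net = ipaddress.ip_network(e["net"])
        if (record["proto"] == e["proto"] and int(record["id.resp_p"]) == e["port"]
                and any(h in net for h in hosts)):
            return True
    return False

def split_records(records, whitelist):
    """Keep records to hunt; set whitelisted ones aside for their own review pass."""
    hunt, aside = [], []
    for r in records:
        (aside if is_whitelisted(r, whitelist) else hunt).append(r)
    return hunt, aside
```

The BPF form discards matching packets before Zeek ever sees them, while split_records keeps them, which is what makes the "review these captures separately" step from slide 9 possible; the last sample record (a workstation resolving DNS past the forwarders) stays in the hunt set either way.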

  15. What next?
  • Next step is protocol analysis
    • Can you build off of previous data?
    • Identify tools and process
  • Don't spend a lot of time on documentation
    • Yet…
    • Expect the process to iterate
    • Some tools/steps may change
  • Repeat for the remaining hunting steps

  16. Move on to process
  • Identify frequency
    • Daily? Weekly? Monthly?
  • Start manual
    • Does not scale, but easier to iterate
  • Once the process is vetted, automate
  • Goals:
    • Integration into existing SOC processes
    • Create a written runbook of steps
    • Simplify so junior analysts can run point

  17. A word on frequency
  • Bad guys will run wild until you catch them
  • How much risk can you absorb?
  • Ideal world - threat hunt every day
  • Real world - weekly or monthly
    • Pick a random day or two for review
    • Review the full 24 hours of each day

  18. Practice, practice, practice
  • Think you get the point ;-)

  19. Hands-on lab
  • Let's do a lab!
  • Pcap available at the URL below
    • Just over 3 GB in size
    • 24 hours worth of data
  • Pretend this is data collected from your net
  • Use this to start creating your process
    • Anything of interest in the file?
    • Show your results!
  https://drive.google.com/open?id=1f-ebgU4ZNID3I1ojrnMOxU9w3OxRB-nX

  20. Summary of what's in the file

  21. Wrap Up
  • Threat hunt the pcap for next week!
  • Questions?
  • Content feedback?
    • Please email: courses@activecountermeasures.com
