Agenda
• Introduction to Threat Hunting
• Security Automation
• Start the journey
• Use Cases: 1) Ingest fresh IoCs from Twitter 2) Reduce alert fatigue
• Conclusion

What is Threat Hunting?
“The process of searching through environments to detect advanced threats which evaded existing security solutions.”

Why do we hunt?
The hunting funnel distills raw telemetry (logs, alerts, events, notifications, warnings) down to the few things that need a response:
• Distillation: 1,000,000s of telemetry points
• Triage: 100s of items
• Investigation: 10s of leads
• Response: 1s of incidents

Types of Hunts
1. Intelligence-Driven (atomic indicators)
• Low-hanging fruit hunts
• Known threats
• Security controls bypass
2. TTP-Driven (behavioral & compound indicators)
• TTPs: tactics, techniques, procedures
• Methodologies used by advanced attackers
• Systematic approach for discovering unknowns
3. Anomaly-Driven (generic behaviors)
• Low-prevalence artifacts
• Outlier behaviors
• Unknown threat leads

Intelligence-Driven Threat Hunting
Internal collection (EDR events, firewall alerts, flow data, vulnerability scans, sandbox results, DNS logs, etc.) produces observations such as this firewall event:

    {
      "type": "firewall",
      "observables": [
        { "type": "ip", "value": "43.252.106.218" }
      ],
      "observed_time": { "start_time": "2022-07-15T20:01:27.368Z" }
    }

The observable is cross-referenced against threat intelligence (past intrusions, threat intelligence feeds, malware analysis, blogs, Twitter, etc.), which returns a verdict:

    {
      "observable": { "type": "ip", "value": "43.252.106.218" },
      "threat_rating": "Malicious",
      "priority": 95,
      "severity": "High",
      "tlp": "green",
      "timestamp": "2022-07-15T20:01:45.531Z",
      "confidence": "High"
    }

The verdict drives a course of action: block X, isolate Y, etc.

The Hunting Maturity Model (HMM)

Security Automation Risks
• Security no longer in focus
  • Busy coding
  • Maintaining infrastructure
• Secrets, keys, and tokens
  • How and where to store them securely
  • Shared credentials
  • Overly permissive
  • Key rotation/revocation
• Supply chain
  • Vulnerable library/dependency
• DevSecOps
  • Specialized skillset

Security Automation Tools

Map your journey
1. Document the procedure
2. Visualize the dataflow
3. Determine workflow categories

Document the procedure
Scenario: a new tweet has been posted with a fresh C2 domain.
1. Our SOC likes to review Twitter for observables.
2. L1 security analysts take the observables and enrich the data using threat intelligence.
3. If the threat rating is Malicious or Unknown, they search logs and events.
4. If requests were made to the C2 domain, an incident is created with the timestamp and hostname.
5. Our L1 analyst notifies the rest of the Security Operations team using chat-ops.
6. Senior security analysts investigate and determine the best course of action.

Visualize the dataflow
1. Retrieve the latest tweets from the #OPENDIR (or other) hashtag.
2. Parse and clean the tweets.
3. Observables in the tweet? If not, skip this tweet.
4. Enrich each observable using threat intelligence.
5. Threat rating Malicious or Unknown? If not, skip the observable.
6. Check for the observable in logs and events.
7. Sightings present? If not, skip the observable.
8. Create an incident.
9. Post the incident number and link in chat.

Workflow categories
Hunt / Correlate / Track
• Search for Indicators of Compromise (IoC) and check for related (security) events
• Correlate findings per device/user (e.g. hostname, AD username)
• Keep track of the number of events per target device/user
Document / Notify / Respond
• Document findings in the incident manager / ticketing system
• Send out a notification with a link to the doc via IM / email to the SOC
• Take response actions based on the severity of the incident (e.g. isolate device)

CISO: In these dark times, how does a security engineer automate Threat Hunting?
SOC: With strange magic, sorcery, and APIs

Conclusion
• Threat Hunting is about finding threats that evaded security solutions
• Threat Intelligence is about enriching data and making decisions
• Security Automation tools reduce risk and complexity

Thank you
GitHub: NetflowNinja
LinkedIn: towne-besel
towne.besel@gmail.com
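The procedure, dataflow and workflow categories from the "Map your journey" slides above, carried through end to end as a script. This is an added example, not code from the deck or its author. The tweets, threat-intel verdicts, log lines, ticket ids and ticket URL are all constructed stand-ins so that it runs offline; a real deployment would replace the lookup tables with the Twitter, threat-intelligence, SIEM and chat-ops APIs the deck refers to. The hashtag is the deck's own #OPENDIR example.

```python
"""Tweet-to-incident hunting workflow (added example, not the deck's code)."""
import re
from collections import Counter

HASHTAG = "OPENDIR"   # hashtag used as the example source in the deck

# Constructed tweets. Public IoC posts are usually defanged (hxxp, [.]), so the
# parser must refang before values can be compared against logs.
TWEETS = [
    {"id": 1, "text": "#OPENDIR fresh C2 hxxp://evil-c2[.]example/panel/ and 203[.]0[.]113[.]9"},
    {"id": 2, "text": "#OPENDIR nothing actionable here, just a screenshot"},
    {"id": 3, "text": "#OPENDIR staging host cdn-updates[.]example"},
]

# Constructed threat-intel verdicts. Anything not listed comes back "Unknown",
# which the procedure still sends to a log search (step 3).
THREAT_INTEL = {
    "evil-c2.example": {"threat_rating": "Malicious", "severity": "High"},
    "203.0.113.9": {"threat_rating": "Clean", "severity": "Low"},
}

# Constructed log lines: "<timestamp> <hostname> <event> <destination>".
LOG_LINES = [
    "2022-07-15T20:01:27Z ws-0142 dns_query evil-c2.example",
    "2022-07-15T20:01:29Z ws-0142 http_connect evil-c2.example",
    "2022-07-15T20:03:10Z srv-db01 dns_query cdn-updates.example",
    "2022-07-15T20:04:00Z ws-0077 dns_query 203.0.113.9",
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames need a dot and a letters-only last label, so version numbers and
# plain IPs are not picked up twice.
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo the usual defanging conventions found in public IoC posts."""
    text = re.sub(r"hxxps?://", "", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")

def extract_observables(text: str) -> list:
    """Parse and clean a tweet: unique IPs and hostnames, lower-cased, sorted."""
    clean = refang(text)
    found = set(_IPV4.findall(clean))
    found.update(h.lower() for h in _HOST.findall(clean))
    return sorted(found)

def enrich(observable: str) -> dict:
    """Threat-intelligence lookup; the constructed table stands in for a TI API."""
    return THREAT_INTEL.get(observable, {"threat_rating": "Unknown", "severity": "Unknown"})

def needs_hunt(verdict: dict) -> bool:
    """Only Malicious or Unknown ratings go on to the log search."""
    return verdict["threat_rating"] in ("Malicious", "Unknown")

def find_sightings(observable: str, log_lines) -> list:
    """Hunt: (timestamp, hostname) for every log line whose destination matches."""
    sightings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 4 and fields[3] == observable:
            sightings.append((fields[0], fields[1]))
    return sightings

def create_incident(observable, verdict, sightings, tweet_id, incident_no) -> dict:
    """Document + Correlate + Track: one ticket per observable, events counted per host."""
    per_host = Counter(host for _, host in sightings)
    return {
        "id": f"INC-{incident_no:04d}",                 # constructed ticket id
        "source": f"twitter:#{HASHTAG}:{tweet_id}",
        "observable": observable,
        "threat_rating": verdict["threat_rating"],
        "first_seen": min(ts for ts, _ in sightings),
        "events_per_host": dict(per_host),
    }

def chat_message(incident: dict) -> str:
    """Notify: the line posted to the SOC channel (ticket URL is a placeholder)."""
    hosts = ", ".join(f"{h} x{n}" for h, n in sorted(incident["events_per_host"].items()))
    return (f"{incident['id']} {incident['threat_rating']} {incident['observable']} "
            f"first seen {incident['first_seen']} on {hosts} "
            f"https://tickets.example/{incident['id']}")

def run_workflow(tweets=TWEETS, log_lines=LOG_LINES) -> list:
    """Walk the dataflow slide end to end and return the incidents created."""
    incidents, seen = [], set()
    for tweet in tweets:
        observables = extract_observables(tweet["text"])
        if not observables:
            continue                      # no observables: skip this tweet
        for obs in observables:
            if obs in seen:
                continue                  # already handled from an earlier tweet
            seen.add(obs)
            if not needs_hunt(enrich(obs)):
                continue                  # rated Clean: skip observable
            sightings = find_sightings(obs, log_lines)
            if not sightings:
                continue                  # no sightings: skip observable
            incident = create_incident(obs, enrich(obs), sightings, tweet["id"], len(incidents) + 1)
            incidents.append(incident)
            print(chat_message(incident))  # chat-ops post
    return incidents

if __name__ == "__main__":
    run_workflow()
```

With the constructed inputs, the Clean IP is dropped at the enrichment gate, the tweet without observables is skipped, and two incidents are opened: the Malicious C2 domain seen twice from ws-0142, and the Unknown-rated host seen once from srv-db01. Deduplicating observables across tweets keeps one hashtag from producing a ticket per retweet.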