
Towne Besel - Staying Ahead of The Game

Agenda
• Introduction to Threat Hunting
• Security Automation
• Start the journey
• Use Cases:
  1) Ingest fresh IoCs from Twitter
  2) Reduce alert fatigue
• Conclusion
What is Threat Hunting?
“The process of searching through environments to detect advanced threats which evaded existing security solutions.”
Why do we hunt?
Distillation: the raw inputs (logs, alerts, events, notifications, warnings) are narrowed down stage by stage:
  1,000,000s of telemetry points
  → Triage: 100s of items
  → Investigation: 10s of leads
  → Response: 1s of incidents
Types of Hunts
1. Intelligence-Driven (atomic indicators)
   • Low-hanging fruit hunts
   • Known threats
   • Security controls bypass
2. TTP-Driven (behavioral & compound indicators)
   • TTPs: tactics, techniques, procedures
   • Methodologies used by advanced attackers
   • Systematic approach for discovering unknowns
3. Anomaly-Driven (generic behaviors)
   • Low-prevalence artifacts
   • Outlier behaviors
   • Unknown threat leads
Intelligence-Driven Threat Hunting

Internal Collection:
• EDR events
• Firewall alerts
• Flow data
• Vulnerability scans
• Sandbox results
• DNS logs
• Etc.

Example sighting from internal collection (firewall):
{
  "type": "firewall",
  "observables": [
    {
      "type": "ip",
      "value": "43.252.106.218"
    }
  ],
  "observed_time": {
    "start_time": "2022-07-15T20:01:27.368Z"
  }
}

Cross Reference: the observable is looked up in Threat Intelligence, which returns a verdict:
{
  "observable": {
    "type": "ip",
    "value": "43.252.106.218"
  },
  "threat_rating": "Malicious",
  "priority": 95,
  "severity": "High",
  "tlp": "green",
  "timestamp": "2022-07-15T20:01:45.531Z",
  "confidence": "High"
}

Threat Intelligence sources:
• Past intrusions
• Threat intelligence feeds
• Malware analysis
• Blogs
• Twitter
• Etc.

Course of Action:
• Block X
• Isolate Y
• Etc.
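The cross reference on this slide is a join between the two record shapes shown above: a sighting from internal collection and a verdict from threat intelligence, keyed on the observable. The following is an added example, not code from the talk; it joins the slide's firewall sighting (plus constructed extra sightings and verdicts in the same shape) to verdicts, keeps observables that have no intel as Unknown rather than dropping them, and maps the result to the slide's course-of-action bullets. The priority threshold for "isolate" over "block", the TLP sharing rule and the extra sample records are assumptions.

```python
"""Cross-reference internal sightings against threat-intelligence verdicts.

Added example, not code from the slides. Record shapes mirror the slide; the
extra sample records, ISOLATE_PRIORITY and SHAREABLE_TLP are assumptions.
"""
from datetime import datetime

# Constructed internal collection: the slide's firewall sighting plus two
# more in the same shape (203.0.113.0/24 and .invalid are reserved test values).
SIGHTINGS = [
    {"type": "firewall",
     "observables": [{"type": "ip", "value": "43.252.106.218"}],
     "observed_time": {"start_time": "2022-07-15T20:01:27.368Z"}},
    {"type": "dns",
     "observables": [{"type": "domain", "value": "c2.example.invalid"}],
     "observed_time": {"start_time": "2022-07-15T20:03:10.000Z"}},
    {"type": "edr",
     "observables": [{"type": "ip", "value": "203.0.113.7"}],
     "observed_time": {"start_time": "2022-07-15T19:58:00.000Z"}},
]

# Constructed threat-intelligence verdicts in the slide's shape. There is
# deliberately no verdict for c2.example.invalid.
VERDICTS = [
    {"observable": {"type": "ip", "value": "43.252.106.218"},
     "threat_rating": "Malicious", "priority": 95, "severity": "High",
     "tlp": "green", "timestamp": "2022-07-15T20:01:45.531Z",
     "confidence": "High"},
    {"observable": {"type": "ip", "value": "203.0.113.7"},
     "threat_rating": "Clean", "priority": 5, "severity": "Low",
     "tlp": "amber", "timestamp": "2022-07-15T19:58:30.000Z",
     "confidence": "Medium"},
]

ISOLATE_PRIORITY = 90                          # assumed: "Isolate Y" above this, else "Block X"
SHAREABLE_TLP = {"clear", "white", "green"}    # assumed: TLP levels fit for a broad SOC channel


def parse_ts(ts: str) -> datetime:
    """Parse the slide's RFC 3339 timestamps ('...Z' suffix) into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def index_verdicts(verdicts):
    """Key verdicts by (observable type, value) so each sighting is one lookup."""
    return {(v["observable"]["type"], v["observable"]["value"]): v for v in verdicts}


def course_of_action(verdict) -> str:
    """Map a verdict to the slide's course-of-action bullets."""
    rating = verdict["threat_rating"]
    if rating == "Malicious":
        return "isolate" if verdict["priority"] >= ISOLATE_PRIORITY else "block"
    if rating == "Unknown":
        return "investigate"   # per the procedure, Unknown still gets a log search
    return "skip"


def cross_reference(sightings, verdicts):
    """Join sightings to verdicts; observables without intel become Unknown."""
    by_key = index_verdicts(verdicts)
    results = []
    for sighting in sightings:
        seen_at = parse_ts(sighting["observed_time"]["start_time"])
        for obs in sighting["observables"]:
            verdict = by_key.get((obs["type"], obs["value"]))
            if verdict is None:
                # No intel at all: keep it visible so an analyst still looks.
                verdict = {"threat_rating": "Unknown", "priority": 50,
                           "tlp": "amber", "timestamp": None}
            lag = None
            if verdict["timestamp"]:
                lag = round((parse_ts(verdict["timestamp"]) - seen_at).total_seconds(), 3)
            results.append({
                "source": sighting["type"],
                "observable": obs["value"],
                "threat_rating": verdict["threat_rating"],
                "priority": verdict["priority"],
                "action": course_of_action(verdict),
                "shareable": verdict["tlp"] in SHAREABLE_TLP,
                "intel_lag_s": lag,   # seconds between the sighting and the verdict
            })
    results.sort(key=lambda r: r["priority"], reverse=True)
    return results


if __name__ == "__main__":
    for row in cross_reference(SIGHTINGS, VERDICTS):
        print(row)
```

The `shareable` flag is there because the verdict carries a TLP marking: a verdict tagged amber or red should not be pasted into a broad chat channel by the notification step, even when the sighting itself is internal.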
The Hunting Maturity Model (HMM)
Security Automation Risks
• Security no longer in focus
  • Busy coding
  • Maintaining infrastructure
• Secrets, keys, and tokens
  • How and where to store securely
  • Shared credentials
  • Overly permissive
  • Key rotation/revocation
• Supply chain
  • Vulnerable library/dependency
• DevSecOps
  • Specialized skillset
Security Automation Tools
Map your journey
1. Document the procedure
2. Visualize the dataflow
3. Determine workflow categories

DOCUMENT THE PROCEDURE
Scenario: A new tweet has been posted with a fresh C2 domain.
1. Our SOC likes to review Twitter for observables.
2. L1 security analysts will take the observables and enrich the data using threat intelligence.
3. If the threat rating is Malicious or Unknown, they will search logs and events.
4. If requests were made to the C2 domain, an incident is created with the timestamp and hostname.
5. Our L1 analyst notifies the rest of the Security Operations team using chat-ops.
6. Senior security analysts investigate and determine the best course of action.
Visualize the dataflow
Retrieve last tweets from #OPENDIR (or other) hashtag
→ Parse and clean tweets
→ Observables in tweet? No: skip this tweet
→ Enrich observable using threat intelligence
→ Threat rating malicious or unknown? No: skip observable
→ Check for observable in logs and events
→ Sightings present? No: skip observable
→ Create an incident
→ Post incident number and link in chat
Workflow categories
• Hunt: search for Indicators of Compromise (IoC) and check for related (security) events
• Correlate: correlate findings per device/user (e.g. hostname, AD username)
• Track: keep track of the number of events per target device/user
• Document: document findings in incident manager / ticketing system
• Notify: send out a notification with a link to the doc via IM / email to the SOC
• Respond: take response actions based on severity of the incident (e.g. isolate device)
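The documented procedure, the dataflow diagram and the workflow categories describe one pipeline. The following is an added example, not code from the talk, that implements that pipeline end to end and tags each function with the workflow category it covers (Hunt, Correlate, Track, Document, Notify; Respond is left to the senior analysts, as in step 6 of the procedure). Twitter retrieval, the threat-intelligence lookup, the log format, the ticket link and every sample tweet and log line are constructed stand-ins; a deployment would replace them with the real API clients. It also handles the defanging conventions (`hxxp`, `[.]`) that IoC tweets commonly use, which the diagram's "parse and clean" step implies but does not spell out.

```python
"""Tweet-to-incident hunting pipeline (added example, not code from the talk).

Every 'No' branch in the dataflow diagram is a skip, not an error. All sample
data, the log line format and the ticket URL are constructed for this example.
"""
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
LOGLINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) ")     # assumed log format
PLATFORM_DOMAINS = {"t.co", "twitter.com"}    # assumed: present in tweets, never observables


def refang(text: str) -> str:
    """Undo common defanging ([.], (.), hxxp) so observables can be matched."""
    text = re.sub(r"(?i)hxxp", "http", text)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_observables(text: str):
    """Parse and clean: unique IPs and domains found in one tweet."""
    text = refang(text)
    found, seen = [], set()
    for value in IPV4.findall(text):
        if value not in seen:
            seen.add(value)
            found.append({"type": "ip", "value": value})
    for value in DOMAIN.findall(text):
        value = value.lower()
        if value in seen or value in PLATFORM_DOMAINS:
            continue
        seen.add(value)
        found.append({"type": "domain", "value": value})
    return found


def find_sightings(value: str, log_lines):
    """Hunt: log lines mentioning the observable as a whole token, as (ts, host)."""
    needle = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])")
    hits = []
    for line in log_lines:
        m = LOGLINE.match(line)
        if m and needle.search(line):
            hits.append((m.group("ts"), m.group("host")))
    return hits


def create_incident(number: int, observable, verdict, sightings):
    """Correlate + Track + Document: one incident per observable, events counted per host."""
    inc_id = f"INC-{number:04d}"
    return {
        "id": inc_id,
        "observable": observable["value"],
        "threat_rating": verdict["threat_rating"],
        "first_seen": min(ts for ts, _ in sightings),          # ISO timestamps sort as text
        "hosts": dict(Counter(host for _, host in sightings)),  # Track: events per device
        "link": f"https://tickets.example.invalid/{inc_id}",   # assumed ticketing URL
    }


def notify(incident) -> str:
    """Notify: one chat-ops line for the SOC; response stays with senior analysts."""
    hosts = ", ".join(f"{h} x{n}" for h, n in sorted(incident["hosts"].items()))
    return (f"{incident['id']} {incident['threat_rating']} {incident['observable']} "
            f"first seen {incident['first_seen']} on {hosts} {incident['link']}")


def run_pipeline(tweets, ti_lookup, log_lines):
    """The dataflow diagram, top to bottom."""
    incidents, messages = [], []
    for tweet in tweets:
        observables = extract_observables(tweet["text"])
        if not observables:
            continue                                    # skip this tweet
        for obs in observables:
            verdict = ti_lookup.get(obs["value"], {"threat_rating": "Unknown"})
            if verdict["threat_rating"] not in ("Malicious", "Unknown"):
                continue                                # skip observable
            sightings = find_sightings(obs["value"], log_lines)
            if not sightings:
                continue                                # skip observable
            incident = create_incident(len(incidents) + 1, obs, verdict, sightings)
            incidents.append(incident)
            messages.append(notify(incident))
    return incidents, messages


# Constructed sample input: tweets, an enrichment table and log lines.
TWEETS = [
    {"text": "#opendir panel at hxxp://bad-c2[.]example[.]invalid/panel/ "
             "and 198[.]51[.]100[.]23 https://t.co/abc123"},
    {"text": "Nothing to see here, just #opendir chatter"},
    {"text": "hxxps://benign[.]example[.]invalid looks fine after review"},
]
TI_LOOKUP = {
    "bad-c2.example.invalid": {"threat_rating": "Malicious"},
    "benign.example.invalid": {"threat_rating": "Clean"},
}
LOG_LINES = [
    "2022-07-15T20:01:27Z host=WS-0042 type=dns query=bad-c2.example.invalid",
    "2022-07-15T20:05:03Z host=WS-0042 type=proxy url=http://bad-c2.example.invalid/panel/",
    "2022-07-15T20:07:41Z host=SRV-0007 type=dns query=bad-c2.example.invalid",
    "2022-07-15T20:09:00Z host=WS-0099 type=dns query=benign.example.invalid",
]

if __name__ == "__main__":
    for line in run_pipeline(TWEETS, TI_LOOKUP, LOG_LINES)[1]:
        print(line)
```

With the sample data, the first tweet yields two observables: the domain is Malicious and seen on two hosts, so it becomes INC-0001; the IP has no verdict (Unknown) but no sightings, so it is skipped. The second tweet has no observables and the third resolves to Clean, so both are skipped. Observables with no verdict are deliberately treated as Unknown rather than dropped, matching step 3 of the documented procedure.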
CISO: In these dark times, how does a security engineer automate Threat Hunting?
SOC: With strange magic, sorcery, and APIs
• Threat Hunting is about finding threats that evaded security solutions
• Threat Intelligence is about enriching data and making decisions
• Security Automation tools reduce risk and complexity
Thank you
GitHub: NetflowNinja
LinkedIn: towne-besel
towne.besel@gmail.com