PG - I’m a hunter! Cyber Intelligence in the New(ish) Frontier - Yasmine Johnston-Ison

BSides Las Vegas, 21:23, 158 views, published 2019-10 (YouTube)

About this talk

PG - I'm a hunter! Cyber Intelligence in the New(ish) Frontier - Yasmine Johnston-Ison. Proving Ground, BSidesLV 2019, Tuscany Hotel, Aug 07, 2019.

Transcript [en]

Hello everyone. I am Yas, I'm a threat hunter, thank you for coming to my talk today. Small disclaimer: I might accidentally slip up and use the term "guys". I mean it as a gender-neutral term and not to be offensive to anybody. I'm really nervous, I have a disability that's triggered by stress, so hopefully we all walk out alive. Yeah, that was my TED talk, thank you for coming, y'all did great, let's go get some drinks now. Just kidding, let's move on to why y'all are here.

Y'all are here to walk away with a better understanding of threat hunters and threat hunting, which includes: common types of hunters, what a threat hunter might add to incident response and prevention, skills us hunters might have and how they might help, common tools that we use, a method to our madness, why organizations should care about their threat space, and some helpful learning aids.

So first, a little bit about me. I started tinkering with web page vulnerabilities when I was around 17 years old. Nothing major, just changing things in the address bar and changing, you know, code on pages that I'd published, nothing too big. I was purposefully infecting my own system soon after that with spyware, simple things like catching keystrokes and capturing screens and sending them to my email, because I thought it was fun and I didn't have a lot of friends. But unfortunately I was a real noob. I didn't know what I was doing and I had no clue that was a real job, because, like, really, who would pay for someone to do this? So I did what most people do and I joined the military. I was about 19 and I joined as a signals intelligence analyst in about 2003. So yeah, I was one of the bodies. I ended up going into signals intelligence in the National Guard, then I went active duty in 2005, and in 2018 the Army Reserves. I eventually ended up at the Department of Energy as their senior reverse engineer, and while I was there I had a great team lead who would continually push my technical skills at every chance that he had. Oh, and then soon after that I went to Cylance and I continued to grow, and now I'm at Fidelis as their senior threat researcher. Yay.

So as you can see, my career, and basically my adult life, grew up in the shadows of digital conversations. I live for hunting, this is my jam, I can talk forever: discovery of the unknown while staying unknown. I learned weaknesses in my targets and how to exploit them. I was trained to become an expert in the area I was assigned. Sometimes I unfortunately knew my targets better than my family. A target is a target and I had better have my facts straight; people's lives were dependent on my ability to put that puzzle together. A network is a network, human or digital, and the shadows, they're one and the same.

So now I'm just going to give y'all some examples of my work life, from tracking MAN1 and getting into their use of Hancitor, to tracking targets who are bad with OPSEC, having too much information, and finding possible new actors. But first we go to the macros. Something people tend to notice about me is that I'll sometimes be way too into macros, and MAN1 was no exception there. I had a lot of fun taking apart their macro and their use of Hancitor. Hancitor is a downloader and it aims to put secondary malware on the system. I would start by looking at API calls just to get an idea of where the good stuff might be hiding, and you can see on this macro that it's going to check what operating system we are on. You can also see that it will be freeing up some space, possibly to move code around, via kernel32 VirtualAlloc. I would locate this API call and put a breakpoint on there, and then we could see that it was using XOR to hide the payload, and it was hollowing out some space and running explorer.exe just before injecting into it. There is also a specific string, "pol a", that was used as a marker to indicate where the unencoded code was in the binary, right before it was going to be injected into the running explorer.exe. I loved this macro, it was one of my favorites, and little Easter eggs like that that you would find in the code, those little strings and markers, would just continue my passion to want to dig deeper and see what else this macro had to hide. And while I would love to take you deeper, that's not why we came and we have a limited time, so this is some bonus material. Yay, bonus scenes, we all love them.

This first example is going to be an overview of a hunt I was on, and it started when I was checking low-level alerts for false positives and I stumbled upon something odd. It was this weird GET request, and I was wondering: are they scanning us, are they trying to own us, do they think they're going to get somewhere, like what's really going on? So I looked up the information in our pcap system and I saw this POST, and these people were noobs. They weren't waiting for any type of response from our network, they just kept going, kept uploading, and soon they were uploading backdoors. Yeah, it was great, but it was a failed mission from the start. They were trying to exploit a vulnerability that allows for arbitrary file upload and remote code execution, but we weren't vulnerable, so they were just wasting their time and giving us their files, and we laughed at them.

This next example is Coinhive. I was again looking through low-level alerts. This was kind of a morning ritual I had: I would come into work, go through these alerts that happened in the last 24 hours to make sure that we weren't missing anything that we should be looking into, and I noticed something odd this day as well. I noticed an alert for a possible crypto miner infection, but when I checked the traffic it was just Coinhive. This wasn't an infection, it was just evidence of cryptojacking. The crypto mining code was placed on a website, the user went and clicked on the site, and he was unknowingly mining for coins while visiting this site. So when he clicked off, it was done, it was over, so there was nothing I could do, it was just annoying. Luckily I did some research and it looks like Coinhive is no longer a service, so y'all shouldn't be seeing it anymore.

Alright, let's get on to OPSEC fails, like the way analysts track North Korea, aka Hidden Cobra. This is just a small chart I put together during my analysis period. So Hidden Cobra is known for not changing the code they use. They are known for using Google Drive, they are known for leaving their files in Google Drive, for leaving victim files in Google Drive, for leaving their own files in Google Drive, leaving the password and credentials to the Google Drive in malware they're sending out to victims, so that when researchers get it we now have credentials to their Google Drive. Yeah, it's great. So sometimes if you're monitoring your network you might also see the Red Star operating system pinging your network, and you're like, who's this scanning us? It's Hidden Cobra, because they don't hide who they are, and if you look up Red Star you'll see it's their operating system. Fun times.

So in this field it's easy to get way too much information, and we all don't have the time to do everything. This is just an example of an information stealer I didn't recognize right away, so I took all the information that I had, I put it on a SharePoint that I created for my old team, and I was hoping that somebody would be able to get back to it later to possibly identify it.

So we're going to get into talking about hunters now, and this is just going to be a big overview from lessons learned and experiences. The first type of hunters are those who hunt on endpoint management systems and large data collection systems. They typically sit in IR teams and SOCs. They're looking for things that might have been missed, they are looking for known IOCs, they are looking for patterns that might indicate a possible intrusion or infection, and sometimes they might just be looking for things they recently have read or heard about, to see if their organization is affected. These hunters might also use that data to create signatures to help up their organization's security. The next type is a threat hunter, a threat researcher. These researchers are less likely to sit on IR teams and more likely to sit in cybersecurity companies, government agencies and of course the military. These types of researchers might be assigned an area of operation or a threat space, or they might be researching based on their interest or organizational needs. Both of these researchers are hunting threats based on and gathered from open source intelligence, and some or both might have client data to work with, or big data as well. They are both most likely tracking malware evolution, APT TTPs and new CVEs so they can try to stay one step ahead, and of course we know that even a little vulnerability can be a dangerous thing, at least if you push the right button. Hunters know their enemy's weaknesses; their knowledge of their threat space gives them the upper hand.

So why is this an important field? Imagine you're planning to go to war. Instead of using all the data that you have and all the intelligence, you just start throwing people at it. Well, this didn't work well for the Mother of Dragons. Even though she had the intelligence she needed, she didn't use it. Yeah, they did nothing to stop the White Walkers. It was one person who understood the enemy's weakness that took down that threat: it was Arya. She essentially killed the chain of attack. She was a skilled hunter who knew her threats. When dealing with many threats of all shapes and sizes, there's no magic button or software that's going to fix it all, and being reactive instead of proactive can cost time and money.

Alright, so you might be wondering, well, what does a hunter do in IR and how do they help IR and prevention? Well, the hunter is proactive. They're aiming to understand their threat space so well that they can stay one step ahead. They are the breaker of chains. Having someone who knows the changes of malicious campaigns, the newest ransomwares, how the intrusion chain of attack works and what it looks like, what the malware chain of attack looks like and how it works, being able to create signatures, and being able to look for undiscovered threats on your network, will no doubt help move you from reactive to proactive.

Alright, so now we're getting a better idea of threat intelligence and hunters, let's talk about some skills that we might have, and this section again is put together from experiences and lessons learned. It's not meant to be the be-all end-all list. With that said, I think above all the top skill that an analyst can have is the ability to continue to learn. Threats are ever-changing and so the analyst must be on the lookout for that. Technologies, tactics, techniques and procedures, they change too, and so must the analyst. We're going to start with malware analysis because it's the most basic one that these analysts should have. They need to understand how things behave, both on the system and on the network, and while they might not be code deep or assembly deep, they can still gain a great amount of information about their threats. They don't have to be an expert to be doing malware analysis. This is sometimes where an analyst might step into the cyber intelligence field or the reverse engineering field. There's always a chain of attack, and these malware analysts can start identifying and breaking down that chain. So we're going to move on to reverse engineering, because it's another great skill to have in this field: being able to take things apart in order to know how things work, how to protect against them, whether that is by creating more rules or by blocking infection chains for example, and/or how to find similar threats, files or possible infections. Reverse engineering can also lead to finding little Easter eggs like the ones I mentioned in the earlier examples, little things that are left behind in code that might help us to uncover common techniques used by these attackers or malware developers. Reverse engineering can also help find IOCs that we're not seeing in behavior analysis. Well, not the last skill that an analyst needs to have, but the last skill we're going to cover today, is understanding the hacker mindset, and there's no better way than actually becoming a hacker, even if for like a day or a minute. CEH courses are a great way to get inside the head of a hacker. The analyst will learn networking on a deeper level, and that can help them hunt in the future for possible intrusion attempts on the network. They will learn more about exploits, vulnerabilities and the chain of attack. The information they learn from taking CEH courses will make them more prepared to hunt on endpoints, track bad actors, and understand what a threat actor might go through to infect or attack a victim.

Alright, bear with me, we're getting there. Now I'm going to talk about some tools, some common tools and more basic tools of the trade. I'm just going to list these out for you guys, so just bear with me. Network analysis tools like Wireshark, NetworkMiner, ThreatMiner and Robtex. Malware analysis tools such as PeStudio, PEiD, Noriben and IDA Pro. Vulnerability analysis tools such as OllyDbg, Nmap, Burp Suite and Metasploit. Link analysis tools such as Analyst's Notebook, Maltego, Palantir and Lucidchart. Dark web analysis tools such as Tor, the not Evil search engine, Digital Shadows and Tails. And there's like a whole bunch more, but that might make this a training and nobody's here for that one.

Alright, so now that the analyst has the data, the intelligence, the tools, what now? What's the method? Well, first we need to get a defined area of operation so that our scope is narrowed and not a rabbit hole, and this will let us know what data is important and what data is supplemental. The information that we keep might come from the scope of the assignment. Tickets are a little easier on analysts, as everything that they need to know and give back is predefined in the ticket. If you're a hunter and you're hunting based on research, the information that you need to keep might be more involved and organizationally dependent. So where do they start? Well, some analysts might start in something like link analysis, with link analysis tools such as Analyst's Notebook or, say, Visio, and some might start in something like OneNote, where they're tabulating out the different data collection types. Similarly they might use Excel in the same way. For ticket or IR based hunting, they might use something like JIRA. Either way, the analyst needs to have a place where they can put the data and grab the data back out without it being an issue. So sharing the information depends on many things. In IR or ticket based hunting, they might only be sharing that data internally, or during an IR response they might only be sharing it with a client. Researchers might be using that data to publish blogs, or they both might be using it to help create endpoint signatures or YARA signatures to give back out to the community.

Y'all, if you can tell by now, cyber intelligence and the threats aren't new. The data, the analysts and the threats have always been here. So why does it seem like this is like the new buzzword and it's brand new? Because no one was listening to us before. Before sexy things like ransomware and breaches were grabbing headlines on outlets beyond Twitter, in the small cyber space we were just nerds, no one really cared. So why should a company care about their threat space? Probably for the same reason that you would care about crime rates when you're moving into a new neighborhood. Every company and organization doesn't have the same type of threat. The Department of Energy's no doubt going to have different types of threats than Bank of America. A power company might have attacks more focused on taking down a power system or a grid system, and a hospital might have attacks more focused on locking up everything and demanding a ransom. Understanding these threats will help an organization create a more tailored approach to their cybersecurity needs. Cyber intelligence helps fill the gaps that antivirus vendors and endpoint systems cannot fill alone. Cyber intelligence and the hunters are weapons against past threats and future threats, because we know sometimes old malware likes to come back.

Alright, we're getting so close now. The next couple of slides are some learning aids for those interested, not sponsored. The first one is a YouTuber I go to, MalwareAnalysisForHedgehogs. He's great, he has everything from beginner to advanced and doesn't try to talk over your head, so it's a great learning place. Some books that I have nearby for reference are Learning Malware Analysis, Practical Packet Analysis and the Red Team Field Manual. Two websites that I frequent: Didier Stevens, he creates tools and blogs, and sometimes he'll blog about his tools, so you can kind of get a lot in one site. The second is the Women's Society of Cyberjutsu. It's a nonprofit organization whose aim is to empower and help advance women in cybersecurity, and they were there for me when I was getting snubbed by my male counterparts trying to learn more, so they got a special place with me. Still not sponsored, y'all. I'm not going to try to read out these Twitter handles, you don't want me to. The first one is a malware researcher who often tweets about Hidden Cobra and other cool tidbits. Y'all, I was really into Hidden Cobra because they are funny, y'all should look up all their OPSEC fails, there's a whole speech on them. The second person is also a malware researcher and she tweets about many topics, to include malware. The third person is a well-rounded kick-ass cyber professional who I followed for a long minute before learning that she was my mentor, and I had one of those fangirl moments. The fourth Twitter account, he tweets about cyber intelligence topics, it's kind of like my place to get news. The fifth person is cool, the way she tweets, you'll have to look her up to understand what I mean. And last but not least is the YouTuber that I mentioned. He posts about really good reverse engineering topics, he's a good person to follow, especially if you're new to this, he'll put out a great tutorial like once... Alright, we made it, we did it, y'all survived, I survived, no one threw up, no one ran away. Thanks for coming, appreciate it.