
Pretty Easy Threat Hunting

BSides SATX · 2021 · 24:07 · Published 2021-06
Speaker: Nick Sweet
Category: Technical
Style: Talk
About this talk
Title: “Pretty” Easy Threat Hunting
Presenter: Nick Sweet
Track: In The Beginning
Time: 1430
Virtual BSides San Antonio 2021, June 12th, San Antonio, Texas

Abstract: Has your organization started threat hunting but is in need of help to operationalize it into a more efficient process? This talk is geared towards teams that want to take their threat hunting to the next level. We will use pre-built templates in the form of notebooks to not only help with the hunt but prepare it for digestion by leadership. Threat hunting is the most talked-about subject in security operations. The concept of proactively looking for threats is nothing new. This talk is meant to help organizations that are already performing routine threat hunts to maximize their capabilities. We will look at how to leverage Python, Jupyter notebooks, and other tools to not only make threat hunting easier but also “pretty”. One of the biggest gaps we see in threat hunting is how to show value to executives and others within the organization. We will provide examples of how to create templates and reporting to easily build a repeatable process to highlight the efforts of your internal teams.

Speaker Bio: Nick Sweet is a Certified Information Systems Security Professional (CISSP) with more than 10 years of experience in public and private sector cybersecurity and risk management. His areas of expertise are in security operations, penetration testing, network security, and risk management. Prior to joining Avertium, Nick led incident response, threat intelligence, and vulnerability management at Nielsen, led organizational change across the Department of Energy regarding full disk encryption adoption at the Oak Ridge National Laboratory, and worked at the University of Tennessee’s statewide education system as a senior security analyst.
With a genuine passion for cybersecurity and leadership, Nick enjoys working with his teams to improve customers’ security posture by challenging their established norms.
Transcript

Alright, welcome back to Track 2. As a reminder, if you'd like to interact with others in the session, please join us on the Discord server under the channel "Track 2: In the Beginning," and I'm gonna hand this over to Nick.

Awesome, thank you. Can everybody hear me okay? Could I get a quick ping maybe on Discord there?

I think he said it's about a 10-15 second delay, so... alright, good to go. Alright guys, I appreciate it. Today, I was just talking to the organizers: this talk is usually kind of a longer talk, so I've drilled it down to really just a high-level summary of how to use some basic concepts. I think you all probably read the quick summary abstract, but as you can imagine, in 20-25 minutes it's very difficult to go into any detail around some of the concepts when it comes to threat hunting. So today is really meant to be

just kind of an intro into how you can leverage some of these frameworks, but definitely feel free to reach out after this. I love to talk about this stuff, so if you want to see any more examples or talk deeper around the subject, please let me know. To start off, I'm Nick Sweet. I lead our solutions architecture team at a company called Avertium. We're a cybersecurity consulting firm that also does managed security services. I've been there for a few years; I actually led our managed security practice, which is where a lot of our threat hunting actually comes out of, so

that's where a lot of the things that you're gonna see today come from: some of the things that we meet with our customers on a day-to-day basis about. These are the concepts and things, when we're working with them to build out a really mature and capable threat hunting program, that they need to be looking at, and not just looking at it from the very technical, tactical standpoint but also from a program-level standpoint. And I think, if you guys are aware of threat hunting, I'm sure you've seen a lot of the great work that, like,

Cyber Wardog and some of the things that he's done around the threat notebooks, and a lot of that. This is really meant to take it up a level, because I think there's a lot of great stuff that's happened in the industry around the technical pieces, from Atomic Red Team testing to all of those very tactical things, using things like Sigma rules for SIEM detection. So today is really: how do you take that information and show value? And what's important about that is, if you think about it, who the audience is for this is really

maybe the leader of a cyber threat intelligence group or the leader of a threat team, as you're trying to figure out what type of value we are showing in the organization. Just like with anything, it could be IT, it could be the SIEM: what value is the SIEM providing, what value is your EDR providing? You have to have metrics, you have to have reporting, and you have to have some way to tie this back to the business. So today, since this is only a 20-minute talk, it has to be high level. Like I said, I do more technical

talks, but there will be some technical excerpts in here that you'll be able to see around how to leverage that. So, quick outline: a quick history and intro, that's kind of what we're doing now; how do we clean up our threat hunt reports, and why is that important; what are notebooks, and how are they helpful; and what and how do we use those internally at Avertium to do that. It could be different for you guys if this is an internal type of threat hunting program, but as you can imagine, we have hundreds of customers that we monitor on a daily

basis, so we have to have a pipeline and a way to operationalize this. So hopefully you'll be able to get some quick pointers, recommendations, or maybe a new, unique way of thinking about how you can operationalize your threat hunting within your organization. Okay, so starting at the top. For us, we like to look at everything as some type of maturity model, some type of way of measuring success, and what we're going to be talking about today is really on the higher level of how are you optimizing and quantifying, how are you managing

the day-to-day operations within your threat programs. You could be today in the initial stage, where it's just kind of ad hoc, routine-type threat hunts, but you can still, even in those early stages, put some polish on that. So the whole talk, about being pretty and easy, that's what this is meant to do: even if you're in an initial phase, you're just starting to build that program out, just take that extra five minutes to put a little bit of polish on that, so that when you're doing the threat hunts within your environment you already have pre-built templates, you already have pre-built ways that you're going to be

taking these reports and handing them off to management to show what you're doing on a day-to-day basis. So starting at the beginning: all of this is going to be built around a lot of great things that are out there today. We know about MITRE ATT&CK, MITRE Shield, this could be CAPEC. There's a lot of good things out there around what are the bad guys doing. This could be threat advisories that you're getting from the NSA, FBI, or CISA, or Talos, or any of these other great groups out there that are releasing threat reports. It's like, how do we take that information

and then build that pipeline? And then it's taking that routine threat hunt process, and I'm sure you've seen some type of example of this; this is just a high-level view of what a typical threat hunt looks like. And this is the operational piece, the actual threat hunter themselves, the tactician that's in the weeds doing this. What do they have to do? Collecting that data, formulating those hypotheses, how do they perform those hunts on a day-to-day basis, and then how do we refine those detections, find the actual threats that are in that environment, and then how do we triage and remediate

that. So this is kind of where I think most people stop, and so what I want to challenge today is how do we take that a step further. So not just doing the threat hunt, just doing it, opening a ticket up with maybe the sysadmin or the web app team or the DevOps team to go in and remediate whatever you might find, but putting some polish on that. So then, instead of just sending over some raw text or a screenshot, can I operationalize that to show intelligence through the entire organization? And so this is where Jupyter notebooks come in for us. I don't know how many of y'all have used

Jupyter notebooks. This is one of the things that you see a lot of times in data science communities; I know a lot of people in security use them, and a lot of just science in general. It's a way to come up with templated ways of doing analysis over data sets and everything else. And what's really good about these is, once you build them, you can almost build them as templates. So if you do them right the first time, you're able to make them pretty, put pretty graphics and those beautiful charts in there, some of the things we'll show here in a little bit,

that allows you, when you do those threat hunts, instead of it just being a one-time-and-done thing, it's actually something that you can take and use again later, and we'll talk about how you do that in just a second. Alright, so why not make them pretty? First off, for me it's a pretty easy way of getting information out within the organization. And if you think about threat intelligence, I want to look at it at kind of the higher level: a threat hunt is only a part of a larger threat intelligence program. You have threat intelligence coming in; this could be TTPs from MITRE,

TTPs from threat intelligence reports, it could be a list of IOCs from a threat feed that you might have from some type of data feed provider. And it's like, how do you take all that information and then put it into a report? So what you'll start seeing here on the right, on these slides, are some examples of how we've taken that and actually turned it into a pretty deliverable. So you're still doing the day-to-day threat hunting, but by using notebooks and stuff like this, you pre-build these, have these already there, so you can hand them out to your level-three analysts, your threat intelligence team, and then they can go in and actually

just use these notebooks over and over again, and it just gives you a really nice deliverable so that you're actually showing the value to your team. And this is really important for managers of SOCs or SOC directors or CISOs or anybody else: as you're trying to show value with your team, the threat analyst probably doesn't care too much about that. They might just say, "I don't want the fluff, I just want to do the hunt. I want to get in there, I want to fight the bad guys." But we all know if you can't show the value that you're doing on a day-to-day basis,

a lot of that can be lost. So we use this as a tool for our customers to be able to show value. Just saying "yes, we're doing threat hunting" is one thing, but they want to see something pretty on the other end of that. Just saying "hey, we found this IP address in your computer and it looked bad" is just not a really good thing. So what we try to do is just put some intelligence behind it: where did that IOC come from? Did it come from a threat feed? Did it come from a threat intel report that we looked at? And then we give them a nice deliverable that they can take and then

actually hand up to their leadership to show that value on a day-to-day basis. So moving on here, I know we've got about nine more minutes. First off, the graphs and charts. Within notebooks there's a lot of great things that you can do directly in that. So once you establish that PDF, establish that structure, being able to have (I gave you a couple of screenshots here) kind of the raw queries, the raw things for the technical group and the crowd, and then you can have the graphs that show what did you see when you were doing that threat hunt. When you're doing that

analysis, did you see any PowerShell? What browsers? If you were doing, say, maybe you got brought in to do a threat hunt against some type of application because you saw maybe something weird was going on, being able to look through that data, see what's being seen there, and then be able to see what IP addresses are there, and being able to really show you what's actually in there, and then be able to relate that back to the business. And you'll start seeing here in just a second these independent screenshots actually get built into kind of modules, and I've given a little bit of a framework that you all can use, and maybe

take a screenshot of here in just a second, that you can take and maybe build from. But then taking that data and relating it back to the business. So when you do that threat hunt, and it was some type... maybe you read about the whole Colonial attack and DarkSide and all the tactics and techniques that were used there. Instead of me just sending over "hey, we saw X in your environment," it's "hey, we saw X, and this is an IOC or a TTP that's seen in these particular APT groups." So being able to take that and put context around that,

and then be able to layer that information into a story, which is really important. It's being able to say what's the why, or the so-what. Why is that important? It's like, hey, I know you guys are doing these great threat hunts day in and day out, but why is that important? Why should a CEO, why should a CFO or an executive or a board member really worry about those sorts of things? So this gives you all the ability, as threat hunters or SOC analysts, to really be able to take you from that very traditional, just-in-the-weeds type of person, and now elevating your skill sets and

elevating the things that are happening in the environment, and really relating this to business risk within the environment. And you would be surprised what type of funding people get when they do this type of thing, because just sending over "hey, I did a threat hunt last week" doesn't show the value. If you start doing these sorts of things, it really helps you tell a good story, and the next time you're going for that budget ask, it's like, "oh hey, you remember those five or six reports that we sent over? Well, that's why we need to make this investment within this particular area within our company." Alright, and here, starting with kind of a quick

little high-level thing of what we usually put within our modular approach to our threat reports. There's usually a pipeline to this, and I'll actually show you some examples on the next few screens of what you actually put into this. So having the important pieces up front: the document info, where and when was the report done, when was it prepared, when did you do a hunt, when was the hunt done. And with these, as you build these, what you come to find out is these hunts can actually be done multiple

times, as a lot of the TTPs get borrowed across different threat reports. If people are using PowerShell or living-off-the-land techniques, that's just not one threat group. Those TTPs, you build those notebooks, you build those threat hunts one time, and all of a sudden you're actually able to pull in work that you've done in the past; you're just relating it now to a new TTP or a new threat group or whatever else. So starting at the top: having that document info, talking about the objective of this, having an abstract of what you're looking for, what data did you use. Do you have a SIEM? Do you have an EDR?

Maybe you just have a syslog box that you're sending logs to; there's nothing wrong with that. So being able to go and look at that data on those systems and then actually be able to run those queries, then actually having the context around the threat information itself: having that summary that you saw about DarkSide, having those tactics and techniques and the procedures that are there, what recommendations or references do you have to that. And then what you see here now is you're building this nice playbook that you can use over and over again. And just to show you a few examples here, I know we

got about five minutes before we'll open this up to questions. Here's an example of that. If you are familiar with Jupyter, these are things that you can pre-build in there, so that when you hand... and you build these templates off, your analysts or whatever know what information they need to put in here. The objective: I need to put the date in because I'm doing this today. Then the next section is that contextual information we were talking about, so having that DarkSide threat intelligence report in there that says this is why we're doing this threat hunt and why it's important. Then being able

to show what were those recommendations, what are the mappings to MITRE ATT&CK that we're doing as part of this threat hunt, and then actually going in and doing the actual threat hunt itself against that data. So here are some rough examples: hey, I have some PowerShell that I'm looking for within this environment, because I know these are the known IOCs. How many of these are threats? How many of these are benign? This is actually an example of an ML/AI engine that we developed that helps with some of this. Then, going back to the Apache log thing, say, you know what, we don't have our

application logs going to our SIEM or anywhere, just because, hey, we can't afford to pay for the EPS or the log ingestion or whatever that is to a security company to do that. But what if an incident happens, or you need to go and look at those logs? You can use these notebooks also in those DFIR types of engagements, where: hey, just hand me over those Apache logs, I'll be able to throw this in here, I'll be able to parse that data and get the information back to be able to do that. And then the final piece is to be able to do kind of a heat map against MITRE and the TTPs that you found in that,

to show risk to the organization. So I don't know if you all have a way to do risk ratings against MITRE ATT&CK and that sort of thing, but there's ways that you can take that and say, hey, if one of the ways for initial access that this TTP group or this APT group uses is, say, drive-by compromise, or maybe they like to use spear phishing, what's our risk to that? So establishing initial risk around: do we have the appropriate email protections in place? Are we training our users? Do we have any detections in place for that? Do we have a SIEM, do we have EDR to help us with that?

What's our response look like? Do we have an incident response plan? Do we have the appropriate people and staff to help us when an incident happens? Do we have a DFIR retainer that we can pull in? And as you go across this, be able to map this back to a threat group. If you know that certain threat groups like to hit your vertical or your industry, if these particular TTPs get used more in those particular groups, maybe we should do a little multiplication on that. Let's double that and say, hey, if it's anybody else it's a one, but because we know a threat group uses that, let's double that score

and give us a higher residual risk score. And then it allows us to layer that into that report that we send up to the organization or the executives within your company. And now they can see, alright, here's all this technical information; god, thanks guys for doing that hunt, looks like we're good, we didn't see anything; and also during that we actually did a heat map overlay to see how well we're protected against those. So instead of just having that very tactical piece, you're also throwing in a program-level piece of this as well. And then ultimately, by doing this, you get kind of a build-it-once, rinse-and-repeat

type of approach. And what you're kind of seeing here is really that pipeline. Your CTI group, your cyber threat intelligence team, identifies a threat. They create that threat intelligence report. It gets handed off to the actual threat hunters or the analysts. They take the notebooks from your catalog of all the ones that you've built, so maybe it's one to look for PowerShell commands, maybe it's one for trying to look for golden tickets within your environment, whatever those are. They can take those because you already have them built; it's just now pointing at the data. Then you provide that threat report, you sandwich it together, and now the executives

within the organization have a nice report that they can look through. They can see the business context to it, they get the technical information if they need it, and it builds something as it moves up through the organization: each person has the information they need for the decisions they have to make within the organization. So that, I think, is up at our 20 minutes, so I think the timing worked out there, so I will take questions now.

Thank you very much, Nick, that was a great presentation. You've given us some really great ideas on how to translate technical data into something that the C-suite can really use. Currently I'm not seeing any questions on

Crowdcast or on Discord. If you have any questions right now, please feel free to type those in so we can get those answered by Nick, and if you can't think of them right now but they're coming up soon, feel free to bring that up in the Discord channel Track 2 Breakout. And we have a few people typing, so we might get a couple of questions here.

Perfect. Yeah, I guess, like I said, this was a 20-minute talk; this just introduces the topic. If there's any interest, definitely reach out, because the notebooks, that's where a lot of this really gets made. So if you have any additional questions, feel free to reach

out. What does that structure look like? What does a final report look like when it's done? I'd be glad to show you what that can really look like within your organization.

We do have one question there in the Discord. The question is: do you make a MITRE ATT&CK Navigator JSON layer for detections for the heat map?

Yeah, so that's what we have internally that we use. So we use kind of a JSON output of that, just like the Navigator that you see online, that kind of gets layered into this. So that is an internal tool, so when we're going through and doing

these reports, we're able to click in there and say these are the TTPs that we want, and then we know the notebooks that are associated with those, which allows us then to go to the data sources to be able to pull that out.

Excellent. Yeah, I thought that matrix was really beneficial, something that I never considered doing myself. Okay, got a question there: can you show us what the final report looks like, based on the notebook?

Oh, I don't have a cleaned-up one. I can definitely sanitize one, if that'd be something that people would like to see.

You've got pictures of that as well?

So some of those were actually screenshots out of those final reports. Just as you were going through there, what I did is I just tried to show those in one slide, just to get them into a PowerPoint, and we can definitely share the slides.

Awesome. There'll also be a copy of these videos uploaded; you'll probably be able to follow that on any of the BSides social media. They'll release a link whenever all these sessions are available to be viewed.

And there's some other great tools, like, I think they don't use it as much anymore, but the NSA has a great project out there as well that can do a lot of the heat mapping and stuff as well.

So I think we've got two minutes. Yep, I think we don't have any more questions, so we can go ahead and give people a little bit of extra time before the next session. So thank you very much, Nick, that was a very great presentation, and if you want to continue discussing this, please feel free to join us on the Track 2 Breakout Discord channel. Nick will probably be there for a little bit answering any additional questions that you might think about after we get finished here. So Nick, again, thank you very much.

Awesome, yeah, thank you all.
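The heat-map piece of the talk (scoring each technique by the controls you are missing for it, doubling the score when a threat group known to hit your vertical uses that technique, then emitting a JSON layer the ATT&CK Navigator can render) as an added example; this is not code from the talk or from Avertium's internal tool. The control assessments, the group profiles (placeholder names, not real groups) and the scoring rule are constructed sample data and assumptions; the layer keys follow the public Navigator layer format, with the version numbers assumed.

```python
"""Build an ATT&CK Navigator heat-map layer from a threat-hunt risk assessment.

Added example with constructed sample data and an assumed scoring rule; it is
not the talk's internal tool.
"""
import json
from dataclasses import dataclass


@dataclass
class TechniqueAssessment:
    """Per-technique answers to the talk's questions: do we prevent it, do we
    detect it, can we respond to it, and what did the hunt actually find?"""
    technique_id: str     # ATT&CK technique ID, e.g. "T1566"
    name: str
    prevented: bool       # preventive control in place (mail filtering, user training, ...)
    detected: bool        # SIEM/EDR detection in place
    response_ready: bool  # IR plan, staff or DFIR retainer covers it
    hunt_hits: int        # findings from the notebook's hunt queries


# Constructed threat-group profiles: which verticals each group targets and
# which techniques it is known to use. Names are placeholders, not real groups.
GROUP_PROFILES = {
    "PLACEHOLDER-GROUP-A": {"verticals": {"energy"},
                            "techniques": {"T1566", "T1059.001", "T1558.001"}},
    "PLACEHOLDER-GROUP-B": {"verticals": {"healthcare"},
                            "techniques": {"T1189"}},
}


def control_gaps(a: TechniqueAssessment) -> int:
    """One point for each missing control: prevent, detect, respond (0..3)."""
    return sum(not c for c in (a.prevented, a.detected, a.response_ready))


def group_multiplier(technique_id: str, industry: str, profiles=GROUP_PROFILES) -> int:
    """The talk's rule: anybody else is a 1; a group that hits our vertical and
    uses this technique doubles the score."""
    for profile in profiles.values():
        if industry in profile["verticals"] and technique_id in profile["techniques"]:
            return 2
    return 1


def residual_score(a: TechniqueAssessment, industry: str) -> int:
    """Assumed residual-risk score: control gaps times the group multiplier."""
    return control_gaps(a) * group_multiplier(a.technique_id, industry)


def build_navigator_layer(assessments, industry: str, layer_name: str) -> dict:
    """Return a dict in the ATT&CK Navigator layer format (name, versions, domain,
    techniques[].techniqueID/score/comment, gradient). The version numbers are
    assumptions; set them to match your Navigator instance."""
    techniques = []
    for a in assessments:
        techniques.append({
            "techniqueID": a.technique_id,
            "score": residual_score(a, industry),
            "comment": (f"{a.name}: {a.hunt_hits} hunt hit(s); "
                        f"{control_gaps(a)} control gap(s); "
                        f"x{group_multiplier(a.technique_id, industry)} group multiplier"),
        })
    return {
        "name": layer_name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "description": f"Residual risk per technique for the {industry} vertical",
        "techniques": techniques,
        # max possible score is 3 gaps x 2 multiplier = 6
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 6},
    }


# Constructed assessment for the techniques the talk mentions.
SAMPLE_ASSESSMENTS = [
    TechniqueAssessment("T1566", "Phishing", True, True, False, 0),
    TechniqueAssessment("T1189", "Drive-by Compromise", False, False, False, 0),
    TechniqueAssessment("T1059.001", "PowerShell", False, True, True, 4),
    TechniqueAssessment("T1558.001", "Golden Ticket", True, True, True, 0),
]


def example_layer() -> dict:
    return build_navigator_layer(SAMPLE_ASSESSMENTS, "energy", "Hunt heat map (constructed)")


def example_layer_json() -> str:
    """Serialised layer, ready to upload to the Navigator."""
    return json.dumps(example_layer(), indent=2)


if __name__ == "__main__":
    print(example_layer_json())
```

In the constructed data, drive-by compromise scores highest (three missing controls) even though no relevant group is known to use it, while phishing and PowerShell score 2 because a group that targets the sample vertical uses them; golden tickets score 0 because every control is in place. Swap the placeholder profiles for your own CTI group's mapping and point the assessments at what the hunt notebooks actually returned.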
