
Hunt the Stank

BSides Delaware · 2021 · 35:18 · 195 views · Published 2021-11
Category: Technical
Style: Talk
About this talk
Speaker(s): @securitysphynx, @niryoo
Audience: E5
Description: To be "secure" is more than "stopping bad behavior" or "keeping people out". Being secure today is about knowing bad behavior when you see it, not missing false negatives, being prepared when a supply chain attack impacts you, understanding the limitations of modern EDR (they miss human attackers because humans look like humans, not malware signatures), and realizing that tool saturation, shadow IT, burnout, overworked admins… all of the above have created gaps. Your first and last defenses involve understanding BEHAVIOR and correlation. I've divided this up into two sections. Part one I call the "boring basics" because that's generally how people in security feel when you say things like "map network flow" and "where's your CMDB". But those boring basics are essential; you'll never get to the "fun" parts of security if you skip them. The second half is a very quick (because this is only half an hour) run through the attack lifecycle and some of your opportunities to detect dumb, different, and dangerous behavior that your signature-based detections may be less likely to pick up.
Bio: Melissa Bischoping (@securitysphynx) is a passionate security evangelist whose academic and professional background in human psychology and technology align to educate, advocate, and remediate the difficult security problems faced by businesses and individuals. She currently works as an Endpoint Security Research Specialist at Tanium, where she analyzes emerging threats, zero-days, and CVEs to provide subject matter expertise for internal and external customers. Prior to Tanium, she held positions in operations and security across the hospitality, casino gaming, and industrial/manufacturing industries. Outside of work, Melissa pursues a Master of Science in Information Security Engineering at SANS, where she also competes as part of the Capture-The-Flag team. She supports Pros Vs Joes as a Blue Pro staff member, and is an active member of multiple industry nonprofits to support other women in security. She lives in Northern Virginia with her spouse, son, 3 sphynx cats, and a min-pin.
Nir started his career as a squad leader in the Israeli Intelligence Corps. He helped gather intelligence tracking the growth of terrorist organizations. Nir has over 20 years of experience in threat intelligence, insider threat analysis, and endpoint security. Currently, Nir is a technical solutions engineer with Tanium. Nir speaks occasionally at security conferences.
Transcript [en]

So hey everyone, my name is Nir and I'm going to talk about Hunt the Stank today. We had some technical difficulties, but I think we overcame it, so you should be able to see the screen and you should be able to hear me. Hunt the Stank is based on real-world experience and a continuous search done by myself and Melissa Bischoping. Melissa unfortunately could not make it to BSides this year, but believe me when I say that she's standing behind every word in this presentation. Next slide please.

So who am I? My name is Nir. I'm currently a technical solutions engineer at Tanium. My background is threat intelligence. I started my career in the Israeli Intelligence Corps and I moved to the U.S. shortly after 9/11, helping multiple vendors and operating systems, operating as a SOC analyst with securities. What you see here is a photo of me at BSides Delaware 2017 with Joshua Marpet and Janice. Those are the days where we could attend BSides in person, but I'm happy to be here virtually. The other activities you can see that I'm involved with are chess and basketball, and obviously my family, and you can use my handle, which is under the photo there. Next slide please.

So why this talk and topic? I'm incredibly vocal and passionate about some of the concepts that you'll hear today. I believe in security, and I believe that security is a verb: it's something that you do, and there's a method to this madness, and if you keep on thinking, acting, and working better, I believe that you would be able to get better results. The old-school mentality around security and detection is failing and giving you a false sense of protection. I believe attackers are getting smarter and smarter, and I truly believe that together we can overcome those sophisticated attacks, and that's what we're going to talk about: some of the hunting capabilities. To be secure is more than just stopping the behavior; it's basically being able to identify what a bad behavior looks like.

A lot of attacks today are less detected by signatures, by EDRs. I mean, EDRs are important tools when it comes to detecting attacks based on signatures or known malware, but if you look at the latest statistics from AV-TEST, we're talking about over one billion distinct malware samples, so practically there's no EDR out there that would be able to stop or detect even half of them. So we'll talk about in-memory attacks, we'll talk about living off the land, all of those activities that are really hard to detect by EDRs. Next slide please.

Let's look at the overview. I divided this talk into two sections. Part one is the boring stuff; that's generally what people relate to when we're talking about keeping the hygiene, mapping your network flows, updating your CMDBs. Those are boring things, maybe, but you're never going to get to part two if you are not very strict with part one. So we're going to go over some of the basic "eat your broccoli, brush your teeth" activities in part one. In the second part we will go over the attack lifecycle and see step by step how you can improve your hunting capabilities, how you can find those opportunities for dumb, different, and dangerous behaviors, and how this can help you with your hunting processes and procedures. You see here the steps; this is one model you can use for hunting, but hunting could use other models like the Diamond Model or the typical cyber kill chain. Most importantly is to be able to bucket those phases of attack and be very clear on which type of attack phase we are hunting in. Let's move to the next slide.

The boring basics. This is Maslow's hierarchy of needs. Maslow's hierarchy of needs is the theory of what motivates people to do whatever they do and dictates their behavior. The image below was taken out of a presentation by Matt Swann, and it is being used to articulate what the pyramid of hierarchy is when it comes to hunting, and that explains why organizations cannot just move from zero to mature hunt. Everyone gets really excited about threat intelligence; I get it myself, believe me, that is the original type of activity that I did, but the more I got into the market and worked with customers, I realized how important the base of this pyramid is: how important it is to know where your assets are, what they're doing, what's installed on them, is your AV up to date. You know, the favorite parts of the job, we'll get there, but before we make sure we know our assets, we cannot move there. So make sure you map your security tools based on your assets. Don't focus on building hunt capabilities if you have an incomplete asset inventory and if half of the systems are not up to date, specifically if your organization is tight on budget and human resources. You'll do yourself a huge favor by starting to identify your assets; that will already make a massive improvement towards your response capabilities. Let's move to the next slide.

So where do we start, right? I get this question a lot, especially when people are looking at, okay, what do you mean by ignoring the boring stuff? This is definitely not a comprehensive list, and I know it's much more complicated than what it looks like here, but it is an iterative process where you map your networks, you understand where the assets are missing, and what is important here is to really be ready to answer some of the fundamental questions. And you know, if you lack the tools to adequately keep an accurate inventory and you cannot really see all the data flow, that's fine; you have to start with something, and I'm sure that whatever you have within your organization can be used to help at least on some of those activities. So this will help you to kind of get up the bottom of the pyramid.

If you move into the next slide: let's support resilience and detections. What do I mean by that? Even if the boring basics sound boring, they're going to help you support structure and detection, response, and resilience. One of the things you want to look at is anomalies, and when you look at anomalies, you're talking about creating a baseline of what normal user behavior in your environment should look like, what a normal data flow should look like. If a person from HR is accessing a server within the finance department, which is not characteristic of any other peer in their group, that's an anomaly. If you see them working after nighttime, that's an anomaly. If you see two people that are communicating that shouldn't be communicating, or shouldn't have a communication between their endpoints, that's an anomaly. So use this data, but also cross-correlate data coming in from different data sources in order to find those activities. Those activities usually will show something that is out of the norm that could be either an honest mistake or malicious activity. In my career I worked with a lot of SIEM solutions; regardless of what solution you work with, a SIEM is a good way for you to cross-correlate the data and start to put the timeline and the story behind those telemetries you get back from your endpoints. Move into the next slide.

So this is the list, or a part of a list, of detection capabilities or detection tools within your environment. I'm actually moving this slide, give me one second here.

I don't expect you to have all of those detection tools. This is definitely a slide that just needs to remind you that attacks leave artifacts, and correlation of actions is the best way to work. A lot of the information you see here you have today and might not even leverage; some of which you don't have. So this is an eye chart, but even if you don't collect all of the data, you might not have everything today, but what you do have I guarantee you can use. So invest time in learning the data sources you have. Don't let those data sources exist in a vacuum, and while they're useful, they become even a superpower when you can go on running statistical analysis on them, timelining them, scoping them with multiple sources, and so on.

All right, so now that we are over with the boring stuff, let's go into the exciting part. Moving into the next slide, this is part two. This is where the modern attack behavior is getting into place, and when I say modern I mean it, because we're seeing more and more in recent years the attacks that aren't relying on spray and pray, or super noisy, or easily detectable by EDRs. Gone are those days that a signature-based AV kept you safe and sound. Human operations are highly motivated, they move with stealth, they can rapidly adapt to what they see in your organizations, and you need to be able to understand behavior. Additionally, the emergence of supply chain attacks, supply chain attacks or signed malicious binaries, means that behavior is the primary, if not the only, way for you to go. So what I'm saying here is look at behavior; that should help you find those activities based on the baseline, and don't rely on your detection tools only. Let's move into the next slide.

I don't think there's any BSides talk where I don't mention the Pyramid of Pain by David Bianco, and I'm sure a lot of you are familiar with it, but it's so relevant. It's relevant to threat intelligence analysis, it's relevant for incident response use cases, and it's relevant for hunting. The idea here is that the higher you go on the pyramid, the more potential your intel has and the more resources your adversaries have, and it's much harder for the adversaries to change their TTPs and tools rather than their hashes and IPs, right? You know, changing the hash of a file is trivial; it's only one bit in the file that needs to be flipped, whereas changing the malware communication back to command and control, that's much more annoying for the adversaries, but also it's much harder for us as defenders to identify. But those are the things that we as threat hunters need to look at. Most resilient security programs will incorporate some level of threat hunting in the higher levels of this pyramid, based on intel, based on TTPs, based on the MITRE ATT&CK framework, and the higher you go, the better you are off with regards to identifying threats: hunting not specifically for one operation but generally for a threat that your specific organization is under.

Moving to the next slide. What I did is looked at the different types of findings and divided them into three buckets. The simple stuff: the stuff that we all should have been taking care of a long time ago, but the reports still show that people use them, the RDP, the non-encrypted scripts, the open public web servers, whatever those things are, they're still there. The different: the things that you as a threat hunter haven't done in the past and figure out that makes sense for you. And the dangerous: those are things where basically this red flag alarm is going off and you are in an incident. So the idea is to help your organization differentiate between those three so you would be able to quickly triage each one of them and build those from the top, sorry, from the bottom up, right? The quality of security programs should include the basic stuff, then moving to the more sophisticated one, and eventually end up with the response solutions for those obvious attacks. Let's move into the next slide.

I really love the graphics here, and that was taken out of the optics presentation. LOLBins are used at every stage of the attack, but they're especially valuable for the initial code execution and defense evasion because you already trust them. They probably aren't doing anything to your EDRs or the analysis tools because they're already there; they're the norm. Don't sleep on this; even in the last week we can see new exploits leveraging the same trusted services. Those make a powerful weapon for fileless malware attacks, and when you have a file dropped on a disk, that you'll catch; with fileless malware and a LOLBin together, only behavior can help you here. You have here a reference to the LOLBAS project, which identifies those candidates for LOLBins, those files that are mostly used by the bad guys, and I encourage you guys to look at that project and learn a little bit more about what is being used within your environment.

Moving into the next slide: initial access. So those first actions in your environment: the phish that got clicked, the service exploited, the email, the Citrix VPNs like we had in the Colonial Pipeline event. This is your first line of defense. 75% of pentests involved situations where MFA did not exist. Yeah, MFA. I worked for a company that tried to alleviate the pain of MFAs, but MFAs are important, and I know that they're not a silver bullet and there are still some steam attacks happening, but you know what, it's better to have them than not. So make sure you're protected with MFA, monitor those logins, monitor the DNS records for unusual requests, monitor the email security providers for sudden updates in blocked messages that could potentially show that you're targeted. Supply chain attacks, they're terrifying. How are you going to defend your organization from SCA when it is signed, it's trusted, you trust the vendor, or maybe you even give them a domain administrator (which, by the way, please stop doing)? Only by watching behavior. So make sure you look at those things, and also I want to make mention here of the dismissal of the low priority PUA alerts. Well, it may look like adware or a low threat banking trojan; multiple big-name attacks start with a PUA and then download a payload that is much, much more dangerous for your system, so please keep that in mind.

Moving into the next phase in the attack: persistence. Persistence, as you know, as a threat actor, this is what gives you the way back in case the system reboots, the process has crashed, or the initial point of access is discovered. This is where obvious stuff like autorun and startup keys are obvious, but think about Office. Office trusted locations are very attractive because it literally launches all the time, and by a change of a registry key you can run a DLL under that context. As you can see here, the LOLBins are again not just abused but maybe even replaced. This is where a system baseline and known hashes of valid configuration elements could be powerful. I've seen attacks where the attackers are trying to get a hold of the Office keys but they cannot do it because the user has to be an admin, because the hive is under the local computer hive, but you can also use a user account hive and create a custom registry, and so there are ways around it. So be aware that even with a local account you can still create some damage around persistence. Moving to the next slide.

The next step is privilege escalation. It's rare, possibly unheard of, for an attacker, especially a human one, to gain initial access and not attempt to escalate from there. The challenge with human operators is that they can be very slow, they can be as stealthy as they want, and they often react to the detection techniques they engage with, so it's a human-against-human game, and that doesn't make it easy. What can you do about it? Well, start by cleaning up your hygiene, right? Leaving the credentials out in the open, that's not smart, and that also ruins the whole fun for the red teams. So make it a little bit harder for everyone and use a least privilege approach. And if you're talking about hunting, again: anomalies, anomalies, anomalies. Know what your normal east-west traffic looks like. Harden your service accounts, not only the permissions but also make sure the type of logons and the access are to only specific servers, and believe me, I was on the vendor side and I know they sometimes will come to you and say that they have to have a domain admin; push back on that. Process injection: look for those PowerShells. PowerShells are very, very strong, and making an outbound connection from a PowerShell is very weird, so make sure you capture those. But even PowerShell injection, a browser making an outbound connection should be weird, so look at those as well. So make sure you see how obfuscation is done behind the scenes and how the bad guys abuse our permission creep.

We're moving to the next slide and to defense evasion, another favorite use case for LOLBins. Here the bad guys blend in with naturally occurring environments and they abuse the intended function or they just hijack them. You can take some mitigation options: don't let your users just run every LOLBin. A lot of times some of the services in your users' environments have no use; if there's no business use for them, they shouldn't be there. Realistically, if you don't need them, don't run them. So think about least privilege as something that applies to your applications on your operating system as well, not only for new third-party applications you buy; same for your service accounts. It will require some work, you will have to identify the network flows, it might require some politics, but it can be done, and investing the time and the tooling into monitoring and remediating and configuring and reconfiguring those configuration drifts will keep the windows and doors closed and will reduce dramatically the amount of opportunities for the attackers. Disabling or bypassing the security tools for troubleshooting because you need to do that, that's fine; put it back. Don't forget to get back into your hardened configuration after troubleshooting.

Next: discovery. This slide could have been anywhere; it could have been in the beginning or at the end, because it's an iterative process that keeps occurring. I left it here, but just know that discovery isn't a point-in-time thing; it's an every day, every step kind of thing. Every now and again someone can tell you, all right, we'll just block nmap and I'll be fine, and what I'm trying to tell them is that it's not about the tools, it's about the behaviors. Blocking nmap will not prevent the bad guys from enumerating and scanning your networks; there are other tools that do that. I can throw you a list of bash commands that will find a lot of information and will enumerate all your Active Directories. PowerShell is definitely a favorite tool for this kind of stuff, and so many people don't do script block logging. That is really recommended, and it's powerful because you can not only see what happened but you can de-obfuscate commands in real time. Another thing is about the norms of who's doing the enumeration. If we have an IT guy that is trying to study for Net+ and doing it on their machine, that might be a norm, but if it's something that is using a service account and is doing it out of the break room, that's probably not normal. So again, context is really important when you look at those kinds of behavior, and the power lies here in putting it all together, right? Maybe one thing is not that scary, but if it accumulates into a story, then it's something else. Next slide.

Ransomware is getting profitable. The FBI reports that while there was only a twenty percent increase in reported ransomware events, the ransoms paid increased 200 percent just last year, and this is because ransomware actors know that the value is in extortion, not necessarily getting the ransom payment. But the dangerous part: encryption is okay if you have a backup, but the threat is if they sell your encrypted data; that's a compelling motivator. And if they get the data exfiltrated they can sell it, but they cannot sell it or extort it if you can isolate the machine, if you can find through your hunting work those activities prior to exfiltration, and that's why detecting in this stage is so important, and obviously having the tools that allow you to quickly isolate, scope, and remediate those patient zero machines and identify any other affected endpoint within your environment. So it is obviously a combination of the right toolset with the right processes in place.

We're getting towards the end of the talk. I hope I managed to cover at least some ideas that you guys can go back into your organization and look at. As we mentioned, you have to start with the hygiene, answer the basic questions on your assets and their configurations, their vulnerabilities. Make sure you cover those; once you cover them, look at where the low-hanging fruits are, start there, and tie it back together. You have to get all the foundations out of the way and look at behavior hunting at the endpoint, and if you can see, analyze, correlate behavior, that's where you should start. I myself, I remember looking at the processes associated with identifying malicious activities within a specific financial company, and what tripped us there was access that was not really similar to any access we saw in the past. It was actually a user that was not able to log in, and that was an anomaly, but the fact that really scared us was that after a lot of failures that specific user managed to log in to the machines, and when he logged in to the machines, the next event we saw was he was logging in to one of the executive machines. And the funny part is that the security guys were not concerned until the last step. What we're trying to say is that the fact that someone managed to log in after multiple failures, it could be a password spray, it could be just an honest mistake, but take a look at that and try to cross-correlate it: see if that specific endpoint is managed, is unmanaged, is on the Wi-Fi. If you have this hunting sense that we're trying to talk about on today's call, you'll probably be able to look at those things that were until now not important, or not important enough, as something that you can real quick assess as benign or suspicious and move from there.

So I hope that was helpful. In closing, I don't know if everyone is familiar with that last slide here; this is from Dune. You know, some technologies such as social media, wireless technologies, those are all new technologies that have long been incorporated into threat models and are part of our landscape, and obviously moving to the cloud; you know, one of the major trends across the cybersecurity landscape is businesses increasingly moving their IT infrastructure to the cloud. So what I like in that scene from Dune is the discussion around change, and I'll cite here what the movie says: "I'll miss the sea, but a person needs new experiences. They jar something deep inside, allowing him to grow. Without change something sleeps inside us and seldom awakens. The sleeper must awaken." And so yeah, we need change, and I think some of the things we do at BSides is to push for those changes, have this amazing community, keep on pushing for things that we believe should be changed as far as best practices within security, and that's what I was trying to do on today's talk. So with that I want to thank you, and I have some additional pictures from BSides on the last slide, and I really hope that we all can meet very soon in person and have those events, you know, drinking beer and just having fun together. So thanks for your time.
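The "many failures, then a success, then a hop to an executive machine" story from the talk, as an added detection example that is not part of the talk or of Tanium's tooling. The event tuple format, the five-failure threshold, the ten-minute window, the inventory fields and all sample data are constructed assumptions; the talk's own point (cross-correlate the logon anomaly with whether the endpoint is managed or on Wi-Fi before calling it benign) is what the enrichment step encodes.

```python
"""Surface 'many logon failures, then a success' and enrich it with endpoint
context, as the talk describes. Added example for this page, not code from the
talk or from Tanium; event format, thresholds, inventory and samples are
constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (user, host, outcome, ISO-8601 timestamp).
SAMPLE_EVENTS = [
    ("jdoe", "wks-hr-07", "failure", "2021-11-05T08:01:10"),
    ("jdoe", "wks-hr-07", "failure", "2021-11-05T08:01:40"),
    ("jdoe", "wks-hr-07", "failure", "2021-11-05T08:02:15"),
    ("jdoe", "wks-hr-07", "failure", "2021-11-05T08:03:05"),
    ("jdoe", "wks-hr-07", "failure", "2021-11-05T08:04:50"),
    ("jdoe", "wks-hr-07", "success", "2021-11-05T08:06:02"),
    ("jdoe", "lt-ceo-01", "success", "2021-11-05T08:21:30"),   # hop to an exec box
    ("asmith", "wks-fin-03", "failure", "2021-11-05T09:10:00"),  # one typo, then in
    ("asmith", "wks-fin-03", "success", "2021-11-05T09:10:30"),
] + [("svc-backup", "unknown-wifi-22", "failure", f"2021-11-05T12:00:{s:02d}")
     for s in (1, 9, 17, 25, 33)] + [
    ("svc-backup", "unknown-wifi-22", "success", "2021-11-05T12:03:00"),
]

# Constructed CMDB-style inventory: the "boring basics" context that makes a
# logon anomaly assessable. Hosts missing from it are treated as unmanaged.
SAMPLE_INVENTORY = {
    "wks-hr-07": {"managed": True, "tier": "standard", "network": "wired"},
    "wks-fin-03": {"managed": True, "tier": "standard", "network": "wired"},
    "lt-ceo-01": {"managed": True, "tier": "executive", "network": "wired"},
    "unknown-wifi-22": {"managed": False, "tier": "unknown", "network": "wifi"},
}

FAIL_THRESHOLD = 5              # assumed: failures before a success is "different"
WINDOW = timedelta(minutes=10)  # assumed: failures older than this are forgotten


def parse(events):
    """Sort events by time and turn timestamps into datetime objects."""
    return sorted(((u, h, o, datetime.fromisoformat(t)) for u, h, o, t in events),
                  key=lambda e: e[3])


def find_success_after_failures(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One 'different' finding per success preceded by >= threshold failures
    for the same account inside the sliding window."""
    by_user = defaultdict(list)
    for user, host, outcome, ts in parse(events):
        by_user[user].append((host, outcome, ts))
    findings = []
    for user, seq in by_user.items():
        recent = []  # timestamps of failures still inside the window
        for host, outcome, ts in seq:
            recent = [t for t in recent if ts - t <= window]
            if outcome == "failure":
                recent.append(ts)
            elif outcome == "success" and len(recent) >= threshold:
                findings.append({"user": user, "host": host, "time": ts,
                                 "failures": len(recent), "bucket": "different"})
                recent = []  # one finding per burst, not one per later success
    return findings


def enrich(finding, events, inventory):
    """Cross-correlate with inventory and later logons: an unmanaged endpoint,
    Wi-Fi, or a later hop to an executive host promotes the finding to 'dangerous'."""
    ctx = inventory.get(finding["host"],
                        {"managed": False, "tier": "unknown", "network": "unknown"})
    later_hosts = [h for u, h, o, t in parse(events)
                   if u == finding["user"] and o == "success" and t > finding["time"]]
    later_tiers = {inventory.get(h, {}).get("tier", "unknown") for h in later_hosts}
    bucket = finding["bucket"]
    if not ctx["managed"] or ctx["network"] == "wifi" or "executive" in later_tiers:
        bucket = "dangerous"
    return {**finding, "managed": ctx["managed"], "network": ctx["network"],
            "later_hosts": later_hosts, "bucket": bucket}


def hunt(events=SAMPLE_EVENTS, inventory=SAMPLE_INVENTORY):
    """Run the detection over the sample data and return enriched findings."""
    return [enrich(f, events, inventory) for f in find_success_after_failures(events)]
```

On the sample data, jdoe's burst is promoted because the account then reached lt-ceo-01, svc-backup's because the endpoint is unmanaged and on Wi-Fi, and asmith's single typo produces nothing.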
