
Hunting Threats as Security Ninja - Roberto Martinez

BSides Fredericton · 45:05 · 9 views · Published 2024-11
About this talk
Hunting Threats as Security Ninja - Roberto Martinez at BSides Fredericton 2024
Transcript [en]

So next I want to introduce Roberto Martinez from Bulletproof, where he's... you can see beside there, I don't have to... waiting for you, right. So Roberto is a veteran of BSides talks, and so I ask everybody to tell me something interesting about themselves, something that most people don't know. So how many BSides have you spoken at? Four, okay. And so that includes not just here but in Colombia as well, so he's a bilingual BSides speaker, which is amazing. And then he also was a security researcher at Kaspersky dealing with APTs, so I

think we're going to learn a lot from him, so please welcome Roberto.

Thank you everyone, I'm very happy to be here and thank you for having me today. This is my first conference here in Canada, and this was the last piece to present in the different countries in America. Actually I presented before in some countries in Europe, Latin America, the Caribbean: previously BSides São Paulo, Colombia, Mexico, and first BSides. So I'm going to present today something related to threat hunting, but not the regular threat hunting. I want to start by answering this question, because sometimes there is some confusion regarding threat hunting: what is threat hunting? Because

sometimes we can confuse threat hunting with threat detection. It's different, because threat detection is about how to use the resources we have to do detection, but in a linear way, and when you do threat hunting you are assuming that you are missing something, that your tools are missing something, your tools are not detecting some threats. So this is David Bianco's definition of hunting: any manual or semi-automated method of finding new security incidents that were missed by automated detection. That means that if we just trust the tools we have to detect, we could be missing something. This is why it's important to have threat hunting: we need to change

our posture from reactive, I mean just using the tools we have, to a different posture, in this case a proactive posture. So how can we be proactive to detect different threats? Well, in this case it's very important because, as you know, cyber threats are sophisticated; sometimes they are actually using the same tools that we have in our systems. They use living-off-the-land tools; they are not using specific, special tools, they are using the tools that are in the system, in the applications. So in this way the best approach to protect the organization is to try to find what could be wrong in our infrastructure, in our

devices. The main goal here is to try to detect threats before those threats have an impact on our organizations. I know that sometimes it's pretty difficult to detect everything, so you need to focus just on detecting the things that could be, in some cases, undetectable. But how can we do that? This is an example. [Yes, yes, sure, okay, works there, okay.] So for example, what happened in ransomware attacks? In ransomware attacks we're assuming that the main factor that will affect us could be the malware, but actually the encryption of the files is the last phase of the attack. I mean, something wrong happened before, a

lot of things happened before, and the problem is that we are not detecting that part. We are not detecting what happened when a company could be compromised: a threat actor produces a specific initial vector of attack and then the attacker will move through the network, will use the same infrastructure of the company to escalate privileges, to move laterally and do different things. So the last parts of the ransomware attack actually are the exfiltration of files and the encryption of the files. So the idea with threat hunting is to try to catch these behaviors before an impact occurs. So the first thing: we need to have a hunter mindset. I mean, hunter mindset means that we need to think like a hunter. A hunter

hunts; a hunter needs to have enough information about, in this case, the adversaries. So we need actually to know the adversary: what kind of company is the company where we are working, what industry, what are the specific threats for our company, because there are different threat actors and different threats for every industry. The other thing that we need to consider is that it is not just a malware thing or a hacking thing; it's about motivation, it's about what the potential attackers are looking for in our organization. It could be a financial motivation, it could be cyber espionage, so we need to understand what threat actors are looking for. This is the best way to try

to figure out how we can protect, how we can detect every threat for the organization. So for example, if we think of a threat actor that actually is targeting a particular organization, the kill chain is not linear. I mean, it's not like step one, step two, step three, step four; the attacks are more like... sometimes the attackers find the best ways to complete the next step that they want to follow. But the main thing is what are they looking for: if they are looking for information, where do we have the information, what privilege is needed to have access to that information? So we need to build a strategy. This strategy needs to be based on the information we

have about the threat actors. Another thing we need to consider is to have or to follow a framework. It's important because you need a methodology to do your work; you need a methodology to do your threat hunting. There are different methodologies; the most important thing is that that methodology works for you, so you can actually mix different methods from different methodologies, and the approach you will need to have is to focus specifically on what behaviors will be present in a compromise or cyber attack. For example, this is a methodology from [inaudible] where they focus particularly on understanding the different models of malicious activities,

obviously, and following the MITRE ATT&CK framework they try to map these behaviors to particular detections. Another interesting thing to consider is the Pyramid of Pain. In this case, obviously every spot is good; I mean if you detect something, for example you detect something by the hash, it's good, it's perfect; something by IP detections, domain detection, is good, but it's pretty easy to change. I mean the threat actor could change any signature, the threat actor could change IP addresses, domains. So I remember, in an incident response I worked on, the attack was in process, so I remember that I found a malicious file or suspicious

file. I analyzed the file and then I figured out that that file was not detected by any antivirus. I mean the attackers worked on this particular sample and it was not detected by any antivirus. So the thing I did, I sent the sample to add the detection for that particular malware, and I think it was like two hours after that I discovered that the sample was not detected anymore. So I reviewed the signature of the file and I discovered that the threat actors changed the sample: they recreated the sample and they changed, obviously, the hash. So this is trivial to evade; the best way to focus detection is to focus on the

behaviors. I mean behaviors are not easy to change, so this is why it's important; it's an important piece of threat hunting. And the baseline of everything is threat intelligence. If you have good intelligence you can create good detections, you can do great hunts, you can work with great hunts. So it's important to have good sources of information; it's important to have knowledge about the threat actors, about the particular techniques that they are using. And there are some tools; currently cybersecurity companies are including mappings, for example, in the reports, like okay, this is the threat intelligence report and they provide sometimes the mapping of these particular behaviors, or some particular behaviors,

to MITRE ATT&CK. But if it's not the case, there are other tools like TRAM; this is an open source and automated tool where you can just translate reports in PDF, HTML, to particular or specific techniques. In that way you can understand what the attackers are doing in their

attacks. Another important thing is your hunting toolsets. I like this tweet from Florian Roth; he's one of the creators of Sigma rules. They mention that it's important to work with rules, and I agree with you, because you know, if you are assuming your current tools are not detecting everything and possibly you are missing something, that means that you need to focus on different ways to try to detect threats. So imagine that sample or an implant that is not detected by any antivirus, and you try to detect it using the antivirus: obviously it will not be detected. So you need to create or use different tools. In this case it is very

important to be agnostic. You can use different tools; there are a lot of open source tools that you can use, but from the agnostic point of view, the creation of rules is a great way to do that, because the rules are generic. It doesn't matter what technology you have, it doesn't matter what security you have, it doesn't matter how you are monitoring, or if you are not monitoring some things. So there are different types of tools to do that. You can create rules to detect tools or malware, like YARA rules. I don't know if you are familiar with YARA rules; it's a great way to detect tools or

implants; Suricata to detect malicious traffic; and Sigma rules to detect specific behaviors. So this is a cool example of how you can use YARA rules. It's not just about detecting the file itself; you need to find the tracks, you know, you need to think like a hunter. For example, there is a threat actor, [inaudible]; this actor has a particular, financial, motivation, so they stole certificates, and in that way they could sign specific or malicious DLLs. So when we have access to those samples we compare the particular or specific information, in this case the timestamp, and if you compare the timestamp, obviously, because they were using stolen information to sign certificates to

hide in plain sight, the same timestamp was present in every sample, and actually in the libraries of the system. So this is an interesting thing: how can I detect that? Because if my antivirus doesn't detect that, if my monitoring tools are not detecting that, what can I do? In this case, if you have threat intel, you have enough information about the samples, you can create a YARA rule for what particular thing is in these specific samples; well, in this case the timestamp, because the timestamp was the same in every file, in this case the own files of the system. For example, this is a YARA rule, a pretty simple YARA rule, where you just

define the timestamp and compare any file that has a size smaller than the original ones of the system. In that way you could detect the malware and you could avoid false positives, in this case on system files. So this is a pretty good example of how you can use YARA to detect something initially undetectable. Okay, there is another cool example: UEFI. In this case there are different threats around these particular implants. Threat actors are looking to use these implants because they are not detectable at the beginning, you know, because these implants are not on the hard disk; these

implants are in the firmware. So it doesn't matter if you format your hard disk, it doesn't matter if you actually change your hard disk, the implant will be there. Okay, currently antivirus scans that part of your computer, but before that you couldn't detect that. So this is why in cyber espionage campaigns the threat actors look to do that. It could be compromising a third party, or using the technique known as Evil Maid. I don't know if you heard before about Evil Maid: you leave your computer in your hotel room and then the threat actor will have access to your room and then have access to your computer and install the implant, in this case an implant

directly to your firmware. There was a particular operation called ShadowHammer; I don't know if you are familiar with this campaign. In the ShadowHammer campaign threat actors compromised a third party; we are talking about a supply chain attack on a well-known computer manufacturer. So they compromised the code in such a way that if you have a computer from this brand you could be backdoored by these implants: new computers, or if you updated your firmware. So that was pretty interesting. So how can you hunt this kind of threat? Remember that your anti-malware doesn't detect this. If you have enough information again, like threat intelligence, you can first dump the content of the firmware; this is the first

part. Remember we are hunting, we are following the tracks, you know. So in this case we can use the own tools from the system, or we can use external tools; there are different tools to dump the firmware. So in this case you can get the firmware; this is the first part. The second part is eliminating all sensitive information from the dump. This is important because there is sensitive information in the firmware, and that's it. And after that

you will parse the dump in an understandable way. Okay, you can do similar things, for example, if you have a memory dump: you need a memory dump from a suspicious computer, you can just get the executables from the memory and then you can scan using YARA. For example, I detected a lot of times the presence of Mimikatz in the memory of potentially compromised computers in ransomware attacks, so in that way you know that the attackers didn't just encrypt information; they actually have the passwords of the users, so you need to do something with that. So the last part is you can use YARA and you can just scan the content of that. So this is the

way that you can detect specific threats, for example from firmware. So the other way that you can hunt is using Sigma rules. In this case Sigma rules are pretty interesting, because the thing is there are different manufacturers, there are different providers to monitor and detect specific threats, but you know that they are using different queries to try to detect threats. So the challenge here is: what happens if my company has a particular tool to monitor or detect and then they decide to change to another one? Or, in this case, for example, if you are external or you are a provider, what happens if one client has a particular technology and another

client has a different technology? So the creators of Sigma thought that it could be a good idea to create a standard rule, a standard structure of information to detect different threats, and then use different conversions to create particular queries. So in that way I can have one rule to detect a specific behavior and then I can convert that rule into a particular query. So this is the way that it works. For example, you can look for a specific Sigma rule or you can actually create your own Sigma rule, so the same way that you use YARA rules you can create a Sigma rule, or you can look for

a Sigma rule associated with maybe an exploitation of a vulnerability or a particular threat. For example, when a threat actor tries to get the passwords from the LSASS process using ProcDump, this is a behavior, a well-known behavior, so you can create a Sigma rule to detect if someone is trying to use ProcDump to dump the passwords or the process from the LSASS system. So in this case this is a Sigma rule; they are similar to YARA rules but different: similar in the way that a structure is created to create detections or to do detections. And the next step is to convert this rule. Well, this is another example where you can look for rules specifically designed

for threat hunting. For example, there are rules that you can use in incident response, there are rules that you can use in threat hunting, but the most important thing is that you develop the capacity to create your own rules, because the environment will change, obviously the threats will change. So you first need to be familiar with the different techniques that an attacker could use and then you can create or you can use the Sigma

rules. Well, there are different tools that you can use to convert. For example, there are converters online, or you can use the main conversion using the Sigma engine to create the conversion, and after that, here, okay, for example, you just need to use a rule, and with Sigma rules you can detect behaviors. This is the way. And also you can use Suricata; Suricata is an open source tool created to detect malicious behaviors in the traffic, network traffic. You can use Suricata just by importing the pcap files. For example, if you capture some traffic from the network, you can just import that information into Suricata and use the rules to detect potential

threats. There are also tools that you can use more from the incident response and threat hunting perspective, for example Velociraptor. This is a pretty good tool; initially it was just an open source tool, now it's part of a company, but they keep Velociraptor as open source. So this tool is pretty interesting because you can just use a server on your own computer; you can start a server, you don't need to install anything. For example, let's assume that you are hunting in a particular infrastructure, so you don't have tools to monitor or to try to hunt for a particular threat; you can just run Velociraptor on your own

computer and you will have your infrastructure, the infrastructure you need to start the hunts. The way you can do the hunts: you can create collectors. A collector can get different pieces of evidence, for example artifacts; you can get logs, you can get specific information from, for example, registry keys, you can get forensic information about the programs that were executing on a particular computer, and then you can start hunting using this platform. You can use the common tools or you can use the main dashboard. So for example, in this case we are creating collectors to get information about the target. A way that

I use Velociraptor is, for example, if you need to get a memory dump from a computer or a server, you can just create a collector, get the evidence, and then you can analyze it using YARA, using different tools like memory analysis tools. And the other way you can use Velociraptor is to deploy YARA, because not all the tools support YARA to do hunts. So for example, if you have tools to monitor or detect threats but your tool doesn't support YARA rules, you can use, for example, Velociraptor, and you can add your YARA rules, your collection of YARA rules or a particular YARA rule, and then you can

look for data, specific samples, in the different computers in the network. So in this case we provide the YARA rule. Another interesting thing is it's not just for detection; for example, in this case, if the YARA rule detects something you can get the sample as well, the malicious file, etc. You can get the sample and analyze the sample, and you can use YARA rules to try to figure out what is the scope of the impact; I mean what amount of devices are compromised, because sometimes you can detect a sample or an implant on a computer but you actually don't know if that implant is present on other

computers. So the best way to do that is just to use your YARA rule: you deploy your search to different computers in your network and then you can get the samples, in case the detections are positive, like in this case we got some detections, and the next part is to review the results, and if there are detections you can get the samples. Yes. So it's very important that you have the mindset of a hunter. You need to have enough information about the threat actors, about their behaviors, what kind of tools, what kind of techniques they are using, but most important we need to focus specifically on particular [inaudible], like sometimes you can

start doing hunts based on a hypothesis, like you don't have any information, you just create a hypothesis and then you start looking for different threats. Another way is if you have a particular threat intelligence report, for example about a threat actor that is attacking companies related to your industry, you can get that threat report and use it to try to figure out if you were previously compromised. Actually, I recall one time that a customer had Microsoft Exchange infrastructure, so we read in an intelligence report that a particular vulnerability was exploited by ransomware threat actors, so the first thing that we thought was that that could be dangerous, so we started doing the hunt based on that

particular threat in the report, and we found that the company actually was compromised; the threat actor was in the initial phases of the attack. So that was very interesting, because that proactive posture will help you to detect threats before those threats impact your organization. So you need to have a methodology to follow, you need to have the toolsets, remember it's very important to have an agnostic mindset, because if you just focus on technologies, on the specific technologies, we could miss things. So this is why you need to use complementary tools, this is why it could be a good idea, in case, you can use open source tools or anything that you have to find

something you did not detect before. And the next thing is to define what strategy you will follow, for example, is it hypothesis-based, or just a threat intelligence report, and then convert that into actual detections. The way that threat hunting will help you to improve your security posture is to provide you enough information to create the detections in the future. So as a conclusion, threat hunting, as you know, is a very important component in your organization, so sometimes it could be confused with threat detection; it's different: threat hunting is a more proactive approach, with proactive activities, and in that way you can minimize the impact for your organization. Okay, so any

questions? Yes.

Yes, yes.

Yes.

That's... yes, yes, yes. Well, in that case, that's a pretty interesting question. What happens, for example: you can do threat hunting based on a threat intelligence report, right, but that means that that threat is known; I mean it happened before, it happened to someone before. But what happens if you are, for example, compromised by a new attack or a new implant that was never seen before? Well, in this case it's better if you focus on the behaviors. I mean the behaviors don't change; for example, if new malware is trying to get information from the network, the malware needs to do some reconnaissance activity, so in that case that behavior could be detected in some

way. So sometimes if you look at the MITRE ATT&CK framework you can see different tactics and techniques. So imagine that a threat actor is using a particular technique; sometimes that technique could be detected, for example, if there are 10 ways to generate the same behavior, maybe some tools detect half, or five or six, but are missing three, for example. So in this case, if you focus on the behavior, maybe you can help to protect against the other three ways to generate the same behavior. In that case you can use the approach of hypothesis threat hunting, like okay, let's assume that the threat actor is trying to do that, so you

can create your threat hunting plan and then you can try to find those behaviors.

Yeah.

Yes.

Yes, yes, that's correct.

Yes, yes, that's correct. The idea, the main idea, is to try to minimize the impact, or to try to detect the behavior on time. Yeah, anything

else? I didn't hear your question, but... how do you avoid false

positives? Yes, that's a good question, because there is a challenge when you are doing threat hunting, you know, because for example imagine that threat actors are using living-off-the-land tools like BITSAdmin or any tool present on the system. How can I differentiate the use of BITSAdmin to download information from the internet or to share information between your computers on your network from a malicious behavior like a download from a specific URL, and with the [inaudible] not detected, for example? This is pretty interesting because sometimes you need to look around that behavior, the next behavior, so you need to create a chain, sorry, between the first

behavior and the next behaviors, like okay, if I can get behavior A plus behavior B plus behavior C, that's a threat, and it's different from regular behavior. So yeah, well, in this case you need to be familiar with the normal to look for the abnormal, to detect the abnormal. Yeah, that's very important. This is why you need to have enough knowledge about how threat actors abuse the regular tools, to try to figure out the point of detection in this case. Yeah. [Inaudible.]

Yes, yes.

Well, you need to combine different strategies. For example, obviously you can't run a lot of hypotheses, because you don't have maybe enough time or resources to do that; maybe you can get threat intelligence information, so you need to figure out what is happening in the industry, what is happening in the threat landscape, because in that way you can define a strategy. Obviously there always could be the possibility that you have a gap in detection, but remember there are different steps that an attacker will follow, so the thing is that maybe you can miss the first steps, but if you can detect, I don't

know, in the middle of the attack, the attackers, that is a win, because the main objective is to reduce the risk of being impacted by that. So it's possible, it's possible to do that, but you need to define a strategy, you need to define your program, your methodology; in that way you could improve the way that you [inaudible]. It's not a one-time task; it's a task that you need to repeat every time.

Thank you.
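The timestamp-plus-size YARA hunt the talk describes (match the PE compile timestamp that the threat actor's signed DLLs shared, and exclude the larger legitimate system libraries that carry the same stamp by file size), written out as an added example. This is not a rule from the talk, from Bulletproof or from any vendor; the rule name, the timestamp value 0x5D2F1A00, the 300KB threshold and the reference field are constructed placeholders, because the talk gives none of the real values.

```yara
import "pe"

// Added example, not from the talk. Hunts for DLLs whose PE TimeDateStamp
// equals a value shared by known-bad signed samples, while skipping the
// legitimate (larger) system libraries that carry the same stamp.
rule Hunt_Shared_PE_Timestamp_Small_DLL
{
    meta:
        description = "DLL with a compile timestamp copied across signed malicious samples, sized below the legitimate system library"
        author      = "added example, not the speaker's rule"
        reference   = "PLACEHOLDER: threat intel report that supplies the real timestamp"

    condition:
        // MZ header and a valid PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // the samples in the talk were DLLs
        (pe.characteristics & pe.DLL) != 0 and
        // compile timestamp that every sample shared (constructed placeholder)
        pe.timestamp == 0x5D2F1A00 and
        // legitimate system libraries with the same stamp are larger; constructed threshold
        filesize < 300KB
}
```

With the real timestamp and a size threshold taken from the legitimate library's size, the rule can be run with the yara command-line scanner over a directory, or deployed through Velociraptor's YARA hunts as the talk describes, and the size guard is what keeps the genuine system files out of the results.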