
Well, this is a surprisingly full house for a rookie track speech. This is quite a surreal experience for me, because this time last year I was still a drama teacher, so this is an additionally surreal experience. Currently I'm a SOC analyst and threat hunter at Alert Logic, and I'm going to talk to you about threat hunting and analysing articles. So if we go into our agenda, and I'll be doing the presentation from here because, surprise, you need this right now.

The cyber security landscape is in a constant state of flux, with cyber adversaries employing increasingly sophisticated TTPs to compromise systems and data. Threat hunting has emerged as a proactive and essential practice for identifying and mitigating cyber security risks. This paper is a high-level look at the threat hunt process, aimed at those new to threat hunting and at professionals in other areas of cyber, so that they can better understand how that process works and why many of the incidents that arise from the threat hunt process are based on historical data that falls outside of the SLAs. The main focus of this paper is the transformation of publicly available articles and reports into actionable indicators of compromise. It explores the key stages of the threat hunt, from initial article analysis to the deployment of IOCs within security operations. By dissecting the anatomy of the threat, this paper provides security professionals with insights and strategies both for enhancing their threat hunting capabilities and for responding to the results of these hunts, showcasing how threat hunting bridges the gap between threat intelligence and practical cyber security events.

Before I dive into this, though, I do want to give a brief overview of the threat hunt as a whole, as it's important to see this presentation as part of the wider threat hunt process. There are many different types of hunt.

First of all, we've got the malware hunt. Malware remains a consistent threat to organisations. In this type of hunt we focus on identifying traces of malware within the network and on endpoints. This involves scrutinising suspicious files, processes and network traffic patterns to uncover indicators of compromise. By proactively seeking out malware we can eradicate it before it causes significant damage.

We also have the anomaly detection hunt. Anomalies in network and user behaviour can be indicative of security breaches, so this hunt involves monitoring and analysing logs and traffic patterns to identify deviations from standard baselines.

Then of course we've got the insider threat hunt. Insider threats, whether intentional or unintentional, pose a significant risk. In this type of hunt we focus on identifying suspicious activities or data exfiltration conducted by employees or third-party contractors, and we do this by monitoring user actions and unusual data access patterns.

Then we have the external threat hunt. Yes, there are a few of these. External threat actors such as hackers and nation states are a constant concern. This type of hunt involves monitoring external attack surfaces such as websites, email servers and cloud services for signs of malicious activity. By identifying and blocking malicious traffic at the perimeter we prevent many threats from penetrating our network. Much of this work is done by the SOC team, so some of you out here may be familiar with this process.

Then there's the data exfiltration hunt. Data breaches are a major concern, so we conduct hunts specifically focused on data exfiltration attempts by monitoring outbound network traffic.

And this brings us on to the subject of today: the zero-day vulnerability hunt. Zero-day vulnerabilities are a nightmare for organisations, as there are no known fixes or patches. In this hunt we keep a close eye on emerging threats and vulnerabilities through threat intelligence feeds and forums. By actively seeking out potential zero-day threats we can develop countermeasures or workarounds before exploits become widespread. This is the type of hunt that we will be exploring today, as for many companies their first knowledge of a zero-day event is either because they are a target or because an article has been published to let the wider community know. I probably should have moved that to the last one; you can tell that I am very, very nervous.

Okay, so each hunt requires a unique set of skills, tools and methodologies, because let's face it, the use of MITRE is a threat hunting presentation all of its own. Our goal as threat hunters is to remain proactive and continuously adapt to evolving threats. Collaboration, both within the team and the wider community, is essential to working effectively. Contrary to popular opinion, threat hunters aren't lone wolves diving down technical rabbit holes. Well, okay, the rabbit holes are definitely a real thing, but it is very much a team effort.

Curating your sources. In the initial phase of the threat hunt the focus should be on identifying relevant sources of information, and some of you will probably recognise some of those news sources there, then carefully analysing publicly available sources and reports that might contain clues about emerging threats or vulnerabilities. Extracting key information is a critical step here, as it lays the foundation for creating IOCs. During this phase it's essential to validate the source's credibility to ensure that the information is reliable and relevant. The sheer number of sources available online is pretty overwhelming, to put it mildly. When you first start threat hunting you do get a bit over-excited; I know I certainly did. The temptation to just Google "cyber security" and X is pretty hard to resist, but before you know it you're sifting through reams of historical articles that the algorithms place at the top. Pretty quickly you realise this is not the ideal way to be doing these things. You might have learned a lot about an obscure attack, but you haven't found anything useful to create a hypothesis or generate a hunt. You may already have a couple of go-to favourite cyber security news outlets, some of which might be featured on this board, which you've already set up on your phone to let you know when something new happens. Now that's a really good start for keeping up to date with things, but what about Twitter and other ways of getting current information before it's even come out in an article? How do you keep up with those?

First of all, let me just say that I am not being sponsored by Feedly, nor do I work for them, but it is a powerful tool that can be harnessed with ease, as it's a really efficient way to stay updated on the latest threats and vulnerabilities. By curating a customised feed of cyber security news, blogs and RSS feeds within Feedly you can create a centralised hub of real-time information. This way you can monitor emerging threats, zero-day vulnerabilities and hacker tactics employed across various platforms and sources. The ability to organise and categorise these feeds means you can quickly identify patterns, trends and malicious activities in the digital landscape. If you're working for a large company, Feedly's collaboration features enable threat hunters to collaborate with their teams, sharing relevant articles, research and insights to enhance their collective threat intelligence and response capabilities. Also, one of their newer features on the enterprise side is Feedly's integration capabilities, which can integrate with various threat intelligence platforms and tools and make it a really powerful tool; you can even integrate it into your SIEM systems. It streamlines the collection of information, which increases speed and accuracy. We've recently been trialling this capability with Kibana, and I found that having the articles embedded in our processes and our dashboards could actually be really, really useful. If you've read an article that's created some dashboards on Kibana, you can set that up so that when your shift changes over to the US they know exactly what you read and what the IOCs are that you picked up from it, and they can work from there.

Okay, so we've talked a lot about how to find articles and how to order them. Well, what do you do when you actually find that article? Forming a hypothesis. Once relevant articles and reports are identified, we need to dig deeper by correlating across multiple sources. This involves expanding on the initial IOCs and contextualising the threats. The goal is to paint a comprehensive picture of the potential threat: not only the indicators but also the tactics, techniques and procedures employed by the adversaries.

So without further ado, I'm going to go through this process with a very well-known zero-day event. Pretty much everybody in this room will have heard of the MOVEit breach; if you haven't, where have you been? Certainly it was a day that threat hunters globally will remember. Any widely used tool that's been compromised will affect a multitude of customers, and in an MDR the response needs to be coordinated and swift. For us it began with this article, and one of my colleagues posted the link, with one of our customers asking "is this what I think it is?". If we actually just look at the article itself, this is an example of a fantastic article to begin a threat hunt process, so props to Lawrence Abrams for this, because in this article not only do we have a number of indicators, IPs, but we also have the process that follows. We already have a starting point just from this one article, but of course you can't base a threat hunt on one article. Lawrence Abrams might have had a beef with Progress, who knows, could have been having a bad day; you've got to look into it. Now, we were quite lucky in this case because Progress were really, really quick off the mark when it came to releasing information about this particular vulnerability, so they actually enabled us to get all of these. This is not the exhaustive list of their IOCs from their website, because there wasn't enough space on the PowerPoint and, let's face it, none of you are going to read everything on here, but this gave us an absolutely fantastic starting point, and you start to notice that there are some common aspects to some of the indicators. I've done this in purple; those of you at the back probably can't see this. The most important indicator that we had was this human2.aspx.

So what do you do next? You have your article, you've got your IOCs, you've got thousands of customers if you work in MDR, so you need to start searching. Our first port of call was actually to go into all of our customers' environments and run a generalised search on MOVEit, because we needed to know which of our customers actually use that software. There's no point doing a threat hunt on every single one of your customers; you need to start narrowing that search down, because otherwise it's a waste of time and resources going through all of these things over and over again. So we started with MOVEit and we created a list, and it was a long list, of all of our customers using MOVEit software. And this is where logging becomes really, really important. For obvious reasons I can't show you a copy of our actual logs, because I don't think my customers would be particularly happy about this, but as a team we needed to log everything, because you don't want people duplicating work, and if there are search types that aren't working you need to let your colleagues know. Now, if you're working in a small SOC, a small team for a small company that doesn't have a huge amount of infrastructure, something as simple as an Excel spreadsheet can do this for you. Put all of your customers' names in there, or all of your environments if you're a single business: all of your different environments down there so you can check them one by one. Then you want the name of the threat hunter that is analysing each one of those environments. Then you want another column for whether or not you have seen the initial indicators; in this case it was, if I go back, as I said, that human2.aspx, so you need to see if it's got that. We ran that search and we narrowed our list down a little bit further, to our customers who had been compromised. However, we don't know at this point the stage of the compromise. Just because that file is there, it doesn't mean that it's moved on to the next stage of data exfiltration, so we needed to start looking into each of those environments even deeper. So yes, the list got bigger, the Excel spreadsheet got bigger, as we went through each and every customer finding out how much information is there.

And you need to be quick and you need to be organised, because this was still the 1st of July, and the Clop ransomware notice came out on the 7th. Not July, June, sorry; I didn't know what year it was, but it was a very, very long week. Letting our customers know as quickly as possible, especially those that hadn't seen data exfiltration at that point, meant that we could send them the remediation, because Progress already had a patch in place. We could send them remediation recommendations, we could let them know what was going on, we could let them know what they needed to protect, we could let them know to prepare their incident response teams. And yes, we were waking them up at 3:00 in the morning in some cases to let them know.

Which brings me very neatly on to determining criticality and raising potential incidents, because not every one of these threat hunts is going to be a MOVEit. If you see data exfiltration in a customer environment, of course you wake them up at 3:00 in the morning; they are not going to appreciate the extra sleep if they find themselves on the ransomware site at breakfast time. On the other hand, if you have a search such as the most recent FortiGate issue, which we've been through recently, then with some of those vulnerabilities we didn't even have indicators of compromise. With this particular incident all we let our customers know was that they may be potentially vulnerable, and you know what, they don't like being woken up in the middle of the night because we thought they may be potentially vulnerable at some obscure date in the future. So it's really, really important. As a general rule of thumb, if you are seeing an active breach or data exfiltration, it's a critical incident: raise it. If you're seeing that they may be potentially vulnerable, try to put yourself in your customer's shoes: how important is it going to be for that particular customer's business?

And then finally we move to the final stage, because letting the customer know and raising the incident, that's not the end of the process. Now, I shamelessly stole this from my own company's website, which is why it doesn't have a reference on it. It's actually mimicking the threat intelligence cycle as well, so I hope they don't watch this video. So we've moved through each of these stages. In our particular case, our direction came from our article; we collected further information; then we processed that information to create our indicators of compromise; we analysed it by going into Kibana and searching everything until our eyes were almost falling out of our heads; then we disseminated the information, and we let all of our customers know that they were at risk. And then we move to this stage, the feedback stage, because every active threat hunt forms the basis of the analytics of the future. If you just do your threat hunt and then leave it there, you're going to have to do that threat hunt again in the future. But if you do that threat hunt and then you provide all of that data, all of that analysis, and you send that through to your content creation teams, your research teams and your threat intelligence teams, they can then work together, and in a few weeks' time your SOC analysts will be analysing those incidents with the information you've provided, and they will be doing that in real time. Rather than a threat hunt where we're looking through the client's historical data to find those indicators, those SOC analysts will be catching it as it happens, and that ultimately is the goal of threat hunting: to improve the analytics of the future.

So, does anybody have any questions?
Q: You mentioned logging, and you have a bunch of different customers. How do you deal with customers who don't have the logs, or don't onboard them? Or do you have standardised logging across all your customers?

A: Oh, that's an awkward question for me. Yeah, I know, I've got to choose my words really, really carefully right now. Maybe we can discuss it afterwards, potentially. But for the most part we can only work with what we can see, so if those customers aren't visible to us then you're absolutely right, you can't run a threat hunt if it's not there. One of the things that we do as a business is we actually hold regular check-ins with our customers, so if we're not seeing things, if, for example, certificates haven't been uploaded and things aren't getting parsed correctly, then we have regular meetings with our customers to make sure things are coming through correctly. But by the time we're at the threat hunt process it's kind of already too late; that needs to happen earlier on. Absolutely. I could probably go into more detail. Anybody else? Yes.

Q: [inaudible] How do you ...?

A: With practice. There are some that I just, you know, I just can't even... So I think gradually you just start to know what's what and what's not, and you start to mute those ones; you narrow it down and narrow it down. You've got your favourites, your favourite kind of go-tos, but I do have a slush pile just in case, because every so often one of those cracks actually does have a little nugget in it, and one of your colleagues might say "well, have you seen this?", so you pull it straight up: yeah, yeah, I've seen that, I've seen that. But yeah, it's a really good question, because there is so much that filtering it down is super, super difficult. So it's working with what you find useful, and what you find useful as a SOC analyst may be different. We all have our own unique styles in how we go into things, how we research things, so it's about adapting it for the type of articles and type of feeds that you need to see, the way that your brain works, to create the most useful actionable intelligence. Anybody else? Yes.

Q: Does your surname have any connection ...?

A: It does, yes. In my former life, in my former life before I was a drama teacher, I was an actor and a storyteller, and when I got ... I took my Equity name, so that was my Equity name, and yes, storyteller. So, anyone got any questions that aren't to do with my name? Right, shall we have another big round for the amazing ...