@TueDenn presents at Security Bootcamp 2024
Let the Hunt Begin
About Me
TueDenn | Security Bootcamp - Let the Hunt Begin
➢ Phạm Tài Tuệ
➢ tuedenn@goDefend_work
➢ 5 years in the infosec industry
➢ Threat Hunter (3), DFIR (1), SOC manager (1)
➢ Still a noob, but very curious and eager to learn
➢ 2nd time at Bootcamp
➢ I speak for myself, not representing any org
Stories
https://vietnamnet.vn/ma-doc-ma-hoa-du-lieu-tong-tien-lockbit-3-0-tan-cong-vndirect-nguy-hiem-the-nao-2271741.html# (How dangerous is the LockBit 3.0 ransomware attack on VNDirect?)
https://cand.com.vn/Cong-nghe/yeu-cau-cac-cong-ty-chung-khoan-ra-soat-bao-mat-he-thong-i726369/ (Securities companies asked to review their system security)
https://vtv.vn/cong-nghe/phong-chong-tan-cong-ma-doc-ma-hoa-du-lieu-tong-tien-20240604164927375.htm (Preventing ransomware attacks)
Am I too late?
No matter the state of your org, Threat Hunting can help!
Everything starts at 0.
Agenda
01 Introduction: threat, threat actor, threat hunting
02 Benefits of Threat Hunting: how threat hunting can help
03 Methodologies: Threat Hunting Maturity Model, frameworks, process
04 Use cases: a simple use case brought to you
05 Key takeaways: summary and suggested resources to follow up
The Chinese proverb: "The best time to plant a tree was 20 years ago. The second-best time is now."
Introduction
Intro: "Threat"
➢ Intent
➢ Opportunity
➢ Capability
➢ ... to do you harm
https://csrc.nist.gov/glossary/term/cyber_threat
Intro: "Threat Actor"
➢ Focusing on threat actors is a big win!
➢ They are good at avoiding detection and ensuring survivability
➢ They react to countermeasures and remediation tactics
Threat actors will come (back) soon.
If you think your org will never be breached, you are wrong!
The Detection Gap
https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting-Methodology.pdf
Alerting is important, but it cannot be the only focus of a detection program.
That's why you need Threat Hunting.
Intro: "Threat Hunting"
➢ Proactive
➢ Iterative
➢ Human-driven, machine-assisted
➢ Finding what automated detection systems missed
Threat Hunter vs SOC analyst
Benefits of Threat Hunting
Benefit 1: Shrink Dwell Time
➢ Detection miss → incident → lost $$$
Hunt the bad guy down before the incident happens.
https://services.google.com/fh/files/misc/m-trends-2024.pdf
Benefit 2: Improve Detection
➢ More and more data
➢ Need automated detection
➢ Automation = more false positives
➢ More human effort = more $
Threat Hunting can reduce false positives and contribute rules for automation.
Benefit 3: Increase Visibility
Bring peace of mind!
The more you know about your network, the better you can defend it!
Threat Hunting Methodologies
50% of organizations have formally defined threat hunting methodologies, an increase from 35% in the previous year.
https://www.sans.org/webcasts/sans-2024-threat-hunting-survey-hunting-for-normal-within-chaos/
Methodologies
➢ 50.8% have defined threat hunting methodologies (35.3% in 2023)
➢ 49.2% have no method: they don't know "HOW"!
➢ Still low, but increasing!
https://www.sans.org/webcasts/sans-2024-threat-hunting-survey-hunting-for-normal-within-chaos/
64% of organizations formally measure the success or effectiveness of their threat hunting efforts.
https://www.sans.org/webcasts/sans-2024-threat-hunting-survey-hunting-for-normal-within-chaos/
Measure Success
➢ 64% of organizations formally measure the success or effectiveness of their threat hunting efforts
➢ 36% don't know "WHAT & WHY"
PEAK: Prepare, Execute & Act with Knowledge (2023)
Threat Hunting Framework from Splunk
https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html
TaHiTI: Targeted Hunting integrating Threat Intelligence (2018)
https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting-Methodology.pdf
Hunting Loop: the Sqrrl Threat Hunting Reference Model (2015)
The Hunting Maturity Model
https://medium.com/@sqrrldata/the-cyber-hunting-maturity-model-6d506faa8ad5
Fit it to you
https://medium.com/@sqrrldata/the-hunt-matrix-90d8476e8765
Craft Your Own
➢ Only you know the best fit
➢ Learn from others, innovate on your own
➢ This is my suggestion!
Threat Hunting Life Cycle
Prepare → Identify → Analysis → Document Findings → Improve, Automate
➢ Prepare: know the enemy and know yourself
➢ Identify: a clear objective; formulate the hypothesis
➢ Analysis: prove or disprove your hypothesis
➢ Document Findings: build the knowledge base of your hunt procedures
➢ Improve, Automate: think about the next hunt!
Prepare: know the enemy and know yourself
Prepare: Pyramid of Pain (2013)
➢ IOCs used to detect an adversary's activities
➢ How much pain it causes them when you deny each indicator type
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
(Pyramid tiers mapped to Hunting Maturity levels HM1, HM2, HM3+)
Prepare: How much pain will it cause them? :) #TurlaLicksAss
https://x.com/cyb3rops/status/1156599722326528009
https://x.com/cyb3rops/status/1372932191055974403
Prepare: Threat actor profile
➢ You must know your enemy to win the war
➢ Diamond Model: victim-centered approach
➢ MITRE ATT&CK: https://attack.mitre.org/matrices/enterprise/
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Prepare: Data sources
➢ "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
➢ Building better hunt data
https://attack.mitre.org/datasources/
Identify: give your hunt a clear objective
A CLEAR objective → effective threat hunting
➢ Define your hypothesis
➢ What you should hunt for: post-exploitation!
Analysis: prove or disprove your hypothesis
https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf
"Searching" techniques
➢ The simplest method
➢ Don't search too broadly (for general artifacts)
➢ Don't search too specifically (on specific hosts)
"Stacking" techniques
➢ The most common technique
➢ Count the number of occurrences
➢ Analyze the outliers or extremes
➢ Hard to deal with large and/or diverse data sets
➢ Most effective with thoughtfully filtered input
"Grouping" techniques
➢ Input is an explicit set of items already of interest
➢ Group by specific criteria
➢ Examples: group by timeframe, group by department
"Clustering" techniques
➢ Clustering != grouping
➢ Input is not an explicit set
➢ Separates similar data points by certain characteristics
➢ Larger set of data
➢ Machine learning models!
https://www.slideshare.net/slideshow/the-lord-of-the-ring-a-network-analysis/80476370
Document: create the knowledge base of your hunt procedures
SANS Threat Hunting & IR Summit 2020, "The SOC Puzzle: Where Does Threat Hunting Fit?", Ashley Pearson (@onfvp)
Expectation Management
You won't always find bad, and that's okay.
Document Your Findings
Create the knowledge base of your hunt procedures
➢ Historical linking
➢ After the hunt: document fully
➢ During the hunt: document partially
➢ Simple, but clear
➢ Key points
➢ Retrievable
➢ Don't waste your time!
Document: hunt procedures
https://threathunterplaybook.com/hunts/windows/intro.html
Improve: think about the next hunt!
➢ Make future hunts more effective
➢ Scalability
➢ Known issues, better next time
➢ Don't do the same hunts over and over
➢ Think: can the hunt be automated → turn it into a rule
➢ Humans do, machines help (AI, ML, automated tasks)
➢ Remember: "Hunting starts where automation ends!"
Improve
➢ Contribute rules
➢ Harden rules, reduce false positives
➢ Recommendations: what was missed, how to detect it next time
➢ To improve the org's security
https://socprime.com/blog/interview-with-developer-florian-roth/
*Fact: Sigma was created by Florian Roth for threat hunting purposes!
Improve: example Sigma threat-hunting rule
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
Let the Hunt Begin: a simple threat hunting procedure demo
PowerShell Hunting
Let's hunt together!
Prepare: Threat Reports
https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
https://web-assets.esetstatic.com/wls/2020/05/ESET_Turla_ComRAT.pdf
Identify: Hypothesis
A threat actor has created a scheduled task that
➢ was not caught → detection miss
➢ still maintains persistence
➢ runs PowerShell
➢ uses the technique https://attack.mitre.org/techniques/T1053/005/
Identify: Hunting Plan
➢ Scope: the whole fleet (~1000 people)
➢ Collect:
➢ Data source: File (task file path, creation, ...)
➢ Data source: Registry (entries, launch strings, ...)
➢ Techniques: searching, grouping, stacking
➢ Notes
Analysis: Searching
Use your SIEM to search for the IOCs (a YES/NO question!)
NO RESULT!
Collect: large volume
Analysis: Grouping
Analysis: Grouping & Stacking
Analysis: Stacking
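The analysis step of the demo (search for the report IOCs, get no result, then group by time and stack task actions by host prevalence) and the earlier technique slides (Searching, Grouping, Stacking), as one added Python example that is not part of the original talk. The records, host names, task names and the IOC list are constructed; the fields mirror what Security event 4698 ("A scheduled task was created") carries once its TaskContent XML is parsed, which requires the "Audit Other Object Access Events" subcategory to be enabled.

```python
"""Searching, grouping and stacking over constructed scheduled-task creation records."""
import re
from collections import defaultdict
from datetime import datetime


def ev(time, host, user, task, exe, args):
    return {"time": time, "host": host, "user": user, "task": task, "exe": exe, "args": args}


# Constructed sample shaped like Security event 4698 ("A scheduled task was created") with the
# <Exec><Command> and <Arguments> values already parsed out of TaskContent. Not real telemetry.
EVENTS = [
    ev("2024-06-03T08:01:12", "WS-0101", r"CORP\alice", r"\Microsoft\Office\OfficeTelemetryAgentLogOn", "officetelemetry.exe", "/logon"),
    ev("2024-06-03T08:01:40", "WS-0102", r"CORP\bob", r"\Microsoft\Office\OfficeTelemetryAgentLogOn", "OfficeTelemetry.exe", "/logon"),
    ev("2024-06-03T08:03:05", "WS-0103", r"CORP\carol", r"\Microsoft\Office\OfficeTelemetryAgentLogOn", "officetelemetry.exe", "/logon"),
    ev("2024-06-03T09:15:00", "WS-0101", "SYSTEM", r"\IT\InventoryCollector", "powershell.exe", r"-NoProfile -File C:\IT\inventory.ps1"),
    ev("2024-06-03T09:15:02", "WS-0102", "SYSTEM", r"\IT\InventoryCollector", "powershell.exe", r"-NoProfile -File C:\IT\inventory.ps1"),
    ev("2024-06-03T09:15:04", "WS-0103", "SYSTEM", r"\IT\InventoryCollector", "powershell.exe", r"-noprofile -file C:\IT\inventory.ps1"),
    ev("2024-06-03T09:15:05", "WS-0104", "SYSTEM", r"\IT\InventoryCollector", "POWERSHELL.EXE", r"-NoProfile -File C:\IT\inventory.ps1"),
    ev("2024-06-03T18:30:00", "WS-0250", r"CORP\erin", r"\Backup\PhotosToNAS", "robocopy.exe", r"C:\Users\erin\Pictures \\nas\erin /MIR"),
    # One host, off-hours, hidden window, encoded payload (placeholder base64, not a real command).
    ev("2024-06-03T02:47:33", "WS-0417", r"CORP\dave", r"\Microsoft\Windows\Shell\UpdateCheck", "powershell.exe",
       "-WindowStyle Hidden -NoProfile -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
]

# Hypothetical task names "from the threat report": constructed placeholders, not taken from any real report.
REPORT_IOC_TASK_NAMES = {r"\Example\ReportIocTask1", r"\Example\ReportIocTask2"}

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Launch options worth a second look when the action is rare; matched against normalised args.
SUSPICIOUS_FLAGS = ("-encodedcommand", "-enc ", "-e ", "-windowstyle hidden", "-w hidden")


def search_iocs(events, task_names):
    """Searching: the yes/no question. Did any host create a task with a name from the report?"""
    wanted = {t.lower() for t in task_names}
    return [e for e in events if e["task"].lower() in wanted]


def group_by(events, key):
    """Grouping: the input is already of interest; split it by a criterion (hour, host, user, ...)."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    return dict(groups)


def hour_of(e):
    return datetime.fromisoformat(e["time"]).hour


def normalize_args(args):
    """Collapse per-host variable parts (case, encoded payloads) so identical behaviour stacks together."""
    return " ".join("<B64>" if B64_TOKEN.match(t) else t.lower() for t in args.split())


def stack_by_action(events):
    """Stacking: distinct hosts per normalised (exe, args) pair, rarest first. Fleet-wide software
    lands at the bottom; one-off actions float to the top where an analyst can read them."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e["exe"].lower(), normalize_args(e["args"]))].add(e["host"])
    return sorted(((k, len(h)) for k, h in hosts.items()), key=lambda kv: (kv[1], kv[0]))


def rare_powershell_tasks(events, max_hosts=2):
    """Combine the stack with the hypothesis: PowerShell tasks seen on few hosts with evasive flags."""
    prevalence = dict(stack_by_action(events))
    hits = []
    for e in events:
        key = (e["exe"].lower(), normalize_args(e["args"]))
        if key[0] in POWERSHELL and prevalence[key] <= max_hosts and any(f in key[1] for f in SUSPICIOUS_FLAGS):
            hits.append(e)
    return hits


if __name__ == "__main__":
    print("IOC search hits:", search_iocs(EVENTS, REPORT_IOC_TASK_NAMES))  # [] -> no result, keep hunting
    for hour, evs in sorted(group_by(EVENTS, hour_of).items()):
        print(f"{hour:02d}:00  {len(evs)} task(s) created on {sorted({e['host'] for e in evs})}")
    for (exe, args), n in stack_by_action(EVENTS):
        print(f"{n:>3} host(s)  {exe} {args}")
    for e in rare_powershell_tasks(EVENTS):
        print("REVIEW:", e["host"], e["user"], e["task"], e["args"])
```

The normalisation step is what makes stacking usable on a large fleet: without collapsing case and the per-host encoded payload, every attacker task would be its own bucket of one, indistinguishable from the thousands of benign one-offs. The rarity threshold alone is not a verdict either (the robocopy backup task is equally rare), which is why the last function re-applies the hypothesis (PowerShell, evasive launch options) on top of the stack.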
Document
➢ Follow your documentation method
➢ Report the threat finding to stakeholders
➢ Is IR needed?
➢ Enrich your procedures knowledge base
➢ Share!
Improve Security
➢ There is one rule in the wild about CREATING a PowerShell job!
➢ What if it is bypassed?
➢ Do you monitor the PowerShell job folder?
➢ The time is NOW!
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
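The Improve step above (turn the hunt into a rule, then ask what the rule misses), as an added Python example that is not from the talk or from SigmaHQ. It implements a minimal Sigma-style matcher (contains/startswith/endswith modifiers, and/or/not conditions) and runs it over constructed 4104 ScriptBlockText events. The first rule is a simplified stand-in for posh_ps_cmdlet_scheduled_task.yml: its cmdlet list is my recollection of what that rule keys on, not a copy, so check the repository for the live selection; the filter on it is my own tuning, not part of the rule. The second rule is hunt-derived and mine: PowerShell scheduled jobs (Register-ScheduledJob / New-JobTrigger, persisted as XML under %LOCALAPPDATA%\Microsoft\Windows\PowerShell\ScheduledJobs) use different cmdlets, which is the gap the slide points at.

```python
"""Hunt to rule: a minimal Sigma-style matcher over constructed PowerShell 4104 events,
and the coverage gap a scheduled-task cmdlet rule leaves for PowerShell scheduled jobs."""

# Constructed events shaped like Microsoft-Windows-PowerShell/Operational 4104 fields. Not real logs.
EVENTS = [
    {"Computer": "WS-0102", "Path": r"C:\IT\deploy-tasks.ps1",  # IT deployment script
     "ScriptBlockText": "$a = New-ScheduledTaskAction -Execute powershell.exe -Argument '-NoProfile -File C:\\IT\\inventory.ps1'\n"
                        "Register-ScheduledTask -TaskName InventoryCollector -Action $a -Trigger (New-ScheduledTaskTrigger -Daily -At 9am)"},
    {"Computer": "WS-0417", "Path": "",  # typed interactively: hidden window, encoded payload (placeholder)
     "ScriptBlockText": "$a = New-ScheduledTaskAction -Execute powershell.exe -Argument '-WindowStyle Hidden -EncodedCommand QUFBQUFB...'\n"
                        "Register-ScheduledTask -TaskName UpdateCheck -Action $a -Trigger (New-ScheduledTaskTrigger -AtLogOn)"},
    {"Computer": "WS-0418", "Path": "",  # same goal, reached through the PSScheduledJob module instead
     "ScriptBlockText": "Register-ScheduledJob -Name UpdateCheck -ScriptBlock { & $env:TEMP\\u.ps1 } -Trigger (New-JobTrigger -AtLogOn)"},
]

# Simplified stand-in for SigmaHQ rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml.
# Assumption: the live rule keys on *-ScheduledTask cmdlet names; verify its exact list in the repository.
SCHEDULED_TASK_CMDLET_RULE = {
    "title": "PowerShell Scheduled Task Cmdlets (simplified)",
    "detection": {
        "selection": {"ScriptBlockText|contains": [
            "New-ScheduledTaskAction", "New-ScheduledTaskTrigger", "New-ScheduledTaskPrincipal",
            "New-ScheduledTaskSettingsSet", "New-ScheduledTask", "Register-ScheduledTask"]},
        # Our tuning, not the rule's: suppress the IT deployment script. An attacker who writes into
        # C:\IT\ inherits the suppression, so prefer filters on something they do not control.
        "filter_it_deploy": {"Path|startswith": "C:\\IT\\"},
        "condition": "selection and not filter_it_deploy",
    },
}

# Hunt-derived companion rule (ours). PowerShell scheduled jobs register through different cmdlets and
# are persisted under %LOCALAPPDATA%\Microsoft\Windows\PowerShell\ScheduledJobs, so the rule above never fires.
SCHEDULED_JOB_RULE = {
    "title": "PowerShell Scheduled Job Registration (hunt-derived)",
    "detection": {
        "selection": {"ScriptBlockText|contains": ["Register-ScheduledJob", "New-JobTrigger", "\\PowerShell\\ScheduledJobs"]},
        "condition": "selection",
    },
}


def _match_value(actual, expected, modifiers):
    a, e = str(actual).lower(), str(expected).lower()  # Sigma string matching is case-insensitive
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def _match_selection(selection, event):
    """All fields of a selection must match; a list of values is OR unless the |all modifier is set."""
    for spec, expected in selection.items():
        field, *modifiers = spec.split("|")
        values = expected if isinstance(expected, list) else [expected]
        hits = [_match_value(event.get(field, ""), v, modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def _eval_condition(tokens, truth):
    """Recursive-descent evaluation of 'a and not b or c' (precedence: not > and > or).
    Parentheses and '1 of'/'all of' are out of scope for this stand-in."""
    def factor(i):
        if tokens[i] == "not":
            v, i = factor(i + 1)
            return (not v), i
        return truth[tokens[i]], i + 1

    def term(i):
        v, i = factor(i)
        while i < len(tokens) and tokens[i] == "and":
            w, i = factor(i + 1)
            v = v and w
        return v, i

    def expr(i):
        v, i = term(i)
        while i < len(tokens) and tokens[i] == "or":
            w, i = term(i + 1)
            v = v or w
        return v, i

    v, end = expr(0)
    if end != len(tokens):
        raise ValueError(f"unsupported condition: {' '.join(tokens)}")
    return v


def evaluate(rule, event):
    det = rule["detection"]
    truth = {name: _match_selection(sel, event) for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"].split(), truth)


def run(rules, events):
    """Return {rule title: [Computer, ...]} listing the hosts each rule fires on."""
    return {r["title"]: [e["Computer"] for e in events if evaluate(r, e)] for r in rules}


if __name__ == "__main__":
    for title, hosts in run([SCHEDULED_TASK_CMDLET_RULE, SCHEDULED_JOB_RULE], EVENTS).items():
        print(f"{title}: {hosts}")
```

Run on the three events, the cmdlet rule fires only on WS-0417 (WS-0102 matches the selection but is tuned out by the path filter) and stays silent on WS-0418, the scheduled-job variant; only the hunt-derived rule catches that one. That pair is the "contribute rules" and "what was missed, how to detect it next time" output of the Improve step, and the folder named in the comment is the file-creation data source to add if script block logging is not enabled everywhere.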
Key Takeaways
➢ Threat Hunting is for every organization
➢ Threat Hunting shrinks dwell time and improves detection capability
➢ Threat actors are coming!
➢ Know the enemy, know yourself
➢ Follow your method
➢ Mature your hunt to the cutting edge
What's Next
➢ Define and follow a strategy, methodologies and a maturity model
➢ Start with post-exploitation
➢ Thinking offense leads to smarter hunting!
➢ Assume nothing, believe no one, be curious about everything!
➢ Remember: "Hunting is a practice like any other; you learn best by doing it, so don't hesitate to jump in."
References
➢ threathunting.net
➢ huntpedia
➢ framework-for-threat-hunting-whitepaper
➢ hunt-evil-practical-guide-threat-hunting
➢ threat-hunting-team-maturity-model
➢ splunk-threat-hunting
➢ ready-to-hunt-first-show-me-your-data
➢ sans-webcasts-threat-hunting-100967
➢ sans-generating-hypotheses-successful-threat-hunting-37172
➢ sans-2024-threat-hunting-survey-hunting-for-normal-within-chaos/