Breaking the cyber kill chain!
6 likes1,369 views
The document discusses strategies to break the cyber kill chain and improve threat hunting practices. It emphasizes proactive security measures to detect cyber attacks throughout their lifecycle, detailing various techniques for identifying lateral movement and command and control (C2) activities. Additionally, it highlights the importance of data-centric hunting, endpoint monitoring, and utilizing machine learning for incident detection.
![Md Nahidul Kibria
Co-Founder, Beetles
@nahidupa
[~] $ whoami](https://image.slidesharecdn.com/breakingthecyberkillchain-171215164121/85/Breaking-the-cyber-kill-chain-2-320.jpg)
Breaking the cyber kill chain!
- 1. Breaking the Cyber Kill Chain! Md Nahidul kibria Co-Founder, Beetles
- 2. Md Nahidul Kibria Co-Founder, Beetles @nahidupa [~] $ whoami
- 3. What is this talk about?
- 4. We ensure all compliance We still get compromised!
- 5. We spend money to buy all good equipments We still get compromised!
- 6. We ensure… We do that… We did that... We still get compromised!
- 11. Cyber Kill Chain
- 12. Threat hunting
- 13. Let's Detect and Response
- 14. Sensors >> Data >> monitoring
- 15. Approaches to Threat Hunting 1. Data-centric Hunting 2. Hunting on the Endpoint(DFIR) 3. Deception
- 16. Adversary simulation 1. Attacking web application 2. OS Command execute 3. Download malicious files (powershell webclient) 4. Getting reverse shell 5. Privilege escape 6. Scan internal host 7. Lateral Movement 8. Install APT(c2) 9. Data Exfiltration
- 17. Hunt Lateral Movement Attackers quietly traverse your Network.
- 18. Lateral Movement - Techniques, Tactics & Procedures (TTPs) Psexec File shares Powershell Pass-the-hash Scheduled tasks Windows Management Instrumentation (WMI) SMB SSH
- 19. Detect using windows event log /Sysmon
- 21. Psexec psexec.exe -i -s %SystemRoot%system32cmd.exe
- 22. Sysmon event - psexc.exe
- 23. Hunt other TTPs “net” Reconnaissance of Domain Admin Group Command ● C: > net group "Domain Admin" /domain Credential Harvesting with WMI and WCE ● net use 172.31.3.16 PASSWORD /user:SANDBOXAdministrator ● copy w.exe 172.31.3.16c$PerfLogs ● wmic /NODE:172.31.3.16 /USER:"SANDBOXAdministrator" /PASSWORD:"PASSWORD" process call create "cmd /c C:Perflogsw.exe -w > C:Perflogso.txt" Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf
- 25. Sysmon dashboard
- 27. Hunting Command and Control(c2) C2 via Dynamic DNS Finding the Unknown with HTTP URIs Beacon Detection via Intra-Request Time Deltas Finding C2 in Network Sessions
- 30. Hunt for Data Exfiltration
- 31. Producer-Consumer Ratio for Detecting Data Exfiltration Ref https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/analyze_producer_consumer_ratio.md
- 32. Hunt for Malware
- 34. Svchost.exe with no -k
- 36. Query (NewProcessName: "svchost.exe" AND NOT NewProcessName: "C:WindowsSystem32svchost.exe") OR (NewProcessName: "smss.exe" AND NOT NewProcessName: "C:WindowsSystem32smss.exe") OR (NewProcessName: "wininit.exe" AND NOT NewProcessName: "C:WindowsSystem32wininit.exe") OR (NewProcessName: "taskhost.exe" AND NOT NewProcessName: "C:WindowsSystem32taskhost.exe") OR (NewProcessName: "lsass.exe" AND NOT NewProcessName: "C:WindowsSystem32lsass.exe") OR (NewProcessName: "winlogon.exe" AND NOT NewProcessName: "C:WindowsSystem32winlogon.exe") OR (NewProcessName: "explorer.exe" AND NOT NewProcessName: "C:Windowsexplorer.exe") OR (NewProcessName: "lsm.exe" AND NOT NewProcessName: "C:WindowsSystem32lsm.exe") OR (NewProcessName: "services.exe" AND NOT NewProcessName: "C:WindowsSystem32services.exe") OR (NewProcessName: "csrss.exe" AND NOT NewProcessName: "C:WindowsSystem32csrss.exe")
- 37. Hunt in memory Malware become fileless- Kovter,Poweliks Volatility-/rekall
- 40. Here can come Security Operation Center
- 41. Machine Learning for Incident Detection
- 43. The Hunting Maturity Model
- 45. Happy Hunting! @nahidupa Break the Cyber Kill Chain!
Editor's Notes
- #2: Hello Who is come at least second time this con?
- #3: Cyber security company Pentesting-> malware analysis-> manage security service Synack-Web application, mobile application Free time Owasp Sofo
- #4: How do we look at security right now,/ proactive security /threat hunting/ SOC
- #5: Current mindset of security Compliance is not bad/
- #6: We give user 2fa device/
- #7: patched / ..insider threat / 0 days/
- #8: We did everything alright whole year but a simple mistake all our credits gone, We need to change mindset
- #12: An attack doesn’t just happen instantaneously, it takes time and effort. If we can detect in that duration
- #13: Not a new concept Not Alert Driven Not a tool or product Not standardized Not a silver bullet
- #14: Let's start detect from most important
- #22: psexec.exe -i -s %SystemRoot%\system32\cmd.exe
- #24: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf
- #38: https://github.com/google/rekall
- #40: www.threathunting.net
- #44: 0=> Automatic alerting- 1=> Threat intel feed,IOC search =>3=> Procedural=>4=>Innovative way=> 5. Automation and analytics. http://blog.sqrrl.com/the-cyber-hunting-maturity-model
- #46: MindSet..raise the bar