Let the Hunt Begin - Security Bootcamp 2024

@TueDenn present at Security Bootcamp 2024
Let the Hunt Begin

About Me
TueDenn Security Bootcamp - Let the Hunt Begin 2
➢ Phạm Tài Tuệ
➢ tuedenn @ goDefend_work
➢ 5y in Infosec Industry
➢ Threat Hunter (3), DFIR (1), SOC manager (1)
➢ still noob but very curious and eager to learn
➢ 2nd time at Bootcamp
➢ I do on my own, not represent for any org

StOrieS
https://vietnamnet.vn/ma-doc-ma-hoa-du-lieu-tong-tien-lockbit-3-0-tan-cong-vndirect-nguy-hiem-the-nao-2271741.html#

StOrieS
https://cand.com.vn/Cong-nghe/yeu-cau-cac-cong-ty-chung-khoan-ra-soat-bao-mat-he-thong-i726369/

StOrieS
https://vtv.vn/cong-nghe/phong-chong-tan-cong-ma-doc-ma-hoa-du-lieu-tong-tien-20240604164927375.htm

Am I too Late ?

No matter the state of your org!
Threat HuntinG
Can Help!

Everything Start At 0

Agenda Introduction
01
Threat, Threat actor, Threat Hunting
Benefit of Threat Hunting
02
How Threat Hunting can help
Methodologies
03
Threat Hunting Maturity Model, Framework, Process
Usecases
04
Simple usecase bring to you
Key take away
05
Summary & suggest some resources to follow up

the Chinese proverb
the Best time
to Plant a Tree
was 20 years ago
the Second-best time
is NOW

IntrO “ThreAT”
➢ Intent
➢ Opportunity
➢ Capability
➢ To do you harm
https://csrc.nist.gov/glossary/term/cyber_threat

IntrO “ThreAt ActoR”
➢ Focus on Threat Actors is
a big win!
➢ Good at avoiding detection
and ensuring survivability
➢ React to countermeasures
and remediation tactics

ThreAt Actor
Will Come (back) SooN
If you think your org will never
be breached, you are wrong!

The Detection GAP
https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting-Methodology.pdf

Alerting is important
but can not be the only focus
of a detection program
That’s why you need Threat Hunting

IntrO “ThreAt HuntinG”
➢ Proactive
➢ Iterative
➢ Human-driven,
Machine-assisted
➢ Finding which
automated detection
systems missed

Threat Hunter vs soc analyst

Benefit 1: Shrink Dwell Time
➢ Detection miss
➢ Incident
➢ Lost $$$
Hunt the bad guy down
before incident happened
https://services.google.com/fh/files/misc/m-trends-2024.pdf

Benefit 2: Improve Detection
➢ More & more data
➢ Need automation detection
➢ Automation = More FP
➢ More human effort = more $
Threat Hunting can reduce FP &
contribute rules for automation

Benefit 3: Increase Visibility
Bring the peace-of-mind!
The more you know
about your network,
the better you can
defend it!

Threat
Hunting
MethodologieS

50% of organizations have formally
defined threat hunting methodologies
an increase from 35% in the previous year
https://www.sans.org/webcasts/sans-2024-threat-hunting-survey-hunting-for-normal-within-chaos/

Methodologies
➢ 50.8% defined threat
hunting methodologies
➢ 35.3% in 2023
➢ 49.2% is no method!
➢ Don’t know “HOW”!
➢ Still low
➢ But increase!

64% of organizations formally measure
the success or effectiveness
of their threat hunting efforts

Measure Success
➢ 64% of organizations
formally measure
the success or
effectiveness of their
threat hunting efforts
➢ 36% Don’t know “WHAT &
WHY”

PEAK
Prepare, Execute & Act
with Knowledge (2023)
Threat Hunting Framework
From Spunk
https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html

TaHiTi
Targeted Hunting
Integrating Threat
Intelligence (2018)
https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting-Methodology.pdf

Hunting Loop
The Sqrrl Threat Hunting
Reference Model (2015)

The Hunting Maturity Model
https://medium.com/@sqrrldata/the-cyber-hunting-maturity-model-6d506faa8ad5

Fit you it
https://medium.com/@sqrrldata/the-hunt-matrix-90d8476e8765

Craft Your Own
➢ Only you know the best fit
➢ Learn from others,
innovate on your own
➢ This is my suggestion!
Prepare
Identify
Analysis
Document
Finding
Improve,
Automate

Threat Hunting Life Circle
Prepare
Identify
Analysis
Document
Finding
Improve,
Automate
know the enemy
and know yourself
Clear objective
Formulate hypothesis
To prove or disprove your hypothesis
Create the
knowledge of
your hunt procedures
Think for the next!

PrepAre
know the enemy and know yourself

Prepare
Pyramid of pain
(2013)
➢ IOC used to
detect an
adversary’s
activities
➢ How much pain it
will cause them
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
HM1
HM2
HM3+

Prepare
How much pain it will cause them? :) #TurlaLicksAss
https://x.com/cyb3rops/status/1156599722326528009 https://x.com/cyb3rops/status/1372932191055974403

Prepare
Threat actor profile
➢ you must know your
enemy to win the war
➢ Diamond model:
Victim-Centered
Approach
➢ MITRE ATTCK
https://attack.mitre.org/matrices
/enterprise/
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

Let the Hunt Begin - Security Bootcamp 2024

Prepare
Data soure
➢ If you know the
enemy and know
yourself, you
need not fear the
result of a hundred
battles.
➢ Building Better
Hunt Data
https://attack.mitre.org/datasources/

Identify
Give your hunt a clear objective

Identify
A CLEAR objective → Effective threat hunting
➢ Define your hypothesis
➢ What you should hunt for: POST-Exploit!

AnalysiS
To prove or disprove your hypothesis
https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf

“ SeArching ” Techniques
➢ the simplest method
➢ Don’t too broadly
➢ For general artifacts
➢ Don’t too specifically
➢ on specific hosts

“ Stacking ” Techniques
➢ the most common techniques
➢ counting the number of occurrences
➢ analyzing the outliers or extremes
➢ Hard to dealing with large and/or
diverse data sets
➢ Most effective with a thoughtfully
filtered input

“ Grouping ” Techniques
➢ input is an explicit set of
items already of interest
➢ Group by based on specific
criteria
➢ Example
➢ Group by timeframe
➢ Group by department

“ Clustering ” Techniques
➢ Clustering != Grouping
➢ Input is not explicitly
➢ separate similar data
points
➢ certain characteristics
➢ Larger set of data
➢ Machine Learning models!
https://www.slideshare.net/slideshow/the-lord-of-the-ring-a-network-analysis/80476370

Document
Create the knowledge of your hunt procedures

SANS Threat Hunting & IR Summit 2020 The SOC Puzzle: Where Does Threat Hunting Fit? Ashley Pearson | @onfvp

ExpectAtion ManAgemenT
Won’t always find bad
and that’s okay

Document Your Findings
Create the knowledge of your hunt procedures
➢ Historical linking
➢ After: Fully document
➢ During: Partial document
➢ Simple, but clear
➢ Key points
➢ Retrievable
➢ Don’t waste your time!

Document
Hunt procedures
https://threathunterplaybook.com/hunts/windows/intro.html

Improve
Think for the next!

Improve
➢ Making future hunts more effective
➢ Scalability
➢ Known issues, Better next-time
➢ Don’t do the same hunts over and over
➢ Think can Automation hunt → Rule
➢ Human do, machine helps (AI, ML, automate task)
➢ Remind: “Hunting comes when automation ends!”

Improve
➢ Contribute rules
➢ Harden rules
➢ reduce FP
➢ Recommendations
➢ What missed
➢ how to detect next time
➢ To Improving org’s security
https://socprime.com/blog/interview-with-developer-florian-roth/
*Fact: Sigma was created by Florian Roth, for Threat Hunting purpose!

Improve
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml

Let
simple Threat Hunting procedure demo
The Hunt Begin
TueDenn 58

POWERShell Hunting
Let Hunt together!

Prepare - Threat Report
https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf

https://web-assets.esetstatic.com/wls/2020/05/ESET_Turla_ComRAT.pdf

Identify – Hypothesis
Threat Actor has created
a schedule task that
➢ without being caught
→ detection miss
➢ Still Remain persistence
➢ Run powershell
➢ Using techniques:
https://attack.mitre.org
/techniques/T1053/005/

Identify – Hunting Plan
➢ Scope: Scale all (1000 ppl)
➢ Collect:
➢ Data source: File (Tasks file path, create, …)
➢ Data source: Registry (Entry, Lauch Strings,…)
➢ Techniques:
➢ Searching, grouping, stacking
➢ Notes

Analysis - Searching
Using your SIEM to search the IOC (YES/NO question!)
NO RESULT!

Collect - Large Volume

Analysis - Grouping

Analysis – Grouping & Stacking

Analysis – Stacking

Document
➢ Follow your document method
➢ Report finding threat for
stakeholder
➢ IR need?
➢ Enrich your procedures
knowledge base
➢ Share!

Improve Security
➢ There is 01 rule about
CREATE powershell job
in the wild!
➢ what if bypassed?
➢ Do you monitor the
powershell job folder?
➢ The time is NOW!
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml

Key Take Away
➢ Threat Hunting is for all organization
➢ Threat Hunting shink the dwell time
& improve detection capability
➢ Threat actors is coming!
➢ know enermy, know yourself
➢ Follow your method
➢ Mature your hunt to cutting-edge

What’s
Next

What’s Next
➢ Define & follow Strategy, Methodologies and
Maturity model
➢ Start on Post-Exploitation
➢ Thinking offense, leads to smarter hunting!
➢ Assume nothing, Belive no one, Curious everything!
➢ Remind "hunting is a practice like any other; you
learn best by doing it, so don’t hesitate to jump
in“

References
➢ threathunting.net
➢ huntpedia
➢ framework-for-threat-hunting-
whitepaper
➢ hunt-evil-practical-guide-
threat-hunting
➢ threat-hunting-team-maturity-
model
➢ splunk-threat-hunting
➢ ready-to-hunt-first-show-me-
your-data
➢ sans-webcasts-threat-hunting-
100967
➢ sans-generating-hypotheses-
successful-threat-hunting-37172
➢ sans-2024-threat-hunting-
survey-hunting-for-normal-
within-chaos/

tuedenn
goDefend
tuedenn
tuept

Let the Hunt Begin - Security Bootcamp 2024

More Related Content

What's hot (20)

Similar to Let the Hunt Begin - Security Bootcamp 2024 (20)

More from Security Bootcamp (20)

Recently uploaded (20)

Let the Hunt Begin - Security Bootcamp 2024