Abstract image of a woman sitting on books and studying on a laptop

Maturing your threat hunting program

Cybereason, profile picture
Cybereason

This document discusses maturing a threat hunting program. It provides an overview of threat hunting, including defining the process as proactively discovering undesirable activity to elicit a positive outcome. It reviews the hunting process of having a motivation/hypothesis, collecting data, using tools for analysis, and achieving outcomes. It then discusses how hunting outcomes can improve an incident response process by providing detections, new collection techniques, and prevention capabilities. The document dives deeper into expanded hunting of PowerShell techniques like file-less execution, persistence, network communications, and provides examples of how hunting could escalate incidents or enable prevention controls related to PowerShell.

Technology
Related topics:
Threat Hunting
1 of 16
Downloaded 75 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Total Endpoint Protection: #1 in EDR & Next-Gen AV Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
Total Endpoint Protection: #1 in EDR & Next-Gen AV Who Am I? Jayson Wehrend Senior Sales Engineer, Cybereason Former Tech Consultant, RSA
Total Endpoint Protection: #1 in EDR & Next-Gen AV Why We’re Here Today o Quick hunting refresher o I’m hunting! Now what? o Giving back & process integration o Expanded PowerShell use case
Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: HUNTING DEFINED. The process of proactively discovering undesirable activity to illicit a positive outcome.
Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: WHY? Prepare? It’s very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for the bad to happen, then have to react to fix. Fix stuff? Especially before it breaks!
Total Endpoint Protection: #1 in EDR & Next-Gen AV Time to Change. Intelligence is the ability to adapt to change. -- Stephen Hawking
Total Endpoint Protection: #1 in EDR & Next-Gen AV The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation
Total Endpoint Protection: #1 in EDR & Next-Gen AV I’m Hunting! Now What? o We’re Giving Back! – Incidents – Detection improvements / new collection techniques – Prevention with confidence – Improve response / triage – Configuration management / compliance / audit
Total Endpoint Protection: #1 in EDR & Next-Gen AV Incident Response Process Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent
Total Endpoint Protection: #1 in EDR & Next-Gen AV Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Incident Response Process Hunting Process Use blind spots/gaps as sources of motivation + hypothesis High fidelity detections Escalated incident New data collection & analysis techniques improve triage & response SOPs
Total Endpoint Protection: #1 in EDR & Next-Gen AV Hunting: A Deeper Dive o Previous outcomes create new motivation + hypothesis’ o Introducing new datasets to expand previous outcomes o Data stacking becomes more crucial to the journey to analysis/data science
Total Endpoint Protection: #1 in EDR & Next-Gen AV EXPANDED HUNTING: POWERSHELL
Total Endpoint Protection: #1 in EDR & Next-Gen AV File-less Techniques PowerShell Process Execution Persistence Network Comms Service Registry Hidden Obfuscated Encoded Download Commands Shellcode DLL Execution Parent/child Profiling Int2Ext Profiling DNS Queries Service = commandline:powershell or .ps* Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine:DownloadFile|IWE|Invoke-WebRequest|IRM|Invoke- RestMethod|DownloadString|BITS commandLine:dllimport| virtualalloc Parent:wscript|mshta|M SOffice|Browser|WMI* Connections à Filter:isExternalConnection:True URL: .ps* DNS Query: TXT C2 DNS Query: Received vs. Transmitted Ratios
Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Incident Escalation o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload o Incident 2: Remote .ps file execution / invoking shellcode o Incident 3: Mismatched Services – Adversarial use of .ps o Incident 4: Data Exfil – Powershell BITSTransfer
Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Prevention o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes o Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe o Anchor PowerShell scripts to a specific server directories, block .ps* from running directly on a system o Use endpoint firewall to prevent PowerShell.exe from connecting to non- approved Ips o Block “Bypass” “Hidden” “Download String” “WebClient” “DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user o See #2 for allowing valid applications
Total Endpoint Protection: #1 in EDR & Next-Gen AV Thank you! Questions? jayson.wehrend@cybereason.com @cybereason

More Related Content

PDF
Protecting the healthcare industry
Cybereason
 
PDF
The attack lifecycle. Cybereason can help you answer: Are you under attack?
Cybereason
 
PDF
The Cyber Attack Lifecycle
Cybereason
 
PDF
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
Cybereason
 
PDF
Protecting the manufacturing industry
Cybereason
 
PPTX
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
F _
 
PDF
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
PPTX
Purple team is awesome
Sumedt Jitpukdebodin
 
Protecting the healthcare industry
Cybereason
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
Cybereason
 
The Cyber Attack Lifecycle
Cybereason
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
Cybereason
 
Protecting the manufacturing industry
Cybereason
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
F _
 
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
Purple team is awesome
Sumedt Jitpukdebodin
 

What's hot (20)

PDF
2018 CISSP Mentor Program- Session 6
FRSecure
 
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
HITCON GIRLS
 
PDF
2018 CISSP Mentor Program Session 3
FRSecure
 
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
PDF
FRSecure 2018 CISSP Mentor Program Session 10
FRSecure
 
PPTX
Worst-Case Scenario: Being Detected without Knowing You are Detected
Ashwini Almad
 
PPTX
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
FRSecure
 
PPTX
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
beltface
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
Clare Nelson, CISSP, CIPP-E
 
PDF
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE - ATT&CKcon
 
PPTX
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
FRSecure
 
PDF
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Roger Johnston
 
PDF
2018 FRSecure CISSP Mentor Program Session 8
FRSecure
 
PPTX
Extracting the Malware Signal from Internet Noise
Ashwini Almad
 
PPT
Sp Security 101 Primer 2 1
Barry Greene
 
PDF
2019 FRSecure CISSP Mentor Program: Class Nine
FRSecure
 
PDF
2019 FRecure CISSP Mentor Program: Session Two
FRSecure
 
PPTX
Advanced persistent threat (apt)
mmubashirkhan
 
PDF
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE - ATT&CKcon
 
PPTX
Pen Testing Explained
Rand W. Hirt
 
2018 CISSP Mentor Program- Session 6
FRSecure
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
HITCON GIRLS
 
2018 CISSP Mentor Program Session 3
FRSecure
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
FRSecure 2018 CISSP Mentor Program Session 10
FRSecure
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Ashwini Almad
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
beltface
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
Clare Nelson, CISSP, CIPP-E
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE - ATT&CKcon
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Roger Johnston
 
2018 FRSecure CISSP Mentor Program Session 8
FRSecure
 
Extracting the Malware Signal from Internet Noise
Ashwini Almad
 
Sp Security 101 Primer 2 1
Barry Greene
 
2019 FRSecure CISSP Mentor Program: Class Nine
FRSecure
 
2019 FRecure CISSP Mentor Program: Session Two
FRSecure
 
Advanced persistent threat (apt)
mmubashirkhan
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE - ATT&CKcon
 
Pen Testing Explained
Rand W. Hirt
 
Ad

Similar to Maturing your threat hunting program (20)

PPTX
The Best Just Got Better, Intercept X Now With EDR
Netpluz Asia Pte Ltd
 
PDF
Threat Hunting 102: Beyond the Basics
Cybereason
 
PDF
Next Generation War: EDR vs RED TEAM
BGA Cyber Security
 
PDF
Fidelis Endpoint® - Live Demonstration
Fidelis Cybersecurity
 
PDF
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
PPTX
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
chuwc
 
PPTX
panw-cortex-xdr-customer-presentation.pptx
duyanhNguyen70
 
PDF
Endpoint Protection Comparison.pdf
Eng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
PDF
Three Considerations To Amplify Your Detection and Response Program
Morphick
 
PPTX
Ask me anything: A Conversational Interface to Augment Information Security w...
Matthew Park
 
PPTX
Protecting endpoints from targeted attacks
AppSense
 
PDF
DevOps or DevSecOps
Michelangelo van Dam
 
PPTX
Best Practices for Preventing and Recovering from Ransomware
Precisely
 
PPTX
Filar seymour oreilly_bot_story_
EndgameInc
 
PDF
Offensive malware usage and defense
Christiaan Beek
 
PDF
Laura Bell (SafeStack)
AgileNZ Conference
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
PDF
Cyber Attack Lifecycle
Shannon Sevor
 
PPTX
12 Crucial Windows Security Skills for 2017
Paula Januszkiewicz
 
PDF
Increasing DevSecOps Maturity Level in 2021
Alexandre Rebert
 
The Best Just Got Better, Intercept X Now With EDR
Netpluz Asia Pte Ltd
 
Threat Hunting 102: Beyond the Basics
Cybereason
 
Next Generation War: EDR vs RED TEAM
BGA Cyber Security
 
Fidelis Endpoint® - Live Demonstration
Fidelis Cybersecurity
 
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
chuwc
 
panw-cortex-xdr-customer-presentation.pptx
duyanhNguyen70
 
Endpoint Protection Comparison.pdf
Eng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
Three Considerations To Amplify Your Detection and Response Program
Morphick
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Matthew Park
 
Protecting endpoints from targeted attacks
AppSense
 
DevOps or DevSecOps
Michelangelo van Dam
 
Best Practices for Preventing and Recovering from Ransomware
Precisely
 
Filar seymour oreilly_bot_story_
EndgameInc
 
Offensive malware usage and defense
Christiaan Beek
 
Laura Bell (SafeStack)
AgileNZ Conference
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
Cyber Attack Lifecycle
Shannon Sevor
 
12 Crucial Windows Security Skills for 2017
Paula Januszkiewicz
 
Increasing DevSecOps Maturity Level in 2021
Alexandre Rebert
 
Ad

More from Cybereason (7)

PDF
Antifragile Cyber Defense
Cybereason
 
PDF
An Introduction to the Agile SoC
Cybereason
 
PDF
Protecting the financial services industry
Cybereason
 
PDF
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Cybereason
 
PDF
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Cybereason
 
PDF
Some PowerShell Goodies
Cybereason
 
PDF
Ransomware is Coming to a Desktop Near You
Cybereason
 
Antifragile Cyber Defense
Cybereason
 
An Introduction to the Agile SoC
Cybereason
 
Protecting the financial services industry
Cybereason
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Cybereason
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Cybereason
 
Some PowerShell Goodies
Cybereason
 
Ransomware is Coming to a Desktop Near You
Cybereason
 

Recently uploaded (20)

PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Modernising the Digital Integration Hub
Daniel Toomey
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Five Habits of High-Impact Board Members
OnBoard
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
The various Industrial Revolutions .pptx
bandileshozi3
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 

Maturing your threat hunting program

  • 1. Total Endpoint Protection: #1 in EDR & Next-Gen AV Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
  • 2. Total Endpoint Protection: #1 in EDR & Next-Gen AV Who Am I? Jayson Wehrend Senior Sales Engineer, Cybereason Former Tech Consultant, RSA
  • 3. Total Endpoint Protection: #1 in EDR & Next-Gen AV Why We’re Here Today o Quick hunting refresher o I’m hunting! Now what? o Giving back & process integration o Expanded PowerShell use case
  • 4. Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: HUNTING DEFINED. The process of proactively discovering undesirable activity to illicit a positive outcome.
  • 5. Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: WHY? Prepare? It’s very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for the bad to happen, then have to react to fix. Fix stuff? Especially before it breaks!
  • 6. Total Endpoint Protection: #1 in EDR & Next-Gen AV Time to Change. Intelligence is the ability to adapt to change. -- Stephen Hawking
  • 7. Total Endpoint Protection: #1 in EDR & Next-Gen AV The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation
  • 8. Total Endpoint Protection: #1 in EDR & Next-Gen AV I’m Hunting! Now What? o We’re Giving Back! – Incidents – Detection improvements / new collection techniques – Prevention with confidence – Improve response / triage – Configuration management / compliance / audit
  • 9. Total Endpoint Protection: #1 in EDR & Next-Gen AV Incident Response Process Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent
  • 10. Total Endpoint Protection: #1 in EDR & Next-Gen AV Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Incident Response Process Hunting Process Use blind spots/gaps as sources of motivation + hypothesis High fidelity detections Escalated incident New data collection & analysis techniques improve triage & response SOPs
  • 11. Total Endpoint Protection: #1 in EDR & Next-Gen AV Hunting: A Deeper Dive o Previous outcomes create new motivation + hypothesis’ o Introducing new datasets to expand previous outcomes o Data stacking becomes more crucial to the journey to analysis/data science
  • 12. Total Endpoint Protection: #1 in EDR & Next-Gen AV EXPANDED HUNTING: POWERSHELL
  • 13. Total Endpoint Protection: #1 in EDR & Next-Gen AV File-less Techniques PowerShell Process Execution Persistence Network Comms Service Registry Hidden Obfuscated Encoded Download Commands Shellcode DLL Execution Parent/child Profiling Int2Ext Profiling DNS Queries Service = commandline:powershell or .ps* Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine:DownloadFile|IWE|Invoke-WebRequest|IRM|Invoke- RestMethod|DownloadString|BITS commandLine:dllimport| virtualalloc Parent:wscript|mshta|M SOffice|Browser|WMI* Connections à Filter:isExternalConnection:True URL: .ps* DNS Query: TXT C2 DNS Query: Received vs. Transmitted Ratios
  • 14. Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Incident Escalation o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload o Incident 2: Remote .ps file execution / invoking shellcode o Incident 3: Mismatched Services – Adversarial use of .ps o Incident 4: Data Exfil – Powershell BITSTransfer
  • 15. Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Prevention o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes o Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe o Anchor PowerShell scripts to a specific server directories, block .ps* from running directly on a system o Use endpoint firewall to prevent PowerShell.exe from connecting to non- approved Ips o Block “Bypass” “Hidden” “Download String” “WebClient” “DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user o See #2 for allowing valid applications
  • 16. Total Endpoint Protection: #1 in EDR & Next-Gen AV Thank you! Questions? jayson.wehrend@cybereason.com @cybereason