Tuesday, October 22, 2019

Behavior-based Threat Hunting
I had the privilege of attending the SANS Threat Hunting and Incident Response Summit a few weeks ago as a SANS volunteer. I also volunteered as an in-class simulcast moderator for Matt Bromiley's Forensics 508 class, as I shared a couple of weeks ago. This is the first of three diaries I'd like to share with you over the next few months on ideas I've brought back to the community at large.

There was no official “theme” of the Summit, but I would summarize the most important take-away as “Stay Focused.” Use your creativity to chase threats down rabbit-holes, but stay focused on the correct rabbit-holes at the right times, and do not deviate even when you see something else that may be interesting. In other words, in your daily work, analysis, managing, or hunting... work innovatively but not recklessly. If you work in a very large organization, this is especially crucial.

Today I’m going to briefly share with you knowledge and links from a talk which I found very valuable, suggest a few ways you might apply this at a high-level to your daily work, and point to a few ideas which I’m researching further, which may also spur your own creativity.

David Pearson, currently working at a company called Awake Security, gave a talk he called "Remote Access Tools: The Hidden Threats Inside Your Network." Here is a link to his slides. I was happy to spend some time with David after his talk and gain more insight into his ideas. If you are interested specifically in his security research on the hazards of TeamViewer and LogMeIn, I'd recommend reading the following highly technical posts, as well as this historical three-part series from Optiv on the TeamViewer application.

The image below is a good illustration of how this differs from traditional defense, such as trying to block a specific executable or file hash. A hash is the most "painful" indicator for a defender to rely on, because it is trivial for the attacker to change and sits at the very bottom of David Bianco's Pyramid of Pain (see his work on the pyramid if you are new to this concept):
[Image: why behavior-based threat hunting vs. traditional defense]
credit: David Pearson


In the specific example below you can also see the striking difference between an idle RDP session and a file upload over the same RDP channel. A large client-to-server transfer may be an indicator of malicious activity rather than an administrator doing their daily work; the screen updates of a normal session flow mostly from server to client, so file exfiltration stands out like a toddler writing all over the wall with a bright red Crayola:

[Image: file exfiltration example chart, RDP exfil vs. normal traffic at rest]
credit: David Pearson
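As an added example (not from David's talk or slides), the following Python turns the "RDP at rest vs. upload" picture into a repeatable hunt over flow records. It assumes connection summaries with the same meaning as Zeek conn.log's orig_bytes (client to server) and resp_bytes (server to client); the sample flows, hosts and byte counts are constructed for illustration. Rather than a fixed byte threshold, it scores each RDP session's upload ratio against the other RDP sessions in the same window with a robust (median/MAD) z-score, so a handful of chatty admins do not drag the baseline around the way they would with a mean.

```python
"""Behavior-based hunt: flag RDP sessions whose client-to-server volume is
anomalous relative to the other RDP sessions in the same window.

Added example; flow records are constructed, not captured from a real network.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """Zeek conn.log-style connection summary (field names assumed)."""
    ts: str
    src: str
    dst: str
    dport: int
    orig_bytes: int   # client -> server
    resp_bytes: int   # server -> client


# Constructed sample: seven ordinary RDP sessions (server-heavy, as screen
# updates dominate), one bulk upload over RDP, and one HTTPS flow that is
# large but not in scope for this hunt.
SAMPLE_FLOWS = [
    Flow("2019-10-22T08:01:10", "10.1.20.11", "10.1.50.5", 3389, 120_000, 6_000_000),
    Flow("2019-10-22T08:03:42", "10.1.20.12", "10.1.50.5", 3389, 90_000, 3_000_000),
    Flow("2019-10-22T08:05:07", "10.1.20.13", "10.1.50.6", 3389, 200_000, 8_000_000),
    Flow("2019-10-22T08:09:55", "10.1.20.14", "10.1.50.5", 3389, 50_000, 2_500_000),
    Flow("2019-10-22T08:12:30", "10.1.20.15", "10.1.50.7", 3389, 150_000, 5_000_000),
    Flow("2019-10-22T08:15:18", "10.1.20.16", "10.1.50.6", 3389, 60_000, 4_000_000),
    Flow("2019-10-22T08:20:02", "10.1.20.17", "10.1.50.5", 3389, 180_000, 6_000_000),
    Flow("2019-10-22T08:22:44", "10.1.20.77", "10.1.50.5", 3389, 850_000_000, 4_000_000),
    Flow("2019-10-22T08:23:01", "10.1.20.18", "52.0.0.9", 443, 900_000_000, 1_000_000),
]


def upload_ratio(flow: Flow) -> float:
    """Client-to-server bytes per server-to-client byte. Idle RDP is well
    below 1; a file upload drives this into the hundreds."""
    return flow.orig_bytes / max(flow.resp_bytes, 1)


def robust_zscores(values):
    """Modified z-score (Iglewicz-Hoaglin): 0.6745 * (x - median) / MAD.
    Falls back to the mean absolute deviation when MAD is zero, and to all
    zeros when every value is identical."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    mad = median(devs)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = sum(devs) / len(devs)
    if mean_ad > 0:
        return [(v - med) / (1.253314 * mean_ad) for v in values]
    return [0.0] * len(values)


def rdp_upload_outliers(flows, dport=3389, threshold=3.5, min_population=5):
    """Return (flow, score) for RDP sessions whose upload ratio is an outlier.

    threshold=3.5 is the conventional cut-off for modified z-scores.
    With fewer than min_population sessions the baseline is meaningless,
    so nothing is flagged rather than flagging noise.
    """
    rdp = [f for f in flows if f.dport == dport]
    if len(rdp) < min_population:
        return []
    scores = robust_zscores([upload_ratio(f) for f in rdp])
    return [(f, s) for f, s in zip(rdp, scores) if s > threshold]


if __name__ == "__main__":
    for flow, score in rdp_upload_outliers(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} "
              f"orig={flow.orig_bytes} resp={flow.resp_bytes} score={score:.0f}")
```

The same skeleton works for any remote-access tool once you know which direction "at rest" traffic normally flows; only the port filter and the feature change. Run it per time window and per destination server, and treat a flagged session as a pivot point for the packet-level look in Wireshark, not as a verdict.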

Three open-source tools were mentioned that anyone can use to perform behavior-based hunting effectively: Wireshark, writing Lua dissectors for Wireshark, and the browser-based tool CyberChef (you'll want to host your own instance internally rather than paste captured data into someone else's). There is also a good example of writing custom Lua dissectors in the book Attacking Network Protocols by James Forshaw, which we've been reading this year in the InfoSec Book Club.

In most organizations, innovation and supporting your developers and/or customers must take priority over blunt actions like simply blocking applications. That is exactly where advanced defenses such as behavior-based threat hunting earn their keep. Whatever your exact job function, behavior-based analysis is a key concept to brainstorm about and to use to stamp out similar threats from unwanted or potentially unwanted programs (PUPs) before they become malicious.

Threat hunting has been a buzzword in InfoSec for the past few years, but in reality you can apply behavior-based analysis to almost any area of work. A personal favorite resource of mine, if you'd like a strong, classic example of anomaly-based threat hunting, is "Threat-hunting using 16th Century Math and Sesame Street" from this year's RSA Conference by Vernon Habersetzer.

If you’d like to be in touch feel free to DM me on the Brakeing Down Security [sic] Slack, DShield / Internet Storm Center Community Slack, Threat Hunters' Guild or on twitter, all as @cherokeejb_.

Please also let me know if you’ve ever written Lua dissectors for Wireshark as well; this is something that currently I’m looking into with renewed interest, along with a few other members of the security community.
