1 00:00:00,283 --> 00:00:02,010 Threat hunting. 2 00:00:02,010 --> 00:00:03,790 What is threat hunting? 3 00:00:03,790 --> 00:00:06,860 Well, threat hunting is a cybersecurity technique 4 00:00:06,860 --> 00:00:09,010 that's designed to detect the presence of threats 5 00:00:09,010 --> 00:00:12,323 that have not been discovered by normal security monitoring. 6 00:00:12,323 --> 00:00:15,170 Essentially, threat hunting is proactive 7 00:00:15,170 --> 00:00:16,990 as opposed to being reactive, 8 00:00:16,990 --> 00:00:19,075 like you are with an incident response. 9 00:00:19,075 --> 00:00:21,540 The idea here is we are going out and hunting 10 00:00:21,540 --> 00:00:24,420 or looking for those threats within our network, 11 00:00:24,420 --> 00:00:26,170 instead of waiting for them to attack. 12 00:00:26,170 --> 00:00:28,080 Now, when you're doing a penetration test, 13 00:00:28,080 --> 00:00:30,010 often you're trying to break into your system 14 00:00:30,010 --> 00:00:31,450 to demonstrate a weakness. 15 00:00:31,450 --> 00:00:34,520 But with threat hunting, we're not doing that. 16 00:00:34,520 --> 00:00:36,580 Instead, we're trying to analyze data 17 00:00:36,580 --> 00:00:38,436 within the systems we already have. 18 00:00:38,436 --> 00:00:40,040 So, because of this, 19 00:00:40,040 --> 00:00:42,420 threat hunting is potentially less disruptive 20 00:00:42,420 --> 00:00:43,993 than a penetration test. 21 00:00:43,993 --> 00:00:45,440 To do threat hunting, 22 00:00:45,440 --> 00:00:48,350 we start out by establishing a hypothesis. 23 00:00:48,350 --> 00:00:50,290 Now, when we establish a hypothesis, 24 00:00:50,290 --> 00:00:51,440 we're going to derive that 25 00:00:51,440 --> 00:00:53,220 from the threat modeling we've done. 26 00:00:53,220 --> 00:00:55,370 And it's going to be based on the potential events 27 00:00:55,370 --> 00:00:57,760 with higher likelihood and higher impact 28 00:00:57,760 --> 00:00:59,101 if they were to occur. 
29 00:00:59,101 --> 00:01:01,320 So, essentially we're going to sit around 30 00:01:01,320 --> 00:01:04,010 and we're going to think, who might want to harm us, 31 00:01:04,010 --> 00:01:05,600 who might want to break into our networks, 32 00:01:05,600 --> 00:01:07,214 and how might they be able to do that? 33 00:01:07,214 --> 00:01:09,640 And by going through our threat intelligence, 34 00:01:09,640 --> 00:01:13,590 we can create a good hypothesis about what type of campaign 35 00:01:13,590 --> 00:01:16,670 or what type of adversary group might want to do us harm. 36 00:01:16,670 --> 00:01:17,590 Then, we're going to move 37 00:01:17,590 --> 00:01:20,207 into profiling threat actors and activities. 38 00:01:20,207 --> 00:01:22,230 At this point, we're really going to be relying 39 00:01:22,230 --> 00:01:23,678 on that threat intelligence. 40 00:01:23,678 --> 00:01:26,000 We're going to start creating scenarios 41 00:01:26,000 --> 00:01:28,240 that show how a prospective attacker 42 00:01:28,240 --> 00:01:29,690 might attempt an intrusion 43 00:01:29,690 --> 00:01:31,831 and what their objectives might be. 44 00:01:31,831 --> 00:01:34,470 Again, we're going to sit back and think to ourselves, 45 00:01:34,470 --> 00:01:36,910 What TTPs might they use? 46 00:01:36,910 --> 00:01:38,240 Who wants to harm us? 47 00:01:38,240 --> 00:01:40,230 Are they an insider, a hacktivist, 48 00:01:40,230 --> 00:01:42,380 a nation state, or an APT? 49 00:01:42,380 --> 00:01:45,500 And based on that, we're going to start determining 50 00:01:45,500 --> 00:01:47,300 what their objectives might be 51 00:01:47,300 --> 00:01:50,264 and what systems they might be going after. 52 00:01:50,264 --> 00:01:53,160 At that point, we're going to start our threat hunting, 53 00:01:53,160 --> 00:01:55,177 and we're going to use different tactics to do this. 
54 00:01:55,177 --> 00:01:56,420 Now, remember, 55 00:01:56,420 --> 00:01:58,740 threat hunting is going to rely on the use of tools 56 00:01:58,740 --> 00:02:00,690 developed for regular security monitoring 57 00:02:00,690 --> 00:02:02,064 and incident response. 58 00:02:02,064 --> 00:02:04,190 We're going to be analyzing logs, 59 00:02:04,190 --> 00:02:07,140 process information and file system and registry changes 60 00:02:07,140 --> 00:02:08,680 from all the different hosts. 61 00:02:08,680 --> 00:02:10,500 Generally, all that information 62 00:02:10,500 --> 00:02:13,300 is going to be consolidated for us inside of a SIEM. 63 00:02:13,300 --> 00:02:15,330 By being inside of a security information 64 00:02:15,330 --> 00:02:16,870 and event management system, 65 00:02:16,870 --> 00:02:19,090 we're going to be able to correlate that data quicker 66 00:02:19,090 --> 00:02:21,020 and do better threat hunting, instead of having to go 67 00:02:21,020 --> 00:02:23,090 to each of those systems individually. 68 00:02:23,090 --> 00:02:25,220 Now, one of the keys to remember with threat hunting 69 00:02:25,220 --> 00:02:26,640 is that we have to assume 70 00:02:26,640 --> 00:02:28,720 that the existing rules have failed 71 00:02:28,720 --> 00:02:29,770 when we're threat hunting. 72 00:02:29,770 --> 00:02:31,000 And what I mean by that 73 00:02:31,000 --> 00:02:33,680 is you already have monitoring systems in place 74 00:02:33,680 --> 00:02:35,560 that are detecting and monitoring things 75 00:02:35,560 --> 00:02:36,810 across your networks. 76 00:02:36,810 --> 00:02:38,720 And if they were working properly, 77 00:02:38,720 --> 00:02:40,519 you'd already have found this bad guy. 
78 00:02:40,519 --> 00:02:42,410 So, when we're doing threat hunting, 79 00:02:42,410 --> 00:02:44,930 we're looking for those things that aren't detected, 80 00:02:44,930 --> 00:02:46,850 things that have bypassed the rules, 81 00:02:46,850 --> 00:02:48,760 things where the query isn't returning the data 82 00:02:48,760 --> 00:02:49,930 we expected it to. 83 00:02:49,930 --> 00:02:52,860 And that is really the crux of doing threat hunting. 84 00:02:52,860 --> 00:02:55,610 These tactics are developed around an awareness 85 00:02:55,610 --> 00:02:57,310 that the adversary is smart 86 00:02:57,310 --> 00:03:00,400 and they have good TTPs to try to avoid detection. 87 00:03:00,400 --> 00:03:03,760 And now, we're going out and trying to detect them anyway. 88 00:03:03,760 --> 00:03:05,350 So, that's the thing you have to remember 89 00:03:05,350 --> 00:03:06,530 when you're doing threat hunting, 90 00:03:06,530 --> 00:03:09,163 is that it is challenging and it is very difficult, 91 00:03:09,163 --> 00:03:11,162 but it is worth it. 92 00:03:11,162 --> 00:03:13,185 Let's take a quick example here. 93 00:03:13,185 --> 00:03:15,820 Let's say that we had threat intelligence that told us 94 00:03:15,820 --> 00:03:18,270 that Windows desktops in a lot of different companies 95 00:03:18,270 --> 00:03:20,170 have been infected with a new type of malware 96 00:03:20,170 --> 00:03:21,090 that's out there. 97 00:03:21,090 --> 00:03:23,816 And there aren't any current malware definitions for it. 98 00:03:23,816 --> 00:03:25,930 Well, we can start threat hunting 99 00:03:25,930 --> 00:03:27,502 based on that threat information. 100 00:03:27,502 --> 00:03:28,784 What might we do? 
101 00:03:28,784 --> 00:03:31,430 We might start with analyzing network traffic 102 00:03:31,430 --> 00:03:33,620 to determine if there's any outgoing traffic 103 00:03:33,620 --> 00:03:35,650 to some sort of a suspicious domain 104 00:03:35,650 --> 00:03:38,410 or some kind of a C2 server based on our threat research 105 00:03:38,410 --> 00:03:41,256 and reputational databases that we talked about previously. 106 00:03:41,256 --> 00:03:43,300 This will give us a list of different hosts 107 00:03:43,300 --> 00:03:44,950 that we might want to investigate further 108 00:03:44,950 --> 00:03:47,110 because they're the ones sending that traffic there. 109 00:03:47,110 --> 00:03:48,920 Then, when we look at those hosts, 110 00:03:48,920 --> 00:03:52,410 we might analyze the executable process list on those hosts, 111 00:03:52,410 --> 00:03:54,730 seeing what programs and services are being run, 112 00:03:54,730 --> 00:03:56,856 and which ones are opening that network connection. 113 00:03:56,856 --> 00:03:58,650 Were these valid connections? 114 00:03:58,650 --> 00:04:00,690 Or was this something that's suspicious 115 00:04:00,690 --> 00:04:02,590 that needs to be investigated further? 116 00:04:02,590 --> 00:04:03,450 If it is, 117 00:04:03,450 --> 00:04:05,940 we're going to move on to analyzing other infected hosts. 118 00:04:05,940 --> 00:04:08,330 And as we look at all these different infected hosts, 119 00:04:08,330 --> 00:04:09,163 we can start to see 120 00:04:09,163 --> 00:04:11,090 if there's any similarities between them. 121 00:04:11,090 --> 00:04:13,420 Are they all running the same malicious process? 122 00:04:13,420 --> 00:04:16,400 Or are they using different things to avoid detection? 123 00:04:16,400 --> 00:04:19,220 And then, finally, we might start identifying the method 124 00:04:19,220 --> 00:04:21,800 by which that malicious process on those different hosts 125 00:04:21,800 --> 00:04:23,150 was actually executed. 
126 00:04:23,150 --> 00:04:24,760 What allowed it to start up? 127 00:04:24,760 --> 00:04:26,630 Is there a way we can block that attack vector 128 00:04:26,630 --> 00:04:28,180 against future compromises? 129 00:04:28,180 --> 00:04:29,990 Maybe we can move to a whitelisting system, 130 00:04:29,990 --> 00:04:32,550 or we can blacklist that vulnerable application 131 00:04:32,550 --> 00:04:34,113 until a patch has been developed. 132 00:04:34,113 --> 00:04:36,160 All of these are things that we can think about, 133 00:04:36,160 --> 00:04:38,130 as we go through and do threat hunting. 134 00:04:38,130 --> 00:04:39,660 And so that's the idea of threat hunting, 135 00:04:39,660 --> 00:04:41,440 is we take this needle in a haystack 136 00:04:41,440 --> 00:04:43,090 based on the information we have 137 00:04:43,090 --> 00:04:45,130 and how we can better protect our systems 138 00:04:45,130 --> 00:04:46,670 and try to find the bad guy, 139 00:04:46,670 --> 00:04:48,886 if they made it in through our automated defenses 140 00:04:48,886 --> 00:04:52,470 by using additional tactical level resources. 141 00:04:52,470 --> 00:04:53,603 Now, one of the big things you have to remember 142 00:04:53,603 --> 00:04:56,890 with threat hunting is it does consume a lot of resources 143 00:04:56,890 --> 00:04:58,960 and a lot of time for you to conduct it. 144 00:04:58,960 --> 00:05:01,834 But it can give you a lot of great benefits. 
145 00:05:01,834 --> 00:05:03,150 For instance, 146 00:05:03,150 --> 00:05:05,890 it can help you to improve your detection capabilities, 147 00:05:05,890 --> 00:05:07,770 because when a threat hunter finds the way 148 00:05:07,770 --> 00:05:09,280 that these bad guys have gotten in, 149 00:05:09,280 --> 00:05:11,080 and bypassed your detection, 150 00:05:11,080 --> 00:05:13,720 you can then feed that back into the detection plan 151 00:05:13,720 --> 00:05:15,380 so you can rewrite the rule sets, 152 00:05:15,380 --> 00:05:17,460 you can rewrite the detection algorithms, 153 00:05:17,460 --> 00:05:18,293 and you can make sure 154 00:05:18,293 --> 00:05:20,200 that you use additional scripting and customizations 155 00:05:20,200 --> 00:05:22,632 to detect things more accurately. 156 00:05:22,632 --> 00:05:24,980 This way, your results from threat hunting 157 00:05:24,980 --> 00:05:27,410 can be used to improve your signature-based detection, 158 00:05:27,410 --> 00:05:29,021 and prevent future infections. 159 00:05:29,021 --> 00:05:30,580 Another thing you can do 160 00:05:30,580 --> 00:05:32,553 is integrate it with your intelligence. 161 00:05:32,553 --> 00:05:35,660 Threat hunting is a great use case for correlating 162 00:05:35,660 --> 00:05:37,860 that external threat intelligence you've been getting 163 00:05:37,860 --> 00:05:39,870 with what you're seeing in your internal logs 164 00:05:39,870 --> 00:05:40,970 and other sources. 165 00:05:40,970 --> 00:05:42,680 By putting those two things together, 166 00:05:42,680 --> 00:05:44,866 you now have actionable intelligence. 167 00:05:44,866 --> 00:05:46,640 The third benefit you can get 168 00:05:46,640 --> 00:05:48,739 is to reduce your attack surface area. 
169 00:05:48,739 --> 00:05:51,610 The benefit here is, as you're doing your threat hunting, 170 00:05:51,610 --> 00:05:54,300 you're able to identify the entire attack surface, 171 00:05:54,300 --> 00:05:57,460 and where a bad guy may have gotten into your network. 172 00:05:57,460 --> 00:05:58,970 Based on that, you can go back 173 00:05:58,970 --> 00:06:00,820 and reduce that attack surface. 174 00:06:00,820 --> 00:06:03,560 This also can help you block attack vectors, 175 00:06:03,560 --> 00:06:05,000 because you're now understanding 176 00:06:05,000 --> 00:06:06,900 the different attack vectors that are being used 177 00:06:06,900 --> 00:06:09,730 and the different TTPs by that bad guy, 178 00:06:09,730 --> 00:06:11,950 and you can then add additional security controls 179 00:06:11,950 --> 00:06:14,530 to try to block those different ports or interfaces, 180 00:06:14,530 --> 00:06:16,760 and prevent them from getting into your network. 181 00:06:16,760 --> 00:06:17,740 And finally, 182 00:06:17,740 --> 00:06:20,518 it's going to help you to identify critical assets. 183 00:06:20,518 --> 00:06:21,830 This is really important, 184 00:06:21,830 --> 00:06:23,580 because as you're doing your threat hunting, 185 00:06:23,580 --> 00:06:24,670 you're going to start seeing 186 00:06:24,670 --> 00:06:26,792 what things people tend to go after. 187 00:06:26,792 --> 00:06:28,720 And you're going to end up figuring out 188 00:06:28,720 --> 00:06:30,190 what are the best defensive options 189 00:06:30,190 --> 00:06:32,689 for those critical systems and data assets. 
190 00:06:32,689 --> 00:06:34,170 One of the things we tend to do 191 00:06:34,170 --> 00:06:36,110 is we will bundle those assets together 192 00:06:36,110 --> 00:06:38,070 with a certain layer of security controls 193 00:06:38,070 --> 00:06:40,990 around those important assets to improve the monitoring 194 00:06:40,990 --> 00:06:44,010 and prevention capabilities around them even further, 195 00:06:44,010 --> 00:06:45,390 because we see that adversaries 196 00:06:45,390 --> 00:06:47,340 are continually going after those targets. 197 00:06:47,340 --> 00:06:49,160 And we want to make them an even harder target 198 00:06:49,160 --> 00:06:51,660 for the adversary to get into.
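The hunt walked through in the lecture above (cues 93 to 131: threat intel says new Windows malware has no signature yet; pivot from egress traffic to indicators, to the process that opened each connection, to commonalities across hosts, to how the process was launched) as an added worked example. It is editor-supplied code, not part of the transcript or the course it comes from. All indicators, hostnames, IP addresses, domains, paths and log records below are constructed for illustration and are not real IOCs; the telemetry shapes (proxy-style egress records and Sysmon Event ID 3-style process network events) are assumptions about what the SIEM would hold.

```python
"""Hypothesis-driven hunt over constructed telemetry (added example).

Hypothesis: Windows desktops may be running new malware with no AV
signature yet. The hunt pivots from threat-intel indicators to egress
logs, then to the process that opened each flagged connection, then to
what launched that process (the vector to block). Every indicator, host,
address and path here is constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed threat-intel indicators (hypothetical; stand-in for the
# reputation databases the lecture refers to).
IOC_DOMAINS = {"update-cdn.example.net", "telemetry.example.org"}
IOC_IPS = {"203.0.113.45"}

# Constructed proxy/DNS egress records: (host, destination_name, destination_ip)
EGRESS_LOG = [
    ("WS-101", "www.example.com", "93.184.216.34"),
    ("WS-101", "update-cdn.example.net", "203.0.113.45"),
    ("WS-102", "mail.example.com", "198.51.100.10"),
    ("WS-103", "telemetry.example.org", "203.0.113.46"),
    ("WS-104", "cdn.example.com", "203.0.113.45"),   # IP match only
]

# Constructed endpoint network-connection events (Sysmon Event ID 3 style):
# (host, image, parent_image, destination_name)
NET_EVENTS = [
    ("WS-101", r"C:\Users\bob\AppData\Roaming\svchost.exe",
     r"C:\Windows\System32\wscript.exe", "update-cdn.example.net"),
    ("WS-101", r"C:\Program Files\Browser\browser.exe",
     r"C:\Windows\explorer.exe", "www.example.com"),
    ("WS-103", r"C:\Users\alice\AppData\Roaming\svchost.exe",
     r"C:\Windows\System32\wscript.exe", "telemetry.example.org"),
    ("WS-104", r"C:\Program Files\Browser\browser.exe",
     r"C:\Windows\explorer.exe", "cdn.example.com"),
    ("WS-102", r"C:\Program Files\Mail\mail.exe",
     r"C:\Windows\explorer.exe", "mail.example.com"),
]


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def hosts_contacting_iocs(egress, ioc_domains, ioc_ips):
    """Step 1: which hosts sent traffic to an indicator? Returns host -> {dest}."""
    hits = defaultdict(set)
    for host, name, ip in egress:
        if name in ioc_domains or ip in ioc_ips:
            hits[host].add(name)
    return dict(hits)


def processes_for_hits(hits, events):
    """Step 2: on each flagged host, which process opened the flagged connection?"""
    found = defaultdict(list)
    for host, image, parent, dest in events:
        if dest in hits.get(host, ()):
            found[host].append((image, parent))
    return dict(found)


def looks_masqueraded(image):
    """Analyst heuristic for 'was this a valid connection?': a well-known
    system binary name running from outside C:\\Windows is suspicious."""
    system_names = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
    return basename(image) in system_names and not image.lower().startswith("c:\\windows\\")


def hunt(egress=EGRESS_LOG, events=NET_EVENTS):
    """Steps 1-4: flagged hosts, their processes, commonalities across hosts,
    and the launch method (parent process) that is the vector to block."""
    hits = hosts_contacting_iocs(egress, IOC_DOMAINS, IOC_IPS)
    procs = processes_for_hits(hits, events)
    common_images, launch_methods, masqueraded = Counter(), Counter(), []
    for host, entries in procs.items():
        for image, parent in entries:
            common_images[basename(image)] += 1    # same process on every host?
            launch_methods[basename(parent)] += 1  # what started it?
            if looks_masqueraded(image):
                masqueraded.append((host, image, parent))
    return {
        "flagged_hosts": sorted(hits),
        "processes": procs,
        "common_images": common_images,
        "launch_methods": launch_methods,
        "masqueraded": masqueraded,
    }


if __name__ == "__main__":
    report = hunt()
    print("hosts talking to indicators:", report["flagged_hosts"])
    for host, entries in report["processes"].items():
        for image, parent in entries:
            print(f"  {host}: {image} (launched by {parent})")
    print("process names across hosts:", dict(report["common_images"]))
    print("launch methods:", dict(report["launch_methods"]))
    print("masquerading system-binary names:", report["masqueraded"])
```

On the constructed data, WS-104 is flagged by the egress step (its destination shares an indicator IP) but the connection comes from the browser under explorer.exe, which an analyst would likely clear as a valid connection; WS-101 and WS-103 both run an svchost.exe from a user profile, both started by wscript.exe, so the hunt closes with a script-host launch vector to block and a new rule (system-binary name outside C:\Windows) to feed back into the SIEM.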