
Detection Mastery: War Stories From The Hunters Side

BSides Toronto · 2020 · 22:15 · 88 views · Published 2021-11
About this talk
Threat hunting has emerged as a critical proactive defense capability. This talk explores what threat hunting is, why it has become essential, and how to build a mature program in enterprise environments. The speakers share real-world hunting scenarios, address detection engineering, and dissect the process of finding advanced threats that evade traditional security controls.
Original YouTube description
Presented at BSides Toronto on October 18, 2020. The defending industry is shifting from reactive to proactive mode by deploying both red teams and threat hunters to constantly challenge the controls organizations deploy. Threat hunting is designed to provide a perceived sense of control to security leaders: the idea is to detect well and then hunt to eliminate gaps and blind spots. The remaining question is how to do it right. In this talk we will explore what threat hunting is, why it has emerged and how you can build it well in your organization. We provide relevant hunting scenario examples, talk about real-life battles while doing threat hunting, and eventually address the pain points of real enterprise environments. We will cut to the chase by dissecting the process of detection mastery to find the next APT.
Transcript [en]

All right, here we are, second to last presentation. We've got Ilya Kolmanovic and Felix Kurmisch, who are going to present Detection Mastery: War Stories From the Hunter Side. Thanks a lot, folks, please take it away.

Awesome. So welcome everybody to BSides Toronto 2020, and thanks for joining this presentation. We're going to talk today, as Max mentioned, about detection mastery, war stories from the hunter side. In this presentation we would like to take the angle of cyber security that covers the proactive detection capabilities. The industry is shifting to the proactive mode, where we have our red teams or adversary simulation teams or threat hunters in order to compensate for the gaps of the security controls that we have, and that's what we're going to talk about today.

Yeah, so for our agenda for today: I'm going to have an intro, we're going to talk about how the threat hunting train arrived and evolved, we're going to talk about how to build the threat hunting program from our experience, we're going to talk about detection engineering and what it is, and eventually we're going to finalize it with some practical hunting scenarios that you will be able to take to your organizations and implement there.

Awesome. Now before we begin, a short disclaimer: this has nothing to do with our employer or its views; it's our personal view of how we should approach threat hunting.

Now, this is the first section of our presentation, and here we're going to talk about who a threat hunter is and what threat hunting is. Yeah, so we like to think about a threat hunter as a full stack security expert, someone that has been on both sides, the blue and the red side, knows how to do malware analysis and reverse engineering, knows how to do DFIR like host forensics and network analysis, but also knows how to think like an attacker, because to defend well you need to know how to attack well. So, just like a holistic view, as we said, a full stack security expert, and the more capabilities he has, the more successful he will be as a threat hunter.

Now, what threat hunting is. I like this simple definition from Wikipedia, let me just read it for you: the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade security controls or solutions. So essentially we are hunting in between controls to compensate for the gaps. And I like this scientific graph in order to address the space of the problem that we are trying to solve with threat hunting, because there is always a problem, right? Now if you focus on all the dark dots above the pink line, those are the bad alerts, or the alerts that you should respond to or take a look at; those are produced by your security controls. Now thinking about the vendor's perspective, every vendor will strive to give you that desired low false positive rate, right? And this comes with a caveat. So the comment here is that those potential leads that reside in the space between good events on your network and bad events, this is the area where the vendor is not very comfortable to be. So what do we do here? We have threat hunting to compensate for this area, exactly between the blue and the pink line, and in this area we have plenty of good activities. Let's take for example PowerShell activity: your sysadmins will deploy a lot of those and it will be very noisy, but some of them will be affiliated with threat actors on your network, and you need to sift through them in order to identify what we call a good threat hunting lead.

Yeah, so if we're talking about why threat hunting is a trend, or why it is a thing right now, and we look at Google Trends, we can see the rise over the last five years; the threat hunting trend emerged. From our experience we see it for a few different reasons. The first reason is there are a lot of regulatory requirements these days that require enterprises and organizations to have a proactive threat hunting program. The other reason is that consulting companies are starting to offer services marketing threat hunting in different ways. But from our perspective the main reason that threat hunting is trending right now is because enterprises decided to go to a proactive way of detection, a proactive way of securing the organization. Yeah, so this is about the trend.

Now this concludes our intro, and now we are at our second chapter, where we're going to talk about how to build this program, because threat hunting is not something that you show up and just simply do. There's nothing available for you to consume; you rather need to build it as a program. We're going to focus on key highlights for this matter: we're going to talk about maturity, collaboration, of course we're going to talk about MITRE ATT&CK and a good strategy towards MITRE ATT&CK, because there is no cyber security presentation without mentioning MITRE ATT&CK now, and we're going to close this section by talking about detection engineering.

Now, first thing, maturity. So maturity is an interesting thing: how do you mature? Like for example, you show up to your new threat hunting role or position, and how do you build it, what should you do? Now, you can start doing some simple hunts and maybe leverage some knowledge on the internet, and then you can do the same thing for 10 years, and that way you won't mature; you can't say that I did hunting for ten years and I matured, like I have a super mature program. So the example that I like to use here is from my actual personal life. I like to ride motorcycles in my spare time, and if I were to ride my motorcycle for 10 years on the same streets, on the same roads, I won't improve much, right? It will be the same experience as I learned on my first day, just practicing the same thing for a decade. But if I were to take my motorcycle to a racetrack and actually take it to the edges and to the extreme situations, I will be able to mature, and when I get back to the road I will feel more confidence and I will have more power and gear to overcome any radical situations. So this is how they train the Navy SEALs, in extreme situations. Yeah, that's what we're talking about.

Now this is a classic hunting maturity model, as was originally introduced by David Bianco. We're not going to talk about the model itself too extensively because it's available on the internet, but I want to walk you through key components that you should focus on when you deal with threat hunting. Now your initial phase, zero, is kind of a responder position, when you get alerts passively and you respond to them. But when you start to move towards level one, that's exactly the point where you start to ingest threat intelligence feeds and you take action on them, so you are starting to practice this mentality of being proactive. Now the next step would be procedural: you will go on different GitHub repositories or different threat hunting books and recommendations, and you will start copying those threat hunting scenarios, or hunts as we call them. Now this is a good phase to be in, but you should strive for innovation. You should be constantly challenging yourself and your program in order to really mature, and that comes with the price of innovation. Now you have to look at your security problems within your organization based on your security stack that is deployed there, and then identify those gaps and write for them a good threat hunting program and those hunts. Now this is an innovative step, and with each increase on the graph here you have to start ingesting more data and more data and more data until you're a leader. So that level four, it's actually being an industry leader, writing a lot of innovation, ingesting a lot of data, and the last piece would be sharing back to the community so those other organizations can copy whatever you come up with.

Yeah, as in every successful program, collaboration is also important for threat hunting. If we're going to talk about the main collaborative efforts that a threat hunting program or team should have, we identified them here, and the three main collaborations that threat hunting usually uses: the first one is adversarial emulation, which is sometimes called the red team. A lot of the threat hunting team's leads come from the vulnerabilities and the exploits that the red team or the adversarial emulation finds in the organization, so the better the leads from the adversary simulation team, the better the threat hunting team can create the detection. Another collaboration effort is the threat intelligence team: threat intelligence finds intelligence from open sources or paid sources and they feed the threat hunting program and the team to create other detections that are closer to the real threat actors today. And last but not least, it's the SOC or the incident response team collaboration, because eventually, after the threat hunting team has created a detection, someone needs to follow up on this detection and take the next step for that, and this is where the SOC tier or triage teams come in. Eventually it starts from people, from collaboration, and it evolves to technology and then eventually to automation, but it starts with people and ends with technology. Yeah, so this is a key point: don't start thinking about technology solutions first; come together to an agreement with your teams on how you can operate with them.

Yeah, another thing we should mention here is that the threat hunting team works with data sources, as everyone basically does, but the better the data sources, the more data you have (data lakes, anything of any kind, Splunk, ELK, it doesn't matter), the better the success of the threat hunting plan. So the hunting plan needs to be use case oriented. It also needs to look at the quick wins: what are the quick wins from the data I see, what is the quick detection I can create and forward to the secondary team? But it also needs to look at the big rock theory first: what are the main concerns of my organization, which we take from the industry, regulation, and the recent vulnerabilities that were just found. And so the big rock theory also works to create detection for the most vulnerable aspects in the risks for the organization. But you also need to question the data, because when you receive the data sources from your vendors, you need to trust them but also question what resolution these sources, or log sources, or security controls give you and what visibility they give you, and if they give you 99% of what you need, it's not enough, so get this one extra percent to have a hundred. Yeah, go an extra mile. And this is a very key point, it's actually from experience: you need to validate whatever you're relying on.

So let's talk about how we started to think about threat hunting and what function it actually takes, like how you should build this function and strategy around this approach. So we came to the idea that it is an R&D-focused function. So you're not entirely a researcher or responder or just this and that; it's a comprehensive function where you have to go on those iterative hunts, right? Every time you go on a hunting journey you define, okay, I'm going after, let's say, my network logs or endpoint logs. So every time you go and do that, next time you should do a lessons learned, and then apply those lessons learned, and do it again and again and again, so there will be hunting journeys coming frequently to your teams. Then you have to challenge the hypothesis, because the hypothesis that you put together may be good today, may be good in a month, but maybe after three months the threat plans can shift and threat actors start to use new tools or new tactics, and you definitely need to challenge yourself: do I cover everything I assume to cover here, is it still effective? So you have to constantly look into this aspect every time. And then research: so don't be scared of research. If you need to take this malware sample, detonate it in a sandbox environment or virtual machine and start collecting TTPs yourself, you have to spend time on research; that is the best way to understand how things work behind the scenes. And the next thing would be to prototype new detections. That's about the maturity: you don't have to build something and just practice it all over again; you have to introduce new prototypes to your environment, and that obviously comes with automation.

Yeah, so we cannot make this presentation without mentioning the MITRE ATT&CK framework. So MITRE ATT&CK is a good start. The framework gives you a lot of TTPs and detections that we could create as threat hunters, and there are two main strategies that we're going to talk about: one is you can build a wall, and another one is to build the minefield, and then we're going to summarize how we think we should use that. But yeah, MITRE is a good start, it covers your base, but it doesn't give you 100%, so you need to give your extra percentages. So first, if you're going to look at the MITRE TTP kill chain, we're going to see a lot of phases and stages and TTPs and it's overwhelming. So if you're going to build the wall, you can just cover the initial access and the execution phases of the MITRE kill chain, actually look at the MITRE kill chain and then cover the TTPs and sub-techniques and techniques, and basically cover your base. Or you also can build a minefield, because as a threat hunter you think assume breach. So assume you're breached and your organization has already been compromised; you need to build the minefield to detect the threat actor already inside and along the kill chain phases. From our experience, if you combine those two strategies, the wall and the minefield strategy, it's going to give you more coverage, but it also gives you a realistic plan to achieve as a threat hunter, and the threat hunting end game.

Yeah, absolutely. Now, talking about the last section of the program itself, this section will cover detection engineering, what detection engineering is. So we're going to talk about, like, you're going to have an engineer that will write your detections, but what does it actually give you, what is the uplift, what is the extra benefit and why do we need this new role that we're promoting here, that is called detection engineering? It is all going to be about a formalized process, about a framework and about maturing your program.

Yeah, so if you're going to look at the past and what detection engineering was called, basically everybody knows this: you have a log from a security control, in this example which you see now it's an EDR log, you send it to your SIEM correlation solution or store, and then you have a detection that is being sent to you by email, SMS or any other mailing system. Threat hunting and detection engineering, as it evolved, just added a few steps to it, and it became an overlay function, an enrichment and extension to the current process, which also takes into consideration validation of the log sources and the EDR log, challenging in different scenarios with different TTPs, with different actors, on different samples, covering the blind spots and assumptions, covering the false positives, because as Ilya mentioned, your system administrators also use PowerShell, so how do you differentiate them from threat actors? You need to get the lowest resolution possible to see how the vendor works and research the vendor capabilities, and eventually it's TTP based, because you work in MITRE. So this whole process is like an overlay process of detection engineering that the threat hunting program gives you. Yeah, as we mentioned, to cover the extra space, the extra area in between those controls, so provide an extra benefit.

Now for all that we would need something that is called a framework, right? Where you're going to build it, how you're going to document it, how you're going to structure it. And there is a good framework for that: this Alerting and Detection Strategy framework, called in short ADS, was first introduced by Palantir and we decided to adopt it. It's actually very good, it covers the entire stack of the detection problem. So you will have all those steps that you can see on the side, that we will cover in the upcoming slides; it will have your goals, your criteria, categorization, blind spots, assumptions, validations, all the things that you need to know around the detection problem. Now why it is good: it is actually good because when you do it well, when you do it the right way possible, you will be vendor agnostic. So your detection teams, your blue teams, your defensive teams will be able to work in a collaborative manner on those repositories of detections, and each time you would need, for example, to shift your vendor (you stopped using this vendor for EDR and you partnered with a new vendor, without mentioning any names here), it's not a problem for your teams. Your teams will be able to refer to this ADS framework and rewrite the exact hunt or query or script in order to achieve the same visibility and the same coverage from the detection perspective. So it will be vendor agnostic, it will last for longer, it allows you this collaborative environment, it gives you the right resolution, so the growing gravity is really high, and then it will eventually address the security gaps.

Yeah, if we're going to finalize our presentation here, after we reviewed what's important for a threat hunter and the threat hunting program, I'm going to speak a bit about practical hunting scenarios that you can create. So if you're going to take real life examples, one example you can do is you can create a hunting scenario which is called the binary hunt; for example, we use the ADS framework and just hunt for potential remote programming programs in your environment. And this is one kind of detection you can create, or you can actually create another detection which is called spear phishing detection, and these are our two examples that we just created for this presentation to be able to show you how the ADS framework was built. I'm going to speak about the spear phishing one, but if you have any questions you can ask us about the other one later also.

So spear phishing: we're going to go with you through the thought process of how we created it. So the goal is to take specific spear phishing attempts that bypassed traditional security controls. If your security proxy blocks the URL and the URL does not arrive in the employee's email box, there is a detection; but once the URL comes to the mailbox and it was missed by the security vendor, what do you do then? So the categorization: MITRE ATT&CK has categorized it as well. And the strategy abstract is how you build this detection, how you extract it, what data sources you basically look at and how it is built. The technical context is the most important part of the ADS, because here you basically create a detection, and you try to think in the research why the security control didn't detect this specific URL that came to the email box of the employee: did the employee click on the URL, what browser opened the URL, was a payload downloaded from this spear phishing URL, and any kind of characteristics of the payload. Eventually, talking about blind spots and assumptions, because as we know there can also be false positives, you can look at and validate what happened there, and you can engage your adversary emulation team for the validation. Yeah, you use the red team to validate actually the detection you created, so they attack and you try to test your detection. Talk about priority: you need to prioritize the detection that you created also to the relevant things, and then, because you built the detection, you also know how to respond to it the best.

If we need a good start, once we realize that this is the ADS, we can also start from open source. So this is how we started back in the days, started creating detection or security research: we went to these amazing blogs and amazing companies and we read the blog, took the TTPs, extracted them, emulated them in our environment and basically created detection to see how our enterprise actually faces these attacks and threat actors, and this is a good start.

Now this concludes our presentation. I know it was a super high RPM, but we tried to keep the content relatively small but relatively enriched. So if you have any questions, we're going to be happy to address them and support you if you are interested in threat hunting and the detection engineering process. Yeah, thank you everyone. Thank you.

Awesome, thank you very much Ilya and Felix. There aren't any questions that have come in yet, but by all means you can hop on the Discord channel; getting thanks and praise there. Right, so thank you again for speaking at BSides. The last talk is coming up soon.
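The spear phishing ADS the speakers walk through, carried into working code as an added example; this is not the speakers' own detection or any ADS repository code. It assumes hypothetical mail-gateway and proxy log shapes with constructed sample rows, and pairs the delivered-URL-to-click correlation with the data-source check the talk insists on (question what visibility your sources actually give you).

```python
"""Spear-phishing hunt in the shape of an Alerting and Detection Strategy (ADS)
record, plus the correlation logic behind it. Added example, not code from the
talk. Assumed (hypothetical) log shapes: mail-gateway rows (ts, recipient,
verdict, url); proxy rows (ts, user, content_type, url). All rows are constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The ADS sections named in the talk, filled in for this one hunt.
ADS = {
    "goal": "Spear-phishing URLs that reached a mailbox and were then visited",
    "categorization": "MITRE ATT&CK T1566.002 Spearphishing Link",
    "strategy_abstract": "Join delivered mail URLs to proxy hits by user and host",
    "technical_context": "verdict != blocked; same host within 24h; download type",
    "blind_spots": ["Off-network clicks never reach the proxy",
                    "No TLS inspection: only the hostname is visible"],
    "false_positives": ["Legitimate browsing to the same shared public host"],
    "validation": "Adversary emulation sends one test link; expect one lead",
    "priority": "High if a download followed the click, otherwise medium",
    "response": "Collect mail and proxy evidence; isolate the host if a payload ran",
}
DOWNLOAD_TYPES = {"application/x-msdownload", "application/zip",
                  "application/octet-stream"}

def hunt_spearphish(mail_log, proxy_log, window=timedelta(hours=24)):
    """One lead per delivered URL whose host the recipient visited inside the
    window. Blocked URLs are skipped: the existing control already caught them."""
    leads = []
    for ts, recipient, verdict, url in mail_log:
        if verdict == "blocked":
            continue
        host, sent = urlsplit(url).hostname, datetime.fromisoformat(ts)
        for pts, user, ctype, purl in proxy_log:
            if user != recipient or urlsplit(purl).hostname != host:
                continue
            if not sent <= datetime.fromisoformat(pts) <= sent + window:
                continue
            leads.append({"user": user, "host": host, "clicked_url": purl,
                          "download": ctype in DOWNLOAD_TYPES})
    return leads

def proxy_blind_spots(mail_log, proxy_log):
    """Recipients of delivered URLs with no proxy telemetry at all. The talk's
    point: question the data source before trusting the absence of a click."""
    seen = {user for _, user, _, _ in proxy_log}
    return sorted({r for _, r, v, _ in mail_log if v != "blocked" and r not in seen})

# Constructed sample rows: one delivered-and-clicked, one blocked by the gateway,
# one clicked outside the window, one followed by a payload download, one
# recipient with no proxy telemetry at all.
MAIL_LOG = [
    ("2020-10-18T09:00:00", "alice", "delivered", "http://updates-portal.example/login"),
    ("2020-10-18T09:02:00", "bob", "blocked", "http://known-bad.example/x"),
    ("2020-10-18T09:05:00", "carol", "delivered", "http://docs-share.example/invoice"),
    ("2020-10-18T09:07:00", "dave", "delivered", "http://files-drop.example/doc"),
    ("2020-10-18T09:09:00", "erin", "delivered", "http://hr-notice.example/form"),
]
PROXY_LOG = [
    ("2020-10-18T09:15:00", "alice", "text/html", "http://updates-portal.example/login"),
    ("2020-10-18T09:20:00", "dave", "application/x-msdownload",
     "http://files-drop.example/doc/payload.exe"),
    ("2020-10-18T10:00:00", "alice", "text/html", "http://intranet.example/home"),
    ("2020-10-20T11:00:00", "carol", "text/html", "http://docs-share.example/invoice"),
]

if __name__ == "__main__":
    for lead in hunt_spearphish(MAIL_LOG, PROXY_LOG):
        print("LEAD", lead)
    print("no proxy telemetry for:", proxy_blind_spots(MAIL_LOG, PROXY_LOG))
```

Swapping the two lists for your own SIEM exports keeps the ADS record valid while the query underneath changes, which is the vendor-agnostic property the speakers credit the framework with.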