
Thanks, everybody, for attending. I hope you're all having a good time at BSides Calgary. I wanted to give a big shout-out to the organizers and the sponsors; I guess it was pretty touch-and-go in the beginning, and 2020 hasn't been the easiest year, so the fact that they were able to put this all together is great.

So today I wanted to talk about threat hunting. There are a lot of things when it comes to threat hunting; when you look online there's tons of different information, open source stuff, vendor-related stuff. What I'm hoping to do with this presentation is whittle it down to some of the basics and introduce you to some tools that I have personally found really made the whole concept make sense, or make more sense. Some of the tools and documents that I talk about during the presentation I've added to a reference section at the end, so even though we may only touch on them, and I'll show you some examples, a lot of the stuff will be in the reference section. When you get the presentation at the end of the conference you'll be able to go check them out.

A little about me: I think in total I have just over 20 years' experience in IT and information security in both the public and private sectors, and for probably the last 12 years I've focused on network security, hunting, and digital forensics and incident response. Currently I lead the hunting and forensics program for AECOM's corporate cyber security operations center. Back 12 years ago when I started, there were maybe three people on our team: one of them was the CSO, one person looked after endpoints, and I looked after the network security. I think we were somewhere around 50,000 computers in 120 different countries, so if I twitch or something you'll know why. It's been a long haul, but now it's a lot better; the team's a lot bigger and we have more coverage across all the time zones. My certifications you can see there. I have a great interest in a lot of things related to security, so you can see I dip my hands in a lot of different areas, between forensics and reverse engineering and pen testing and, of course, incident response.

I know we only have just under an hour, so I'm hoping to have a bit of time at the end for questions, but I threw my contact information up. If we don't have time for questions, feel free to reach out to me either during the conference or after the conference if you have any questions or anything like that.

A little bit on the agenda: we'll talk a little bit about what threat hunting is, we'll touch on the threat hunting cycle, and some of the things I think you should focus on when you're hunting. As I mentioned before, there's a lot of really good stuff out there; a lot of really smart people have gone to a lot of effort to put together frameworks and documents and all sorts of different things that, like I said, start to bring it all into perspective and make it easier to manage. I'll talk about some tips and tricks that I've come across over my time hunting; some of it overlaps with incident response, but it kind of ties in together. And like I said, I'll go over some of the tools and documents that I've referenced during the talk.

So what if I told you threat hunting is just incident response without the incident? When I first read that I kind of chuckled, and the more I thought about it, the more I thought, well, there's some logic to this. I know threat hunting is not incident response, but at the same time, what I've noticed is that some of the tools and some of the techniques that I use during my hunting expeditions mirror some of the tools and processes that we use during incident response. And I thought, this is kind of cool, because threat hunting is almost like a tabletop exercise: you may find something, you may not find something, but it allows you to go through the processes. Certainly there will be some aspects that are different, but you don't have to reinvent the wheel that way either. On the flip side, some of the things that you come up with as you build out the threat hunting program you can transition over to the incident response side of things and start to help mature that program.

So what is threat hunting? There's a document that I'm referencing here, put out by a company called Sqrrl, called Hunt Evil: Your Practical Guide to Threat Hunting, and I highly recommend, if you're interested or even if you're actively threat hunting, that you read that document, because there's an absolute wealth of information in there, right from the maturity of the program to examples and things to look for. It's an awesome document, so I've put it in the reference section and you can download it and read it. But this is what it says: threat hunting is the human-driven, proactive and iterative search through networks, endpoints or data sets in order to detect malicious, suspicious or risky activities that have evaded detection by existing automated tools.

I've underlined a couple of things. One is human-driven. I'm a huge believer that when it comes to threat hunting, you're hunting for what you don't know you don't know, and you can't necessarily have an appliance or a piece of software do that. Sometimes it just takes a human to take a look at it, analyze it and make the decision as to whether it's a false positive or actual malicious activity. You can use the tools to collect data and crunch data, especially large amounts of data, and have it displayed in different ways, but it really comes back to the human taking a look at that and making a judgment call. If we want to abbreviate that a little bit, it's like finding a needle in a stack of needles. Attackers, as I'll cover later on, like to use what's available to them, and sometimes you could look at two similar things that may look like normal activity, but once you start digging a little deeper you find that one of them may very well be benign but the other one is very, very malicious.
So to look a little bit at the threat hunting cycle, at a really high level, one of the first things you want to do is conduct research. I'm going to break these down a little bit more, so I'm just going to cover them real quick. Next step, you're going to develop a hypothesis. There are so many things that you could look for and so many places that you could look that you need to narrow it down to something relatively specific. Next, once you know what you're looking for, you go and collect the data, analyze the data, and then you'll end up with some outcomes from that analysis.

Prior to starting all of that, and this again is another thing that I think is hugely important to get an understanding of, and sometimes it's easier said than done depending on the size of the organization, is understanding what your crown jewels are: what is the most important thing to your organization. Ingress and egress points: where are your users going out to the internet; if you happen to have DMZs, internal and external, but especially the external, where do you have access coming into your network (and hopefully your access into your network is actually going into a DMZ and not to a system on the internal side of the network). You want to know what sort of operating systems you have, applications, monitoring tools, anything that can provide you perspective on what an attacker might target, but also what information is available to you to gather.

So on the research side of things, you want to ask yourself some questions. Who are the threat actors? What is their motivation; why do they do what they do? Who are they targeting? It could be a specific industry vertical, it could be a specific company, it could be companies within a certain country, any number of things that they may be after. What are their TTPs, their tactics, techniques and procedures, and what IOCs are available? A lot of this stuff, if you go to the vendors, they do papers. I think actually I have something in the reference section: there's a site on GitHub that a group has been maintaining, and there's literally years' worth of documents about different attacks, different groups, IOCs, samples, actual malware samples that you can look at in an isolated environment. This gives you an understanding of who it is that you are potentially dealing with, and it's important, as the process goes, to start to get in their heads. They have a tendency to exhibit repeatable behavior, and if you can get a real feel for how they operate, then if you do encounter them and you're careful, you can track them. Even if they jump out and jump in somewhere else, it can be easier to see them pop back up and continue tracking their activities.

So the next thing is your hypothesis, based on your research: what do you want to look for and why? At a high level, you may want to look for something in your Windows log files, a specific event code like RDP connections, or RDP connections with a source address that's maybe a public address if you have ingress points, things like that. So you try to narrow it down, and then from there you craft queries depending on the log source and the tools that you have available. If you have a SIEM, sometimes that can make it easier; if not, there are some other tools that you can use to reach out and do a large-scale collection of data.

What data do you want to collect? There are your Windows system, security and application logs; you might have packet captures, NetFlow, proxy logs, anti-virus logs, endpoint protection logs, PowerShell logs, Sysmon logs, even registry artifacts. And I threw this one in because I came across it a couple of years ago: the SCCM database. I asked them if they could give me read-only access to it, and I was just going through the different tables, seeing what it was that they collected, and I noticed that they had it configured to do software auditing, so that they were keeping track of what software was installed so they could match it up against our licensing and make sure we were compliant and all that stuff. What was interesting when I looked at that was that it was recording two things: it was recording the executables that were on a system, but it was also recording the last time an executable was run, because I wanted to see if people had software on their system that maybe they hadn't used in 30 days or 60 days or whatever. So I did a quick SQL query and I noticed that not only was it looking for specific executables, it was actually looking for every executable. As I started to whittle away at some of the noise in that query, I noticed that I was able to look for things that ran in the AppData\Roaming folder or the AppData\Local folder, and it wasn't long before I was starting to see malware that was being recorded in the SCCM database as existing on the system, and I could also find the last time it was run. Once you have that little nugget of information, you can go to the system and take a look at it. There were instances where we found things like keyloggers that had been running for a long time, and the antivirus software had either not picked it up or they were cycling new versions of the executable just prior to the AV detecting the old one. Sometimes in the AV logs you would see one system with two or three hundred detections for the same thing, but when you went and looked at what it was doing, it was detecting yesterday's malware, not today's. So they were able to stay ahead of it, and even though the system may have appeared as though AV had picked it up and cleared the malware, in actuality it was still there running.
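The hunt described above, flagging executables that live in a user's AppData\Roaming or AppData\Local tree and ordering them by when they last ran, as an added example that is not the speaker's SQL query. The talk names no SCCM table or column, so this works on rows already exported from the inventory as (host, path, last_run); the rows, the allowlist of known-good subtrees and the host names are all constructed for the example.

```python
"""Hunt a software-inventory export for executables that live in user-profile
AppData folders, in the spirit of the SCCM software-audit query the talk
describes (executables present on a host, plus the last time each was run).

Added example, not the speaker's query. The page names no SCCM table or
column, so this works on rows already exported as (host, path, last_run);
every sample row below is constructed.
"""
import re
from datetime import datetime, timedelta

# An .exe under a per-user profile's AppData\Roaming or AppData\Local tree.
USER_APPDATA_RE = re.compile(
    r"^[a-z]:\\users\\(?P<user>[^\\]+)\\appdata\\(?P<scope>roaming|local)\\(?P<rest>.+\.exe)$",
    re.IGNORECASE,
)

# Known-good subtrees to suppress: the "noise" that had to be whittled away.
# Constructed allowlist; tune it to what is normal in your own estate.
ALLOWLIST_PREFIXES = (
    "microsoft\\teams\\",
    "microsoft\\onedrive\\",
)


def classify_path(path):
    """Return (user, scope, relative_path) when path is a user-profile AppData
    executable that is not allowlisted, otherwise None."""
    match = USER_APPDATA_RE.match(path.strip())
    if not match:
        return None
    rest = match.group("rest")
    if rest.lower().startswith(ALLOWLIST_PREFIXES):
        return None
    return match.group("user"), match.group("scope").lower(), rest


def find_user_profile_executables(rows, now, recent_days=30):
    """rows: iterable of (host, path, last_run); last_run is a datetime or None
    when the inventory never saw the binary execute. Returns one finding per
    hit, recently-run binaries first, so the analyst starts with the live ones."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for host, path, last_run in rows:
        hit = classify_path(path)
        if hit is None:
            continue
        user, scope, rel = hit
        findings.append({
            "host": host,
            "user": user,
            "scope": scope,
            "path": path,
            "last_run": last_run,
            "ran_recently": last_run is not None and last_run >= cutoff,
        })
    findings.sort(
        key=lambda f: (f["ran_recently"], f["last_run"] or datetime.min),
        reverse=True,
    )
    return findings


# Constructed sample inventory: a mix of normal installs and profile-resident binaries.
NOW = datetime(2020, 11, 14, 12, 0)
SAMPLE_ROWS = [
    ("WKS001", r"C:\Program Files\7-Zip\7z.exe", NOW - timedelta(days=2)),
    ("WKS001", r"C:\Users\jdoe\AppData\Roaming\helper.exe", NOW - timedelta(hours=6)),
    ("WKS002", r"C:\Users\asmith\AppData\Local\Microsoft\Teams\current\Teams.exe", NOW - timedelta(days=1)),
    ("WKS002", r"C:\Users\asmith\AppData\Local\Temp\update.exe", NOW - timedelta(days=90)),
    ("WKS003", r"C:\Users\bwong\AppData\Roaming\Tools\kl.exe", None),
]

if __name__ == "__main__":
    for f in find_user_profile_executables(SAMPLE_ROWS, NOW):
        when = f["last_run"].isoformat() if f["last_run"] else "never recorded"
        flag = "RECENT" if f["ran_recently"] else "stale"
        print(f'{f["host"]:7} {flag:6} {when:20} {f["path"]}')
```

The "last run" column is what makes this more than a file listing: a binary that executed six hours ago in a profile folder goes to the top of the list, while one the inventory has never seen execute still appears, because the talk's point is that AV may have reported a clean-up that never actually happened.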
So this, I think, is probably the biggest component of the hunting: analyzing the data. Curiosity is the key with this. There's not necessarily one right way to do it, but you really need to keep an open mind and think outside the box. It's part knowledge, part intuition, part gut feeling, but it's the type of thing that evolves over time. The more scenarios you go through and the more times you see things, you start to think about them in a different way, and it just grows out of that.

Especially when you're dealing with a lot of data, one of the problems is that it's pretty easy to fall into a rabbit hole. That's not necessarily a bad thing, because sometimes it only takes one artifact or one log entry to send you on a journey that's going to lead to you phoning up the incident response manager at five o'clock on a Friday afternoon and saying, yeah, you can forget about your weekend. On the flip side, you can get down pretty deep and it's hard to find your way back out, so you need to really watch how you do that. I know there were times where I was absolutely sure I was looking at something malicious, and I spent the better part of two, three, four hours drilling down and analyzing and gathering more and more data, just to find out that it was in fact benign. That was just one of the many rabbit holes. You need to be able to back your way out, go on to the next step and investigate the next artifact.

When it comes to tooling, again, it depends on the size and the format of your data set. I've used Excel. If I have a large number of text files or CSV files and I'm looking for strings, sometimes I'll use Notepad++ and the Find in Files search; I'll just point it at a directory and say show me everything with cmd.exe, or show me everything with PowerShell, and it'll chew through the files and identify any lines that have those identifiers. The Strings program, part of Sysinternals, is another good tool for going through especially really large files. Another one that I've relatively recently got involved with is some frameworks that involve Jupyter notebooks. The nice thing about Jupyter notebooks is that you can basically integrate text and then embed code; primarily it's Python, but they have the ability to tie in, I think, PowerShell now as well. A couple of the frameworks, and one specifically that I'm going to go over later, use this format to not only document all of these parts of the cycle, but they also put in the code that imports the data, allows you to run the analysis of the data and document your outcome. When I show you, it's actually really cool; it ties this whole cycle in and, most importantly, it does so in a way that allows you to create a process that's repeatable. Like any process, you have the ability to tweak it and make it more efficient, but one thing with hunting is that you want to try to create something that's repeatable, especially if your hunting program grows or if you don't necessarily have people that are full-time. You might have somebody who spends a day or half a day every week or every two weeks doing some hunting, and you want to be able to point them to some playbooks that will allow them to do that process and repeat it over and over.

So coming to the outcomes, again, there are many outcomes to threat hunting. Obviously, if you do happen to find something during this process, you're going to spawn an incident. That's why nobody on our SOC will answer the phone if I call them on a Friday afternoon, because they know their weekend is toast. But that's the obvious one. Another thing is, as we mentioned when we were talking about the definition, we're looking for, and hopefully finding, things that have evaded our automated detection tools. So one of the good outcomes from this hunting process is that as we find things in the environment that are not being detected, we can work either with our SOC or with the tools or with the vendors to develop or refine the signatures, so if that particular indicator or artifact shows up again, hopefully this time we can pick it up.

Now this is something that I think is important and sometimes overlooked: identifying and remediating vulnerabilities. I know the first thing that comes to mind is, well, we have vulnerability scanners that are scanning and identifying vulnerabilities, we have patch management programs that manage and identify systems that need to be patched. But it's not always something that could be picked up by those programs. I've done a lot of hunting where I may be looking on a system for malicious activity, but sometimes I'll just look around and see what is available to someone. I assume that I'm an attacker and I already have access to a system: what is it that could be just sitting there that could provide me my next step into the environment? Later on I'll cover a few of those scenarios that I've run into over the years.

The other useful thing with threat hunting is identifying gaps. Depending on the complexity and the size of your environment, as you're looking for things in the SIEM or looking at individual systems, you may find things like agents that aren't running, agents that aren't installed, or agents that aren't communicating because the access controls between your network segments aren't allowing them to communicate with their management server. Maybe you're not monitoring a certain segment of the network that you should be monitoring; maybe you're finding systems you didn't even know you had. So that helps with working with the IT organization at large to tighten things down, because the ultimate goal, certainly during the threat hunting process, your primary focus is to find the bad guys that may be lurking around in your network, but at the same time you want to try to find some of these issues before they do. If you can tighten them up, then that just gives them one less foothold if they happen to get in.
Do not try to detect obfuscated code, that's impossible; instead, only try to detect the obfuscation. If you haven't noticed, I like The Matrix, by the way. So this leads into the next piece, where we talk about the focus. I'm sure a lot of people are familiar with the Pyramid of Pain. When I first saw this, it was like, that's really cool. And then when I started getting more and more involved with the hunting, seeing how important these different components were to attackers, especially well-established and in certain cases nation-state attackers, you could see how the hash values, the IP addresses, the domain names, even the network and host artifacts, they were swapping them out consistently. It's very cheap, they're disposable, and they're easy to detect with a lot of the standard tooling that we have, the IPSs, IDSs, firewalls, all that stuff. Those tools are great for automating that process. But those top two sections, the tooling and the TTPs, lean more, like I say, to the behavioral side of things: how do they behave? The thing about those two components is that from an attacker's perspective it's difficult for them to change those, and they're only going to want to do it as an absolute last resort. If they've got zero-days, if they've got malware that they've created to operate low and slow in an environment, they're not going to want to take the chance of giving that up if they can get away with it. On the flip side, it's much harder to automate those detections. I think that's where, if at all possible, you want to operate, because if you can identify those, and I've seen it on a number of occasions, some of these advanced attackers, if they get the impression that they're being watched, can disappear. They may disappear for a week, they may disappear for a month or even longer, but then they'll show up again somewhere else, and if you can get a really good understanding of those behaviors, it makes it a lot easier to detect when they come back in. In one instance we had involvement with an APT group where eventually they disappeared and we thought we'd kicked them out, but we left some of the monitoring in place. At the time we were able to create some signatures that were behavior-based, and I think it was about a month later when they came back, and we basically detected them based on the behavior, literally within minutes of them coming back in. So that's a good place to be if you're hunting.

So I'm just going to take a quick break here and pull up, let me see, a few of these tools that, like I said, I found really help make sense of stuff. One is the ThreatHunting Project. This is put together by David Bianco, who put together the Pyramid of Pain. If we take a look at some of the hunting procedures, he has this broken out by, I guess you'd call it a hypothesis, or a technique or a tactic, however you want to do it. If we open up one of these, we can start to see these parts of the cycle: what's the purpose, what kind of data do you need to collect, what type of analysis techniques are useful to detect this type of activity, and then a description of what it is that you're looking for, which gives the analysts a bit of background so they have a better understanding. And then, if it came from a specific paper or any sort of reference material, the analyst can go back and take a look at it. So this was one really good site that had a lot of useful information, and it comes back to: why reinvent the wheel, why do this all on your own, when these people have gone to the effort. A lot of these platforms, like many other open-source projects, are actively willing to ingest information from other people, so as you get more and more into threat hunting, you can start to put these types of playbooks together and submit them and share them for everybody.

Now, a similar one was put together by Roberto Rodriguez, and this one is one that I started working with a few months ago and I really like it; it seems to take it to the next level. This one integrates the Jupyter notebook, and it ties it to the MITRE ATT&CK framework too, which is really cool. Not only can you use this framework to work on notebooks and create playbooks that are tied to the ATT&CK framework, you can also do a collective overview and say, okay, if these are all of my playbooks, you can use the ATT&CK Navigator view, which basically shows all of the tactics and techniques that MITRE has put together. You notice how some of them are highlighted; so now you can look at that whole big picture of all these tactics and techniques and instantly see which ones you have covered with your playbooks. If, rather than doing some hunting, you want to do some work on playbooks, you can look at this and say, we've got all of this stuff here covered, but we haven't really done any work here, so let's see if we can create some playbooks and start to fill in the gaps that you might be missing in your program.

Just to look at one of these, let me see if we can get rid of this context thing here. If we look at this, again you can see that cycle, or that framework, of conducting a hunt. Obviously there's some metadata: creation date, modification date, who created it. Here's your hypothesis: adversaries leveraging WMI ActiveScript event consumers remotely to move laterally in the network. It provides some technical context, some background to get a better understanding of what these technologies are for and how they operate. They have a section on offensive tradecraft: how do the threat actors utilize this technology? Now, this particular framework, out of the box, they put together what they call the Mordor datasets that you can use for testing, for playbook development and stuff like that, so it's a good source of practice data. But this is where it gets kind of neat, on the analytics side. This is, I guess, a web version of the actual playbooks, but you can get this as, I think, a Docker image that you can download and get going. When you're in the Jupyter notebooks, you can modify and work with this Python code, and as it executes that code you get output. You can have multiple analytics, so you could have it take the same data set and the same information and look at it in slightly different ways. You can identify what the false positive levels are. Oh, I think we're getting close. So this is a really good tool; I really like this one. It helps keep things concise, helps document it, makes the process repeatable. You can put in your false positives, you can put in notes for other people, your output, and the Sigma rules that will basically take these generic analytics, or the logic behind the analysis, and turn it into actual rules for different platforms. So that's actually a really cool little project to take a look at.

I also wanted to touch on this tool set called Kansa, put out by Dave Hull. What's really neat about it is that it's entirely PowerShell-based. You can point it at one or many systems. It has modules that will go out; if we take a really quick look at some, it will go out and grab files, it'll grab disk usage information, it'll grab fls body files, files by hash. There's a huge number of things that it'll do, and it'll do it really quick. The other piece of this is that it also has an analysis piece. The modules collect, but the analysis piece will actually do some of the slicing and dicing, all that mundane leg work that you might have to do manually; it'll do that for you. As this tool has evolved, as it stands you can pull that all back into CSV files, but you can also push it to an Elastic stack, so all those machines that are reporting back go up into an Elastic instance and then you can do an Elasticsearch on it, and slice it and dice it whatever way you want.

So I'm just going to jump back to this: some tips and tricks that I've run into during my experience hunting. Normal is the new not normal. Attackers, I've noticed, tend to take the path of least resistance, and one of the best ways that they can do that is by just using the tools that are lying around on the system: standard Windows admin tools, Sysinternals tools, whatever they can find. The more they can make it look like a normal administrator working away on a system, the harder it is to find. It's often referred to as living off the land. They don't bring any special malware, they don't bring anything that might set off alarms and trigger that they're running around; they'll just use what's there, and they'll do that until they have no other choice but to bring in some alternate tools.

And then, like I said before, find the vulnerabilities before the attacker does. Examining files on a system can expose vulnerabilities that a scanner might miss. Some examples: if you have a web server, look at the web.config files. If they haven't been encrypted, there's a high probability that there are database names, database usernames and database passwords in there. They could be very complex, but they're still stuck in there in plain text. So if an attacker gets onto a web server, and I've seen them do this before, they would get a web shell on there and all they would do is search and stream out the contents of web.config files, and they would just start collecting credentials. Things like exposed Citrix apps.
you know i i we had an incident i called death death by notepad he wouldn't think um you know notepad could be dangerous but i'll tell ya it's it's amazing what's uh functionality is uh built into that and you know exposed sql query windows um i think it was my uh was that my php admin had a um like a sql query window that was built into it um i you know i i have a basic uh uh i guess maybe maybe a a medium understanding of the whole sql query language but um yeah who knew you could write a string to a file um you would think it would be obvious here you know you can you can query a
database and write contents to a file but yeah that was an interest interesting one so you know looks can be deceiving you know attackers attackers are good at the area deception like i said before what appears to be normal can be in fact malicious and and here's an example so i remember um you know you have an analyst that looks at a data set of proxy logs notice a certain hearst commun host uh communicating with the url but it's getting a 404 back you know paige not found well you know there there's two scenarios you might kind of immediately think well there shouldn't be is probably it's highly likely that you know maybe it used to be
like a malicious site and maybe somebody took it down or maybe um you know maybe it's operating the way it's supposed to be you know you know it's but you know upon further um further analysis you know we picked up that these sessions occurred about five minutes apart and that race flags right there what are the odds right that that to me sounds scripted um we obtained a packet capture and it was discovered that um yes indeed it was um you know that a legitimate uh 404 page from a web server but if you looked at the very bottom there was a set of comments and in that comment was a whole bunch of base64 encoded
commands so the the malware would go out it would hit the 404 would bring back the the page not found and if you rendered it you would see just a page page not found but if you went into the html and went right to the bottom you would see where they embedded their c2 traffic and it was just going back and you know pulling back whatever commands and then sending out whatever information they uh they needed um capability versus intent um sometimes you want to take a look at an application's capability and determine um if it can be used to perform functions beyond its original tenant it doesn't have to necessarily be an exploit um and and you know that was another
interesting scenario um you know i mentioned earlier a little bit uh ago about the sql uh interface well the first thing that came through my mind was well that's not good and you know somebody could get access to the database or a series of databases well they did actually use that interface but it wasn't to access a database they actually wrote a string of text php eval and a variable name and wrote that to the web server so they instantly had a simple web shell and you know they used that to um you know download some a little more advanced software and then the way they went another example was the the citrix server and the notepad
and if the i if you're not aware of this you'll probably i don't know you might have trouble sleeping tonight but i know it kind of scared me when i first saw it they opened up notepad but what they did was they opened up notepad they opened up the file open dialog box and in the window where the file path was they put in c colon windows slash system32 cmd.exe hit enter and then instantly they were given a command prompt on the citrix server as whatever user that app was published as so you know not only could they technically save files but now they had a command shell so um you know it was it was a i guess a
mute point uh for anyone in the in the hacking business um as as far as you know how easily it would be for there to to start to escalate and and and make your way through a system so um that's that's kind of you know some of the things that i've seen um like i said the um the reference materials uh the honey evil read that it's an awesome awesome uh pdf um it has some really good information check out mitre attack it has um it's a treasure trove of information for to find stuff to uh to hunt for and being able to to attribute it back to certain groups this cyber criminal campaign collection
mentioned that before it's got like hundreds and hundreds and hundreds of pdfs going back like 10 years or more um that that different uh groups and and um individuals have published on on on attack so there's a huge amount of information to research there the threat hunter playbook and the threat hunting project we have links there again it just makes managing the whole process a lot easier and uh sigma which is the generic signature format for sim systems you know helps you create kind of a generic and let's say a generic signature you can use that and and translate that into signatures for you know various sims so you know you have one rule and you have
um you know the ability to kind of change it into whatever you need um security onion um if you're not familiar with that it's a great open source solution for network monitoring they've integrated some hunting stuff into it i think they're actually just not too long ago they release versions that'll operate in the cloud super super great tool does packet capture all that neat stuff um cape and cans of their great data collectors cans i showed you cape was was designed specifically to do forensic gathering without having to do like full image of a system it would go and get information it would maintain the file stamps everything else so i i recommend taking a look at that
it's a really cool program not only for hunting but also for for for ir and this was actually released not too long ago um you know i i'm sure we've seen you know fire eyes um you know various vms for um they had one for uh pen testing i believe and and then they had their flare vm for malware analysis so they just recently uh released the threat pursuit vm which is a threat intel and and hunting virtual machine um so i'm i've just recently started playing with that and and um well we'll see how that goes but from what i've gathered and what i've seen so far it's a really cool tool um so i know we're kind of pushing the
envelope here but uh you know if anybody has any questions like i said um my content info is there feel free to reach out to me uh you know over the next day or so or even after the conference um if you have any questions and hopefully i was able to provide some insight and hopefully enjoyed it thank you
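The scripted 404 beacon case from the talk, as an added Python example that is not the speaker's own code: it runs a constructed proxy log through a periodicity check (the "sessions about five minutes apart" tell) and then pulls base64 out of a trailing HTML comment in a constructed 404 page, the way the packet capture was read. The log format, hostnames and payload are all assumptions.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real data): time, client, method, URL, status.
PROXY_LOG = """\
2020-11-06T10:00:02Z 10.1.2.3 GET http://example.invalid/news.php 404
2020-11-06T10:01:10Z 10.1.2.3 GET http://example.invalid/index.html 200
2020-11-06T10:05:01Z 10.1.2.3 GET http://example.invalid/news.php 404
2020-11-06T10:10:03Z 10.1.2.3 GET http://example.invalid/news.php 404
2020-11-06T10:15:02Z 10.1.2.3 GET http://example.invalid/news.php 404
2020-11-06T10:07:44Z 10.1.2.9 GET http://example.invalid/old.html 404
"""
LOG_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+) (\d{3})$")

def find_periodic_404s(log_text, min_hits=3, max_jitter_s=30.0):
    """Map (client, url) -> mean gap in seconds for 404s that recur on a near-fixed
    interval: a clock-driven hit on a 'dead' page is the scripted tell; retries aren't."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(4) == "404":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            times[(m.group(2), m.group(3))].append(ts)
    suspects = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:  # low spread between hits
            suspects[key] = statistics.mean(gaps)
    return suspects

# Constructed 404 page: renders as "Not Found", but the trailing HTML comment
# carries a base64 blob, the pattern seen in the packet capture in the talk.
PAYLOAD_B64 = base64.b64encode(b"constructed sample tasking").decode()
NOT_FOUND_PAGE = ("<html><body><h1>Not Found</h1><p>The page was not found.</p>"
                  f"</body></html>\n<!-- {PAYLOAD_B64} -->\n")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def base64_in_comments(html):
    """Decode base64-looking tokens hidden in HTML comments for analyst review."""
    found = []
    for comment in COMMENT_RE.findall(html):
        found += [base64.b64decode(t) for t in comment.split() if B64_RE.match(t)]
    return found
```

The periodicity check deliberately ignores the single 404 from the second client and the 200 response, so only the clock-driven host/URL pair surfaces for a packet-capture follow-up.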