Let’s go Threat Hunting

Let’s go Threat Hunting
Gain visibility and insight into potential threats and risks

Introductions
John Ayers, VP, Product Management
- Drives security innovation and awareness to help customers navigate the ever-evolving threat landscape
- Serves on Product Advisory Councils for FireEye, Palo Alto, Sophos, Cisco, Intel-McAfee, and Symantec
- Instrumental in developing the first virtual SOC and CISO programs
- Worked with the FBI’s Cyber Crime Division

About Us
- Proven: 10 consecutive years on the Gartner Magic Quadrant for SIEM
- Comprehensive: combines all critical capabilities (SIEM, MD, UEBA, threat intelligence)
- Innovative: the only SIEM platform that also provides a 24/7 co-managed SOC
- Effective: practical and flexible solutions even for the “1-man” or “no-man” security team
- Recognized as “Best Buy”, “5 Star” and “Recommended” by trusted industry sources

Agenda
- What is threat hunting?
- What is a threat? Why me?
- What is the threat lifecycle?
- Why hunt for threats?
- What is needed to hunt?
- When should you hunt for threats?
- Hunting maturity
- What if you find something?
- The role of threat intelligence
- Demonstration: some examples
- How SIEMphonic hunts for threats
- What have we caught?
- Questions

What is a threat?
Threats occur because adversaries have intent, capability and opportunity:
- INTENT: the goals your adversary wants to achieve
- CAPABILITY: the ability of your adversary to successfully breach your organization and achieve their intended goal(s)
- OPPORTUNITY: your adversary’s timing and knowledge of your environment, including its vulnerabilities
Intent + Capability + Opportunity = a threat to your organization

What is threat hunting?
- You have “good stuff” in your network and the bad guys want it; they are attacking you as we speak, trying to get a foothold
- Yes, you have defenses (NGFW, AV, IDS, SIEM…) but Pobodys Nerfect
- An Assume Breach paradigm is needed: despite your best defenses, the bad guys are inside. What now? Answer: go looking for them
- Threat hunting is a focused, iterative approach to seeking adversaries inside your network
- Threat hunting is not waiting for someone else to tell you that you’ve been hacked

Why hunt for threats?
- 80%+ of malware is tailored to the target network
- Time to discover is 200+ days

The Kill Chain of Advanced Threats
Each stage of the chain is paired with the control that can break it there:
- Malicious email / spam: Antispam
- Malicious link to a malicious web site: Web filtering
- Exploit delivered to the customer office: Intrusion prevention
- Malware: Anti-malware
- Command & control server, bot commands and stolen data: App control
- Access confirmed

Where in the kill chain to catch them?
- A win is a win: catch them anywhere in the cycle and you win; they lose
- Don’t buy the bogus argument that defenders have to win every time, all the time, while attackers get infinite tries and need to win only once
- With this shift, show them there will be losers
(Speaker note: we should have a slight variation of this slide per vertical depending on the data. Source: Verizon report)

Assume you’ll catch something, then what?
- Work out an Incident Response Plan
- Who does what when an incident is found
- Stages of IR

What do you need to start hunting?
- Get data from assets
- Passive defense first
- Active defense next
- Meld TI into the mix
- Only hypothetical: offense, if you have nation-state capabilities (hint: you don’t)

How to hunt?
- Form a hypothesis. For example: VPN connections from outside our home country bear investigation; first-time-seen processes on critical machines need eyes
- Get data: linked data makes analysis possible; pivoting is key
- How to search: visualization, anomaly detection
- How to focus: enrichment
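The two hypotheses on this slide, worked through as an added example (not code from the presentation or from EventTracker/SIEMphonic): the log lines, the GeoIP table over documentation IP ranges, the critical-host list and the process baseline are all constructed for the example, and a real hunt would pull them from the SIEM and a GeoIP provider instead. The block parses JSON events, tests each hypothesis, then pivots on a linked field (the user) to collect everything else that identity touched, which is the enrichment step that turns a single hit into a lead.

```python
"""Hypothesis-driven hunt over constructed log events.

H1: VPN logins from outside the home country bear investigation.
H2: First-time-seen process images on critical machines need eyes.
"""
import ipaddress
import json

HOME_COUNTRY = "US"
CRITICAL_HOSTS = {"dc01", "fileserver01"}

# RFC 1918 space: a login sourced from inside the network is never "foreign".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed GeoIP table (assumption: a real hunt uses a GeoIP provider or the
# SIEM's own enrichment; these are documentation ranges mapped to made-up countries).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RO",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}

# Constructed baseline: images already seen on each critical host (assumption:
# built from historical process-creation telemetry such as Sysmon event ID 1).
BASELINE = {
    "dc01": {"lsass.exe", "svchost.exe", "ntds.exe", "dfsrs.exe"},
    "fileserver01": {"svchost.exe", "explorer.exe", "backupagent.exe"},
}

# Constructed JSON log lines standing in for a SIEM search result.
LOGS = [
    '{"type":"vpn_login","user":"alice","src_ip":"203.0.113.7","ts":"2018-11-17T01:02:03Z"}',
    '{"type":"vpn_login","user":"bob","src_ip":"198.51.100.22","ts":"2018-11-17T01:05:00Z"}',
    '{"type":"process_create","host":"dc01","user":"SYSTEM","image":"lsass.exe","parent":"wininit.exe"}',
    '{"type":"process_create","host":"dc01","user":"bob","image":"mimikatz.exe","parent":"cmd.exe"}',
    '{"type":"process_create","host":"wks042","user":"alice","image":"weirdtool.exe","parent":"cmd.exe"}',
    '{"type":"vpn_login","user":"bob","src_ip":"192.0.2.9","ts":"2018-11-17T01:40:00Z"}',
]


def geo_country(ip: str) -> str:
    """Return a country code, INTERNAL for RFC 1918 space, UNKNOWN if unmapped."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "INTERNAL"
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "UNKNOWN"


def parse(lines):
    return [json.loads(line) for line in lines]


def hunt_foreign_vpn(events, home=HOME_COUNTRY):
    """H1: flag VPN logins not from the home country. UNKNOWN geolocation is
    flagged too; an address you cannot place deserves eyes, not a pass."""
    hits = []
    for e in events:
        if e.get("type") != "vpn_login":
            continue
        cc = geo_country(e["src_ip"])
        if cc not in (home, "INTERNAL"):
            hits.append({**e, "country": cc})
    return hits


def hunt_first_seen_process(events, baseline=BASELINE, critical=CRITICAL_HOSTS):
    """H2: flag process images on critical hosts that are absent from the baseline.
    Non-critical hosts are skipped so the hunt stays focused on crown jewels."""
    hits = []
    for e in events:
        if e.get("type") != "process_create" or e["host"] not in critical:
            continue
        if e["image"].lower() not in baseline.get(e["host"], set()):
            hits.append(e)
    return hits


def pivot(events, key, value):
    """Linked data: from one hit, collect every event sharing a field value."""
    return [e for e in events if e.get(key) == value]


def run_hunt(lines):
    events = parse(lines)
    findings = {
        "foreign_vpn": hunt_foreign_vpn(events),
        "first_seen_process": hunt_first_seen_process(events),
    }
    # Enrichment: for each user behind a foreign VPN login, pull everything
    # else that user did so the analyst sees the login and the follow-on activity together.
    findings["pivots"] = {h["user"]: pivot(events, "user", h["user"])
                          for h in findings["foreign_vpn"]}
    return findings


if __name__ == "__main__":
    print(json.dumps(run_hunt(LOGS), indent=2))
```

On the constructed data the foreign-VPN hypothesis fires twice for the same user, the first-seen hypothesis fires once on the domain controller and ignores the unknown tool on the workstation, and the pivot on that user ties the two foreign logins to the new process on dc01. That join, not either hit alone, is what makes the lead worth escalating.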

Who should hunt?
- This is a full-time job; it is hard to do part time
- Dedicated staff is preferred, ideally focused on true threats and not sidelined by alert response, network maintenance or vulnerability patching tasks
- Curious people with exposure to security technologies
Security Operations Skills, Tier 1 rankings:
- 80%: log analysis and use of analytic tools
- 78%: knowledge of baseline network activity
- 70%: threat analysis (including the use of threat intelligence)
- 66%: understanding of baseline endpoint apps, users and access

Hunting Maturity Model
- LEVEL 0, INITIAL: relies primarily on automated alerting; little or no routine data collection
- LEVEL 1, MINIMAL: incorporates threat intelligence indicator searches; moderate or high level of routine data collection
- LEVEL 2, PROCEDURAL: follows data analysis procedures created by others; high or very high level of routine data collection
- LEVEL 3, INNOVATIVE: creates new data analysis procedures
- LEVEL 4, LEADING: automates the majority of successful data analysis procedures

Demonstration
EventTracker 9 is a threat hunter’s dream weapon:
- Super-fast search with linked data via Elasticsearch
- Visualizations, enrichment, anomaly engine
- Death Star

How SIEMphonic hunts
- Start with the end in mind: the IR Plan
- Identify data sources and integrate them
- Integrate threat intelligence
- Get triggers from various sources: anomaly detection in the network, notifications from threat intel (global or community), hourly report review, crown jewels analysis
- Escalate L1 → L2 → L3 → customer, with remediation recommendations
- Record via the Case book; leverage the IR Playbook
- Update the Risk Register

Catch of the day
We review billions of logs daily to protect our customers. See what we caught today: eventtracker.com/catch-of-the-day

Resources
- The Threat Hunting Project: www.threathunting.net
- Enterprise Detection & Response: http://detect-respond.blogspot.com
- “The Who, What, Where, When, Why and How of Effective Threat Hunting”: www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
- “Generating Hypotheses for Successful Threat Hunting”: www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172

Q&A

Thank you.