PROACTIVE SNOOPING ANALYSIS
Abhishek G (Member Technical Staff)
Deeksha Murthy (Senior QA Engineer)
Aditya Kumar (Senior QA Engineer)
First American India
Contents
Abstract
Introduction
Problem
Solution
Conclusion
References
Abstract
Proactive Snooping Analysis
Modern attackers are smarter and more skilled than ever before.
One of the largest breaches of classified information was carried out by an insider.
Offensive countermeasures can hunt these threats.
Introduction
According to the 2015 statistics, the breakdown of breached targets by type of entity is as follows:
Businesses were the target of 40% of security breaches (312 breaches).
Medical and healthcare entities made up 35.4% of data breach targets (276 breaches).
Government or military targets made up 8.1% of cybersecurity breaches (63 breaches).
Why did this happen? Who is to blame for this? How did this happen?
Problem
Delta Detection: detecting threats and adversaries on networks continues to be a problem for many organizations.
Alert fatigue: alert fatigue is an enemy to detecting or hunting real, human adversaries on an organization's systems.
Human adversaries: at the other end of any bot, virus, or targeted attack there is a human.
Prioritization of adversaries: what are we protecting and who are our adversaries? Are we prioritising them in the right way?
Solution
Threat Hunting: proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools.
Hunting can be Intelligence-Driven, Situational-Awareness-Driven or Analytics-Driven.
Incident Response: an essential component of Threat Hunting. The bigger result is achievable with hunting and Incident Response working together, hand in hand.
Threat Hunting
Attribution
A dynamic defense technique which, when combined with Threat Hunting, will minimize the effects of a targeted attack.
Web Bug Server
The Web Bug Server is essentially a command and control (C2) server for the defender.
MoleHunt
If the Threat Hunter suspects that leaks are happening or could happen, MoleHunt helps to narrow the focus.
MoleHunt takes the simple Web Bug concept to the next level.
By feeding a list to a Python script, an insider-hunt drive can easily be built.
Web Bug Server
MoleHunt
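As an added example (not from the presentation or from the Web Bug Server / MoleHunt tools themselves), the mechanism the slides above describe in Python: each name on a constructed hunt list gets its own beacon URL to embed in a tagged copy of the bait document, and the beacon server's access log is parsed to attribute a callback to the copy that was opened. The beacon host, the hunt list and the log lines are all hypothetical, constructed values.

```python
import hashlib
import hmac
import re

# Constructed values for this example: a placeholder beacon host and a
# hypothetical insider-hunt list (the "list fed to a Python script").
BEACON_HOST = "https://webbug.example.invalid"
HUNT_LIST = ["alice", "bob", "carol"]

def build_hunt(names, secret):
    """Return ({token: name}, {name: beacon_url}).
    Tokens are keyed HMACs of the name, so they cannot be guessed from the
    name alone but can be regenerated by the hunter from the secret."""
    tokens, urls = {}, {}
    for name in names:
        token = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:16]
        tokens[token] = name
        urls[name] = f"{BEACON_HOST}/img/{token}.gif"  # embed this in name's copy
    return tokens, urls

# Common Log Format line for a beacon fetch: IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /img/(?P<tok>[0-9a-f]{16})\.gif HTTP/1\.[01]" (?P<status>\d{3})')

def attribute_hits(log_lines, tokens):
    """Map beacon callbacks in access-log lines back to the hunt list.
    Returns (hits, unknown): hits name whose copy was opened and from where;
    unknown collects tokens not on the list (scanner noise or a guessed URL)."""
    hits, unknown = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a beacon request
        name = tokens.get(m["tok"])
        if name is None:
            unknown.append(m["tok"])
        else:
            hits.append({"name": name, "ip": m["ip"], "time": m["ts"]})
    return hits, unknown

if __name__ == "__main__":
    tokens, urls = build_hunt(HUNT_LIST, b"hunt-secret")  # constructed secret
    tok = urls["bob"].rsplit("/", 1)[1][:-4]
    # Constructed access-log lines: one real callback, one unrelated request.
    sample = [f'203.0.113.9 - - [10/Oct/2015:13:55:36 +0000] "GET /img/{tok}.gif HTTP/1.1" 200 43',
              '198.51.100.7 - - [10/Oct/2015:14:00:00 +0000] "GET /index.html HTTP/1.1" 200 512']
    print(attribute_hits(sample, tokens))
```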
Conclusion
Large-scale data breaches have happened and will continue to happen unless the mindset of security practitioners changes.
Bots and machines are not the advanced challengers; humans are!
Simply sifting through logs and alerts may be effective, but it does not lend itself to a proactive hunt for intrusions within or against an organization.
With the Active Defence tools Web Bug Server and MoleHunt, the Hunter can go on the offense and proactively seek out insiders who might be leaking data, hopefully before any real data is leaked.
It is time to let the machines hunt the machines and humans hunt humans!