Presentation is loading. Please wait.

Presentation is loading. Please wait.

Let’s go Threat Hunting

Published bySteven Burke Modified over 6 years ago

Similar presentations

Presentation on theme: "Let’s go Threat Hunting"— Presentation transcript:

1 Let’s go Threat Hunting
Gain visibility and insight into potential threats and risks

2 Introductions Drives security innovation and awareness to help customers navigate the ever-evolving threat landscape. Serves on Product Advisory Councils for FireEYE, Palo Alto, Sophos, Cisco, Intel-McAfee, and Symantec Instrumental in developing the first virtual SOC and CISO programs Worked with FBI’s Cyber Crime Divisio John Ayers VP, Product Management

3 About Us Proven: 10 consecutive years on Gartner Magic Quadrant for SIEM Comprehensive: Combines all critical capabilities (SIEM, MD, UEBA, threat intelligence) Innovative: Only SIEM platform that also provides 24/7 co-managed SOC Effective: Practical and flexible solutions even for the “1-man” or “No-man” security team Recognized as “Best Buy”, “5 Star” and “Recommended” by trusted leading industry source.

4 Agenda What is threat hunting? What is a threat? Why me?
What is the threat lifecycle? Why hunt for threats? What is needed to hunt? When should you hunt for threats? Hunting maturity What if you find something? The role of threat intelligence Demonstration – some examples How SIEMphonic hunts for threats What have we caught? Questions

5 What is a threat? Threats occur because adversaries have intent, capacity and opportunity INTENT The goals your adversary wants to achieve CAPABILITY The ability of your adversary to successfully breach your organization and achiever their intended goals (s) OPPORTUNITY Your adversary’s timing and knowledge of your environment, including its vulnerabilities A THREAT A threat to your organization + + =

6 What is threat hunting? You have “good stuff” in your network, the bad guys want it; they are attacking you as we speak-trying to get a foothold Yes you have defenses (NGFW, AV, IDS, SIEM…) but Pobodys Nerfect Assume Breach paradigm is needed Despite your best defenses, the bad guys are inside – what now? Answer: Go looking for them Threat hunting is A focused, iterative approach to seeking adversaries inside your network Threat hunting is not Waiting for someone else to tell you that you’ve been hacked

7 Why hunt for threats? 80%+ of malware is tailored to the target network Time to discover is 200+ days

8 The Kill Chain of Advanced Threats
Antispam Malicious Spam Spam Web Filtering Malicious Link Malicious Link Malicious Web Site Intrusion Prevention Customer Office Exploit Exploit Anti-Malware Malware Malware App Control Command & Control Server Bot Commands & Stolen Data Bot Commands & Stolen Data Access Confirmed

9 A win is a win – catch them anywhere in the cycle
Where in the kill chain to catch them? A win is a win – catch them anywhere in the cycle and you win; they lose Don’t buy the bogus argument: Defenders have to win every time all the time but attackers get infinite tries and need to win only once With this shift, show them there will be losers… we should have a slight variation of this slide per vertical depending on Source: Verizon report

10 Assume you’ll catch something, then what?
Work out an Incident Response Plan Who does what when an incident is found Stages of IR

11 What do you need to start hunting?
Get data from assets Passive defense first Active defense next Meld TI into the mix Only hypothetical: Offense If you have nation-state capabilities (hint: you don’t)

12 How to hunt? Form a hypotheses. For example –
VPN connections from outside our home country bear investigation First time seen processes on critical machines need eyes Get data Linked data makes analysis possible; pivoting is key How to search Visualization, anomaly How to focus Enrichment

13 Who should hunt? This is a full time job – hard to do part time Dedicated staff is preferred Ideally focused on true threats, not sidelined by alert response or network maintenance or vulnerability patching tasks Curious people with exposure to security technologies Security Operations Skills: Tier 1 Rankings 80% Log analysis and use of analytic tools 78% Knowledge of baseline network activity 70% Threat analysis (including the use of threat intelligence) 66% Understanding of baseline endpoint apps, users and access

14 Hunting Maturity Model
LEVEL 0 INITIAL Relies primarily on automated alerting Little or no routine data collection LEVEL 1 MINIMAL Incorporates threat intelligence indicator searches Moderate or high level of routine data collections LEVEL 2 PROCEDURAL Follows data analysis procedures created by others High or very high level of routine data collection LEVEL 3 INNOVATIVE Creates new data analysis procedures LEVEL 4 LEADING Automates the majority of successful data analysis procedures

15 Demonstration EventTracker 9 is a threat hunters dream weapon
Super fast search with linked data via Elastic Search Visualizations, enrichment, anomaly engine Death Star

16 How SIEMphonic hunts Start with end in mind – IR Plan
Identify data sources and integrate them Integrate threat intelligence Get triggers from various sources Anomaly detection in network Notification from threat intel (global or community) Review hourly reports Crown jewels analysis Escalate L1  L2 L3  customer with remediation recommendations Recording via Case book - Leverage IR Playbook Update Risk Register

17 eventtracker.com/catch-of-the-day
We review billions of logs daily to protect our customers. See what we caught today! eventtracker.com/catch-of-the-day

18 Resources The Threat Hunting Project: www.threathunting.net
• Enterprise Detection & Response: • “The Who, What, Where, When, Why and How of Effective Threat Hunting”: • “Generating Hypotheses for Successful Threat Hunting”:

19 Q&A

20 Thank you.

Download ppt "Let’s go Threat Hunting"

Similar presentations

Security Life Cycle for Advanced Threats

Security Life Cycle for Advanced Threats
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.

Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
1© Copyright 2012 EMC Corporation. All rights reserved. Getting Ahead of Advanced Threats Advanced Security Solutions for Trusted IT Chezki Gil – Territory.

1© Copyright 2012 EMC Corporation. All rights reserved. Getting Ahead of Advanced Threats Advanced Security Solutions for Trusted IT Chezki Gil – Territory.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Alert Logic Security and Compliance Solutions for vCloud Air High-level Overview.

Alert Logic Security and Compliance Solutions for vCloud Air High-level Overview.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.
Ali Alhamdan, PhD National Information Center Ministry of Interior

Ali Alhamdan, PhD National Information Center Ministry of Interior
CIO Perspectives on Security Fabrício Brasileiro Regional Sales Manager.

CIO Perspectives on Security Fabrício Brasileiro Regional Sales Manager.
2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.

2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.
1 Current Trends in Enterprise IT Network Security Key Takeaways Based on 100 Survey Responses © 2016 Lumeta Corporation.

1 Current Trends in Enterprise IT Network Security Key Takeaways Based on 100 Survey Responses © 2016 Lumeta Corporation.
How to Make Cyber Threat Intelligence Actionable

How to Make Cyber Threat Intelligence Actionable
Why SIEM – Why Security Intelligence??

Why SIEM – Why Security Intelligence??
IT Security Mandatory Solutions Andris Soroka 2nd of July, RIGA.

IT Security Mandatory Solutions Andris Soroka 2nd of July, RIGA.
©2014 Check Point Software Technologies Ltd. 2014 Security Report “Critical Security Trends and What You Need to Know Today” Nick Hampson Security Engineering.

©2014 Check Point Software Technologies Ltd Security Report “Critical Security Trends and What You Need to Know Today” Nick Hampson Security Engineering.

Similar presentations

Ads by Google