Cyber Threat Hunting with Phirelight


Transcript of Cyber Threat Hunting with Phirelight

Page 1: Cyber Threat Hunting with Phirelight

Cyber Threat Hunting: A Fundamental Change in Mindset

Chris Dodunski, CTO, Phirelight Security Solutions, Inc.

Page 2: Cyber Threat Hunting with Phirelight

Cyber Security Evolution

Reactive Security → Proactive Cyber Threat Hunting

Must evolve!

Page 3: Cyber Threat Hunting with Phirelight

Threat Hunting Terminology

Adversary (The hacker or operator)

Customer (The end beneficiary of the hack, breach, intrusion, etc.)

Capability or Capacity (The theoretical tools, techniques, methods, exposures or vulnerabilities to be exploited)

Infrastructure (The physical or logical communication platform used to achieve the goal)

Victim (The company, server, person, account, etc. that is the …)

Sergio Caltagirone, Andrew Pendergast and Christopher Betz, “The Diamond Model of Intrusion Analysis,” Active Response, July 2013

Page 4: Cyber Threat Hunting with Phirelight

Threat Hunting Styles

Victim-Centered: The most common approach in Enterprise security. Focused on monitoring the hosts and the networks to identify malicious infrastructure and capabilities.

Capability-Centered: Focused on identifying features of a capability in order to find other elements related to the adversary’s operation. Common in AV vendor reports.

Infrastructure-Centered: Focused on the malicious infrastructure used in the attacks, with the goal of mapping adversary-owned infrastructure, pivoting to identify other victims, and uncovering additional capabilities used in the attacks.

Other Styles: There are other styles of threat hunting, but they are either outside of the cyber realm (socio-economic-centered), in the realm of law enforcement agencies (adversary-centered), or focused on technologies and services, which sits more in the theoretical research camp (e.g. fuzzing, 0-day exploit hunting, etc.).

Page 5: Cyber Threat Hunting with Phirelight

So, What is Cyber Threat Hunting?

It is the human-driven search for one or more phases of a cyber attack conducted by an adversary, using tools, information and investigative techniques. It is NOT waiting for an alert to be fired from a piece of technology.

• Threat intelligence (data about known threats)

• Behavioral analytics (data about suspicious activity)

• Complete Situational Awareness (data about the environment)

• Intuition, hunches and hypotheses (human judgment)

• Security tools that produce consumable data (contextual answers)

Page 6: Cyber Threat Hunting with Phirelight

Five Levels of Capability**

Level 1: Initial
• Relies primarily on automated alerting
• Little or no routine data collection

Level 2: Minimal
• Incorporates threat intelligence indicator searches
• Moderate or high level of routine data collection

Level 3: Procedural
• Follows data analysis procedures created by others
• High or very high level of routine data collection

Level 4: Innovative
• Creates new data analysis procedures
• High or very high level of routine data collection

Level 5: Leading
• Automates the majority of successful data analysis procedures
• High or very high level of routine data collection

**David Bianco, “A Simple Hunting Maturity Model,” Enterprise Detection & Response blog, Oct. 15, 2015

Page 7: Cyber Threat Hunting with Phirelight

Example Threat Hunt: Victim-Centered

Hypothesis: System is potentially compromised.

Trigger: SSH traffic visualization indicates low volatility communications during data browse.

Tools: rapidPHIRE Cyber Intelligence Platform. Inspects network traffic using a combination of threat intelligence, behavioral analytics and vulnerability data, combined with full-stack network operational data collection (i.e. security and operational observations).
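The trigger above is a session-level behavioral signal: SSH connections between one host pair whose timing and size barely vary. The following is an added example, not part of the deck or of rapidPHIRE, that scores that "volatility" over constructed Bro/Zeek-style conn records (assumed fields: ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes); the 0.15 threshold and the four-session minimum are assumptions a hunter would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records shaped like Bro conn.log rows:
# (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes). Not real traffic.
T0 = 1_700_000_000.0
SAMPLE_CONN = [
    # 10.0.0.5 -> 203.0.113.7: SSH about every 300 s, near-constant size (low volatility)
    (T0 + 0,    "10.0.0.5", "203.0.113.7", 22, 1200),
    (T0 + 301,  "10.0.0.5", "203.0.113.7", 22, 1208),
    (T0 + 599,  "10.0.0.5", "203.0.113.7", 22, 1196),
    (T0 + 902,  "10.0.0.5", "203.0.113.7", 22, 1204),
    (T0 + 1200, "10.0.0.5", "203.0.113.7", 22, 1200),
    (T0 + 1498, "10.0.0.5", "203.0.113.7", 22, 1192),
    # 10.0.0.9 -> 10.0.0.20: interactive admin SSH, irregular timing and sizes
    (T0 + 10,   "10.0.0.9", "10.0.0.20", 22, 300),
    (T0 + 25,   "10.0.0.9", "10.0.0.20", 22, 50000),
    (T0 + 400,  "10.0.0.9", "10.0.0.20", 22, 8000),
    (T0 + 1300, "10.0.0.9", "10.0.0.20", 22, 120),
    (T0 + 1350, "10.0.0.9", "10.0.0.20", 22, 4500),
    # too few sessions to judge, plus non-SSH traffic that must be ignored
    (T0 + 50,   "10.0.0.7", "10.0.0.20", 22, 900),
    (T0 + 350,  "10.0.0.7", "10.0.0.20", 22, 900),
    (T0 + 60,   "10.0.0.5", "203.0.113.7", 443, 1200),
]

def cv(values):
    """Coefficient of variation (population stdev / mean); 0 when the mean is 0."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def session_volatility(records, port=22, min_sessions=4):
    """Per (src, dst) pair on `port`: session count, CV of inter-arrival gaps, CV of sizes."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        if dport == port:
            by_pair[(src, dst)].append((ts, nbytes))
    stats = {}
    for pair, events in by_pair.items():
        if len(events) < min_sessions:  # not enough sessions to call the timing regular
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        stats[pair] = {"count": len(events), "gap_cv": cv(gaps),
                       "bytes_cv": cv([e[1] for e in events])}
    return stats

def low_volatility_pairs(records, max_cv=0.15):
    """Pairs whose timing and size both vary less than `max_cv` (threshold is an assumption)."""
    return sorted(p for p, s in session_volatility(records).items()
                  if s["gap_cv"] <= max_cv and s["bytes_cv"] <= max_cv)
```

A flagged pair is a hunt lead to pivot on (host, user, and vulnerability context), not a verdict; a scheduled backup over SSH produces the same shape.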

Page 8: Cyber Threat Hunting with Phirelight

Sufficient Data and Tools?

Threat Intelligence? Yes. rapidPHIRE uses over 40 global threat intelligence feeds as well as private threat intelligence specific to the network being monitored.

Behavioral Analytics? Yes. The rapidPHIRE Cyber Intelligence Platform uses a combination of Bro policies for IP session-based analysis, as well as machine learning and anomaly detection of network communications at a higher altitude (i.e. network communications level).

Situational Awareness? Yes. rapidPHIRE collects all operational data communications on every active device on the monitored network, identifying the MAC, IP, hostname and active user credentials on the system, and tracks all application communications in and out, thus learning each system's function. Additionally, rapidPHIRE is aware of the theoretical vulnerabilities of each system discovered.

Consumable Data? Yes. The rapidPHIRE solution tells a rich visual story and provides quick answers, allowing for threat hunters to pivot through the data very quickly.

Page 12: Cyber Threat Hunting with Phirelight

Windows Vista Laptop (no extended support from Microsoft on system)

Swiss C&C Platform

CVE-2015-0016: Score 9.3

Total compromise of system integrity and protection. Entire system may be compromised.

Pivot from Victim (contextual indicators)

Page 13: Cyber Threat Hunting with Phirelight

rapidPHIRE Live Demo: Situational Awareness