How To Sign Iowa Banking Word

How to industry sign banking iowa word secure

hello and welcome to our threat hunting basics webcast with logarithm on this webcast to a surprise everybody Paul is actually here say hi Paul I made it I made it yeah and we have AC from logarithm our sponsor for this webcast and me so alright so what we're gonna do is we're going to talk about some cool things that Paul and I have found interesting over the past couple of weeks whenever we're talking about threat hunting and getting ready for a threat hunt and then also we're gonna hand it over to logarithm and logarithm slides are really really cool they talked about a lot of vent IDs specific things to look for that that are indications of different compromises escalation different programs executing so it's a really cool webcast so thank you so much and let's kick it off alright so one of the first things that we like to do for threat hunting preparation believe it or not has literally nothing to do with threat hunting at all basically what can you do to identify what types of command and control are allowed outbound from your organization now the reason why this is critical is the fewer ports and the fewer doors you have open for a bad guy to get a command and control session out of your environment it reduces the total amount of places that you end up looking to try to identify command and control leaving your environment for example in this particular set that we have set up from the pen test that take Joff did this one he went through and created a number of different backdoors DNS cat PowerShell backdoors meterpreter reverse tcp reverse HTTP all of these different types of malware specimens using different types of command and control on a variety of different ports and at the top you can see that it was able to make a connection leaving on port 21 22 84 43 and 8080 that's giving a lot of ground for a bad guy to be able to blow through those particular ports to establish a command and control server in some horrible country someplace that you know you don't want your data actually going to now as you do this type of testing it's also important to look at the type of testing that you can do to cross-reference hedge ITER attack matrix yeah Paul so I just want to go back to that other slide where you talked about testing the ways in which an attacker could basically make a network connection outside of your network are there like standard tools and techniques like can I just download something drop it in my network and it'll test a bunch of things I remember Pony Express is devices actually used to kind of do that by default right are there tools you recommend for defenders to do that one of the things that you can do is really quite easy to do just set up a server on like digitalocean right and then simply do a port scan of that server and identify which ports were allowed to make a connection all the way through yeah so that's really easy for TCP but it's not quite so easy for services like DNS sure that's why tools like DNS cat can actually do that covert channel detection with because it requires that full protocol to be utilized mm-hmm awesome cool now Paul as you know with any webcast that we do it's impossible for me to get through the webcast without talking about the minor attack framework absolutely love this framework because it's giving defenders the capability to sit down and say what is the total set of different techniques we see for persistence privilege escalation defensive evasion discovery lateral movement execution what are the different techniques that are utilized and can we actually detect these various techniques being used in our organization now there are some tools out there like unfetter from the NSA and caldera from mitre that allows you to automate a tremendous amount of this and this could be something we're going to talk about a little bit later with logarithm and AC when he starts talking about it is you can actually go through and test these things and you can very quickly identify in a tool like logarithm whether or not these things are being detected and the fact we encourage anybody that has d a defensive network to actually do that hey John there's there's a couple of more that cropped up actually so you mentioned caldera you did you mention Chris gates at uber also created meta meta it's uber - common for / meta under github and then there was the atomic red team from red canary and then yes a new one that actually met the person last week that is spearheading the project that endgame actually created one for testing against the miter attack framework and I believe we'll be releasing that open source as well I actually have a slide on that in my presentation I gave the other day in Orlando and learned that that endgame had one as well so there's increasingly more and more vendors and open source projects and vendors releasing open source projects to support the mitre attack framework which I thought was just fantastic and I think that we've been talking about it for a while this is threat intelligence being used correctly looking at all the different tactics that are used not just for a specific threat actor but being able to look at the tactics that are consistently used across multiple threads and then detecting and your ability or basically gauging your ability to detect those capabilities fantastic that's amazing and just to your point actually pull you know I think it's really you know positive to hear that kind of shift in mindset of you know the defenders kind of going out and forming active defense and referring to these free available resources you don't getting really good and quick than are you just by keeping it simple yeah absolutely some other things that we recommend in AC and I were talking about this before of a webcast I am a really big fan and Paul you've talking about it for a long time of inventory right yeah can you actually inventory all of your systems can you inventory the processes the services that are running now this isn't specific to something like log analysis or sim or a detection capability but whenever you have an alert that is generated if you have a corresponding inventory that you can quickly identify in that asset that is generating anomalous behavior and you can quickly drill down to identify what are the drivers on that system or the ports that are being used on that system what are the accounts that are on that system and so on and makes the Incident Response next step process but as part of identification so much easier and there's a couple of tools that we absolutely love system configuration manager or System Center Configuration Manager is a tool that most all enterprises already have you could also run something like teen IAM as well you could even use PowerShell someone that's been on our show we love all the work that he's done over the years is David hull and he released a tool a long time ago that he's been keeping up-to-date called concept and constant will do stacked analysis of all of your different workstations so you aren't doing an individual workstation buy a workstation lookup for atomic indicators of compromises you can stack all of the different processes on all of your different systems together and by doing a stacked analysis and doing a long tail analysis it makes it much more efficient to try to identify deviations in your environment rather than trying to categorize every single thing that's running all the processes all the programs all the services and looking at each individual system in and of itself by stacking them together and identifying what processes are common across an entire environment what processes are unique within that environment it allows you to identify those outliers very quickly now by and large console requires PowerShell 3.0 but that should be pretty easy with most modern Windows 10 systems it should be at least at that version full functionality you have to install handle and autoruns sis eternals from Microsoft and put that on a file share somewhere in your environment where all of your systems can access those files then you're gonna have to install log parser on the admin machine that's launching the scripts and then you need to make sure that Windows remote management is enabled with Windows RM quick config then you're able to log on to every single one of the workstations and do stacked analysis now here's the stacked analysis in a quick lab or on Paul where we had 10 systems and all 10 systems had these processes running on them and it was able to tell us the executables and the md5 hashes now when every single system in your environment is running the exact same program that either means one of two things either that program is pretty normal in your environment or you're so completely compromised that you should probably just shut off the network connection to the Internet and go to sleep for a while we usually don't see malware that spreads to every single system and environment so this is not really something that we would expect to see in most incidents that we're working so by and large you can take all of these programs that are installed on every single workstation in your environment you could say these are most likely normal this allows you to baseline what is normal without actually having to go to each individual system and baseline what is normal manual now what does Const actually pull it'll pull information like net staff from network connection DNS cache process handles WMI log user assist values which is cool talk about that here in a second service fails service triggers different event filters connections event consumer auto runs PowerShell profiles temporary directory listings and local administrators so it makes it very very very easy for you to do this type of analysis across multiple systems and correlate and do a stacked analysis on every single one of these computer systems in an automated fashion now here's the long tail on these systems long tail on these systems we saw that every single system will have a DNS entry for itself that is normal but we also saw that we had two systems that had DNS entries for truly evil 550 and mail dot truly evil dot 550 that would be an anomalous domain also for counts for the user accounts we had the IE user accounts domain accounts administrator accounts and only one of the systems had my malicious support elite account the three one three three seven account once again these discrepancies show up very clearly in an environment when doing a stacked analysis and when you do it this way rather than trying to analyze every single system now down below you see the CT value these are all the single entries for programs that were executed by an individual of course we see log parser because that's running on the analysis system now the Windows Defender one was very interesting to me I had one of my systems that had a firewall enabled and I disabled that firewall or modified the firewall to allow Windows remote management in and because I interacted with Windows Firewall it actually showed the log user assist value that I had interacted with Windows Defender also we see fondoo which shows up on a number of Windows systems from time to time but more importantly you can see that we have the users administrators downloads MSF that would be my malware in this specific environment so instead of trying to find a specific signature and trying to find bad programs doing bad things I instead will focus on what are the things that are only happening on one or two systems in my entire environment the other title that oh yeah go ahead I just saw a question based on the constitute you just described which admit they had not heard of before I was looking into it I haven't tested it hands on yet but it was at Facebook that did OS query did they release os query as open source so could you use os query that no there's another project called collide that when I polled our Twitter audience for security weekly they send a lot of people were using collide + OS query could you accomplish some of the same things that you're talking about some of the same goals as concert provides with something like OS query absolutely you could but we require custom queries on the database on the backend um you would have to do yet basically have to sort every single record that exists for processes and display to count associated with them which honestly is not that difficult if you if you know what you're doing in fact as far as inventory using those two different tools the big one that I see actually used in many environments is actually google's ger they actually do the same type of kind of baselining of systems for free as well once again back in database you can do that type of querying and stacked analysis with simple simple sequel queries awesome hey John just on that last slide one thing that I found quite interesting is the fact that in the results there you've got the bottom I guess 10 results for example and then on a couple of the other pictures you've got the top and that's kind of relevant to what I'll be talking about in then in the realms of hunting and kind of knowing and understanding your infrastructure and what's normal so it's interesting you've got two different outputs there but one would only show up if it's a top X and one might only show up and fix the bottom X so that's absolutely like oh the next tool this is something that we were talking about to AC we were talking about logon tracer and this is JP cert and JP cert has been doing an amazing amount of research and development over the past few years they've just absolutely rocked it and what logon tracer allows you to do is ingest EVT x files from your domain controller and it will automatically identify authentication in your environment and show you the top communicators in your environment so on the right hand side you see the administrator account is being used and then the Machida Kon Kanagawa account is being used as well on multiple systems so on this graph you can see administrators authenticated to four workstations it's but the kind of the cross in the middle and Machida is actually authenticated to two different workstations as well so being able to do that type of drawing of which accounts are logged into which systems allows you to identify multiple concurrent logins for potentially compromised accounts now this is basically the heart of user kind of user analytics user behavioral analytics and there's a lot of products out there that do that we'll talk about logarithm here in just a few moments that also supports this type of capability as well but being able to identify accounts that are quote-unquote behaving badly is is an amazing amazing step in the right direction now one of the differences for a tool like this versus a nice automated tool is this is a single-shot tool you have to export the e BTX files upload it into this logon tracer utility and then it has to actually graph it for you it's not something that's actually working continuously and generating alerts on the back end but when you're doing threat hunting it's a nice little tactical tool that you can to use rather than doing it a strategic level now for Network setup Paul and I are big fans we've already done a couple of webcasts last week about this so I'm not going to spend too much time on it but when you're talking about network setup and trying to detect Network anomalies one of the big things that we see missing from a large number of organizations today is actually having a spam port and their egress traffic where they can basically see pre network address translation where all of their systems on the inside of their network are going outside of the network on the internet so if you have one compromised computer system with a little ik icon on it that's communicating to the bad guy or bad gal system on the outside of the internet you need to be able to get those RFC 1918 IP addresses for non-routable internal IP addresses and you need that because if there's something acting malicious or even just interesting you need to be able to identify exactly what the IP address of that asset is and that requires you to have a and poor pre network address translation out of your firewall to be able to dump that into something for free like bro or Rita and bro and Rito work very well together as well so why would you use bro well to be honest speed right it's a very fast tool it has greats usual support big user base and also the timestamps are consistent and that's key whenever you're trying to do any type of analytics for frequency and beaconing detection to be able to identify weird communication pairs leaving your environment and this is all part of going away from signature based detection and that's one of the reasons honestly whenever Paul and I spend time talking about vendors that come onto security weekly we do spend a lot of time talking about whether or not we want a vendor to be part of that and anytime we have a vendor that spends a tremendous amount of time talking about how they can do their job for you that's not really a vendor we're interested in whenever you have vendors that come on and say well we can actually assist you in doing your job and get you the data that you need so that you can make good determinations about what happened what's happening well that's fantastic as well Rita is free we've talked about it many times for doing frequency analysis and beaconing detection in an environment you can download it this is the the git repository where you can pull it down and then final housekeeping that I would like to add in clear out ads have some tour some type of ad blocking in your environment so you do not have to sift through terabytes of AD connections trying to identify potentially malicious connections regardless of whatever tool you're using the more you can clean up that signal on the wire the more effective your threat hunting is actually going to be so please try to find a way to block ads either by using the Cisco umbrella project or Open DNS whatever one you can actually use piehole is another good one Paul I believe that we've had a bunch of them recommended over the past years there's a number of them out there it's sintering in my my presentation where I talk about open source tools in the enterprise that are used for security I cover the the PI whole project and how we use that actually here in security weekly and how that tied into a bunch of technical segments that you can go back in the archives and and watch and in all of that is free and essentially Pinal was made for a Raspberry Pi but you can just dump that on like you said a digitalocean droplet and and be off to the races which is great there's you know also commercial solutions I want to also go back to you know some of you are kind of network monitoring stuff I know logarithm has done freemium which is pretty awesome the security onion I didn't realize how great that project was and I spend a lot of specially now especially right now with okay I spent a lot of time in my talk talking about my experiences with the experimental version and just how quickly I was able to and I never on freemium did the same thing in fact Greg Faust came here in our studio and set up the the net Mon freemium and was like given people demos and showing them stuff that you could identify and that's essentially all hunting and all these tools are free and when we look at you know where you can sniff that data from there are so many tools that just out of the box give you great insights into your network I know that for some of our skype machines we talked about looking at connections I was like well they're connecting to lists that are on some kind of threat list or or blacklist and it's because they make so many connections to so many different systems in the way that that Skype works that's the bubble to the surface pretty quickly in my environment so well I think that that's gonna be a sea change in the way that we actually approach security as well instead of trying to find tools that actually do our jobs for us but actually moving towards tools that enable us to get information and really solid intelligence out of what is happening on the network in our environment is really where things have to go yeah and I will say too that when I did use and I still have it set up in the studio here they're monitoring our network and as you said John the security onion the experimental version has a full ilk stack and kibana is the web interface and I had used that for the first time a couple weeks ago and it gives you some interesting statistics but like it doesn't necessarily answer all of my questions being kind of a an analyst in this you know since the 2001 when I started monitoring networks it doesn't directly answer all my questions I end up like clicking around going that's interesting but it doesn't give me enough insights which is why I'm very interested in what andrew has to say and what some of the other tools it's also why I was kind of bugging you over the past couple of weeks to be like look what read it like Rita can just answer my questions than I want to ask of my network would generate a little bit of background so Paul calls us up just so you guys know and he's like he breed is not installing on security onion and we're like Rita does install on security onion he's like it's not working it's crashing it's crashing it's crashing it's crashing and he's sending a stack trace we're like holy crap it's actually crashing we come to find out that Paul's got this super secret sauce experimental non-public release of the security onion that's completely different from what we installed lately different so I'll say I will say the stable version of security onion I followed the instructions for Rita dude I had a report in like like five minutes like it works flawlessly as soon as I went to the experimental version of security onion they call it experimental for a reason right it's like it's not fully baked yet so then I tried like a beta version of Rita and I sent notes to like both developers I'm like you guys will figure it out I'm confident that you will I gotta move on to other things well it'll get figured out and when it does you know it'll be awesome but obviously there are experimental versions of most of these projects that we talked about to be safe use the stable version it we're I and if I didn't break it believe me it probably works pretty well it's pretty good brain stuff well we're not the world of open source right yes absolutely all fun and games now with that ohad what you talked about I went through my slides kind of fast and the reason why I went through my slides kind of fast is AC has got all kinds of slides that he's going to talk about now so we're gonna kick it over you ready to share your screen I am and ISA I'm so glad that you're sharing a screen and not a hideous picture of me by the way we can see your video box in Skype because Skype is kind of dying about oh there you go there we go all right we're good and with that we'll hand it over Andrew is going to take over Andrew tell us a little bit about roll at logarithm before we get started them yeah absolutely so I'm a fret research engineer I'm based over in the UK and I've been at logarithm for just over five years now so my general background is quite varied actually so I kind of started out doing hardware support somewhere around 17 years ago kind of moved up to kind of sysadmin field engineer consulting Conor been specialized in enterprise application level support and a bit of infrastructure and just free logarithm really my career's kind of ended up doing fret research in our labs department so my kind of day-to-day role is quite varied you kind of touched on a few points earlier John part of part of our role as a team is to develop new content so that would be for example ueb a and also rules to deal with network monitor as well as things like obviously research in the threat landscape malware analysis and triage and well I'm sure you guys can relate you know you wear many hats so it's quite a varied and dynamic role I just I wanted before you start and you just talk about you EBA because having spent time with over 40 vendors in the past week and a half or so it's really a feature and I don't want our audience to think that it's not a valid feature because they've seen it in the marketing of so many other security vendors there are people to get it right there are people they get it wrong but it is a very valid feature and when done correctly such as a logarithm solution it's an extremely valuable piece of information to have in your arsenal especially as a threat hunter and that's a trend that I've seen when you EBA first came out there's like whole startups that said you know like this is what we do largely those have been swallowed up larger companies such as logarithm are like well no that's a feature like we we have that data we can we can build it and are doing it very effectively and it's one aspect of threat hunting that you should absolutely be paying attention to you know and that's a really good point Paul because finally enough we were developed in originally our module was called the user threat detection module and we were going for a bit of a revamp and a bit of internal housekeeping thinking about ways to update that particular module and just around that sort of time this whole UE be a buzz kind of hit the industry and we kind of as part of our review kind of came to a realization that we actually already do you EPA out of the box but it it kind of helped us to kind of focus in some areas but coupled with things like cloud AI and true identity and you know the various correlation rules that we have in that particular module and coupled also with things like JP sir you know the mitre attack matrix that's when you can really benefit from no not just you EPA and having that work properly but also kind of complement in the the new the new kind of resources it come you know quite widespread over the recent months yeah and I so it's really basic questions or common sense questions that you're asking of your security analytic solutions if a user successfully logs in from two different locations that's a pretty easy thing to spa and like you said Andrew like you're like we could we could spot that a long time ago we didn't call it you EBA back then but that was an event that someone would want to pay attention to absolutely and actually going back to the just on the John slide he mentioned about inventory and again it was just something that we do out the box in terms of entities we have you know it's one of the very first phases of our kind of deploying our solution to our customers is to define your entities you know deciding where your assets live it almost kind of like a logical structure if you like of your organization and by that you're able to then quickly correlate on things like identity or what that device type might be and that's going to then subsequently make life easier when it comes to you know proactive threat hunting and active defense and so on awesome all right so shall I get started yes please do SRT conferencing on some of these slides a little bit shouldn't take too long to get through if my PowerPoint will actually wake up and respond sorry guys can you see my screen oh yes we got it all right so obviously this is probably a bit of a given so why we hunt in so it's kind of common knowledge these days that you know hackers and and you know underground auctions as well as apt nation state-sponsored attackers you know targeting organizations one thing that particularly brand rank truth for me personally was I don't know if you guys remember actually so I think it was a couple of years ago there was a company called the hacking team and they were basically a government spying agency and they they basically got hacked and the hacker pasted how he got in on pastebin and it was really interesting read but he claims that actually out of the most of the fortune 500 companies that exist there's pretty much you know botnets or you know our DPS that exist within there that kind of reminisce with me but you know this is you know there are to this day still companies that just think they're a little bit untouchable and that this stuff isn't happening but I don't know if you guys remember that story I do and I always found it in something I don't think we talked about enough but there's a in underground market for that level of access into an organization if you've got stealthy access into a some companies especially here in the US like there are whole groups out there that that's what they do and then they just sell that to someone else yeah exactly RDP you know servers for sale you know really readily available and accessible in an instant just you know painting my Bitcoin and away we go all right so kind of wet weather this will kind of hopefully start making sense in a little bit so I just want to touch on the pyramid of pain so David Bianco came up with this kind of concepts of the idea behind this graphic being that the pyramid of pain is just a way of measuring the usefulness of your threat intelligence so you know traditionally you know things like IPS and hashes and domain names for instance have a very short shelf life so you know if you can if you're able to effectively try and prevent tools for instance from hitting your network then you're gonna potentially quite drastically reduce the likelihood of the attacker getting back in or at least trying to kind of fork their attempts later down the line so kind of how this fits in and just as a quick example so you know taking a simple IP version 4 address you know most modern-day operating systems you can put in you know hex or a decimal or not or even a combination you know insert web browser and still reach as an example peer security weekly or whatever the domain name is so you know that the idea going back to the Pyramid of pain is that you know beat these you know malware authors can quite easily and readily available II update c2 infrastructure you know all it takes is someone to upload a file potentially a suspicious file to virustotal and that in itself could trigger a notification to you know the organized crime group that are responsible and then they may change their hash or IP addresses or teardown a domain name and so on so that's where the idea of maturity models come in and it's I'm kind of covering off some of the reasons as to kind of kind of just put this into context you know boy some of this is relevant to fret hunting because for example in in the realms of maturity models you don't have to be on the kind of far-right end of the scale and just Rin for instance the graphic on the left is the COBIT maturity model the one on the right is the logarithms interpretation of the mature have of their own code of maturity when this I'm sure there's other maturity models that exist out there but the general kind of consensus is the higher up the spectrum that you are more mature your security posture is then the easier life's going to be with hunting but that's not to say that you can't necessarily do fret hunting unless you're at the far end I mean even if you have no security tools equal disposal disposal it's still possible to do fret hunting even just by using you know static logs Windows Linux servers but of course that that process is going to be very manual and it's going to take you considerable amount of time yeah you know I grew to Andrew in you know we talk about when you're ready to implement some kind of solution or some kind of tactic or technique and I think you know largely what John and John will agree with me here I believe is that like anyone and everyone should be hunting it's not an activity where you're like well I have to have like all this other stuff in place or I have to have you know all this stuff in place over here like anyone can just start hunting today like right now like after this webcast everyone listen you can go do some hunting in your environment and I think that's an important point for this for this presentation absolutely and actually we we ran a similar webinar earlier in the week and we did a quick poll as to you know do people think so the participants decided to vote whether you know fret hunting was a buzz word or whether they're actively going out and already hunting and I genuinely believed that the majority would say that it was maybe a bit of industry fight to my surprise they were actual y I think the majority were actually already going out and hunting so that was quite kind of refreshing to hear that I thought and so yeah so moving on so just a few other reasons to hunt so interestingly one of the things that I've picked up on just in my time over the years in this space is that you know a common common problem that many companies face is staff retention so quite often I've seen people leave you know great companies because they're just not getting for and hunting has got a really good kind of almost kind of HR benefit because you know your typical blue team can become the purple team and maybe they don't have kind of a red team background but it's a perfect opportunity to kind of fully engage your you know your resources and get them more involved in kind of thinking like anniversary thinking like an attacker fitting on that kind of black cap momentarily and kind of understand it and figuring out how they might want to get into that organization because people don't often think of it like that unless of course they have come from a pen testing background but you can't obviously assume everyone has obviously the other reasons to you know as another benefit so you know doing the hunting obviously increases your visibility so in the example that I'll get to and towards the end of this presentation it's just an example of you know you could start hunting for something that could be you know what you might think would probably not turn up any results and it could in fact turn up something malicious but it also could turn up something completely benign and may just increase your visibility into maybe a you know performance issue on your network or your server or an application reliability problem so you know just by hunting alone you can instantly start touching on areas of your network that you may not otherwise touch on unless that system just happens to go down for instance and again not to repeat is too much but you know fully utilize in all of your security tools and increase in your return investment and I think that hunting really plays a part in this because you know every company has got you know quite a collection of tools but quite often they're just not getting the real value from it so hunting really comes into its own because you really do start touching on not only you know the search capabilities but also things like ticket in case management and and so on and also just last went on this slide and traditionally and maybe not always but incidents or instant responders typically a work in you know to kind of type deadlines they usually operate under kind of fire highly pressurized environments and having to provide you know answers and updates to sea level and management and so on and the good thing with hunting is it doesn't have to necessarily be under that kind of intensity of pressure so free huntin is more likely and not necessarily guaranteed even but it's more likely to unravel in you know wings of interests Andrew and one thing you made me think of when you went through all the points on that slide was I think another benefit is as an incident responder often times you find yourself responding to an incident because someone else found it an external entity the FBI someone else in the organization says well we can't get to the Internet and it's because of some security incident when and you spend time responding to that but when you are the hunter and you find a problem that nobody else knew about because there was no other indicators other than you spend some time and found it in the network and you bring it to other people you're like look that system is compromised no one else really noticed this but like when I did my investigation like this is is compromised it increases your visibility in the organization as a security person and develops trust within the organization because they're like oh wow like they found out something and we got it fixed before it caused any major issues and I think that's important as well slightly as well and also pull but you know as you know you know do an incident response quite often you know the the forensic kind of approach particularly if maybe that incident might result in you know and not go into a court of law you know the forensic process has to be very precise you know you know high precision high efficacy and so on but with hunting it's not so you know it's not so stringent and you know it so there's a little bit more flexibility I guess right absolutely so can't have a talk about talking about kill chains but just very quickly you know if you know depending on your your own interpretation wheel we've all probably heard of the latke kill chain the graphic in the bottom part of the screen is the logarithms implementation but really how that kind of plays a part in fret hunting is because you can use these kill chains so you think about what might be relevant to you and your organization so for example maybe you're only interested in you know data being exfiltrated out of your organization so therefore that would be a good place to start and it kind of goes back to what John covered earlier talking about the mitre attack matrix which I believe is on my next slide as well but you know this is a really good breakdown of just being able to decide you know where to begin I think there's it could be a bit of a perception possibly that you know fred hunting is maybe a little bit overwhelming but it really doesn't have to be and again you know john you said it in one of your slides but you know just keeping things simple is sometimes all that's needed and the final point on this slide is the kind of the logarithm equivalent of our kill chain which we've kind of called the attack lifecycle we actually have numerous rules that kind of fit into those particular phases of the attack lifecycle so for example not only could you only for example focus on the exfiltration phase big you might then specifically pick out a detection rule so I'll use the one in the bottom right corner so mass files deleted by admin so you could then use that rule just the simple name of the rule as the direction for you know an example of a hunt and then go off and go into your research and then proactively go out and do the hunt and so just a few points to touch on here so challenges so the idea of threat hunting perhaps isn't I mean it's definitely building traction but perhaps it could be a stopping point at the kind of sea level board level is because you're essentially selling the concept of hunting and to almost try and guarantee that you might find something but of course as we know there is no guarantee and all I would say though is that I would caveat that if anyone was to argue that fret hunting is is not beneficial I would look at the average number of days to detect and respond so the mean time to detect and respond I think the last I heard was something like 170 something days last year so the chances are if you are actively doing threat hunting even just one day a week the chances are even with a small number of resources allocated to hunting you probably going to turn up something it might not necessarily be a piece of you know a sophisticated attack even but I don't believe that there's I mean this is just a personal belief that I don't believe that there's any such thing as an unsuccessful frequence operation because the chances are you're still going to turn up something even if this is not necessarily an attack because you're still going to learn by whatever you whatever results you know produced I kind of touched on the HR side but you do of course need to have ideally tactically shot people and but not necessarily technically shot people but just people that are enthusiastic and want to get more involved you need to be a little bit mindful of how much time and resource it could potentially take up you don't want to kind of set an unlimited and that amount of time to go off and look for a certain type of activity for example so and that's obviously that and and then obviously it relies on clean log and network data and a solid interpretation and understanding and just from my own you know talking from my own experience you know we do quite often get you know customers that are asking questions about the interpretation of their log data or why does this look how it does or is this normal and it all goes back to kind of knowing what normal is and doing your baselines looking at your trends looking at your top and bottom X's and just really understanding your infrastructure so you're gonna move on to a quick demo now and we've run out of time so I'll probably just blitz through this really quickly and so just using I'm gonna use the logarithm at all because that's obviously that's although I kind of use day-to-day so really simple idea here so we're going to do just very simple hunt looking for internal PS execu search by specifically are privileged users or sysadmin x' so really simple thing to do so we can go off and we can select our criteria nothing too tricky about that and then we can then start looking at the results so what we've got here is the process started and stopped which is just a metadata or common event that's been derived from the original lock message and then we have a host which I'll just call PC - so from this point on we could probably pivot and we could go backwards or forwards in time and the kind of to the left of the yellow highlighted section is kind of the marker point of where what the time the current time is so we can go forward or backwards in time so from here we're going to go forward in time drilling specifically into processes and services started in reference to our original PS exec asset operation so we'll get our results back and again looking at kind of general eats for topics types of graphs we'll see some results and what might be suspicious is PS exec SVC exe rock dumped or exe cmd.exe but more worryingly that we have a CDC one which is effectively our domain controller and obviously this isn't a real world scenario but it's just a concept of being able to use existing tools to do very quick and efficient hunting so we do a little bit more drilling and we use in this instance Windows system on event blogs so as we all know system on has a whole rich feature set of of collects you know the ability to collect really reap rich event ID data in this example you know things like hashes we actually have what we call an empty rule name and which is our message processing engine rule name so we categorize a lot of this data automatically but what we can see here it would being executed on the domain controller potentially via PS exec is the host name dot exe so okay we know it's a sysadmin because were targeting our sis admin group or privileged user groups when we started out this hyung so at this stage there doesn't seem to be anything necessarily untoward as we move on through the Hunts though we look and find proc dub dubby X ISA proc dump is an executable typically used for troubleshooting and generates and memory dumps of a running process so again nothing necessarily untoward we do see a user administrator which does seem a little bit strange but we'll carry on trace in the individual event IDs and gonna skip some of this because there's a little bit of overlap here I mean so kind of what we've gathered so far is we know that PS exec SVC exe was executed on the domain controller we know that PS exec was executed on the PC number two and we also know that CMD then spawned hostname and Proctor we got most of this information funnily enough just from using system on logs and some of the other Windows security logs haven't obviously listed them all because we could be here for a lot longer so at this stage we can then start adding our evidence and evidence in the form of actual log data and we can add case notes and obviously it's a really really good idea to document everything that you do we could also hop across to Network Monitor and actually have a look at communications going backwards and forth between these two particular machines so obviously obviously this is probably a bad example but you know even just by drilling into some of these histograms you should be able to spot whether there's any for any spikes or anything abnormal that might be for instance network communications occurring out of hours or just suddenly a surge of network traffic going from that particular machine to a domain controller what we see when we drill in a little bit further and kind of this is where kind of the benefit of collecting peak out data comes in is we automatically classify SMB traffic so SMB cert certain SMB commands typically you know things like query directory assembly writes and query info all of that all of those types of commands are typical for you know Windows server typically talking to another Windows machine or vice versa and those that are typically used to you know query query volume maybe server information file share information and so on so kind of quick point really obviously to know like protocol ii need to always make sure you've got the RF caesar's john kind of mentioned earlier you know knowing your RFC's or at least having access to the documentation so anyways we drill into that particular file name metadata field for that particular SMB traffic we see a bunch of information here but what's really important that stands out is we have the traffic the SMB traffic is another confirmation in a digital footprint of the pc to making a connection with PS exec and we said we also have the process IDs captured in that particular flow and one thing that comes highlighted at the very bottom there is the fact that there's an LSA SS dump file which seems a little bit interesting so we decide to have another look this is going back to our web console dashboard and here we can see again our object of LSA SS dump now without even having to jump over to the net1 console we could have done that just by staying in the web console dashboard we could then pull down the p cap and use our favorite tool whether that's Wireshark or TCP dump ins and so on and but we get the IPS the MAC addresses and all the nice juicy you know layer 2 layer 3 and so on from from these from the logs and the network flow so just kind of quick kind of just to kind of wrap up what we're talking about really quickly so we just basically gathered a bunch of different SMB commands and various other artifacts so far so nothing really at this stage remain necessarily warned the intruder has done anything malicious hey Andrew yeah so you discovered the connection between this PC to and the domain controller well the original query was like show me PS exec being transferred correct as that was that the initial kind of like dive into this investigation right so exactly so doing doing PS running PS exec maybe you have a detection rule that might be triggering when a user executes PS exec and maybe they the customer or the end user kind of might look at the user only and think yeah that's fine they're SS admin and throwing to beyond power but the idea of the kind of the change of the kind of change of stance from being that reactive as opposed to proactive fret hunting can kind of start to or very quickly rather reveal you know pieces of the story that might you might not otherwise notice if you're just yeah thanks it's bunk we used to call those at tenable right never-before-seen events so if you know a PC connected to domain control and ran and PS exactly like we've never seen that before it kind of sounds like that's where your investigation started then you're like well there was this SMB traffic and then there were some else and you know the investigation goes on from there and I love the fact that you can kind of take notes on your investigation that's a really big differentiator something that I haven't seen certainly in open-source tools yet cool so I can say at this stage that doesn't necessarily indicate anything malicious so again we can use our pivot tool to go back in time and see okay what happened before all if all of this activity you know was running between these two machines so again we this time look at the bottom process names running on that particular PC over the last tw hours we're also looking at process starts so again we see cmd.exe PS exec and we see printer setup x86 exe now all this actually is events relating to the PC and the domain controller so one might question why is printer setup x86 making outbound connections to the domain controller so again looking just a regular windows event logs event ID five one five six for this one we get IP and you know TCP UDP information we obviously do classification out the box so you know things that have simple things that people take for granted but just being able to quickly drill into this data so this is just a regular event ID for filtering platform allowed connection and we see our process name here with a process ID and actually again looking with our correlating with our system on logs and again I'm a great you know believer in system on believe every company should be running it and we quickly discover that actually printer setup is not a printer setup it's potentially mini cats so grabbing the hash that we see in that particular event ID and we can just copy and paste the hash into virustotal or I'm all up for automation so we can use Smart Response and actually you automate this either automatically or just have a bit of more manual control over this but we can actually integrate out of the box with virustotal and you know if we saw a future occurrence for instance of this type of activity we can actually just get the smart response to automatically go out and do the lookup and query against the virus total database so potentially at this stage we know a little bit about mini capsule we mainly know lots about mini cap so it could be a golden ticket or a silver ticket or a Kerberos didn't type of attack and you know the ad security website you know great great information from Shawn but in particular just want to draw your attention to a couple of common or at least for the majority of golden ticket types of attack so the account domain is fully qualified to main name but it should in fact be the short domain name and for the event ID for 672 it should be blank so it should be short name but it is in fax blank so using that information freely available information will go out and have a look at these two particular event IDs so on the Left we have 464 and on the right we have event ID for 672 and we see that in the domain impacted we have the short name for both of them so okay we don't hit the criteria so does this mean that this isn't a golden ticket attack and it kind of comes back to doing your own testing and making sure you understand how things look on your network because for this particular build of mini cats it doesn't actually populate the short that sorry with the fully qualified domain name so it's just because by chance I happen to be using the newer version of Mimi Katz trillion in a bit further of what we see in fact slightly different that isn't necessarily documented as we see a user that's used administrator privileges to execute mini cats on the remote machine and so using this information we see that they do a network log on and they successfully authenticate and looking again this isn't a great example but if we had you know more information they you know we could potentially see you know something you know stand out in the trend graph um again we could use Network Monitor the Network Monitor dashboard to pull out further network communications and actual facts on that particular day what they did in fact it was they pulled down Mimi Katz from just a free file upload or download a web site so kind of all this kind of you know that started out from something very simple can turn up you know loads more results and as I say it doesn't always necessarily have to be malicious to kind of consider the fret hunt as you know successful or not issues should no I don't personally think Frampton should be a success or failure because ultimately you're always going to learn stuff about your infrastructure so kind of just wrapping that up you know lots of automation that can be included for a future hunt because let's say for example you want to go and perform the same fret hung against PS exec against your sis admins in another couple of months time but if you can automate some of this and if you understand how some of this for example many cats might look using JP sir information or using the attack matrix by miter and all the other great resources out there eventually you can start automating not just your reactive detection security detection day-to-day but also your proactive for a hunting and lots of things you can do there also you can look at trend detection so the more you understand about for example authentications within your organization you can then start start setting up trends or baselines comparing you know moving average say a 7 or 2 week average of unit logins to that particular domain controller or even a group of to make controller and also looking for patterns of behavior so certain events that were observed or maybe not observed within an expected time frame and just from my testing and this is not as far as I would have liked it to be but just you know just from my own observations kind of going back to JP sir we're currently working on JP sir internally seen how we can incorporate that into a future module but it goes to show that just you know without actually going off and testing and even JP sir has you know it doesn't necessarily show the full picture for every single environment it's not a one-size-fits-all type of document you still like you know I still highly recommend you to go and do as much Testament as you can but just for my test purposes these were some of the event IDs that I've found you know that will repeat it in my appointment and I'm sure you know some of those would probably over that so yeah there we go awesome edge thank you so much all right we have a couple of minutes like literally two minutes for for questions you can of course submit questions to us via email and we'll make sure we get those relayed to the appropriate parties as well I'm sure one of the questions is where are the slides we will send you the slides there may be a little more of a delay on slides as I stated to those joining the webcast a little earlier pretty much about half of our security weekly team is still stuck in Orlando due to weather conditions so it may take a little longer to get the the slides together so John and Andrew slides will be available to all of those who registered for this webcast in addition to the video as well as when you register for webcasts we do provide you with all of the materials that are sent to you afterwards so and get those if you have other questions the best email that reaches the most people here at security weekly they're in a position to respond is PSW at security weekly comm that's GSW at security weakly calm that's kind of a general list that we have that includes all of us here that work for security weekly in addition to all the hosts that host all of our shows and webcasts so PSW at security weekly comm if you have questions I don't think there were any someone asked about running Konza from a UNIX box to collect all of this info I'm not sure John had to actually drop off so I will have John post an answer to that question if you want to email whoever asked that question if you want to email it to us actually we can see who if they ask that question in GoToWebinar well maybe we'd get you a response to that from John I think cons is just a windows tool though Andrew I don't know if you're familiar with that tool though I thought it was just when days but I could be wrong okay awesome well thank you everyone for watching and listening to this program today Andrew thank you very much for coming and presenting thanks to John as well and again we're going to send out all of the resources for this webcast today to everyone who registered so thanks Arun we'll see you next time