SANS ISC: Internet Storm Center
Is Threat Hunting the new Fad?

Published: 2020-01-25
Last Updated: 2020-01-26 12:08:40 UTC
by Guy Bruneau (Version: 1)

Over the past two years, a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest, whether it be which process works best, which methods and procedures to follow and adapt to your environment, and finally which logs or tools can help the hunt.

I have taken a simplistic approach to Threat Hunting, and for me it is: proactively searching for threats missed by every defense in the enterprise. We are Threat Hunting for the unknown! Assume something is already compromised.

That is a tall order; where do we start? The first step is to know the network I'm defending. Doing this well means having a pretty good knowledge of what the network looks like (e.g. network diagrams, traffic flows, client → server relationships, etc.) and of the type of activity considered normal. Anything deviating from that "normal" needs to be investigated.

The next step is to collect the logs that will help with the hunt, such as host and network logs, and fuse them with traffic flows in a way that helps identify unusual patterns of activity.

Some of the logs that might be important to collect (not exhaustive): proxy, web and application servers, DNS, host-based, antivirus, Endpoint Detection and Response (EDR), firewall, etc. In the end, each organization is unique. Using the MITRE ATT&CK framework [6] can help the hunt by identifying the tactics and techniques most relevant to the environment, and therefore which logs are the most promising for detecting and identifying unusual behavior in the network.
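To make the "know your network, then hunt for deviations from normal" idea concrete, here is an added example (not code from the diary or from any of the tools it mentions). It learns a baseline of client → server:port relationships, and the hours at which each one is normally seen, from a learning period of flow records, then flags hunt-window flows that introduce a never-seen service, a never-seen client/server pair, or a known pair at an unusual hour. The flow records are constructed sample data in a simplified NetFlow/Zeek-like shape; the field layout and the three deviation classes are assumptions of this example, not something the diary prescribes.

```python
"""
Added example: build a "what normal looks like" baseline from flow records
and flag deviations during a hunt window.

Flow record shape (constructed, NetFlow/Zeek-like):
    (timestamp_iso8601, client_ip, server_ip, dst_port, proto)
"""
from collections import defaultdict
from datetime import datetime

# Constructed learning-period flows: what "normal" looked like.
BASELINE_FLOWS = [
    ("2020-01-06T09:00:00", "10.1.1.10", "10.1.2.5",  443, "tcp"),
    ("2020-01-06T09:01:00", "10.1.1.11", "10.1.2.5",  443, "tcp"),
    ("2020-01-06T09:02:00", "10.1.1.10", "10.1.2.53",  53, "udp"),
    ("2020-01-06T09:03:00", "10.1.1.11", "10.1.2.53",  53, "udp"),
    ("2020-01-07T09:00:00", "10.1.1.12", "10.1.2.5",  443, "tcp"),
    ("2020-01-07T09:00:30", "10.1.1.12", "10.1.2.53",  53, "udp"),
    ("2020-01-07T10:00:00", "10.1.3.2",  "10.1.2.5",   22, "tcp"),  # admin jump host -> server
]

# Constructed hunt-window flows containing three kinds of deviation.
HUNT_FLOWS = [
    ("2020-01-20T09:00:00", "10.1.1.10", "10.1.2.5",    443, "tcp"),  # normal
    ("2020-01-20T09:05:00", "10.1.1.10", "10.1.2.53",    53, "udp"),  # normal
    ("2020-01-20T03:00:00", "10.1.1.12", "10.1.2.5",    443, "tcp"),  # known pair, unusual hour
    ("2020-01-20T02:13:00", "10.1.1.11", "10.1.2.5",     22, "tcp"),  # workstation -> server SSH
    ("2020-01-20T02:14:00", "10.1.1.11", "10.1.1.12",   445, "tcp"),  # workstation -> workstation
    ("2020-01-20T02:15:00", "10.1.1.11", "203.0.113.9", 443, "tcp"),  # never-seen external server
]


def build_baseline(flows):
    """Summarise 'normal': services seen, and for each client/server pair the hours seen."""
    services = set()                       # (server, port, proto)
    relationships = defaultdict(set)       # (client, server, port, proto) -> {hour, ...}
    for ts, client, server, port, proto in flows:
        services.add((server, port, proto))
        relationships[(client, server, port, proto)].add(datetime.fromisoformat(ts).hour)
    return {"services": services, "relationships": dict(relationships)}


def hunt(baseline, flows):
    """Return (reason, flow) findings for flows that deviate from the baseline.

    Reasons, checked in order:
      new_service      - server:port/proto never observed at all (new host or new service)
      new_relationship - known service, but this client never talked to it before
      off_hours        - known pair, but at an hour of day never seen for it (crude; a
                         real implementation would use a tolerance window, not exact hours)
    """
    findings = []
    for flow in flows:
        ts, client, server, port, proto = flow
        rel = (client, server, port, proto)
        if (server, port, proto) not in baseline["services"]:
            findings.append(("new_service", flow))
        elif rel not in baseline["relationships"]:
            findings.append(("new_relationship", flow))
        elif datetime.fromisoformat(ts).hour not in baseline["relationships"][rel]:
            findings.append(("off_hours", flow))
    return findings


def summarize(findings):
    """Count findings per reason: a figure worth trending over time on a hunt dashboard."""
    counts = defaultdict(int)
    for reason, _flow in findings:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for reason, flow in hunt(base, HUNT_FLOWS):
        print(f"{reason:17} {flow[0]}  {flow[1]} -> {flow[2]}:{flow[3]}/{flow[4]}")
    print(summarize(hunt(base, HUNT_FLOWS)))
```

The ordering of the checks matters: a flow to a server:port nobody has ever talked to is reported as a new service rather than as a new relationship, so the most significant deviation is what the hunter sees first. The external server on port 443 is flagged even though the port itself is ordinary, which is the point of baselining destinations and not only ports.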

Over the years, several handlers have published various articles on Threat Hunting, whether it be process, methods or tools like RITA [1][2][4] or HELK [3], to help with the hunt.

If you are interested in learning how to conduct Threat Hunting in your network and missed Active Countermeasures' last course, they are conducting another free, one-day Cyber Threat Hunting Training online course on 4 April, where you can see the course content and register [5].

[1] https://isc.sans.edu/forums/diary/DeepBlueCLI+Powershell+Threat+Hunting/25730
[2] https://isc.sans.edu/forums/diary/Using+RITA+for+Threat+Analysis/23926
[3] https://isc.sans.edu/forums/diary/Threat+Hunting+Adversary+Emulation+The+HELK+vs+APTSimulator+Part+1/23525
[4] https://www.activecountermeasures.com/free-tools/rita/
[5] https://register.gotowebinar.com/register/6883873380989840395
[6] https://attack.mitre.org/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Visibility Gap of Your Security Tools

Published: 2020-01-25
Last Updated: 2020-01-25 16:31:07 UTC
by Russell Eubanks (Version: 1)
I have been focusing on visibility lately, and often specifically on gaps. Visibility gaps demand the attention of every cybersecurity professional. Success often hinges on how quickly these gaps get closed, and the very act of closing them helps us achieve what we need the most: greater visibility. Solving for these gaps will equip us by catalyzing transformation. No need for Artificial Intelligence or Machine Learning, just an advanced persistent drive to close these visibility gaps!
 
I introduced this idea in a previous Diary, "Is Your SOC Flying Blind?". This time, I want to focus on your security agents. Are they working and providing their intended value? How do you know? What would it look like to have an Agent Health Dashboard that answered two fundamental questions all day long:
  Is the agent installed?
  Is the agent performing its expected role?
 
I like to include practical ideas when I am the Handler. To that end, I developed several ideas across diverse dimensions for you to consider. Perhaps next week, you will use this as a checklist to complete or to perform a spot check.
 
Visibility for your developers and DBAs
  Number of active sessions
  Number of runaway sessions
  Application performance metrics
 
Visibility for your physical security
  Camera feeds
  Badges that appear to be both inside and outside the building at the same time
 
Visibility for your networks
  Netflow volume
  Traffic volume
  New ports and services
  Trends over time for each
 
Visibility for your Servers and Workstations
  Daily log volume
  Communication patterns
  Lateral movement detection
  Trends over time for each
  Alert when devices stop sending their logs
  Activity performed by administrators
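The two Agent Health Dashboard questions above ("Is the agent installed?" and "Is the agent performing its expected role?") and the checklist item "Alert when devices stop sending their logs" are the same visibility check seen from two sides, so here is one added example that answers both (this is not code from the diary or from any agent vendor). It joins an asset inventory, a software inventory and the collector's last-received-event times, and classifies every host as healthy, stale, not installed or unknown. All three inputs are constructed sample data; the agent package name, the one-hour staleness threshold and the fixed clock are assumptions to be replaced with the real product and environment values.

```python
"""
Added example: a minimal agent-health check answering, per inventoried host,
"is the agent installed?" and "is it still doing its job (sending events)?",
and surfacing hosts that have gone silent.

Inputs (all constructed sample data standing in for real sources):
  INVENTORY  - asset inventory (e.g. a CMDB export)
  INSTALLED  - software inventory: host -> set of installed package names
  LAST_EVENT - collector side: host -> time of the last event received from its agent
"""
from datetime import datetime, timedelta

AGENT_NAME = "example-edr-agent"          # hypothetical package name; use the real one
STALE_AFTER = timedelta(hours=1)          # silence longer than this => agent not doing its job
NOW = datetime(2020, 1, 25, 12, 0, 0)     # fixed clock so the example is reproducible

INVENTORY = ["ws-001", "ws-002", "ws-003", "srv-db-01", "srv-web-01"]

INSTALLED = {
    "ws-001": {AGENT_NAME, "office-suite"},
    "ws-002": {AGENT_NAME},
    "ws-003": {"office-suite"},            # agent never installed
    "srv-db-01": {AGENT_NAME, "db-server"},
    # srv-web-01 is absent from the software inventory altogether
}

LAST_EVENT = {
    "ws-001": NOW - timedelta(minutes=5),
    "ws-002": NOW - timedelta(hours=3),    # installed, but silent for three hours
    "srv-db-01": NOW - timedelta(minutes=1),
}


def agent_health(inventory, installed, last_event, now=NOW, stale_after=STALE_AFTER):
    """Classify every inventoried host into exactly one state.

      healthy        agent installed and an event received within stale_after
      stale          agent installed, but no event within stale_after (stopped sending logs)
      not_installed  host is in the software inventory, but the agent package is not
      unknown        host is in the asset inventory but absent from the software inventory,
                     i.e. a visibility gap in the inventory itself, not just in the agent
    """
    status = {}
    for host in inventory:
        pkgs = installed.get(host)
        if pkgs is None:
            status[host] = "unknown"
        elif AGENT_NAME not in pkgs:
            status[host] = "not_installed"
        else:
            seen = last_event.get(host)
            if seen is None or now - seen > stale_after:
                status[host] = "stale"
            else:
                status[host] = "healthy"
    return status


def coverage(status):
    """Dashboard figure: fraction of inventoried hosts in the healthy state."""
    healthy = sum(1 for s in status.values() if s == "healthy")
    return healthy / len(status) if status else 0.0


def hosts_in(status, state):
    """Sorted list of hosts in a given state, e.g. the ones to alert on."""
    return sorted(h for h, s in status.items() if s == state)


if __name__ == "__main__":
    st = agent_health(INVENTORY, INSTALLED, LAST_EVENT)
    for state in ("healthy", "stale", "not_installed", "unknown"):
        print(f"{state:14} {', '.join(hosts_in(st, state)) or '-'}")
    print(f"coverage: {coverage(st):.0%}")
```

The "unknown" state is deliberately separate from "not_installed": a host the asset inventory knows about but the software inventory does not is a gap in the inventory data itself, and closing that gap comes before asking whether the agent is on the box. The same function works for any log source, not only endpoint agents, by swapping the package check for whatever "installed" means for that source.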
 
Application question: What visibility gaps exist, and what can you do next week, on purpose, to close one of them? Please leave your ideas and suggestions in our comments box!
 
Russell Eubanks
Keywords: cyber visibility
