OUR AMERICAN SECURITY

Mastering the Art of Threat Hunting: A Cybersecurity Deep Dive

March 12, 2024 Sponsored by BRaaSS LLC Season 3 Episode 2

Embark on an enthralling expedition with me, Bobby L Sheppard, as I welcome the formidable Jay D. Anderson to dissect the crucial elements of threat hunting in cybersecurity. Drawing from his extensive background as a US Army Special Forces operator and federal police officer, Jay D. Anderson infuses our conversation with hard-earned wisdom, differentiating the proactive approach of threat hunting from the reactive nature of threat monitoring. Together, we dismantle common myths that shackle threat hunters to alert responses and illuminate the profound impact of robust threat intelligence on the success of hunting exercises. Our exchange is more than just a peek behind the curtain—it's a master class for professionals eager to elevate their cybersecurity game.

The digital battlefield is ever-evolving, and this episode lays bare the tactics and tools that define an effective cyber defense strategy. As Jay and I navigate the treacherous terrain of cybersecurity, we underline the indispensability of fine-tuning tools like Splunk and the vigilance required to stay ahead of Advanced Persistent Threats. We dissect the delicate interplay between monitoring and hunting, turning apparent traffic spikes into golden opportunities for seasoned threat hunters. Our banter is not just theoretical but grounded in the gritty reality of today's cyber landscape, offering you the inside scoop on operating standalone as a threat hunter, armed with resources like Hacker News, to stay abreast of the latest in cyber warfare.

Our discussion for the astute business owner morphs into a strategic briefing on how threat hunting translates into a robust return on investment. We outline the case for considering threat hunters as a critical insurance policy for your enterprise, safeguarding against the insidious nature of dormant cyber threats. Wrapping up our dialogue, we reflect on the intersection of threat intelligence and security, setting the stage for more enlightening dialogues on the future of American security. So, if you're vested in fortifying your digital ramparts, this episode is one you can't afford to miss. Join us, stay informed, and reinforce your cyber defenses with the insights and expertise shared in Our American Security. See you in the digital trenches!


Our American Security is brought to you by BRaaSS
Business Resilience as a Service

Learn How to Improve the Operational Security of Your Employees with BRaaSS

If you have any questions for the OAS team, please contact oas-podcast@braass.io

Connect with us on LinkedIn
https://www.linkedin.com/company/braass-consulting/

Connect with us on Twitter
https://twitter.com/OAMSECURITY

Visit our Sponsors (our) BRaaSS Website
https://www.braass.io/

BRaaSS Pricing Plans
https://www.braass.io/consulting-plans


Speaker 1:

Welcome to Our American Security. I'm your host, Bobby L Shepherd. Our American Security is brought to you by BRaaSS LLC. BRaaSS, Business Resilience as a Security Service, is a new and innovative consulting firm which provides world-class intelligence, monitoring and analysis on emerging threats specific to your organization and its priority areas of concern. Your BRaaSS subscription will provide monthly or quarterly audits for operational security, physical security and cyber security, as well as liaison with federal agencies and help C-suite executives to strategize and plan for crisis events.

Speaker 1:

Alright, alright, alright. Welcome to the second episode of Our American Security. Today we are going to be talking about threat hunting, threat hunting, how proactive cyber defense is done. We're going to have our co-hosts, which is JD Anderson, be the one that's going. I'm basically going to be interviewing him about you know how threat hunting is done. He is a threat hunting expert and you know, being that he's a you know former US Army Special Forces operator and a former federal police officer and special agent. He has his own take on how this stuff ought to be done. You know, as far as you know how you think about threat hunting not just about you know the actual technical actions of it, which we get into quite a bit it's a pretty interesting take. I'm more on the intelligence side cyber threat, intel, all source intel, intel, intel, intel, and which is a very important part of threat hunting, but I think people often conflate the two and that's something we talk about as well. So I hope you enjoy it and here we go, thank you, hello, welcome back.

Speaker 1:

This is Bobby Shepherd, in another episode of Our American Security. Today we are talking again, well. Well, first of all let me introduce my partner, partner in crime, which is really ironic. I say partner in crime but technically we've been law enforcement and you know, doing on the right side of the law, you know most of our adult lives. But but, yeah, Jay Anderson. Jay Anderson is the co-host here of Our American Security, and so what we do here every so often and this is going to be a new tradition is that we basically, you know, we talk about the.

Speaker 1:

You know, our normal podcasts are about the events and issues that are going on as far as security, how it affects America, how it affects the world and how, and through the lens of our experience. And this time, you know, every so often we will have a podcast which we really talk about industry knowledge or we talk about on my side of the fence industry knowledge that deals with some of the, some of the products and services that we're putting out outside of the podcast. Jay is an industry expert when it comes to multiple, multi discipline, multiple disciplines, that that being threat, cyber threat, military special operations, law enforcement and some Intel, and so he has all kinds of experience, man, and so what we're going to do is not just kind of just talk, talk it up for the you know, you know what's going on in the world as much, but also try to give you some hardcore industry knowledge that can aid you in your job and businesses as well. And so today we're going to deal with a topic that everybody talks about real sexy sounding, but truthfully it seems like it's a little bit of a misnomer and we don't really quite know exactly. I mean, when I say we, I'm talking about the world around us don't really know exactly what it is, you know. So we say here threat intelligence and that is a credit is something that we're getting to later as well.

Speaker 1:

But threat hunting Alright, threat hunting, man, that sounds bad, that sounds like you know. Threat hunting like you like, like that hunt for Red October, like Rambo hunting up some, some big car. I mean, threat hunting sounds like we're going to grab somebody, you know AR-15, M16 and run up in somebody and hunt something down. I mean that's what it sounds like. You know threat hunting is it's hunting a threat, right? So pretty much, pretty much right.

Speaker 1:

But the thing is, the thing is, you know, I mean, it's actually not quite that dangerous and sexy. So I mean, honestly, it's, it's really about cyber, you know. I mean it's, you know, really, in the terminology that's been used most commonly. Now they're talking about cyber threat, alright, and so we're going to talk about today, you know, threat hunting. It's one of the things that we consult on and Jay in particular, and have another guy on the team who does it right and intel which is more cyber oriented, and but it is an art and it is a discipline, and we're going to kind of try to give you a brief but informative synopsis of what it is. So, Jay, we're going to start, man, I'm going to ask you a couple questions and just go ahead and go with this. You know, stream of consciousness, man. So we went over this last time. I'll let Jay talk. So, Jay, you know, can you tell us, like basically, before we start, like, why you might be qualified to talk about threat hunting and what it is?

Speaker 2:

Well, threat hunting Okay, you know it's a little bit different than threat monitoring, which is what you typically see in organizations these days. And threat monitoring is basically you know you are waiting for any type of alerts that have populated and you triage those alerts, you know, and basically conduct your investigation and send the report or whatever format that you're going to use up to. You know whether it's a client or your organization, if you're just doing it specifically for your organization and just letting them know. Hey, this is what my findings are for this particular alert. So it's a very reactive way to basically manage an environment. Yeah, so threat monitoring.

Speaker 1:

Okay, so this is threat monitoring, right, so this is typically.

Speaker 2:

This is typically what happens when you are a threat hunter. You basically switch roles from being you know that passive individual within the organization to becoming proactive, and that's the major difference. So when you are a threat hunter, your job is to not wait for an alert to populate, which you know it's very much needed. But unfortunately, a lot of companies just don't do threat hunting, you know, they prefer to just like well, let's just monitor. We've got 30, 40 alerts that popped up. We need a team of guys to manage each one and to let us know which ones are false positives and which ones are legitimate. But when you have a threat hunter, a lot of times alerts may not trigger, particularly when you talk about advanced persistent threats. So what you want to do is you actually want to go into the client environment and you want to run searches and queries and hopefully you have somewhat of a team that can assist you with exactly what you need to look for.

Speaker 1:

Okay so. So let me tag that for you so I can kind of give them a little more. You know, because APT, or is another way of saying it. Now let me advanced persistent threat. Is it called? Advanced something else, now new, a new terminology for it.

Speaker 2:

Well, I mean, APT is the most commonly used terminology that you're going to hear. You know what is it, but what is exactly? So, basically, an advanced persistent threat is is any, so it can actually be a threat actor. You know whether it's some, you know some lone hacker, or it could be, you know, a nation state entity. We have a lot of countries like Iran and China and Russia that love to basically gain a foothold within an organization and they maintain a persistent presence on their network. And you know, studies have shown that a lot of these APTs, once they infiltrate your network, it takes approximately 195 days before they're actually discovered. And and though the alerts have been triggering and things like that, it may not actually trigger what they are actually doing, which is why you need a threat hunter.

Speaker 1:

Exactly so, like so. So just could for clarity for the audience, right. So you know, a lot of times the APT may literally, you know, infiltrate your network and sit there and wait and sit there and wait for a call, a remote call for them to actually activate could be a worm, some sort of executable right, some sort of executable where they may actually execute on your network and then begin like siphoning off or doing some kind of disruptive activity. So when they so, when there's we talked about, so the plate date, like Jay said, you know, an APT, they can say like there's an APT called 30, whatever, but there's also the actual APTs that are like actually on your network, which are, which are? We are actually sitting there waiting to in constantly, clandestinely, apparently recognizing or doing reconnaissance, you know, on your system to figure out where and where and how to to disrupt or use some sort of social engineering. Would that be accurate?

Speaker 2:

Yes, I call it the sleeping tigers. That's basically what they are. They just kind of go into your network, gain a foothold, try to do some lateral movement and even try to gain administrative privileges to create their own accounts.

Speaker 1:

Yeah, lateral movement, because I'm gonna, I'm gonna take things, things. You say I'm gonna try to lead to help people, because these are the terminologies that, like you know, maybe be talking to some clients and a cyber threat, intel or somebody who's familiar with it. It might be okay, but you know, when you say I'm gonna talk to everybody else, that's what it sounds like. You talk about a football or something like that. You're trying to like lateral. We, you know, throw a football, move hands, stick out. You know. But lateral movement why? You know, like it's honestly, because I just I honestly just did something with with the last organization I work with talking about lateral movement once it got into a payload and the thing about lateral movement. Why is that so dangerous? Lateral?

Speaker 2:

movement.

Speaker 2:

Well, the reason why it's dangerous, okay, is because it has the potential to cause additional damage to the, to the Environment, the network.

Speaker 2:

So it's one thing to have a breach, okay. So let's say that they actually use a combination of social engineering which includes phishing or whatever case there to gain credentials, to gain access to one individual's computer, and maybe that individual is just a basic regular employee of the organization. All right, so they've gained a foothold onto that one machine, all right. But then again, maybe they actually want to look for higher classification of information to either steal, to damage or to alter or something of that nature. So what they want to do is they want to look for a way to pivot or move laterally on to other machines and either infect them with let's say, the most common that I've seen is ransomware, or they can say okay, now I want to gain access, since I'm in this machine, this machine is on a network, so that means they're all connected. So now I want to move laterally to a different machine and maybe escalate my privileges so that I can actually have more access to the environment and do as much damage as possible right.

Speaker 1:

So once they're in and they can, they start executing a lateral movement, I mean you could move up from. The scary part is, once they end, they might be able to get in an unclassified area of whatever you're using, then move into a TS area where actually there are things that could be, you know, you know, grave damage to national security, which is something that was in the realm I was working in and then we were considering that it's an open source situation. But basically, you know, one of the things we were looking at with payloads and to going into space, and some of those payloads are. Usually, when you do payloads, basically they put an unclassified payload right next to some super secret SAP payload and the thing is if, if a person enters, if an APT hits that that network and gets into the unclassified one, technically they're on the same, they own that, they're on the same network strip basically, even though there was other requirements to get into here. Once they get in, they have the ability to move laterally into that super secret SAP payload and and see and disrupt the world of hell they want to do in there which is which is super, which is dangerous, and in something that why cyber, cyber security and cyber threat intelligence and cyber hunting is is super important.

Speaker 1:

Once again, absolutely yeah, like I said, you know, you know we want to be gonna really try to bring out this kind of stuff into you know, like I said, all these to be.

Speaker 1:

You know we talk these things every day, but you know, like somebody who's never really they hear you, these things, threat hunting, and yeah, so we're gonna let you know what generally, what we're talking about and you know, please, you know you'll get some, some knowledge out of this podcast. So let's see here. So I would say this man, let's talk about some aspects of where folks kind of get it wrong about threat hunting. Like, like generally, like you know what do they generally get wrong about it? Like I'm talking about like bosses and supervisors and managers, not not like the general public. I'm talking about like you know, when you, when you basically all right, Jay, I want you to be a threat hunter you know what do they do wrong, because what I've seen is that they try to give them, you know, basically monitoring and alert duties and all these multiple other things and it pulls away from the actual need and in job of doing threat hunting. Can you talk to that? Speak to that a little bit.

Speaker 2:

Yeah. So I would say that there's a lot of misconceptions about what threat hunting should be when it comes to people that are running the organization or running a cyber section, you know, one of the biggest things that they get wrong is they just don't do it enough. Like you mentioned a lot of your threat monitors are given an additional task of hey, I also want you to do threat hunting. Well, the problem is is that when you have, you know, a large number of alerts coming in, they're going to spend a majority of their time trying to triage all these alerts and they're just not going to have time to do threat hunting. So you know, one of these things is that threat hunting should not be looked at as something that you do as like an extra exercise. Okay, like I'm going to go in, I'm going to do threat hunting today, and then you may not do it again for two or three weeks, and that's that's kind of the wrong answer. So you know, and also a lot of these, you know leaders of these organizations they don't really know how to you know how to take advantage of an actual threat hunter's skill. A lot of times they might say, well, we don't really do that? Because, no, either they themselves don't understand it, but they think it's too difficult.

Speaker 2:

You know some people think, well, we can just automate that. You know you cannot fully automate threat hunting. You know, just like you cannot fully automate you know threat intelligence. You know, in a national security world I mean, just imagine a computer and we're trying to run all that you're going to need that human element involved. A lot of times. You know supervisors think that, well, don't we need like a lot of you know requirements and a lot of these. You know high speed tools and especially these small to medium-sized businesses, when really you can just use the typical normal security tools that you have. So you know being underutilized, it's like probably the major thing, or companies just flat out don't do it at all. What they think of it is well, my guys do threat hunting. You know they. They are finding threats and I'm like no, they're actually just responding to alerts, which means they're being reactive in the environment and not being proactive, right?

Speaker 1:

So so how about this? Can you do? You think you could briefly, like I know we've spoken about it in private before, but you know, can you walk us through generally? You know what are the steps in the threat hunting process, not just with the threat, like you know. We, like we spoke before, we said okay, you know, when there's a threat, the threat hunting process generally starts from having a good threat intelligence team and receiving receiving.

Speaker 1:

You know, like you said, the threat hunter themselves can do some of the intel. But having a direction from the threat intelligence team is going to be paramount, because that's gonna, because you're going to be able to have a lot of reach back into some of where that threat came from and basically it's going to basically make you provide you a way for you to do an intelligent hunt rather than you know just kind of, you know, okay, I'll just try to see if this is in here today. You know you just, but but instead you'll be like okay, you know, this is probably APT so-and-so, this is a known threat actor. Generally they usually do this based on the MITRE ATT&CK, behavioral information on this. You know, whatever that, whatever point, whatever it is. That means a lot, because what I've seen, from some of the alerts are as A, B and C, and I'll know where to start here. You know, I mean it doesn't work, something like that. I mean, what's, what's the process, would you say, Jay?

Speaker 2:

Well, definitely, I think you're right on point there. So one of one of the things that's going to make a threat hunter effective is actually having a whole government approach to threat hunting, which means you can have an individual or a group of individuals that are assigned to be threat hunters. And maybe they're very good, you know, maybe they understand the tools they're working with very, very well, but that does not mean that they're going to be effective threat hunters. I mean, they may be able to proactively conduct searches and queries in the environment, but then again, if they're not in the know of what actually is taking place on the outside world, because typically cyber threat monitors and hunters do not have time to conduct any sort of, you know, threat intelligence research to find out what was the latest trend, okay, this latest hack that just occurred yesterday.

Speaker 2:

You know who was responsible. You know what? Did they use Python? Did they use PowerShell? What did they take advantage of? Was it so? You need a cyber intelligence team to actually provide you with that type of information. You know, and just like in the military world, we call them, you know, those priority information requirements. You know, having PIRs is definitely going to help guide those threat hunters on what exactly you need to look for. So it's one thing to go looking for something. It's another thing to know exactly what you're looking for in a particular instance and and this should be like a continuous communication between your threat intelligence analysts and as well as your threat hunters.

Speaker 1:

So for example somebody yeah, go ahead, sorry, sorry, sorry. I just wanted. I'm just trying to get this part straight in my head. So, between the threat intel team, threat hunters, how do you think the threat monitors fit in there though?

Speaker 2:

So what a threat monitor they're basically?

Speaker 2:

You know, obviously, if the you know, if I was in charge of a cyber intelligence analyst section, I would make sure that we conduct some sort of at least weekly or bi-weekly meetings and send out constant updates and reports to all, both threat hunters and threat monitors, just so everyone understands exactly what's happening out there in the world.

Speaker 2:

It's going to help both parties. It's going to help both your monitors and your threat hunters, just because your monitors are going to be monitoring for any alerts and they're typically going to. You know, especially if the tool is not tuned, they're probably going to have a large number of alerts to have to deal with and having an understanding like, for instance, if the threat intelligence team says hey, these are specific IP addresses that are being used by these advanced persistent threats that are out there, these are specific malware hashes that are being used, these are indicators of compromise for this particular type of attack, if you know those things. So even when you're doing threat monitoring, you can be looking for those particular things as opposed to just writing down okay, writing down all the information and IP. You can say, hey, this right here and let me go back and look at that report again. It's the same one, so maybe this is one of the same. Yeah, yeah.

Speaker 1:

Yeah, like I was thinking, like you know, this is why, like, threat intelligence is probably going to be a totally different thing. Because basically, you know, like the threat monitor, first of all, threat monitoring and threat hunter are actually two like a two pronged sword more or less, to find these threats, but then the threat intelligence team is going to basically inform the entire operation. And you're saying, basically, that's like we'll get into that a little deeper but later on. And like the, whereas, whereas the threat monitors are picking up these alerts and these IOCs, indicators of compromise, they still like. Because I remember I actually spoke to a guy who was doing threat monitoring work for forgot what way worked and he was like, well, how do you know? He said we get like I think it's a hundred to thousands of IOCs and he's like, how do you know which ones to pay attention to? And I was thinking, and I didn't really I didn't do, I did threat intelligence, but not not that you know, not that type, and I, but I gave him a load of advice. I was like you know, I said basically, I said hey, what? Basically where? Where's your, where's your intelligence pointing? You know what I mean. I said you know where's your PIR.

Speaker 1:

You know, because the only way, the only way for you to be able to discern what's important with all those hundreds and thousands of IOCs coming through is if you start with a level, with a PIR, with a priorities list. Basically, you know what is your priority intelligence requirements, like what's going to freaking, bring down the house for this particular organization guys. You know what's your critical areas of concern. That's something I talk about within BRaaSS a lot. Pretty critical areas of concern. You know where's that? If you want to find your critical areas of concern, then you can figure out. You know, you're not. You're not just looking at general IOCs again now. You're looking at things that that matter to your specific, specific operating environment. You know which is hugely important, man. You know they don't. I never really hear that man, but let's focus in on what are the critical areas of concern for your operating environment.

Speaker 1:

You know, find those PIRs, those priority intelligence requirements, or, you guys, information around 10,000 intelligence requirements, and then go from there. You know, then start, then start. You know, okay, this IOC, I'm going to, like you know, disregard one third of these IOCs because they don't matter to my financial institution. This is something that works more for an energy company, it would be more scary for them, whatever you know. But, right, you know I'm generalizing, I'm generalizing, but you know what I mean, but that's, that's generally what I'm trying, what I what I see. So, okay, so just going back, I'm just throwing more clarity for for everyone involved and I just think that that's a very important point that we touched upon right there.

Speaker 1:

All right, so sorry guys. So go ahead back to, like you know, looking at the whole threat hunting process. So start being with threat intel, threat monitoring. You guys are a two pronged sword. That's going to, you know. Basically, you know, discover in the difference between threat monitors is that they alert you to the threat and the threat hunter. What do you mitigate the threat or do you stop the threat?

Speaker 2:

What do you know basically? Basically, if you are a threat monitor, your job is. I mean the threat may or may not have already occurred. Their job is simply to monitor the network environment for any alerts that populate, so that they can actually work and triage those alerts and you know, basically report what their findings are. So and that's, that's about 80% effective, you know, when you have an entire team of people working, particularly like in a SOC environment where you have 24 hour coverage of whatever clients that you're working. And now it's pretty effective up to about 80% as long as everyone is doing their due diligence on the job.

Speaker 1:

But what about the?

Speaker 2:

other 20%.

Speaker 1:

What do you think will happen? Yeah, go ahead. No, but what happens though? I mean? So we say 80% effective, what are they right?

Speaker 2:

Well, because typically, you know, as long as the tools that they're using have been optimized okay and have been tuned you know, tuning is something that's an underappreciated thing, is one thing to set up, like this Splunk for an environment, but if you don't tune it, you know you can literally, you know, be looking at in a month's time, no, over 6,000 alerts, you know. And if you've got a small team, that's just all you're going to do is just be triaging alerts all day long. You're not going to care if there's an APT that's been sitting in your environment for, you know, six months, because all you're trying to do is clear out the alert board. Because a lot of times people say why don't we have so many alerts and there's still like 500 alerts? Who's supposed to be working these alerts? And I need people to get up, you know. So that's why you need, that's why you're going to need threat hunters as well to go into the environment to say you know what, I'm not going to be looking at these alerts. You know we have people designed specifically to do that. I'm going to be looking in the environment, particularly for things that just recently came out in the latest intelligence reports by our Cyber Threat Intelligence team.

Speaker 2:

So some of those things can be. For example, there's a new string of ransomware attacks that have been occurring and here's some of the artifacts that was found within the lines of code. That's when they when they actually implement that ransomware within your environment. So now I know okay. So when I see these particular strings or these particular lines of code, okay, I'm going to query specifically for those things. All right, so, because one of the things that I used to do is I used to take a look at okay.

Speaker 2:

So we have all these different APT groups right in every group. You know, just like every military unit, every law enforcement, they have their way of doing business. It goes the same thing for these malicious actors. They have a way to do. It's like their signature. You know, they may always use a particular type of, whether it's a programming language or it might be a particular type of document that they use to infect, such as PDFs or Word documents.

Speaker 2:

So as long as you understand what those things are and you're only what you're going to understand, as if you received that information from your CTI folks they can help you to know exactly what you need to search for. So this way when I'm looking for. Okay. So here's a line when I see this particular string, I know that this is this particular type of ransomware that I'm dealing with. So now I would draw my own report saying I'm doing threat hunting, looking for BlackByte ransomware, indicators of compromise or artifacts or whatever the case. So then I know, based on the intelligence report that they gave to me, these are the things that I need to be looking for, in addition to things that I would normally be looking for. Okay, so the spikes in traffic and things of that nature.

Speaker 1:

Okay. So the spikes in traffic, would that mean you'd be kind of doing, okay, is that the spikes you know? Taking a look at spikes in traffic would you say that's a threat monitoring thing or it could be, it could be specifically to a 300.

Speaker 2:

You know, it would be for both, actually, because sometimes some tools can be tuned to where if a certain amount of data, like once it exceeds a certain limit, it may trigger an alert, but then again, in some environments it may not ever trigger an alert. But then to me, when I see stuff like that, I'm like, okay, let me take a look at, historically speaking, what has the traffic been like? Why is there always a spike at this particular moment? You know, particularly when you look at what time did it occur? Is it two o'clock in the morning? You know somebody trying to do data exfiltration, you know. So there's a lot of things that, just based on your knowledge, training and experience working in these environments, that's going to help you as a threat hunter. That's my question, David to identify Yep, go ahead.

Speaker 1:

That's my question, though, Jay. It's like you know. You know, from a threat intelligence aspect, we have, you know, quite a few tools to kind of help us, not to mention all the databases and then the MITRE ATT&CK to figure out behavioral action, activity, and now we got a lot of stuff you know. So do you, does a threat hunter have like sort of you know? I mean, are you, are you purely relying on your threat intelligence team to figure out, how, does how to basically, you know, figure out if there's a, there's something going on in their APT or something going on in network? I mean, are you purely relying technically on your threat intelligence team, or or, or is there a way for for you to have, like you know, is there a? You know? Can you be a threat hunter in an isolated environment, you know, without a team?

Speaker 2:

You can. You can. You just have to kind of do a little bit of your own research on your own, which is one of the things that I used to do all the time. You know, there are certain websites out there, like Hacker News, that do a really good job of putting out okay, anytime there's a new patch, updates, anytime there's any sort of cyber attack that occurred, all the information is right there, and then they'll not only just tell you hey, a cyber attack occurred on this day, this is the group that was responsible and this is how they did it. So then you can say, okay, I'm going to take all this information that came out today and I'm actually going to do threat hunting in all of the environments that I'm responsible for to see whether or not I can identify any of these artifacts or indicators of compromise within the environment. Now, what you can do to make your life a little bit easier because you can manually do all these searches and queries and things like that.

Speaker 2:

Which takes a considerable amount of time, or you can actually create from, like the website SOC Prime. You can create a Sigma rule. That's basically a script that's written in YAML that can help you automate your basically your threat hunts. So it helps a lot when you can do something like that, because it does take a little bit of extra time to do it manually.

Speaker 1:

So where do these Sigma rules come from? And I was going to do we were talking about automated versus manual and manual. Basically, you just briefly explain it. You basically are going in and doing your own intelligence, data research on what's going on, probably based on, hopefully, some kind of PIR.

Speaker 2:

Well, I'll tell you what if you had a really good cyber intelligence team, right, they could give you all the information that you need to plug into your Sigma rules to run it.

Speaker 2:

Because you have to put certain information in there, because you can make a very general one, right. The thing is, when you make a very general one you're going to come up with and you run that script in whatever tool that you're using, it may come up with just a million things. You know what I mean. Like, if you're looking at event logs, for example, and that's all you're looking for, there's event logs for everything that occurs on the network, for you know, all the time. So then you're going to have, like, too much data to sift through yourself. But if you know, okay, so this particular attack that occurred recently yes, it was in the event logs, but it was also specifically pertaining to PDF documents that were downloaded from an outside entity Now you can say, okay, now that narrows down your search, right, and then you can actually program these or input that data into your Sigma rules to kind of help you identify more quickly. You know whether or not there's an actual threat inside your environment that's hit.

Speaker 1:

Can a Sigma rule only be run from SOC Prime or can it be run from any of the systems that you use? Like no?

Speaker 2:

you can. You can run it as like. The thing is, the good thing about SOC Prime is that not only can you create your Sigma rules there, you can test it to see if it's actually going to work. And the other thing is, if you don't know what you're doing you did that just say you use a notepad, because you can definitely use Notepad on any Windows machine. Create a Sigma rule and you can run it and say, oh, it came up, nothing you know, but maybe you were missing a comma or something in there and so you didn't even know if it actually worked or not, which is why I prefer to use the SOC Prime website. But yes, as long as, but once you create templates, you can create templates for particular types of things you're looking for, and then all you can say okay, so here's a couple that I have specifically designed looking for ransomware. Here's another one that I'm looking, that I have looking for, you know, any types of particular vulnerabilities that came up?

Speaker 1:

So can you walk us through, like, like. I mean honestly, can you like just pretend like you know, like you know you talk to the dumbest person in the world? No, maybe not, maybe not that bad, but no, but just no, just imagine just, can you walk us through from from from beginning to being able to run it? And when you say notepad, I mean I know what you mean, but I mean let's, let's pretend you know, we don't know what you're talking about. And I'm starting out and I have to do this.

Speaker 1:

I mean I just got this job and I was hired to be a threat Intel person, but then all of a sudden they're telling me to be a threat hunter. And I never done no threat hunter. I could, I could, I can find information all day so that that part of it's taken care of right. But now I've got all this data about this financial network that I'm protecting and now they want me to start doing some threat hunting and I'm just like, I don't have time to read.

Speaker 1:

I just, you know, I just need a. I need a nice short and short and, you know, quick, easy, step by step way for me to go ahead and automate this, this a very thorough threat hunt so I can keep doing the threat Intel portion by the same time get information to make sure that the network is clean or that we're not being currently attacked, and so you know, can you run us through like a step by step man, like where would I start? Okay, you, you know you have the threat Intel, but but how do you start the hunt? Man, can you, can you walk us through that man?

Speaker 2:

Well, I mean, it's kind of hard to do this without actually, you know, doing a demonstration on a computer to kind of show you what it looks like. So basically, so basically, what you want to do is you want to, you need the information first. Okay, you can't just do threat hunting with no information.

Speaker 1:

Right, we got the information you don't know what you're right.

Speaker 2:

So you, you have the information, whether you did your own research or you obtained it from your cyber threat intelligence team. Right, and so you're right. So then, once you have that information, then this is when you have to be familiar with your actual tools that you're using.

Speaker 1:

So so you right.

Speaker 2:

So like, for instance, Splunk and CrowdStrike you know there's just two. You have Carbon Black Response. You got RSA NetWitness. You know there's a lot of tools that are out there. You know IBM's QRadar. So, as long as you are familiar with these tools and how to actually conduct searches so, for example, in Splunk, you know there is a search bar in Splunk.

Speaker 2:

Okay, if you just go and type in a bunch of stuff in there, it's not going to work because Splunk uses particular syntax. So that means you have to understand how that syntax is. So for threat monitor, for example, they should be familiar with that, but they may. They may go in and say, okay here's, it shows me, this is how many high alerts we have. And we have, you know, two critical alerts. So I'm going to start with the criticals and then you know next thing you know about a time they finished doing all that stuff their day is over with.

Speaker 2:

So they didn't actually have to do any sort of proactive searches within the environment. But if you got to do an actual search within Splunk, you have to understand the sentence syntax and the symbology that you need to use to make sure, because if you just type something in there. It's going to probably come up, or there's nothing here, but that doesn't mean that it wasn't in there. It just means that you didn't know how to properly conduct a query or a search within Splunk, which is when that experience and training comes into play. So, and obviously understanding, like the CVEs that come out on a pretty much on a daily basis, you know, following the US Cybersecurity and Infrastructure Security Agency, they are always putting out, you know CVEs. You know, for example, I think one came out today is CVE-2020-3255.

Speaker 1:

For those who don't know, CVE is a vulnerability, common numeral vulnerability. What is this common vulnerability enumeration? Something like that Yep, yep. Basically it's a vulnerability. That is that basically, whatever software or network or kernel, whatever hell it's going to tell you about, it's going to tell you what the vulnerability is, what's going on inside your network. So knowing your CVEs, or being able to check on your CVEs or go to Hacker News and see what the latest threat is cyber threat is, which usually comes with a CVE is very helpful to your, to your hunt. It's okay. So then you know, you go through. You got Splunk, you got CrowdStrike. Let's say okay. Let's say okay. Well, you, generally you got to know how to actually manipulate the tool, bottom line, exactly, yep. So you can manipulate the tool, but you can plug in it with Splunk or CrowdStrike, be aware of the CVE that came out, or anything like that. Or how does that work?

Speaker 2:

It depends upon how it was actually set up. A lot of times they may not. They may not. They may have some particular because, using the way these tools are or initially set up, they're set up to trigger on specific types of activity. So they may say, okay, if someone is downloading over this, this amount of megabytes or whatever the case, it's going to trigger an alert or it's going to block the activity. If you have an outside entity that's trying to make communications or send information inside the network, it may automatically be blocked and it's going to trigger an alert. So you know, because CVEs come out constantly, it's impossible for a system to actually trigger on those specific CVEs, but what it may trigger on is the activity that's contained within the CVE. That is typically how it works, which is why a lot of these systems, if they're not constantly being tuned, will trigger thousands upon thousands of alerts on a daily basis.

Speaker 1:

Okay, so know your tools. Alright, so you got to know your tools. So then we won't move into. We are, so we know, we know where the threat is, so we know where the threat is. We know our tools, know our operating environment, or does it? We already talked about that. The PIRs, or understanding the environment that you're working within, so like a financial network is gonna be different than a manufacturing network. A whole different, whole slew of different PIRs and potential IOCs are gonna be in that network. So you generally have to know what you're looking at on a daily basis to be effective as a threat hunter and even a threat Intel person, right, but it makes them a yeah, okay, so so then after that Jay. So you say so we got, you know, know your. You know, know your tools, know your operating environment. We just said you know, know your threat. What's the? What was the other one we're talking about? Is there another one out there we should consider?

Speaker 2:

So you know we talked about those persistent threats, or as well I like to call hidden threats or sleeping tigers. You know because that's pretty much what they are. You know because you would, you want to be able to identify and detect. It is what you want to do, as opposed to just responding to alerts, because if you can identify it in a tech, detect the, then you can respond to that particular threat that did not you know or may not have triggered, particularly if they've been in your network for a long, long time, which is extremely a you know, possible in most environments. You know, particularly in your small to medium-sized businesses and even in some larger ones. So you definitely want to. You know those are like the main things that you're gonna be looking for. Obviously, you know any sort of indicators of any of the. You know ransomware is always a huge thing. That that's triggers and plagues most companies because no one likes to have their stuff encrypted. And then you know it because it can shut down an entire organization right, especially if it's not backed up.

Speaker 1:

You don't have any redundancies, right, right, yeah, but so so. So finally, like know, know, know your hunt, you know we. So, basically, like we covered us. So know, know your hunt. Well, so basically, I'm automated versus manual, manual, have had they basically manual. A manual hunt has their own has, has its own steps, basically that that a person can take, you know, and they usually go back to the knowing, the tools and buttons and exactly. But there's still a step-by-step sort of a you know thing you want to go through to do a manual hunt, and a good one. All of it still still goes back to you know. Knowing where to hunt mean you know, know your threat, intelligence, knowing you know your operating environment, knowing your tools. I mean, those are, those are the essentials of threat hunting from my. What I understand. Is that, would that be accurate?

Speaker 2:

Yes, it'd be extremely accurate. You know, just like you say knowing where to hunt in a cyber environment. That's really true for any environment. If you are a deer hunter, you know you're not going to be standing in the middle of the ocean in a boat looking for deer, right? You need to know exactly where to go, right. You know you may not go to a burnt part of the forest that has been burned down. You know there's not gonna be any hanging around there either.

Speaker 2:

So you kind of have to know. Someone has to tell you hey, this is a good spot. It's just like fishing. You know, if you're standing with your feet barely touching the water trying to catch a fish, you know you may be standing until you have a long beard. So you have to have that intelligence. Say hey, you might want to go out in this area right there, that's where most people have been catching fish or whatever the case. So that's, you know that's. That's kind of part of it too as well. It's not just knowing what to look for, but how to look for it and where to look for it so.

Speaker 1:

So, from a, from an owner perspective, like, okay, so I'm the owner of a of a company and I hired your team. You know how do I get my return on investment from you guys? I mean just because you. What do I mean? Because what's gonna what? Why do I care? I'm not, I'm not a cyber person, I'm just a person that don't that I don't want my stuff compromised, you know so. So what is it what I'm gonna? What am I gonna get from you? You know what? What should I want to achieve from an ROI perspective, as as the boss you know, from you guys? I mean what, what am I? What am I hiring you? Why am I hiring you what? Because I mean, okay, yeah, everybody knows we don't want my my organization to collapse from an attack or to lose a ton of money, but what, specifically as a threat hunter, can you do besides find a threat?

Speaker 2:

So I mean, basically, when you have a threat hunter that's in addition to a threat monitor um, and usually it's going to be a team of each you're not going to have just one threat hunter, um, because, you know, unless he's a robot that can work 24 hours a day, it's just, it's just not feasible. You're gonna need a team of hunters and, and collectively you can greatly reduce your chances of being, um, you know, attacked, because not only do you have someone who's monitoring your current alerts that are triggering on a daily basis, but you also have someone who is proactively engaged and looking for those specific advanced persistent threats that may be in your environment. And it's not just the advanced persistent threats, it's also, um, those indicators you know of, you know potential where ransomware, it could be, payloads that could have been dropped in a dormant state, um, you know, it's like a ticking time bomb, uh, like the Trojan horse. So I mean, uh, a good threat hunter can actually do those things and they can actually, you know, create reports, not just a report. Yeah, I worked this alert and I triaged it and it was a false positive. They can say I actively looked for these particular um.

Speaker 2:

And one of the things I would say too, is is understanding the entire like. You have to make sure that you understand your operational environment, like we talked about earlier, which also includes knowing what's running on your network. You know, you need to know what servers are running, what programs, what software do we have, because each one of those things is going to have their own individual vulnerability. Um, because hackers are, all you know, a bored hacker is a dangerous hacker, because then they start finding things to do and then they might say you know what I'm going to target. You know they've been using Cisco, you know I'm going to target Cisco and they've been using firewalls of a particular next gen. I'm going to target those.

Speaker 2:

So every, not only you you have to worry about things like ransomware attacks and APTs getting into your environment, but all of these other little software and devices that you have. What vulnerabilities do they have? So once you can actually show that, hey, there was a. You know we use Apache on our network. Um, I did a threat hunt looking for those particular things. Um, we did not find it in the network and here's my report. So I mean, I I think from a the C-suite perspective, to be able to say, okay, we have alerts that are being worked by our team that the um, the, the tools themselves have been tuned to the point to where we are, have reduced the number of alerts, I mean yeah, which means the alerts that actually do trigger have a higher likelihood of being something that we need to pay attention to. And then I have a group of threat hunters who are actively looking for um threats that are particular to the tools and the software that we particularly use at this organization.

Speaker 1:

So, so, so this way, and so so I'm, so I'm, so I'm hiring, so I'm hiring insurance basically.

Speaker 2:

Basically. Yes, it's kind of like an insurance, because you you definitely will greatly reduce your chances of being uh, I'm not going to say targeted, but definitely being compromised.

Speaker 1:

Okay, okay, so I mean so that's this really? I mean, that's not gonna be a small business sort of expense, generally speaking.

Speaker 2:

Well, I mean it could be, it just depends, right. So, like the thing is, you know a lot of small businesses. If you have a business as like nine to five, right, and those are the same hours that your security team is gonna be working, so what happens after 5 pm until you come back to work the next morning? Let's just say five or six am. Usually those are the times when attacks are going to occur. They're not gonna do it in the middle of the day, where they know everyone's looking right. They're gonna do it in those off hours. So if you do not have coverage which I always recommend that people you at least have an on-call person that's monitoring or doing something you know, I mean. So once you just leave yourself wide open, you mean anything could happen, right.

Speaker 1:

So once you guys find something, is that where the incident response team comes in and, in the name of day, go ahead and mitigate or or try to so much on her.

Speaker 2:

So that that right there is gonna be driven from top down. So policy should be written about how do you handle certain incidents. So you're gonna have, for example, an alert may may not necessarily develop into an incident. So when I think of an incident, I think if something has actually happened, so you have an actual incident, right, you're gonna have classifications of the incident. I mean, is it a, is it a low-level incident? Or you know a lot of companies that I've seen they have, you know, critical, high, you know incidents. So if it's something like a medium or low incident, you know they may or may not want you to, they just may want you to report it. But if it's a critical or high incident, which means, yes, we have somebody that is in our environment, or yes, we did find evidence of this particular payload, of this ransomware in our environment, so you, then you would have to follow whatever those incident steps that were developed by the organization.

Speaker 2:

Because now, if you don't have anything like that, the only thing you can do is to say, hey, you know, let your you know immediate supervisor know and say, hey, this needs to be pushed up. And if you're working for a client, like as an MSSP, like I was doing. You have to not only notify your own chain of command, you have to notify immediately whichever is on the that, the alert rosters I like to call it the contact list for incidents for that particular client, to let them know. This is what we found, which means you got to kind of have your your ducks in a row at that point. So, right, you send an email out. You know you need to make sure you're not missing information.

Speaker 2:

So because if you do, then they're gonna be saying, well, what about this? And I don't understand, you know. I mean, so there's like a process, and this is when policies and things like that should be created at the top, to say, if you do have to communicate with a client because it's something that you found, this is how you know, this is the information that needs to be included. You know whether it's in an email or if there's an actual incident report template that you can create and something of that nature and I know you, I know you went through a couple of forensic courses and stuff like that.

Speaker 1:

I mean, I mean what I mean, what I mean. I'm not a good, that's probably a totally different podcast, but you know what, generally, once they find this potential APT executable worm, malware, you know or, or they have a kinetic threat like some kind of DDoS attack that's constantly hitting a, you know whatever I mean, like generally, how do they stop that stuff, man?

Speaker 2:

How do you say, how do you stop it? Yeah, I mean, the first thing you got to do is you have to isolate the machine. Okay, so you're not. You obviously you're gonna leave the machine on and running, but you're gonna isolate it from the network so that lateral movement that we talked about earlier cannot occur. So as soon as I know, as soon as I see a machine that's been compromised right, we call it, I'm gonna break it, which means it's just gonna be a standalone machine, it's not gonna be able to interact with any other machine on the network, but we still want that activity to take place on that machine so that you can get gashik, go in and do some forensics on it.

Speaker 1:

Okay, very interesting, all right and great, great, great information, great podcast. Appreciate the time and the patience with me coming in and trying to give more clarity to the audience and even to me a couple times. So good stuff, man. I really appreciate it, all right. Um, that it. That's it for today, guys. Hopefully, hopefully, you got some information, some some. You could take this and start doing your own research or you can look at some of the notes in the podcast or give us a call and we'll be happy to answer some of your questions.

Speaker 1:

Man, me and Jay are here. I'm more the threat intel side of things, intelligence in general. I've been an intelligence person for a long time through a. Jay is a multi-discipline threat hunter. I didn't get into his, his skill set, but well you'll. You probably heard that at the beginning of the podcast, but before, right now. That's it for it. That's it for today, guys. Thanks for joining us and we will talk to you soon. This has been an episode, second episode of the new year of Our American Security. Thanks so much. Take care, folks.

Understanding Threat Hunting in Cybersecurity
Key Aspects of Threat Hunting
Threat Hunting and Sigma Rules
Essentials of Cyber Threat Hunting
Maximizing ROI With Threat Hunters
Security Intelligence Podcast Featuring Threat Hunters