
Threat Hunting: Be The Hunter, Not The Prey

Hamza Beghal


Threat Hunting took the Information Security world by storm in 2016. Its introduction as the solution to the now outdated SOC model has created a new breed of security professionals – Threat Hunters. People with both offensive and defensive skills who proactively hunt through the unknown for the next APT.
This talk aims to continue the discussion around Threat Hunting but also move onto how to actually become an effective Threat Hunter in 2017. Areas such as skillset, APT hunting and what the role entails day to day will be covered through a series of technical case studies based on the years of experience of the best Threat Hunters in the industry. This is an unprecedented opportunity for both security professionals and enthusiasts to find out exactly what it takes to be a Threat Hunter.

At present, many professionals who hold cyber security roles find that their skillset is not broad enough to carry out effective Threat Hunting within their organisation. Others are interested in pursuing this up-and-coming role as a new career path, but cannot find the roadmap they need to prepare themselves adequately. This presentation will cover all the relevant areas needed to solve this problem. The world needs more Threat Hunters, and you can do something about it.

You may be asking what all this information is based on. The answer lies in the case studies chosen to demonstrate the key areas discussed in this presentation, which are accompanied by some fascinating stories straight from the front lines. But first, here is a breakdown of what will be covered in this presentation.

To begin with, we will be going through a quick overview of the current security roles in the industry, both on the offensive and defensive side. Getting a good understanding of the skills involved in each role and the level at which they are practiced will be important for the rest of the talk.

From there, the workflow of a Threat Hunter will be broken down with a focus on how to keep progressing and become more experienced and effective at Threat Hunting. This part will be based on how a newly formed team of Threat Hunters evolved over two years. It will look at incident investigations on the job but also at research time, and at how to combine both for the best results. Incidents can come in many forms and often change in severity over time. The ability to quickly determine the severity of threats will be explained through the application of the skills involved at each stage of an investigation. On the research side, having access to more resources and the freedom to investigate a particular threat will present a different side to Threat Hunting: one where a rigorous process is involved, from data collection through hypothesising and testing to use case development and write-up.

This will lead into two case studies which will demonstrate how the previous talking points apply day to day in the real world. The first will be based on APT29's POSHSPY backdoor. This fileless backdoor will allow us to look into the use of WMI event subscriptions as a customisable persistence mechanism. Dealing with conditional triggers in the filters is a challenge which threat hunting aims to resolve. PowerShell will come into play, as it always does, with a look at interesting post-exploitation modules. These range from sneaky hiding methods in the file system to using steganography in C&C methods. We will then look at how to deal with these techniques when coming across an unknown malware sample while Threat Hunting, and, more importantly, at the skills involved in turning these investigative techniques into use cases which improve your capability of catching malware behaviour.
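The kind of check a hunter runs against the persistence mechanism this case study describes, as an added example (not code from the talk or from Countercept): it lists the permanent WMI event subscriptions on a host and surfaces the filter condition behind each consumer that executes a command or script. It assumes a Windows host with PowerShell 3 or later and rights to read the root\subscription namespace.

```powershell
# Added hunting example, not code from the talk: enumerate permanent WMI event
# subscriptions (filter + consumer + binding) and flag consumer classes that
# execute commands or script, so each trigger condition can be reviewed.
# Assumes Windows, PowerShell 3+, and read access to root\subscription.

$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that run arbitrary commands or script; review these first.
$riskyClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$report = foreach ($b in $bindings) {
    # A binding references its filter and consumer by key (Name); resolve both.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object {
        $_.Name -eq $b.Consumer.Name -and
        $_.CimClass.CimClassName -eq $b.Consumer.CimClass.CimClassName
    }
    $class = $c.CimClass.CimClassName

    # What fires depends on the consumer class.
    $action = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
        default                     { '(non-executing consumer)' }
    }

    [pscustomobject]@{
        Binding    = $b.Filter.Name + ' -> ' + $b.Consumer.Name
        Suspicious = $riskyClasses -contains $class
        Consumer   = $class
        Trigger    = $f.Query           # WQL condition that fires the consumer
        Namespace  = $f.EventNamespace
        Action     = $action
    }
}

# Executing consumers first; the Trigger column is the conditional filter an
# analyst has to explain before the subscription can be called benign.
$report | Sort-Object Suspicious -Descending | Format-List
```

Every binding that lands in the Suspicious group needs an owner: legitimate software does register such subscriptions, so the filter query and the action template are what decide whether one is expected.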

The second and final case study will focus on the evolution of the Andromeda malware family since 2013. The way it has evolved over the years makes it a prime candidate to demonstrate how Threat Hunting allows you to predict and effectively deal with how malware will try to evade you next. The concept of understanding malware techniques rather than relying on signatures will highlight how this kind of methodology allows you to hunt the unknown by recognising similar techniques elsewhere, even if they are not identical. In this case, manipulating regex searches, circumventing Anti-VM/Debug methods and how to catch malicious use of PowerShell will be discussed in detail. Tracking its C&C infrastructure will show an interesting way of hunting for and differentiating between command and plugin domains, along with its use of API hooks as a stealthy way of enumerating system information and its blending in with legitimate beaconing activity. The technical skills involved here, such as malware reversing and network analysis, will be shown in a new light when used in the context of Threat Hunting.

To conclude, study material will be recommended to get started as a Threat Hunter and quickly be in a position to work as one in the industry. This talk aims to have a balance of technical material and effective ways of using it in the context of Threat Hunting. Given that this will be presented at HITB GSEC, it will also be a special call to women who are passionate about security to apply for this unique role.

About Hamza Beghal

I have been a Threat Hunter at Countercept since 2015. I joined right after completing my degree in Computer Security at De Montfort University. Since then, I have investigated thousands of incidents, achieved both OSCP and CRIA status, and presented to clients and security audiences alike.