A Hunting We Will Go

This weekend, in my midnight forays on Twitter (I do sleep, just not when you think I do), I discovered these graphs. As they say, a picture is worth a thousand words. These are worth far more because they visually represent high-level concepts on attackers and hunting. All credit goes to Jack Crook @jackr on Twitter, whose site is findingbad.blogspot.com.  We know how this game is played, that the attackers have been living in our networks far longer than we realized. Defence isn’t passive. It can’t be. We need to be actively monitoring all the things. We need to be expanding the Cyber Kill Chain past the perimeter and into the depths of our realm, to play this game of cat and mouse.

I’ve been pursuing my love of threat intel over these past months, and shared my learnings via talks at my local DC416 chapter, and then – fireworks and music – at Wall of Sheep at Defcon this year. OMG!  Reading Jack’s work just fires up my urge to learn more, and these depictions show what I want to say so very well.

“Enumeration”. Per Jack

Enumeration is an attacker need. They need to know where they are, where they can go, where’s the data they’re after.

“Credentials”. Jack says

Attackers need credentials if they’re going to move laterally within your network. Here’s some ideas to go digging for.

“Powershell”. Jack adds

Here are some additional things to think about when looking at Powershell

And I saved the best for last! How will they execute?

Process execution is an attacker need. There’s opportunities for developing creative ways to find when malicious.

Thank you, Jack, for sharing this wisdom. And thank you for reading!

Advertisements

Guess What I Get to Do Next?!

INT16_1611016_Speaker_ABOUT_SECURITY-1200x630

Yes indeedy! I’ll be speaking about one of my very favourite things, Threat Intel, with one of my very favourite people, Haydn Johnson. Let’s just say we’ve put everything into this talk. We’ve finessed and enriched all our accumulated knowledge from previous works into something we are so proud to deliver.  Click here to learn more.

If you want to attend, you still can! Register for #InteropITX with my promo code & save 20% off any pass. Go to www.interop.com and use code: https://l.feathr.co/interop-itx-cheryl-biswas-c

My Approach to Threat Intel

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines.  Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, my love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear.  If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, people online I follow specifically. My twitter feed is huge and categorized. But if I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities.  This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS.  And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the head’s up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline, watching patterns, so that you can identify anomalies. Those are your threats. That is your head’s up.  I find the same thing here as I track tweets, stories, advisories, reports and blogs.  I look for evolutions in how malware is delivered, so changes in exploit kits, or for kits to disappear from site. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or, it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting. Because to really capture what’s out there, we need to broaden our scope.  I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.