threathunting   209

Hacker Hurricane - blogspot
Thursday, July 12, 2018
Come learn how to hunt on Windows quickly - SANS Threat Hunting & IR Summit
threathunting  cybersecurity  blog  eventid  windows 
4 weeks ago by bwiese
Splunk App for Windows Event Logs
The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from www.malwarearchaeology.com: "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed.

The XML dashboard is designed to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events; however, some details such as the full description of the event are no longer recorded. See Feature Overview: XML Event Logs for more details.
splunk  threathunting  audit  eventid  windows  cybersecurity 
4 weeks ago by bwiese
Twitter
The ultimate goal of is to improve the performance of automated systems so that they can block previ…
threathunting  from twitter_favs
5 weeks ago by roens
Twitter
RT : Do you consider the threat's perspective when developing security defenses? You should...
threathunting  redteam  from twitter
6 weeks ago by gaelicWizard
Cheat-Sheets — Malware Archaeology
The Windows ATT&CK Logging Cheat Sheet
The Windows LOG-MD ATT&CK Cheat Sheet
windows  cybersecurity  threathunting  eventlogs  cheatsheet  reference  attack 
6 weeks ago by bwiese
SANS Digital Forensics and Incident Response Blog | Favoring Frameworks for Intrusion Detection and Prevention (2011)
The only way to empower analysts in such a way is to present network and host data structured as it will be used, for arbitrary analysis limited only by the capabilities of the underlying O/S and hardware.

these solutions need to be able to support:

Bulk surveillance or data collection
Offline analysis, with latency tolerance in detection mode
Inline analysis, with latency intolerance in prevention mode
Data structured according to its context (network/protocol, host/file/process), and corresponding metadata, available for custom analysis
Integration of custom analytical code taking any executable form recognized by the underlying O/S
Classic signature-based analysis
A modular architecture for analysis procedures
Scalability in the form of a tiered or distributed architecture
analytics  threathunting  history  cybersecurity  framework  2011 
6 weeks ago by bwiese
FIRST - Publications (2017)
APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon -
Active Directory : How To Change a Weak Point Into a Leverage for Security Monitoring
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Analytical Results of a Cyber Threat Intelligence Survey
cybersecurity  conference  first  apt  threathunting  dfir  splunk  cyberthreatintel 
6 weeks ago by bwiese
Hunting vs. Incident Response vs. Just Doing Your Job – Robert M. Lee
Hunting is a hypothesis-led approach to testing your environment for threats. The purpose, to me, is not in finding threats but in determining what gaps you have in your ability to detect and respond to them. -- would ever be able to detect and respond to the latest tradecraft observed by $ActivityGroup?

As an output of hunting, you should have gaps to address as well as detections you can now create as a result of your hunting (i.e. threat hunting cannot be fully automated but the output of your hunting should be more automation in your environment against the threats you hunted for).
If you’re measuring the value of threat hunting on how many threats you find you’re likely not to be able to justify it at all compared to just doing proactive security work. Threat hunting, in my opinion, should be a much more structured test against hypotheses that is pushing your organization forward and ensuring you’re prepared against “styles” of threats.

Back to the original question of “where do you put your hunt team?” I really wouldn’t have a dedicated threat hunting team. I’d treat threat hunting as a multiple times a year or at least once a year assessment against the scenarios that are most concerning to you and your organization. Bringing together people from across the security organization and even outside that organization can be really useful to thinking outside the box about your hypotheses generation efforts. Having a dedicated team can make the process stale and cause too much group think. I’d rather see people “take turns” in that role if there’s a need to have a dedicated function.
threathunting  cybersecurity 
6 weeks ago by bwiese
Open Sourcing HASSH – Salesforce Engineering
There are many examples of fingerprinting both unencrypted and encrypted protocols such as TLS. However somewhat surprisingly, no open source scalable fingerprinting method has been developed for one of our most common and relied upon encrypted protocols SSH — an integral component of the internet. Enter, the HASSH.
ssh  cybersecurity  tls  fingerprint  threathunting 
6 weeks ago by bwiese
Open Sourcing JA3 – Salesforce Engineering
A JA3 hash represents the fingerprint of an SSL/TLS client application as detected via a network sensor or device, such as Bro or Suricata. This allows for simple and effective detection of client applications such as Chrome running on OSX (JA3=94c485bca29d5392be53f2b8cf7f4304) or the Dyre malware family running on Windows (JA3=b386946a5a44d1ddcc843bc75336dfce) or Metasploit’s Meterpreter running on Linux (JA3=5d65ea3fb1d4aa7d826733d2f2cbbb1d). JA3 allows us to detect these applications, malware families, and pen testing tools, regardless of their destination, Command and Control (C2) IPs, or SSL certificates.

JA3 gathers the decimal values of the bytes for the following fields; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. It then concatenates those values together in order, using a “,” to delimit each field and a “-” to delimit each value in each field.

The field order is as follows:
SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
ja3  cybersecurity  tls  crypto  threathunting  cyberthreatintel  netflow  bro  suricata 
6 weeks ago by bwiese
TaoSecurity: More on Threat Hunting
Where would you place your security researchers/hunt team?

I replied:

For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend more time matching. Senior people spend more time hunting. Both can and should do both functions.

For the term "hunting," I give credit to briefers from the Air Force and NSA who, in the mid-2000s, briefed "hunter-killer" missions to the Red Team/Blue Team Symposium at the Johns Hopkins University Applied Physics Lab in Laurel, MD.

Tony Sager, who ran NSA VAO at the time I was briefed at ReBl, described hunting thus:

[Hunting] was an active and sustained search for Attackers...

For us, "Hunt" meant a very planned and sustained search, taking advantage of the existing infrastructure of Red/Blue Teams and COMSEC Monitoring, as well as intelligence information to guide the search.

"Hunt" emerged as part of a unifying mission model for my Group in the Information Assurance Directorate at NSA (the defensive mission) in the mid-late 2000's. But it was also a way to unify the relationship between IA and the SIGINT mission - intelligence as the driver for Hunting. The marketplace, of course, has now brought its own meaning to the term, but I just wanted to share some history.
cybersecurity  threathunting  nsa  history  comsec 
6 weeks ago by bwiese
TaoSecurity: Even More on Threat Hunting
Nevertheless, we must remember that threat hunting methodologies were invented to find adversary activity for which there were no IOCs. Hunting was IOC-free analysis because we didn't know what to look for. Once you know what to look for, you are matching. Both forms of detection require analysis to validate adversary activity, of course. Let's not forget that.
threathunting  cybersecurity 
6 weeks ago by bwiese