Threat Hunting Summit 2020 Summary
This year's SANS Threat Hunting Summit was virtual due to the current Covid-19 pandemic. I had the opportunity to attend and participate as part of the advisory board. A big congrats to the first-time and veteran presenters, and a thank you to the SANS team for making the summit possible. We had great content that was well received by attendees.
A great quote from the summit was "Adversaries shouldn't feel safe" from Ashley Pearson's presentation "The SOC Puzzle: Where does threat hunting fit?". As threat hunters we control the home turf and have a say in whether an adversary continues to persist and how far along their objectives they get. Therefore they should not feel safe, as we will detect them, hunt them down, remediate and learn. <--- my take on the quote 😉
Below are some topics I noticed from the presentations.
Have a focus in your hunts
- It is important to focus on a certain topic when performing a hunt, whether it is a threat of concern applicable to a business unit, a TTP, or an adversary group. Doing so keeps a hunt on track and avoids drifting off topic.
Cultivate an adversary mindset
- As defenders we must think like the adversary: which systems and personnel will they target? How will they work toward an objective once a foothold is established (discovery, credential access, lateral movement, collection, exfiltration, etc.)? Great resources for getting into this mindset are books and courses such as the OSCP, GPEN, PTP and others.
- Documenting the search queries used to prove or disprove a hypothesis, and centralizing this information, is key so that hunters do not have to start from scratch in future hunts. Afterwards it is important to report on the outcome of a hunt. It is OK to not find an adversary, but are there other findings? Did a security control fail to trigger on a threat behavior? Was adversary activity not found because of a discrepancy in the logs? Such findings can help sell the value of hunting.
Normalization of data
- As threat hunting gains traction in various industries, it is becoming important that data be in a common format so that hunting leads and detection logic are generic and not tool-specific.
Machine learning and advanced analytics can augment a threat hunting capability, not necessarily replace it
- I truly believe that the human element cannot be removed from threat hunting. I think that technologies such as machine learning and automated workflows augment a threat hunting capability by furthering analysis, but they do not take the place of human analysis.
Open and inclusive to others to build a diverse team
- David Bianco's keynote on the second day delivered a powerful message on being inclusive within the InfoSec community. As a realist I recognize this is something that will not go away overnight, but as an individual one can commit to empowering more women and minorities to join the field and to being an ally against gate-keeping and those who wish to bestow negativity upon them.
WinSCP for exfil
- Mari DeGrazia had a great presentation on artifacts related to WinSCP usage and how adversaries take advantage of the Linux subsystem in Windows 10. Going back to cultivating an adversary mindset, threat hunters should look at other features within their environment's technology stack and think of ways these could potentially be misused or abused by an adversary.
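Added example, not code from the summit or from any presenter: two constructed, vendor-style process events are mapped into one common schema (the field names and the two raw formats are my assumptions) so that a single documented hunt lead for file-transfer clients such as WinSCP runs over both sources. It illustrates the normalization point above together with the WinSCP artifact discussion.

```python
import re

# Constructed sample events, not real telemetry: a Sysmon-style process start,
# an EDR-style JSON process start, and a Sysmon network event (not a process start).
RAW_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\WinSCP\\WinSCP.exe",
     "CommandLine": "WinSCP.exe /script=upload.txt"},
    {"source": "edr", "event_type": "process_start", "host": "srv-linux-02",
     "user": "bob", "process": {"path": "/usr/bin/scp",
                                "cmdline": "scp archive.tar.gz user@203.0.113.10:/tmp"}},
    {"source": "sysmon", "EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5"},
]


def basename(path):
    """Last path component for either Windows or POSIX separators, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def from_sysmon(ev):
    """Map a Sysmon-style event to the common schema; only EventID 1 is a process start."""
    if ev.get("EventID") != 1:
        return None
    return {"host": ev["Computer"], "user": ev["User"],
            "process_name": basename(ev["Image"]), "command_line": ev["CommandLine"]}


def from_edr(ev):
    """Map an EDR-style JSON record to the common schema."""
    if ev.get("event_type") != "process_start":
        return None
    return {"host": ev["host"], "user": ev["user"],
            "process_name": basename(ev["process"]["path"]),
            "command_line": ev["process"]["cmdline"]}


NORMALIZERS = {"sysmon": from_sysmon, "edr": from_edr}


def normalize(raw_events):
    """Return only the events that map onto the common process-start schema."""
    normalized = (NORMALIZERS[ev["source"]](ev) for ev in raw_events)
    return [n for n in normalized if n]


# A documented hunt lead written against the common schema, so it is tool-agnostic
# and can be re-run (and reported on) against any normalized source.
HUNT = {"hypothesis": "File-transfer clients launched on endpoints may indicate exfil staging",
        "process_names": {"winscp.exe", "scp", "pscp.exe"}}


def hunt_transfer_tools(raw_events, lead=HUNT):
    """Run the lead over normalized events; return (host, user, process_name) hits."""
    return [(e["host"], e["user"], e["process_name"]) for e in normalize(raw_events)
            if e["process_name"] in lead["process_names"]]
```

Adding a third telemetry source means writing one more normalizer; the hunt lead itself does not change.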
Cloud hunting will focus more on access and content logs
- As cloud platforms abstract IT away from maintaining hardware and, to some extent, from configuring operating systems, our focus as defenders will shift to the access and content logs these platforms generate.