In this episode, delve into the world of cyber security through the lens of expert threat hunters. As they navigate the complex digital landscape, these skilled professionals employ advanced techniques and tools to investigate systems meticulously. Their mission: to unearth hidden implants and payloads that lurk undetected, posing significant risks. Through a combination of expertise, intuition, and cutting-edge technology, they reveal how they stay one step ahead of cyber threats, ensuring the digital safety of organizations. Witness the high-stakes game of cyber threat hunting, where every clue uncovered could be the key to thwarting cybercriminals and safeguarding valuable data.
- Twitter: @almorabea
- Twitter: @CyberRiddler
- Website: https://thecyberriddler.com
[00:00:00] Hey, this is Ahmad here
[00:00:02] and today we are going to talk about a thrilling journey into the world of threat hunting
[00:00:07] Imagine yourself as a digital detective
[00:00:09] sifting through the logs and your environment landscape
[00:00:12] Judd Smart and seeing adversaries
[00:00:15] and since you already know about the podcast
[00:00:17] I assume that you are really familiar with the term adversaries
[00:00:20] and adversaries are the cyber gangs, or cyber criminals
[00:00:24] who want to invade your network
[00:00:26] and with bad guys around, that's why we need our heroes who defend our network
[00:00:30] and this is what they do every day
[00:00:32] I mean the defenders of course and threat hunters
[00:00:35] so let's decode and understand the internals behind this art
[00:00:39] grab your gears, we are going hunting
[00:00:44] You're listening to the Cyber Riddler
[00:00:47] where we decipher the offensive and defensive side of the cyber world
[00:00:52] Ahmad Almorabea
[00:01:22] This is a very simple and simple story
[00:01:24] it's like knowing there is a needle in the haystack
[00:01:27] and diving into finding it before it pricks someone
[00:01:30] Hunters form some sort of hypothesis based on their knowledge of adversaries and environments
[00:01:36] and then investigate to prove or disprove these theories
[00:01:40] but it's not about having the right tools
[00:01:43] it's about the hacker's mindset or the mindset in general
[00:01:46] you are like Sherlock Holmes in this type of space
[00:01:49] piecing together clues from different dialogues, network patterns and anomalies
[00:01:53] and you think from a hacker perspective
[00:01:56] not only that, you are trying to think outside the box
[00:01:59] to try to change some vulnerable component in your network
[00:02:02] and think if someone has tampered with it
[00:02:04] Now let's step into a story that is to read just how crucial this can be
[00:02:10] but before we jump into this exciting story
[00:02:14] let's take a brief detour into cyber security terminology
[00:02:17] and describe what is threat hunting
[00:02:19] so threat hunting is like doing a project on your security logs
[00:02:23] and like 3 detection
[00:02:25] threat hunting is a manual investigation effort
[00:02:27] that starts with expert defenders coming up with thesis like
[00:02:31] if there was a threat actor in the system
[00:02:33] what could he do?
[00:02:34] not having to describe anything more than this theory
[00:02:37] means that threat hunting can be effective at catching the ghosts in the environment
[00:02:43] so let's dive into the story
[00:02:45] this story is from Snowflake's own security team
[00:02:49] the team had been spending time studying hackers' toolkits
[00:02:52] especially those that were breaking new ground and attacking infrastructure hosted in AWS
[00:02:57] one of these toolkits was the Pacu offensive framework
[00:03:01] released by Rhino Labs
[00:03:03] analysis of these attack tools
[00:03:05] guided the threat hunting tactics that would soon pay off
[00:03:08] historically hacker groups at all levels
[00:03:11] tend to read the same literature
[00:03:13] and even reuse the same toolkit
[00:03:15] trust me they use the same open source toolkit at all times
[00:03:19] the Iranian APT group known as CopyKittens
[00:03:23] successfully compromised targets using the open source metasploit toolkit
[00:03:27] and trial version of its commercial cousin
[00:03:30] Cobalt Strike
[00:03:31] by studying Pacu's payloads
[00:03:33] the Snowflake security team knew
[00:03:35] what kind of access denied error would be triggered
[00:03:38] by the use of the hacking tool in its environment
[00:03:41] a red team exercise was initiated a few months later
[00:03:44] without the knowledge of most members of the security team
[00:03:47] the hired penetration testers, using techniques
[00:03:50] that had proven successful at previous engagements elsewhere
[00:03:53] began feeling around the environment
[00:03:55] the reconnaissance techniques
[00:03:57] however had been influenced by the same payloads studied by the team
[00:04:01] and tripped alarms that pointed Snowflake's threat hunters
[00:04:05] to the activity of the red team
[00:04:07] having logged data from both the servers and the cloud environment
[00:04:11] in one Snowflake database
[00:04:13] enabled the hunt team to investigate related activities
[00:04:16] and quickly uncover the pentesters
[00:04:19] in a brief session after the exercise was completed
[00:04:22] members of the red team wrote
[00:04:24] wow I'm really curious what tipped them off
[00:04:27] if it wasn't access denied error
[00:04:29] and what he means by that is he accidentally ran a command
[00:04:32] from the wrong profile
[00:04:34] and then he completed
[00:04:36] or just the IP address that looked out of the ordinary
[00:04:39] or related to us
[00:04:40] we were not doing much more than distinct directories
[00:04:43] and checking permissions
[00:04:44] so they didn't do anything except for one
[00:04:47] wrong command from the wrong profile
[00:04:50] and then the access denied errors that were studied
[00:04:52] tipped them off
[00:04:54] the exercise demonstrated the importance of research
[00:04:57] and preparation for effective threat hunting
[00:04:59] with that you can measure and study many things
[00:05:02] that could be flagged and can be used by attackers
[00:05:05] in your environment
[00:05:07] another form of preparation involves the data serving
[00:05:10] the threat hunters
[00:05:12] your adversaries will move from endpoints
[00:05:14] to corporate directories to cloud APIs
[00:05:17] and back again
[00:05:18] this means hunting them down
[00:05:20] requires unifying and normalizing data
[00:05:23] from all systems that may be involved
[00:05:25] achieving and maintaining comprehensive visibility
[00:05:28] is an important challenge to tackle
[00:05:31] as shown in the story
[00:05:33] a rich set of security data
[00:05:35] that is analyzed with attackers' techniques in mind
[00:05:38] enables hunting down threats
[00:05:40] in a broad range of scenarios
[00:05:42] instead of defenders needing to succeed all the time
[00:05:45] an attacker needing to succeed just once
[00:05:48] you can flip the script
[00:05:49] and it could have flipped the coin
[00:05:51] and apply pressure on the bad guys
[00:05:53] if they slip up just once
[00:05:55] you will have them
[00:05:56] and they will be cut immediately
[00:06:00] you have been listening to the Cyber Riddler
[00:06:02] threat hunting is fun
[00:06:04] but you have to be updated all of the time
[00:06:06] to tackle the bad guys
[00:06:08] share this episode with anyone you think could be interested in this topic
[00:06:12] follow us also on X at
[00:06:14] @almorabea
[00:06:17] and @CyberRiddler
[00:06:19] see you in the next episode