SlideShare a Scribd company logo

Maturing your threat hunting program

Cybereason
Cybereason

A closer look at threat hunting. Beyond the Basics

Technology
1 of 16
Download to read offline
Total Endpoint Protection: #1 in EDR & Next-Gen AV Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
Total Endpoint Protection: #1 in EDR & Next-Gen AV Who Am I? Jayson Wehrend Senior Sales Engineer, Cybereason Former Tech Consultant, RSA
Total Endpoint Protection: #1 in EDR & Next-Gen AV Why We’re Here Today o Quick hunting refresher o I’m hunting! Now what? o Giving back & process integration o Expanded PowerShell use case
Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: HUNTING DEFINED. The process of proactively discovering undesirable activity to illicit a positive outcome.
Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: WHY? Prepare? It’s very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for the bad to happen, then have to react to fix. Fix stuff? Especially before it breaks!
Total Endpoint Protection: #1 in EDR & Next-Gen AV Time to Change. Intelligence is the ability to adapt to change. -- Stephen Hawking
Total Endpoint Protection: #1 in EDR & Next-Gen AV The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation
Total Endpoint Protection: #1 in EDR & Next-Gen AV I’m Hunting! Now What? o We’re Giving Back! – Incidents – Detection improvements / new collection techniques – Prevention with confidence – Improve response / triage – Configuration management / compliance / audit
Total Endpoint Protection: #1 in EDR & Next-Gen AV Incident Response Process Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent
Total Endpoint Protection: #1 in EDR & Next-Gen AV Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Incident Response Process Hunting Process Use blind spots/gaps as sources of motivation + hypothesis High fidelity detections Escalated incident New data collection & analysis techniques improve triage & response SOPs
Total Endpoint Protection: #1 in EDR & Next-Gen AV Hunting: A Deeper Dive o Previous outcomes create new motivation + hypothesis’ o Introducing new datasets to expand previous outcomes o Data stacking becomes more crucial to the journey to analysis/data science
Total Endpoint Protection: #1 in EDR & Next-Gen AV EXPANDED HUNTING: POWERSHELL
Total Endpoint Protection: #1 in EDR & Next-Gen AV File-less Techniques PowerShell Process Execution Persistence Network Comms Service Registry Hidden Obfuscated Encoded Download Commands Shellcode DLL Execution Parent/child Profiling Int2Ext Profiling DNS Queries Service = commandline:powershell or .ps* Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine:DownloadFile|IWE|Invoke-WebRequest|IRM|Invoke- RestMethod|DownloadString|BITS commandLine:dllimport| virtualalloc Parent:wscript|mshta|M SOffice|Browser|WMI* Connections à Filter:isExternalConnection:True URL: .ps* DNS Query: TXT C2 DNS Query: Received vs. Transmitted Ratios
Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Incident Escalation o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload o Incident 2: Remote .ps file execution / invoking shellcode o Incident 3: Mismatched Services – Adversarial use of .ps o Incident 4: Data Exfil – Powershell BITSTransfer
Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Prevention o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes o Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe o Anchor PowerShell scripts to a specific server directories, block .ps* from running directly on a system o Use endpoint firewall to prevent PowerShell.exe from connecting to non- approved Ips o Block “Bypass” “Hidden” “Download String” “WebClient” “DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user o See #2 for allowing valid applications
Total Endpoint Protection: #1 in EDR & Next-Gen AV Thank you! Questions? jayson.wehrend@cybereason.com @cybereason

Recommended

Protecting the healthcare industry
Protecting the healthcare industryProtecting the healthcare industry
Protecting the healthcare industryCybereason
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?Cybereason
 
The Cyber Attack Lifecycle
The Cyber Attack LifecycleThe Cyber Attack Lifecycle
The Cyber Attack LifecycleCybereason
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksThe Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksCybereason
 
Protecting the manufacturing industry
Protecting the manufacturing industryProtecting the manufacturing industry
Protecting the manufacturing industryCybereason
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation ApproachesPriyanka Aash
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesomeSumedt Jitpukdebodin
 

Recommended

Protecting the healthcare industry
Protecting the healthcare industryProtecting the healthcare industry
Protecting the healthcare industryCybereason
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?The attack lifecycle. Cybereason can help you answer: Are you under attack?
The attack lifecycle. Cybereason can help you answer: Are you under attack?Cybereason
 
The Cyber Attack Lifecycle
The Cyber Attack LifecycleThe Cyber Attack Lifecycle
The Cyber Attack LifecycleCybereason
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksThe Incident Response Checklist - 9 Steps Your Current Plan Lacks
The Incident Response Checklist - 9 Steps Your Current Plan LacksCybereason
 
Protecting the manufacturing industry
Protecting the manufacturing industryProtecting the manufacturing industry
Protecting the manufacturing industryCybereason
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation ApproachesPriyanka Aash
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesomeSumedt Jitpukdebodin
 
2018 CISSP Mentor Program- Session 6
2018 CISSP Mentor Program- Session 62018 CISSP Mentor Program- Session 6
2018 CISSP Mentor Program- Session 6FRSecure
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
 
2018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 32018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 3FRSecure
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...HITCON GIRLS
 
FRSecure 2018 CISSP Mentor Program Session 10
FRSecure 2018 CISSP Mentor Program Session 10FRSecure 2018 CISSP Mentor Program Session 10
FRSecure 2018 CISSP Mentor Program Session 10FRSecure
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedAshwini Almad
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013beltface
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE - ATT&CKcon
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017FRSecure
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
2018 FRSecure CISSP Mentor Program Session 8
2018 FRSecure CISSP Mentor Program Session 82018 FRSecure CISSP Mentor Program Session 8
2018 FRSecure CISSP Mentor Program Session 8FRSecure
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseAshwini Almad
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Barry Greene
 
2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class NineFRSecure
 
2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session TwoFRSecure
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE - ATT&CKcon
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRNetpluz Asia Pte Ltd
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsCybereason
 

More Related Content

What's hot

2018 CISSP Mentor Program- Session 6
2018 CISSP Mentor Program- Session 62018 CISSP Mentor Program- Session 6
2018 CISSP Mentor Program- Session 6FRSecure
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
 
2018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 32018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 3FRSecure
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...HITCON GIRLS
 
FRSecure 2018 CISSP Mentor Program Session 10
FRSecure 2018 CISSP Mentor Program Session 10FRSecure 2018 CISSP Mentor Program Session 10
FRSecure 2018 CISSP Mentor Program Session 10FRSecure
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedAshwini Almad
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013beltface
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE - ATT&CKcon
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017FRSecure
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
2018 FRSecure CISSP Mentor Program Session 8
2018 FRSecure CISSP Mentor Program Session 82018 FRSecure CISSP Mentor Program Session 8
2018 FRSecure CISSP Mentor Program Session 8FRSecure
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseAshwini Almad
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Barry Greene
 
2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class NineFRSecure
 
2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session TwoFRSecure
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE - ATT&CKcon
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 

What's hot (20)

2018 CISSP Mentor Program- Session 6
2018 CISSP Mentor Program- Session 62018 CISSP Mentor Program- Session 6
2018 CISSP Mentor Program- Session 6
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
 
2018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 32018 CISSP Mentor Program Session 3
2018 CISSP Mentor Program Session 3
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
 
FRSecure 2018 CISSP Mentor Program Session 10
FRSecure 2018 CISSP Mentor Program Session 10FRSecure 2018 CISSP Mentor Program Session 10
FRSecure 2018 CISSP Mentor Program Session 10
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
 
2018 FRSecure CISSP Mentor Program Session 8
2018 FRSecure CISSP Mentor Program Session 82018 FRSecure CISSP Mentor Program Session 8
2018 FRSecure CISSP Mentor Program Session 8
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1
 
2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine
 
2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary ...
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
 

Similar to Maturing your threat hunting program

The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRNetpluz Asia Pte Ltd
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsCybereason
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Cybersecurity
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptxFoundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptxchuwc
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramMorphick
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Matthew Park
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacksAppSense
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
Cyber Attack Lifecycle
Cyber Attack LifecycleCyber Attack Lifecycle
Cyber Attack LifecycleShannon Sevor
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017Paula Januszkiewicz
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Alexandre Rebert
 

Similar to Maturing your threat hunting program (20)

The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDR
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptxFoundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
Foundations_Optimum_Security_Overview_AP_Marketing_EN_GLB.pptx
 
Endpoint Protection Comparison.pdf
Endpoint Protection Comparison.pdfEndpoint Protection Comparison.pdf
Endpoint Protection Comparison.pdf
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response Program
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Laura Bell (SafeStack)
Laura Bell (SafeStack)Laura Bell (SafeStack)
Laura Bell (SafeStack)
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
Cyber Attack Lifecycle
Cyber Attack LifecycleCyber Attack Lifecycle
Cyber Attack Lifecycle
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
 

More from Cybereason

Antifragile Cyber Defense
Antifragile Cyber DefenseAntifragile Cyber Defense
Antifragile Cyber DefenseCybereason
 
An Introduction to the Agile SoC
An Introduction to the Agile SoCAn Introduction to the Agile SoC
An Introduction to the Agile SoCCybereason
 
Protecting the financial services industry
Protecting the financial services industryProtecting the financial services industry
Protecting the financial services industryCybereason
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Cybereason
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance HealthcareAvoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance HealthcareCybereason
 
Some PowerShell Goodies
Some PowerShell GoodiesSome PowerShell Goodies
Some PowerShell GoodiesCybereason
 
Ransomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near YouRansomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near YouCybereason
 

More from Cybereason (7)

Antifragile Cyber Defense
Antifragile Cyber DefenseAntifragile Cyber Defense
Antifragile Cyber Defense
 
An Introduction to the Agile SoC
An Introduction to the Agile SoCAn Introduction to the Agile SoC
An Introduction to the Agile SoC
 
Protecting the financial services industry
Protecting the financial services industryProtecting the financial services industry
Protecting the financial services industry
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance HealthcareAvoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
 
Some PowerShell Goodies
Some PowerShell GoodiesSome PowerShell Goodies
Some PowerShell Goodies
 
Ransomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near YouRansomware is Coming to a Desktop Near You
Ransomware is Coming to a Desktop Near You
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Maturing your threat hunting program

  • 1. Total Endpoint Protection: #1 in EDR & Next-Gen AV Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
  • 2. Total Endpoint Protection: #1 in EDR & Next-Gen AV Who Am I? Jayson Wehrend Senior Sales Engineer, Cybereason Former Tech Consultant, RSA
  • 3. Total Endpoint Protection: #1 in EDR & Next-Gen AV Why We’re Here Today o Quick hunting refresher o I’m hunting! Now what? o Giving back & process integration o Expanded PowerShell use case
  • 4. Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: HUNTING DEFINED. The process of proactively discovering undesirable activity to illicit a positive outcome.
  • 5. Total Endpoint Protection: #1 in EDR & Next-Gen AV REFRESHER: WHY? Prepare? It’s very hard to defend what you can’t see and don’t understand. Be proactive? Don’t wait for the bad to happen, then have to react to fix. Fix stuff? Especially before it breaks!
  • 6. Total Endpoint Protection: #1 in EDR & Next-Gen AV Time to Change. Intelligence is the ability to adapt to change. -- Stephen Hawking
  • 7. Total Endpoint Protection: #1 in EDR & Next-Gen AV The Hunting Process Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation
  • 8. Total Endpoint Protection: #1 in EDR & Next-Gen AV I’m Hunting! Now What? o We’re Giving Back! – Incidents – Detection improvements / new collection techniques – Prevention with confidence – Improve response / triage – Configuration management / compliance / audit
  • 9. Total Endpoint Protection: #1 in EDR & Next-Gen AV Incident Response Process Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent
  • 10. Total Endpoint Protection: #1 in EDR & Next-Gen AV Prepare Detect Respond Contain / Eradicate Post- Mortem / Prevent Motivation + Hypothesis Data Collection Tooling / Analysis Outcomes Automation* Incident Response Process Hunting Process Use blind spots/gaps as sources of motivation + hypothesis High fidelity detections Escalated incident New data collection & analysis techniques improve triage & response SOPs
  • 11. Total Endpoint Protection: #1 in EDR & Next-Gen AV Hunting: A Deeper Dive o Previous outcomes create new motivation + hypothesis’ o Introducing new datasets to expand previous outcomes o Data stacking becomes more crucial to the journey to analysis/data science
  • 12. Total Endpoint Protection: #1 in EDR & Next-Gen AV EXPANDED HUNTING: POWERSHELL
  • 13. Total Endpoint Protection: #1 in EDR & Next-Gen AV File-less Techniques PowerShell Process Execution Persistence Network Comms Service Registry Hidden Obfuscated Encoded Download Commands Shellcode DLL Execution Parent/child Profiling Int2Ext Profiling DNS Queries Service = commandline:powershell or .ps* Registry = commandline:powershell or .ps* commandLine:hidden|1|-nop|iex|- invoke|ICM|scriptblock, commandLine:`|1|^|+|$|*|&|. commandLine:nop|nonl|nol|bypass|e|enc|ec commandLine:DownloadFile|IWE|Invoke-WebRequest|IRM|Invoke- RestMethod|DownloadString|BITS commandLine:dllimport| virtualalloc Parent:wscript|mshta|M SOffice|Browser|WMI* Connections à Filter:isExternalConnection:True URL: .ps* DNS Query: TXT C2 DNS Query: Received vs. Transmitted Ratios
  • 14. Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Incident Escalation o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload o Incident 2: Remote .ps file execution / invoking shellcode o Incident 3: Mismatched Services – Adversarial use of .ps o Incident 4: Data Exfil – Powershell BITSTransfer
  • 15. Total Endpoint Protection: #1 in EDR & Next-Gen AV Giving Back…Prevention o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes o Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe o Anchor PowerShell scripts to a specific server directories, block .ps* from running directly on a system o Use endpoint firewall to prevent PowerShell.exe from connecting to non- approved Ips o Block “Bypass” “Hidden” “Download String” “WebClient” “DLLImport” “VirtualAlloc” as a command line argument for execution by an unauthorized user o See #2 for allowing valid applications
  • 16. Total Endpoint Protection: #1 in EDR & Next-Gen AV Thank you! Questions? jayson.wehrend@cybereason.com @cybereason