The Hunter’s Handbook
Endgame’s Guide to Adversary Hunting

Karen Scarfone, CISSP, ISSAP
Foreword by Jamie Butler

The Hunter's Handbook—Endgame's Guide to Adversary Hunting

Published by:
CyberEdge Group, LLC
1997 Annapolis Exchange Parkway
Suite 300
Annapolis, MD 21401
(800) 327-8711
www.cyber-edge.com

Copyright © 2016, CyberEdge Group, LLC. All rights reserved.

Definitive Guide™ and the CyberEdge Press logo are trademarks of CyberEdge Group, LLC in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.

Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of the publisher. Requests to the publisher for permission should be addressed to Permissions Department, CyberEdge Group, 1997 Annapolis Exchange Parkway, Suite 300, Annapolis, MD, 21401 or transmitted via email to [email protected].

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.
FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on CyberEdge Group research and marketing consulting services, or to create a custom Definitive Guide book for your organization, contact our sales department at 800-327-8711 or [email protected].

ISBN: 978-0-9961827-2-0 (paperback); ISBN: 978-0-9961827-3-7 (eBook)

Printed in the United States of America.

Publisher’s Acknowledgements

CyberEdge Group thanks the following individuals for their respective contributions:
Editor: Susan Shuttleworth
Designer: Debbi Stocco
Publishing Coordinator: Steve Piper

Table of Contents

Foreword ..... v
Preface ..... vii
Introduction ..... ix
    Chapters at a Glance ..... ix
    Helpful Icons ..... x
Chapter 1: The Power of Hunting ..... 1
    Advanced Threats ..... 2
        Adversaries ..... 2
        The kill chain ..... 3
    Weakening Defenses ..... 4
    Hunting Basics ..... 5
    The Benefits of Hunting ..... 7
Chapter 2: The Hunt Process ..... 9
    Hunt Cycle Overview ..... 9
    Survey Phase ..... 11
        Select assets ..... 11
        Monitor assets ..... 13
    Secure Phase ..... 14
    Detect Phase ..... 15
        Detect attacks ..... 15
        Perform analysis ..... 16
    Respond Phase ..... 17
        Remove the adversary ..... 18
        Report findings ..... 19
Chapter 3: The Challenges of Hunting ..... 21
    Expediting the Hunt ..... 22
    Enabling Automated Analysis ..... 23
    Supplementing Signature-Based Detection ..... 24
    Concealing the Hunt from Adversaries ..... 24
Chapter 4: Hunt Readiness ..... 27
    Defining Hunting Roles and Responsibilities ..... 27
        Common roles and responsibilities ..... 27
        Hunters and the hunt team ..... 30
    Scoping the Hunt ..... 30
        Cyber risk assessment report ..... 31
        Policy development ..... 32
        Rules of engagement development ..... 34
    Building and Maintaining Hunters’ Capabilities ..... 35
Chapter 5: The Hunt Experience ..... 39
    The Hunt Scenario ..... 40
    Preparation ..... 40
        Determine hunt priorities ..... 41
        Review available IT asset and network information ..... 41
        Understand what’s considered normal activity ..... 42
        Configure and deploy hunt sensor software ..... 42
    Investigation ..... 43
        Scoping the investigation ..... 43
        Gathering and analyzing information ..... 45
        Expanding the investigation ..... 46
        Reprioritizing the hunt ..... 47
    Adversary Removal ..... 47
    Synopsis of the Hunt ..... 49
    Hunt Reporting ..... 51
Chapter 6: Hunt Technology Selection ..... 53
    Stealth ..... 53
    Automation ..... 54
    Workflow Support ..... 55
    Enterprise Integration ..... 55
    Scalability ..... 56
Glossary ..... 58

Foreword

As new data breaches surpass previous breaches in size and scope, it’s clear that perimeter firewalls and antivirus detection are inadequate for today’s threat environment. Cyberespionage and cybercrime have proliferated, with attackers bypassing defenses at will to steal unprecedented amounts of intellectual property and personally identifiable information. Even small companies are becoming targets for their IP and as a means to access partner or customer companies within a supply chain. Clearly, the status quo is broken.

We all recognize that incidents are inevitable. Now, how do we act on this knowledge? What can we do differently to prevent a breach? The industry requires a new approach that’s as dynamic as these threats and the enterprise environments they target.
Organizations are seeking ways to get “left of boom” by detecting and blocking adversaries before damage occurs. Looking in the rearview mirror and responding after the fact are no longer adequate.

Unfortunately, security solutions haven’t advanced at the same pace as adversaries. The industry continues to apply new names to obsolete solutions, embellishing the terminology while the technology remains stuck in time. Hunt remains almost as ill-defined as other buzzwords – big data, cloud, APT, etc. Hunt is frequently confused with indicator search capabilities or glorified log sorting. This misunderstanding fails to capture the full promise of a hunt approach.

We see hunting as an essential component of security. It is the proactive, stealthy, and surgical detection and eviction of adversaries inside your network without known indicators of compromise. Hunting is an offense-based strategy; hunting is thinking like the attacker. If you were the adversary, what would you attack, for what purpose, and how? Attackers have a mission. Hunting must be able to derail that mission.

Why is hunting suddenly in vogue? I think the industry’s reactionary mentality continues to hinder enterprise security while adversaries enjoy a free-for-all, easily circumventing traditional defensive stacks and exfiltrating record-breaking amounts of data. We can no longer wait until the CISO gets a call from law enforcement saying there’s a problem. Hunting can help shift the balance in the defender’s favor, but it requires changing from a reactionary posture to an attacker’s mindset.

You can’t stop a breach if you don’t know exactly which attacker techniques must be blocked. Most adversaries – regardless of their objectives – must be able to gain initial access, escalate privileges, steal credentials, move within and across assets, evade defenses, and persist in networks. Detecting these functions is a key component of hunting because it tells you where to hunt. Instead of focusing retrospectively as each malware variant is discovered or indicators of compromise are revealed, organizations can hunt for and prevent whole classes of techniques, thus defending against unknown threats. Further, systematic hunting allows an organization to easily collect and analyze the right data across assets to find suspicious or malicious activity.

Hunting is often confused with “hacking back.” However, retaliation must be left to the government and law enforcement, because attack attribution is surprisingly hard and revenge against adversaries with strong retaliation capabilities is a losing strategy. Instead, we can make life harder for adversaries by continuously hunting to detect, block, and evict them – to the point where it is no longer time and resource efficient for them to attack us.

Our goal in this book is to dispel misperceptions about the hunt mission and provide recommendations for structuring hunt teams and practical insights on employing cutting-edge hunt techniques. By adopting an offense-based strategy, enterprises can regain control of their networks and protect their most critical assets.

Jamie Butler
Chief Technology Officer
Endgame

Preface

No matter their industry sector, organizations around the world share a common challenge: finding an effective approach for rapidly identifying and acting on cyber threats. With an average “dwell time” of nearly 150 days before discovery, attackers have ample opportunity to plan and carry out the theft of intellectual property, customer data, and other valuable information – or to cause physical destruction. Moreover, with easy, inexpensive access to sophisticated hacking tools and “rent-a-hacker” services via the dark web, attackers have increased the variety and number of their attacks every year.
To make it too hard for attackers to succeed, we need to leverage emerging technologies to harden our organizations and assets.

Existing attack detection tools look backwards in time. To discover what happened, they apply classic big data approaches such as discovery or search to collections of historical log data. Once a successful attack is discovered, they create rules to guide detection of the next occurrence of the same attack. The goal is to learn from the past to protect against future attempts. There’s just one problem: the next attack will probably be different.

Fortunately, we’re finding new ways to eliminate exposure to novel threats and vulnerabilities. These approaches rely upon blends of new technologies, including advanced data science, major advances in chip-level processing, and powerful cognitive visualization techniques. Two stand out.

The first is hunting, which seeks to turn the tables on attackers by establishing an active offensive motion against them within the virtual confines of the network footprint. Simply put, if you’re only defending, you’ll stay one step behind attackers and never take control. Hunting takes the fight to the front lines. It finds attackers before they do damage—not afterwards. Hunting makes it harder for attackers to succeed.

The second approach creates awareness of current activities based on behavior. Individual abnormal events and combinations of connected events are quickly highlighted for investigation. These include malicious, never-before-seen actions and movements hiding within the noise of normal events. Behavior-based solutions, such as Accenture’s Cyber Intelligence Platform, maximize real-time awareness and harden defenses while taking advantage of current attack intelligence.

Hunting and behavior-based intelligence platforms address the need for state-of-the-art cybersecurity tools. Together, they enable organizations to rapidly “point and shoot” adversaries. For more information, or to arrange a demonstration of either approach, please visit https://www.endgame.com.

Vikram Desai
Managing Director, Global Lead Security Analytics
Accenture

Introduction

For many years, we (the security community) fought the good fight against the adversaries attacking our organizations’ systems. We applied patches for our operating systems and applications as quickly as feasible. We configured and reconfigured software to comply with security checklists and benchmarks while still providing the necessary functionality. We relied on antivirus software, firewalls, intrusion prevention systems, and other tools to prevent attacks.

It’s time to admit that the conventional approach to enterprise security is insufficient. We need to take a step back and reconsider our assumptions. Instead of focusing all our energy on reactive security and waiting for an alert, we should take a proactive approach to security, striving to find adversaries and purge them from our environments as quickly as possible. This doesn’t mean that we throw away existing security controls for prevention; prevention is still incredibly important. But it does mean being more proactive in order to detect adversaries and evict them from our networks. The best way to accomplish the shift from a reactive to proactive posture is to hunt, which is the focus of this book.

Anyone who has responsibilities for securing or monitoring the security of systems and networks, detecting attacks, or responding to compromises will benefit from this book.

Chapters at a Glance

Chapter 1, “The Power of Hunting,” explains the basic concepts of hunting, the motivations for hunting, and the benefits of hunting.

Chapter 2, “The Hunt Process,” looks at each of the major components of the hunt, including the technical details of what’s involved in executing each component.