Building a Threat Hunting Program with Open Source Tools


My name is Travis Smith, I'm a security researcher here with Tripwire, and today I want to talk about how to build a threat hunting program using free and open-source tools available to anybody.

So the first step in building out a threat hunting program is you need to get data to ingest somewhere so you can actually hunt something; you need to be able to have data to look at from various data sources. If you're confused at what data sources you want to be able to get at, look at something like MITRE ATT&CK. They have a lot of very different tactics and techniques, and one of the great things is you can look at these tactics and techniques, specifically the techniques, and they list out all the different data sources that you'd want to look at for being able to detect the abuse of these various techniques. So you can have things like files or process or network data or registry. All these different things are available to you, so we can get them using free tools that are available. If you're looking at network data, a great tool is something like Zeek, the tool formerly known as Bro. If you're looking at process-level data, you have something like Sysmon and a lot of different tools to be able to pull data, file data, registry data off of an endpoint.

And then you bring all that into a centralized location, usually something like a SIEM or a log aggregator. One of the great tools available to people is the ELK Stack, which is Elasticsearch, Logstash, and Kibana. Particularly, it's Elasticsearch and Kibana, so you can store all your data, all this different telemetry, within Elasticsearch and use all the great tools available from Kibana to be able to dig into the data and actually start your threat hunting program.

So once you have all that data in, in the actual act of threat hunting you have to not just have different things that are gonna spike up alerts saying "this process ran, or this IP address was triggered." It's more about hunting out the adversarial behaviors and taking that a step higher, looking at the TTPs, the tactics, techniques and procedures that adversaries are gonna be going through. ATT&CK again is a great source for being able to see that a specific APT group, and there's only a few of them that are actually active at any given time, is gonna be using these handful of different techniques. So you don't need to be able to detect everything, maybe just a tad, if they're creating new scheduled tasks or if they're exfiltrating data via FTP or whatever it could be. If you just have that one level of detection you can then start scaling that back, so using these tools you can start looking at, okay, I detected this one thing, let's start looking forward, looking backwards, and digging into the various different events.
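The "detect one thing, then look backward and forward" workflow the talk describes, as an added example that is not part of the original talk or Tripwire's tooling. The events are constructed by hand and only borrow the field names of Sysmon Event ID 1 (process creation: `ProcessGuid`, `ParentProcessGuid`, `Image`, `CommandLine`, `UtcTime`); they are not real Sysmon output, and nothing here queries Elasticsearch or Kibana. The one narrow detection is "a scheduled task was created", and the pivot then walks the parent chain back to the origin and collects what the same chain spawned afterwards.

```python
"""Hunt pivot over constructed Sysmon-style process-creation events.

Added example (not from the talk). Starts from a single narrow detection
(scheduled task creation) and pivots backward to the process ancestry and
forward to what that ancestry spawned after the hit.
"""
from collections import defaultdict

# Constructed sample events: field names mirror Sysmon Event ID 1, values are
# made up for this example. g0 is an unknown parent outside the data set.
EVENTS = [
    {"UtcTime": "2020-01-01 10:00:00", "ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"UtcTime": "2020-01-01 10:00:05", "ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"UtcTime": "2020-01-01 10:00:09", "ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute"},
    {"UtcTime": "2020-01-01 10:00:10", "ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute"},
    {"UtcTime": "2020-01-01 10:01:00", "ProcessGuid": "g5", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\ftp.exe", "CommandLine": "ftp -s:cmds.txt"},
    {"UtcTime": "2020-01-01 10:02:00", "ProcessGuid": "g6", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def _basename(image):
    """Last path component of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_scheduled_task_creation(events):
    """The one narrow detection: schtasks.exe run with /create."""
    return [e for e in events
            if _basename(e["Image"]) == "schtasks.exe"
            and "/create" in e["CommandLine"].lower()]


def _index(events):
    """Lookup tables: GUID -> event, and parent GUID -> child events."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessGuid"]].append(e)
    return by_guid, children


def look_backward(events, hit):
    """Ancestor chain of the hit, root first; stops at a parent we have no event for."""
    by_guid, _ = _index(events)
    chain, seen = [], set()
    cur = by_guid.get(hit["ParentProcessGuid"])
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        chain.append(cur)
        cur = by_guid.get(cur["ParentProcessGuid"])
    return list(reversed(chain))


def look_forward(events, hit):
    """Processes spawned at or after the hit by the hit or any ancestor,
    plus everything those processes spawn, in time order."""
    _, children = _index(events)
    lineage = {e["ProcessGuid"] for e in look_backward(events, hit)}
    lineage.add(hit["ProcessGuid"])
    stack = [c for guid in lineage for c in children[guid]
             if c["ProcessGuid"] not in lineage and c["UtcTime"] >= hit["UtcTime"]]
    found, seen = [], set()
    while stack:
        e = stack.pop()
        if e["ProcessGuid"] in seen:
            continue
        seen.add(e["ProcessGuid"])
        found.append(e)
        stack.extend(children[e["ProcessGuid"]])
    return sorted(found, key=lambda e: e["UtcTime"])


def hunt(events):
    """Run the detection, then pivot both directions from every hit."""
    return [{"hit": h,
             "backward": look_backward(events, h),
             "forward": look_forward(events, h)}
            for h in detect_scheduled_task_creation(events)]


if __name__ == "__main__":
    for r in hunt(EVENTS):
        print("hit:     ", r["hit"]["CommandLine"])
        print("backward:", " -> ".join(_basename(e["Image"]) for e in r["backward"]))
        print("forward: ", ", ".join(e["CommandLine"] for e in r["forward"]))
```

On the constructed data the single hit is the `schtasks.exe /create` process; walking backward shows it came from `explorer.exe -> WINWORD.EXE -> cmd.exe` (the Office-spawned shell is the interesting part), and walking forward surfaces the later `ftp.exe` launched by the same `cmd.exe`, the kind of follow-on activity the talk suggests digging into once the one detection has fired. The backward walk guards against GUID cycles and stops at a parent that is absent from the data, which is what you see in practice when collection started after the root process did.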
