Threat Hunting Shorts – Collecting The Right Data – Video Blogs
Video – Threat Hunting Shorts – Collecting The Right Data
Hey folks, I’m Chris Brenton and welcome to the final video in our Threat Hunting Shorts series. In this particular video I wanted to go through and talk about collecting the right data in order to be able to go through and do successful threat hunts. So what data do we need? Well, we need a couple things, right? First, we need to be able to collect data that’s going to help us identify when we have a persistent connection taking place, because those are the ones we’re going to want to investigate to make sure there’s some form of business need behind them. We need a way to go through and analyze that network traffic. If we see something that looks a little suspicious, it’d be nice to be able to break down the protocol, see if there’s anything odd taking place there. We need a way to be able to investigate those external systems that our hosts are talking to.
You know, who are they? Where are they? Why are they there? What’s going on? We need a way to investigate our internal systems and we also need a way to investigate remote users. You know, we may have people working from home that are directly connected to the internet, but also connected to our internal network, which could make them a potential threat. We need a way to be able to investigate those systems as well. So it all kind of starts with our network architecture and making sure that’s set up correctly. So here we’ve got an internal network. It’s connecting out to this firewall to get to the internet. And as part of that internet connection we’re going through and we’re using a SPAN port on our switch to monitor all the traffic going in and out of the internal interface of the firewall. Well, this is cool because now everybody going out to the internet and the replies that come back, we’re going to be able to see all that data.
So that’s going to allow us to go in and target connection persistency. It’s also going to allow us to go in and do any type of protocol analysis here. I’m using Zeek to go through and do my captures. You could do pcaps. My only gripe with pcaps is they do take up an awful lot of storage space. I can keep my Zeek logs for a longer period of time. They’re also faster to process. It’s easier to go through and go looking for things when I’m working with Zeek. So my Zeek system is just monitoring all the traffic that’s coming in from that SPAN port, making a record of it. And now I can take copies of those logs, move those over to another system where I can then go through and do processing. So in this example here, I could be using AC-Hunter or I could be using RITA.
I want to use some tool that’s going to help me process those Zeek logs in order to be able to find interesting bits of information. For any of my other internal endpoints, I might want to run Sysmon or some other similar tool to go through and do data collection on these internal systems. Sysmon’s cool because I can go through and collect pretty much anything you want to off of that system, right? With Sysmon I could go in and say, hey, I want to see registry key changes. I want to see every process running in memory. I want to see, you know, when user information changes. There’s all sorts of stuff I can keep track of. Of course, the problem there is once I start collecting tons of data, I need to move it across the network from all of my endpoints. I need to collect it into a database from all my endpoints. My queries become slow, I run out of space quickly.
What do I actually need to keep track of? For me personally, what I want to see off my endpoints kind of universally is what are the applications doing on the network? Think about this. If somebody breaks into that system, or if that system is talking to a command and control channel, or if that compromised system is trying to move laterally and attack other systems, in every single one of those cases it’s going to be an application talking on the network. So if I record that information and ignore everything else, that gives me that nice little minimum baseline to be able to go through and investigate what’s going on. And there’s some really cool tools I can use for that. So for example, one of the tools we have that allows you to go through and make heads or tails of this data is BeaKer.
So BeaKer will leverage Sysmon to collect Event ID 3s. Event ID 3 with Sysmon is just network applications talking on the network, and it allows you to go in and do very quick, simple queries to figure out what’s going on. So for example, let’s say I identified this internal system was talking to that external system and it’s connecting on a very regular basis throughout the course of the day. And I want to find out some more information off of that. Well, if I’m running Sysmon with BeaKer to collect that data off of this internal system, I could just go into BeaKer and say, hey, when this IP address is talking to that IP address, what application is making that connection? Well, here I can see it’s PowerShell. Now that I see it’s PowerShell, I know, yeah, I need to be nervous. <Laugh> Why is PowerShell connecting to an external system?
That might not be a good thing. I need to investigate this further. Now, if I had seen Slack, and I know we’re a Slack shop, okay, that’s probably okay. So being able to identify the application that’s responsible for all these connections can really help us run down whether this is something we need to be concerned about or not. Well, what about remote users? How do we collect data off of them? Well, we could certainly use BeaKer for them as well, right? Use Sysmon to go in and collect that data to see what the applications are doing on the network. That would be helpful. But we lose the network telemetry we saw with Zeek because they’re not going through the internal firewall anymore. They’re connecting directly to the internet. Well, one of the tools you can leverage that will do that for you is espy.
espy is another open-source project that we run, and espy leverages Sysmon, which if you’re running BeaKer is there already anyway. And one of the cool things about espy is not only does it collect that telemetry data for you, it stores it in Zeek log format. Well, that’s awesome because that means any tool, you know, like AC-Hunter or RITA or whatever, that is capable of processing Zeek logs can process those Zeek logs even though that system didn’t pass its traffic through a Zeek sensor. That makes it really super easy to be able to go in and work with.
Hey, if this stuff is fun and you want to learn more, we have a level one threat hunting class coming up next week. So this is an intro class. It’s designed to kind of get you up to speed on what is threat hunting. How does it work? It’s about half lecture, half hands-on labs. We have a virtual machine you can download to be able to do the hands-on labs. And the way the classes really run is I’ll kind of walk you through, hey, this is how to do threat hunting. And then you do it, and you do it with the support of myself as well as the threat hunting community that shows up for this. We usually get a pretty good turnout to be able to go through and figure out how to do proper threat hunting. So again, if that sounds interesting to you, feel free to follow the link that’ll get you into the class. So with that said, I really hope you’ve enjoyed this series. I’ve had an awful lot of fun recording these videos. Take care, everybody.
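The workflow the video walks through (surface a connection pair that recurs on a regular schedule in Zeek conn.log data, then ask the endpoint's Sysmon Event ID 3 records which application made those connections) as an added Python example. This is not code from the video or from AC-Hunter, RITA, BeaKer or espy: the conn.log excerpt, the Sysmon records, the regularity score (one minus the coefficient of variation of the gaps between connections) and the thresholds are all constructed or assumed here for illustration.

```python
"""Persistent-connection triage over Zeek conn.log data, attributed to an endpoint
process via Sysmon Event ID 3 (network connection) records.
Added illustration; every input below is constructed, not captured."""
import statistics
from collections import defaultdict


def build_sample_conn_log():
    """Construct a small Zeek conn.log in Zeek's tab-separated ASCII format:
    a 300 s beacon, a chat client with human-driven gaps, and one DNS lookup."""
    header = ("#separator \\x09\n"
              "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
              "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n")
    base = 1700000000
    rows = []
    for i in range(10):  # exactly every 300 s: the pattern a hunter wants surfaced
        rows.append((base + 300 * i, f"Cbeacon{i}", "10.0.0.5", 49152 + i,
                     "203.0.113.10", 443, "tcp"))
    for i, gap in enumerate([0, 45, 610, 900, 920, 2400, 2410, 5000]):  # irregular
        rows.append((base + gap, f"Cchat{i}", "10.0.0.7", 50000 + i,
                     "198.51.100.20", 443, "tcp"))
    rows.append((base + 10, "Cdns0", "10.0.0.5", 53210, "10.0.0.2", 53, "udp"))
    return header + "\n".join("\t".join(str(v) for v in r) for r in rows) + "\n"


# Constructed Sysmon Event ID 3 records, reduced to the fields needed for the join.
SYSMON_ID3_EVENTS = [
    {"SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"SourceIp": "10.0.0.7", "DestinationIp": "198.51.100.20", "DestinationPort": 443,
     "Image": r"C:\Users\alice\AppData\Local\slack\slack.exe"},
]


def parse_zeek_conn(text):
    """Parse Zeek ASCII log text into dicts keyed by the #fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed row: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_persistent(rows, min_conns=6):
    """Group connections by (src, dst, dst port) and score how evenly spaced they are.
    regularity = 1 - coefficient of variation of the inter-connection gaps, clipped to [0, 1]."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    results = {}
    for key, stamps in by_pair.items():
        if len(stamps) < max(min_conns, 2):  # need at least one gap to score
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        results[key] = {"count": len(stamps), "mean_interval": mean,
                        "regularity": max(0.0, 1.0 - cv)}
    return results


def attribute_process(key, events):
    """Which endpoint images made connections matching this (src, dst, port) key?"""
    src, dst, port = key
    return sorted({e["Image"] for e in events
                   if e["SourceIp"] == src and e["DestinationIp"] == dst
                   and int(e["DestinationPort"]) == port})


def triage(conn_text, events, min_regularity=0.9):
    """Flag regularly recurring pairs and attach the responsible application(s)."""
    flagged = []
    for key, stats in find_persistent(parse_zeek_conn(conn_text)).items():
        if stats["regularity"] >= min_regularity:
            flagged.append({"pair": key, **stats, "images": attribute_process(key, events)})
    return flagged


if __name__ == "__main__":
    for hit in triage(build_sample_conn_log(), SYSMON_ID3_EVENTS):
        src, dst, port = hit["pair"]
        print(f"{src} -> {dst}:{port} {hit['count']} conns every ~{hit['mean_interval']:.0f}s "
              f"(regularity {hit['regularity']:.2f}) via {hit['images'] or ['unknown']}")
```

The join key is (source IP, destination IP, destination port), which both a Zeek conn.log row and a Sysmon ID 3 record carry, so the same lookup works whether the network side came from a SPAN-port Zeek sensor or from espy writing Sysmon data in Zeek format. Pairs below `min_conns` are dropped before any scoring, which is the trade-off the video describes: keep the small amount of data that answers "what application is talking on the network" and ignore the rest.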
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.