Version v.1.0.0
lecture: Advanced Threat Hunting
Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume with a potentially low signal-to-noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.
This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid.
1. Introduction
  1. Who am I?
  2. What is this advanced threat hunting process?
2. Problem definition
  1. Small teams
  2. Limited resources
    1. Paid data feeds
    2. High data volume
    3. Signal-to-noise ratio
    4. Limited tool capacity (sandbox resource limits)
  3. Limited time
    1. Analysts need to spend time analyzing, not doing busy work.
3. Basics of the solution
  1. YARA rule extensions to handle priority and confidence
  2. Automation of processing based on prioritization
  3. Maximization of sandbox and tool resources
  4. Centralization of workflow and data flow across the team
4. YARA rule deployment
  1. Keeping your rules organized
    1. How to use revision control for rule maintenance
    2. The wrong ways:
      1. File server
      2. Someone's laptop
      3. Many people's laptops
  2. Automated deployment of rules from repos
    1. Processes for automation
    2. Gotchas
5. Prioritization meetings
  1. Process for deciding which rules are most important
  2. Measuring false positives and noise
  3. Applying and tuning rules over time
  4. Optimizing the prioritization categories
    1. Non-intuitive ordering (high priority/low confidence and medium priority/low confidence should rank lower than medium priority/high confidence and medium priority/medium confidence)
    2. What happens when these values change, and how often values should be reviewed
6. Automation
  1. Why have an analyst moving data around rather than analyzing?
  2. Collection system automation
  3. Exploitation system automation
  4. Connecting disparate products and tools together
7. Maximizing resource utilization
  1. Tuning rules to make sure that sandboxes are running at full utilization
  2. Metrics for measuring utilization
  3. Once utilization is measured and understood, the numbers can be used to assist in budget discussions. CFOs are amenable to a budget increase when it can be demonstrated that resources are used 100%.
8. Workflow methodology
  1. Scoring each threat based on data quality
  2. Methods for distributing a triage process across a small team
9. Successes
  1. Kasperagent targeting Israel and the Palestinian Territories
  2. Point of Sale malware, specifically leading to profiling of the "zed556677" threat actor
10. Conclusion
  1. Gotchas and pitfalls
  2. Outline of all takeaways
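The abstract describes the core of the process (YARA rules carrying priority and confidence metadata, whose matches are ranked before files are handed to a capacity-limited sandbox), and the outline calls out the non-intuitive ordering that high priority/low confidence and medium priority/low confidence must rank below medium/high and medium/medium. The following script is an added example written for this page, not the speaker's tooling. It assumes the rules carry `priority` and `confidence` meta fields with values low/medium/high (the extension the talk proposes, but the field names are an assumption), that confidence should outweigh priority in the combined score (also an assumption, chosen because it satisfies the ordering stated in the outline), and that match records arrive from some upstream scanner; the rules and matches below are constructed inline and the string indicators are placeholders.

```python
"""Rank YARA matches by rule priority and confidence, then fill a
fixed-size sandbox queue with the best candidates.

Added example, not the speaker's code. Assumed conventions:
- rules carry `priority` and `confidence` meta fields (low/medium/high)
- confidence dominates the score; priority breaks ties
- match records are (file_id, rule_name) pairs from an upstream scanner
"""
import re

LEVEL = {"low": 1, "medium": 2, "high": 3}

# A rule's meta block: YARA requires meta before strings/condition.
META_BLOCK = re.compile(
    r"rule\s+(?P<name>\w+)[^{]*\{\s*meta:\s*(?P<meta>.*?)\n\s*(?:strings|condition):",
    re.DOTALL,
)
# key = "string" | integer | true/false
META_PAIR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\d+)|(true|false))')


def parse_rule_meta(rule_text):
    """Return {rule_name: {meta_key: value}} for every rule with a meta block."""
    rules = {}
    for m in META_BLOCK.finditer(rule_text):
        meta = {}
        for pair in META_PAIR.finditer(m.group("meta")):
            key = pair.group(1)
            if pair.group(2) is not None:
                meta[key] = pair.group(2)
            elif pair.group(3) is not None:
                meta[key] = int(pair.group(3))
            else:
                meta[key] = pair.group(4) == "true"
        rules[m.group("name")] = meta
    return rules


def score(priority, confidence):
    """Assumed weighting: an untrusted rule cannot push noise ahead of a
    well-tuned medium rule, whatever its priority."""
    return 3 * LEVEL[confidence.lower()] + LEVEL[priority.lower()]


# (lower, higher) pairs of (priority, confidence) that the talk says must hold.
REQUIRED_ORDER = [
    (("high", "low"), ("medium", "medium")),
    (("high", "low"), ("medium", "high")),
    (("medium", "low"), ("medium", "medium")),
    (("medium", "low"), ("medium", "high")),
]


def ordering_is_consistent(score_fn=score):
    """Check a scoring function against the ordering constraints above."""
    return all(score_fn(*lo) < score_fn(*hi) for lo, hi in REQUIRED_ORDER)


def rank_files(matches, rules, default=("low", "low")):
    """Collapse matches to one score per file (best rule wins), highest first.

    Rules missing priority/confidence meta fall back to `default`, so an
    untagged rule never outranks a tuned one.
    """
    best = {}
    for file_id, rule_name in matches:
        meta = rules.get(rule_name, {})
        s = score(meta.get("priority", default[0]), meta.get("confidence", default[1]))
        if file_id not in best or s > best[file_id][0]:
            best[file_id] = (s, rule_name)
    return sorted(((s, f, r) for f, (s, r) in best.items()), key=lambda t: (-t[0], t[1]))


def sandbox_queue(ranked, capacity):
    """Split ranked files into this cycle's submissions and the backlog."""
    ids = [f for _, f, _ in ranked]
    return ids[:capacity], ids[capacity:]


# Constructed rules; string indicators are placeholders, not real IoCs.
SAMPLE_RULES = r'''
rule pos_track_data_regex : pos
{
    meta:
        description = "Placeholder POS track-data pattern"
        priority = "high"
        confidence = "low"
    strings:
        $a = "PLACEHOLDER_STRING_A"
    condition:
        $a
}

rule actor_profile_marker
{
    meta:
        priority = "medium"
        confidence = "high"
        revision = 3
    strings:
        $p = "PLACEHOLDER_STRING_B"
    condition:
        $p
}

rule generic_packer
{
    meta:
        priority = "medium"
        confidence = "medium"
    condition:
        uint16(0) == 0x5A4D
}
'''

# Constructed scanner output: (file id, matching rule).
SAMPLE_MATCHES = [
    ("file-A", "pos_track_data_regex"),
    ("file-B", "actor_profile_marker"),
    ("file-C", "generic_packer"),
    ("file-C", "pos_track_data_regex"),  # best rule per file wins
    ("file-D", "unknown_rule"),          # no meta -> default low/low
]

if __name__ == "__main__":
    rules = parse_rule_meta(SAMPLE_RULES)
    ranked = rank_files(SAMPLE_MATCHES, rules)
    submit, backlog = sandbox_queue(ranked, capacity=2)
    for s, f, r in ranked:
        print(f"{s:2d}  {f}  via {r}")
    print("submit:", submit, "backlog:", backlog)
```

With two sandbox slots, file-B (medium/high) and file-C (medium/medium via the packer rule) are submitted first, while file-A, matched only by a high-priority rule the team does not yet trust, waits in the backlog together with the untagged match. Swapping in a different `score` function and re-running `ordering_is_consistent` is a cheap way to check that a re-weighting agreed in a prioritization meeting still respects the ordering the team settled on.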
Speakers
Robert Simmons