My key takeaways
- threat hunting runbook
  - identify connection persistence
  - identify whether there is a business need
  - protocol analysis
  - investigate the external IP address
  - investigate the internal IP address
- Threat hunting is stealthy
  - only in IR mode should the adversary be allowed to notice we are after him
- raise the TCP timeout from 5 min to 1 h in your local.zeek
- options to create a safelist for RITA
  - parse RITA output with a script prior to review
    - preferred because it is easy to roll back
  - RITA's NeverInclude & NeverIncludeDomain
  - BPF filter prior to Zeek capture
    - also improves performance
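The "parse RITA output with a script prior to review" option, as an added example (this is my own illustration, not RITA's code and not from the webcast). It assumes RITA's CSV-style `show-beacons` output carries at least the columns "Score", "Source IP" and "Destination IP", and that the analyst keeps a plain-text safelist of CIDR blocks or single hosts, one per line, with `#` comments. The RITA dataset itself is never touched, which is exactly why this is the easy-to-roll-back option.

```python
"""Pre-filter RITA output against an analyst safelist before human review.

Added example; not RITA's code and not from the notes above. Assumes RITA's
CSV-style `show-beacons` output with at least the columns "Score",
"Source IP" and "Destination IP" (other columns pass through untouched) and a
safelist file of CIDR blocks or single hosts, one per line, '#' comments
allowed. The RITA dataset is never modified, so rolling back means deleting
the safelist entry and re-running this script.
"""
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of `rita show-beacons <dataset>` output.
SAMPLE_BEACONS = """\
Score,Source IP,Destination IP,Connections,Avg Bytes
0.998,10.0.1.25,203.0.113.7,2880,512
0.991,10.0.1.40,13.107.4.52,1440,390
0.870,10.0.2.9,192.0.2.44,96,1200
0.410,10.0.1.25,198.51.100.10,12,88
"""

# Constructed safelist of endpoints with a confirmed business need.
SAMPLE_SAFELIST = """\
# vendor update range seen as a benign long connection
13.107.4.0/24
# internal monitoring host, polls many external services
10.0.2.9
"""


def load_safelist(text: str) -> list:
    """Parse CIDRs / single hosts, ignoring blank lines and '#' comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            # strict=False accepts host bits set, e.g. 10.0.2.9 -> 10.0.2.9/32
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_safelisted(addr: str, nets: list) -> bool:
    """True when the address falls inside any safelisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_beacons(csv_text: str, nets: list, min_score: float = 0.0) -> List[Dict[str, str]]:
    """Return rows that match no safelist entry and score at or above min_score.

    A row is dropped when either endpoint is safelisted. Narrow this to the
    destination only if the safelist is meant for external services alone;
    otherwise an internal host on the list hides all of its beacons.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = []
    for row in reader:
        if float(row["Score"]) < min_score:
            continue
        if is_safelisted(row["Source IP"], nets) or is_safelisted(row["Destination IP"], nets):
            continue
        kept.append(row)
    return kept


def summarize(rows: List[Dict[str, str]]) -> str:
    """Compact review list: score, src -> dst, connection count."""
    return "\n".join(
        f'{r["Score"]} {r["Source IP"]} -> {r["Destination IP"]} ({r["Connections"]} conns)'
        for r in rows
    )


if __name__ == "__main__":
    nets = load_safelist(SAMPLE_SAFELIST)
    print(summarize(filter_beacons(SAMPLE_BEACONS, nets)))
```

Run against the sample, the two safelisted rows disappear and the analyst reviews the remaining two. Keeping the safelist in version control gives the same audit trail and rollback that the notes value in this option.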
- a dash after the protocol in RITA's output means the connection probably started before the Zeek collection started
- eliminating long connections such as the Windows notification service might reduce the load significantly
- working through 24 h of data is doable in about 1 h
Env: -
Provided by: Active Countermeasures
Speaker: -
additional links
- https://www.activecountermeasures.com/filtering-out-high-volume-traffic/
- https://www.activecountermeasures.com/building-a-global-ignore-filter/
- https://www.activecountermeasures.com/improving-packet-capture-performance-1-of-3/
- https://www.activecountermeasures.com/ac-hunter-ctf-challenge/
- https://www.activecountermeasures.com/threat-hunting-false-positives/
- https://www.activecountermeasures.com/?s=malware+of+the+day
- https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html
User comments
Keith – ACM BHIS — today at 20:32
RITA does not currently have safelisting/whitelisting built-in.
3l t0r0 — today at 20:34
How do you differentiate between an endpoint that is on for only 8 hrs vs one that is on for 24 hrs within the same analysis?
wstearns-ACM — today at 20:35
You could feed the raw pcap into tcpdump to filter on the IP address and use capinfos on the result:
tcpdump -r original.pcap -w justoneip.pcap 'host 8.8.8.8'
capinfos justoneip.pcap
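The same 8 h vs 24 h question answered from Zeek's conn.log instead of a filtered pcap, as an added example (my own illustration, not code from the thread, from Zeek or from Active Countermeasures). For every originating host it takes first seen, last seen (ts + duration) and the connection count, then reports connections per observed hour so that hosts with different uptime compare on an equal footing. Column names follow Zeek's standard conn.log `#fields` header; the rows are constructed.

```python
"""Per-host observed window and connection rate from Zeek conn.log.

Added example; not code from the thread, from Zeek or from Active
Countermeasures. Alternative to the tcpdump + capinfos approach: instead of
filtering a pcap per host, derive first/last seen per originating host from
conn.log and normalise the connection count by the hours the host was
actually observed. Column names follow Zeek's conn.log `#fields` header;
the rows below are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed conn.log excerpt (tab separated, Zeek header lines included).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval",
    # 10.0.1.25: three connections spread over 8 hours
    "1700000000.000\tC1\t10.0.1.25\t51000\t203.0.113.7\t443\ttcp\tssl\t2.5",
    "1700014400.000\tC2\t10.0.1.25\t51001\t203.0.113.7\t443\ttcp\tssl\t1.0",
    "1700028800.000\tC3\t10.0.1.25\t51002\t203.0.113.7\t443\ttcp\tssl\t-",
    # 10.0.1.40: three connections spread over 24 hours
    "1700000000.000\tC4\t10.0.1.40\t52000\t198.51.100.10\t443\ttcp\tssl\t3.0",
    "1700043200.000\tC5\t10.0.1.40\t52001\t198.51.100.10\t443\ttcp\tssl\t0.5",
    "1700086400.000\tC6\t10.0.1.40\t52002\t198.51.100.10\t443\ttcp\tssl\t-",
    # 10.0.3.3: a single connection, so its window is effectively zero
    "1700050000.000\tC7\t10.0.3.3\t53000\t192.0.2.44\t80\ttcp\thttp\t1.0",
])

# Floor on the window so a host seen once does not divide by zero (one minute).
MIN_WINDOW_HOURS = 1.0 / 60


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Return conn.log records as dicts keyed by the #fields header."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other Zeek metadata lines and blanks
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def per_host_windows(text: str) -> Dict[str, Dict[str, float]]:
    """Per originating host: count, first/last seen, observed hours, conns/hour."""
    stats = defaultdict(lambda: {"connections": 0, "first_seen": float("inf"), "last_seen": 0.0})
    for rec in parse_conn_log(text):
        ts = float(rec["ts"])
        # '-' is Zeek's unset marker; treat an unset duration as zero length
        dur = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        s = stats[rec["id.orig_h"]]
        s["connections"] += 1
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts + dur)
    for s in stats.values():
        span_hours = (s["last_seen"] - s["first_seen"]) / 3600
        s["observed_hours"] = max(span_hours, MIN_WINDOW_HOURS)
        s["conns_per_hour"] = s["connections"] / s["observed_hours"]
    return dict(stats)


if __name__ == "__main__":
    for host, s in sorted(per_host_windows(SAMPLE_CONN_LOG).items()):
        print(f'{host:12} conns={s["connections"]:3d} '
              f'window={s["observed_hours"]:6.2f} h  rate={s["conns_per_hour"]:.3f}/h')
```

On the sample both 10.0.1.25 and 10.0.1.40 have three connections, but the first was observed for 8 h and the second for 24 h, so their per-hour rates differ by a factor of three; that is the figure to compare rather than the raw count. The one-minute floor is a choice, not a Zeek convention: a host seen once gets an inflated rate and should be flagged as "insufficient window" rather than ranked.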