March 31

Webinar takeaway – Applying The Threat Hunter’s Runbook


My key takeaways

  • Threat hunting runbook
    1. Identify connection persistency (beacons and long connections)
    2. Identify whether there is a business need for the connection
    3. Protocol analysis
    4. Investigate the external IP address
    5. Investigate the internal IP address
  • Threat hunting is stealthy
    • the adversary should only be allowed to notice we are after them once we switch to incident-response mode
  • Raise Zeek's TCP inactivity timeout (tcp_inactivity_timeout) from the 5 min default to 1 h in your local.zeek, so that a long idle connection is not split into many short records
  • Options to create a safelist for RITA
    • Parse RITA's output with a script before review
      • preferred, because it is easy to roll back (the underlying data stays untouched)
    • RITA's NeverInclude and NeverIncludeDomain config options
    • BPF filter before Zeek captures
      • improves performance, since the filtered traffic never reaches Zeek
  • A dash after the protocol in RITA's output (no identified service) means the connection probably started before Zeek began capturing
  • Eliminating known long connections like the Windows Notification Service can reduce the load significantly
  • Working through 24 h of data is doable in about 1 h

User comments

  • Keith - ACM BHIS — today at 20:32: RITA does not currently have safelisting/whitelisting built-in.

  • 3l t0r0 — today at 20:34: how do you make a differentiation between an endpoint on for only 8hrs vs one on for 24hrs within the same analysis?

  • wstearns-ACM — today at 20:35: You could feed the raw pcap into tcpdump to filter on the IP address and use capinfos on the result:

      tcpdump -r original.pcap -w justoneip.pcap 'host 8.8.8.8'
      capinfos justoneip.pcap


Tags

threathunting

