Webinar Takeaway: Cyber Threat Hunting Level 1

My key takeaways

• the juicy stuff is the traffic leaving the network: is there a business need for it?
• Bro / Zeek : Bro old, Zeek new, almost same
• Figuring out beacons best over long period of times, eg 24h
• almost all c2 beacons are encrypted, use meta information to detect them
• today heartbeats without jitter timing: 50% chance of a false positive
• ==RITA does not install on Ubuntu 20.04==

Env

• Provided by Active Countermeasures
• Presenter: Chris Brenton
• Moderator: Bill Stearn

additional links

• https://www.activecountermeasures.com/cyber-threat-hunting-training-course/
• https://jensoroger.wordpress.com/2021/02/22/attending-cyber-threat-hunting-level-1-w-chris-brenton-4-hours-and-want-to-run-the-vm-in-qemu-kvm-this-is-how-i-got-it-to-work-activecmeasures-activecountermeasures-aihunter-threathunting-bea/
• https://cheatography.com/mbwalker/cheat-sheets/tshark-wireshark-command-line/
• https://github.com/markusthilo/PyZeekCut
• A fake SSH server that lets everyone in and logs their activity
• https://www.bc-security.org/post/ja3-s-signatures-and-how-to-avoid-them/
• http://www.gnu.org/software/datamash/
• https://explainshell.com/explain?cmd=cat+conn.log+%7C+bro-cut+id.orig_h+id.resp_h+duration+%7C+sort+%7C+grep+-v+%27-%27+%7C+datamash+-g+1%2C2+sum+3+%7C+sort+-k+3+-rn+%7C+head+-10
• excercise with pcaps
• Whitelisting in Rita
• Recording from v1 of this training: