This past Saturday, Joe Pisano and I had the privilege of presenting “Threat Hunting on a Budget” at BSidesDFW. Joe is a Senior Threat Hunter at the Air Force Computer Emergency Response Team (AFCERT) and a good friend who shares my passion for InfoSec and homelabbing. Dalton Ireland, the current Lead Threat Hunter at the AFCERT, is also a close friend who contributed to the presentation but was unable to make the actual event.
When we set out to put this presentation together, we wanted to make sure it was approachable even from an entry-level InfoSec professional’s perspective. Threat hunting doesn’t get nearly as much attention or love as many of the other aspects of cybersecurity, and the more people we can bring into this subset of the community, the better off the security of our organizations will be. As such, we made sure to include content regarding what threat hunting is, why an organization should consider implementing a threat hunting program, and ultimately how to perform a threat hunt. All of this was discussed with the understanding that starting a threat hunt program takes a lot of time and money. Money is a finite resource, and starting a fledgling hunt team is an easier sell to management if costs are minimized as much as possible. In keeping with this spirit, we made sure to discuss only tools which are available for free.
Additionally, knowing that “actions speak louder than words,” we wanted to put our money where our mouth was, so to speak. To do so, we implemented a small lab environment consisting of six hosts, a domain controller, and two Ubuntu servers running Kolide Fleet and ELK (Elasticsearch, Logstash, Kibana) respectively. On the hosts we utilized a basic Sysmon install running alongside Winlogbeat to ship the logs to ELK. We also installed the OSQuery agent on the hosts and linked them to Kolide Fleet.
Our goal was to run attacks against the environment “blind” in order to make the simulated threat hunts as realistic as possible, but we ran out of time to do so. Our co-worker and resident Red Team Operator, Samuel Kimmons, provided a few basic ideas to run in the lab, since we were having a hard time envisioning what kinds of attacks would make for good examples. It’s also worth noting that Sam provided a lot of moral support and helpful advice in crafting the overall message of the talk, as well as on how to build a solid presentation. In the end, we employed two different attacks with different sets of tools and tactics, techniques and procedures (TTPs) in order to create a more robust example of how flexible threat hunting is.
The presentation itself went well, though Joe and I were definitely nervous speaking in front of an audience of approximately seventy people. That being said, if the audience noticed, they did not seem to mind, as we had several great questions at the end and received a lot of support afterwards. Our experience was absolutely positive, and the BSidesDFW team was great to work with and put on a fantastic event.
As mentioned earlier, we had the help and support of Samuel, but we were also supported by fellow Threat Hunter Ashley, who helped research some of the reference material we cited and also provided valuable input regarding the slides and content. Without the help of our peers, this presentation would not have been a success.