Threat Hunter Profile – Danny Akacki
Hunt Team for a Fortune 100 Company
Datasets: Proxy, Firewall, IDS, AV, endpoint logs
Preferred Hunting Techniques: Behavioral detection, breadth scoping, misconfiguration searching
Tools: FireEye TAP, Splunk, Wireshark, Bro, Moloch, Security Onion
Who are you?
My name is Danny Akacki. You stole my data, prepare to die.
Why do you hunt and what is your experience hunting?
I’ve been learning from people far smarter than I for the past 4 years. I’ve hunted evil at places like Mandiant, GE Capital and currently reside in the financial sector.
I hunt because it’s who I am. For as long as I can remember, I’ve known when someone was trying to hide something from me, lie to me or otherwise be generally shady. I was an analyst before I knew what the word meant. I got started, with Hunting at least, working for David Bianco while at Mandiant.
How would you define Threat Hunting?
Looking for ways to discover Evil doing Evil things.
What projects and organizations are you involved with right now?
I’m currently trying to “try harder” for my OSCP because I don’t think I can be all the Hunter I can be if I don’t know how the other half lives. I’ve also just become interested in picking all the things and became a card carrying member of Toool. I support as many different BSides as I can before my wife divorces me for travelling too much. Whether speaking or volunteering, it’s important to me. I also maintain a blog in the loosest sense of the word over at pcwf.co.
Which of the hunts you’ve carried out was the most interesting or challenging?
In my mind, the most interesting hunts are the least “sexy”. Being able to uncover things in your environment like unpatched software, device misconfigurations, or just users doing “uneducated” things. These also tend to be the most challenging, especially when I was a consultant, because you never truly know what “business as usual” means from client to client. You have to make a strong case as to why these seemingly simple things are really a huge threat to any organization.
What hunting techniques, tools, and datasets do you use most frequently?
Techniques: There are a few different roads I go down to focus my hunts on a regular basis.
Behavioral identification: I consider this to be the most crucial technique to master. Intelligence plays a huge part here, especially when hunting on TTPs of a specific threat actor. “%CREW% likes to use X family of malware in conjunction with Y persistence mechanisms”, etc.
Breadth Scoping: I like to spread wide before diving deep. For example, if we know there was an uptick in recent phishing campaigns and I can catch wind of it in my environment, I immediately scope how many people received the phish, who clicked, what they downloaded, where their box talked to next, who else talked to that box and so on. When I feel I’ve scoped as far as I can, I start digging deeper into the traffic.
Misconfiguration searching: Arguably the least sexy of any technique, it can bear the most fruit. Things like outdated software, device misconfiguration, improper logging; individually they make for a very broad attack surface, but when you can (and you will) find all of them in a single environment having gone unnoticed, they make for a deadly cocktail.
Tools: My primary expertise lies with Mandiant’s Threat Analytics Platform (TAP). Outside of that I’ve done much of my work in tools like Splunk, Wireshark, Bro, Moloch and of course the all powerful Security Onion (Thank you Doug!!). I would be remiss if I didn’t echo here what I’ve stated in past talks, never become complacent or too reliant on a single tool or group of tools. Admittedly, I am a cautionary tale. The bulk of my Hunting has been in TAP, so much so that I tend to ignore or forget about what other organizations who don’t have the means for TAP need to use for their hunts. No matter how awesome your tool of choice is, someday, in one form or another, it will fall down and you’ll need to pivot elsewhere. The analyst makes the tool, not the other way around.
Datasets: Give me logs or give me….just gimme your logs. Proxy, FW, IDS, AV, Endpoint, Email, etc. Anything that enhances context and makes pivoting easier.
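The breadth-scoping pivot described in the answer above (recipients, who clicked, what their box talked to next, who else talked to those destinations), worked through over constructed email and proxy log records. This is an added example, not code from the interviewee or any of the tools named; the sender address, hostnames and destinations are all made up.

```python
# Added example: breadth scoping of a phishing campaign across email and
# proxy logs. All records below are constructed for illustration.

# Constructed email log: who received the phish, from whom, with which URL.
EMAIL_LOG = [
    {"rcpt": "alice", "sender": "hr@payroll-update.example", "url": "http://payroll-update.example/doc"},
    {"rcpt": "bob",   "sender": "hr@payroll-update.example", "url": "http://payroll-update.example/doc"},
    {"rcpt": "carol", "sender": "hr@payroll-update.example", "url": "http://payroll-update.example/doc"},
    {"rcpt": "dave",  "sender": "newsletter@vendor.example",  "url": "http://vendor.example/news"},
]

# Constructed proxy log: (user, source host, destination, request).
PROXY_LOG = [
    ("alice", "ws-alice", "payroll-update.example", "GET /doc"),
    ("alice", "ws-alice", "198.51.100.7",           "GET /update.exe"),
    ("alice", "ws-alice", "203.0.113.9",            "POST /gate.php"),
    ("bob",   "ws-bob",   "intranet.corp.example",  "GET /"),
    ("carol", "ws-carol", "payroll-update.example", "GET /doc"),
    ("erin",  "ws-erin",  "203.0.113.9",            "POST /gate.php"),  # never got the phish
]

def scope_campaign(sender, email_log=EMAIL_LOG, proxy_log=PROXY_LOG):
    """Spread wide from one phish sender: recipients -> clickers -> their hosts
    -> the other destinations those hosts reached -> other hosts reaching the
    same destinations. Real logs should also be ordered by time; this toy
    version treats every non-phish destination of a victim host as follow-on."""
    phish_hosts = {e["url"].split("/")[2] for e in email_log if e["sender"] == sender}
    recipients = {e["rcpt"] for e in email_log if e["sender"] == sender}
    # Who clicked: a recipient whose proxy traffic hit the phish domain.
    clickers = {u for u, _, dst, _ in proxy_log if u in recipients and dst in phish_hosts}
    victim_hosts = {h for u, h, _, _ in proxy_log if u in clickers}
    # Where the clicking boxes talked next (anything other than the phish domain).
    follow_on = {dst for _, h, dst, _ in proxy_log if h in victim_hosts and dst not in phish_hosts}
    # Who else talked to those destinations: the next ring of the scope.
    also_talking = {h for _, h, dst, _ in proxy_log if dst in follow_on and h not in victim_hosts}
    return {
        "recipients": sorted(recipients),
        "clickers": sorted(clickers),
        "victim_hosts": sorted(victim_hosts),
        "follow_on_destinations": sorted(follow_on),
        "other_hosts_to_investigate": sorted(also_talking),
    }
```

On the constructed data, alice and carol clicked, alice's box then fetched an executable and posted to a second address, and ws-erin shows up as a host that reached that same address without ever receiving the phish.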
What types of friendly intelligence are most useful for a hunter to have in an investigation?
Nothing beats internal intel. Lessons Learned/After Action reports. If you live in a single environment, internal intel should be your bread and butter to drive your hunting program forward. This also includes detailed network/asset information. What are your crown jewels? Who needs what protected? You’ll never have your house completely in order, but before you go looking for outside OSINT, look within.
What general advice do you have for new Threat Hunters?
Diversify. You can’t be an effective Blue Team/Defender/Hunter/Whatever without knowing how the bad guys are going to come at you. Don’t get so lost in your hunting craft that you forget to see all the angles.
What hunting procedure would you recommend for a new threat hunter?
Learn your environment. This is so important I want to create a cast iron mold of those words and smack you in the head with it. Use cases are great, but the thing about low hanging fruit is that it will always rebloom. Learn your environment so you can target your endeavors to catch the bigger fish.
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
Finding the weird in the normal. Finding the outliers that can only come from baselining. Why did X host, who has only ever communicated with X server, suddenly start spewing connections all over the place? Also, timelining an incident.
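The baselining question in the answer above (a host that only ever talked to one server suddenly spewing connections) is the kind of outlier that is easy to automate. This is an added example, not the interviewee's code: it baselines each host's daily destination fan-out from constructed firewall or Bro-style connection records and flags the hosts whose fan-out jumps, while a box that is noisy every day stays quiet because noisy is its normal.

```python
# Added example: baseline per-host destination fan-out and flag sudden spikes.
# Connection records are constructed: (day, source host, destination).
from collections import defaultdict

CONN_LOG = [
    # ws-fin-01 normally talks only to the file server ...
    ("2019-03-01", "ws-fin-01", "fs-01"), ("2019-03-02", "ws-fin-01", "fs-01"),
    ("2019-03-03", "ws-fin-01", "fs-01"), ("2019-03-04", "ws-fin-01", "fs-01"),
    # ... until the hunt day, when it starts sweeping the subnet.
    ("2019-03-05", "ws-fin-01", "fs-01"),
    ("2019-03-05", "ws-fin-01", "10.0.5.11"), ("2019-03-05", "ws-fin-01", "10.0.5.12"),
    ("2019-03-05", "ws-fin-01", "10.0.5.13"), ("2019-03-05", "ws-fin-01", "10.0.5.14"),
] + [
    # A developer box that hits three services every day: high fan-out is its baseline.
    ("2019-03-0%d" % d, "dev-07", dst) for d in range(1, 6) for dst in ("git", "ci", "pkg")
]

def daily_fanout(conn_log):
    """Distinct destinations per (host, day)."""
    seen = defaultdict(set)
    for day, src, dst in conn_log:
        seen[(src, day)].add(dst)
    return seen

def find_fanout_outliers(conn_log, hunt_day, ratio=3.0):
    """Flag hosts whose distinct-destination count on hunt_day is at least
    `ratio` times the largest daily count seen before hunt_day. For each
    flagged host return the destinations never seen in the baseline: that is
    the pivot list for the next step of the hunt."""
    seen = daily_fanout(conn_log)
    baseline_max = defaultdict(int)
    baseline_dsts = defaultdict(set)
    for (src, day), dsts in seen.items():
        if day < hunt_day:  # ISO dates compare correctly as strings
            baseline_max[src] = max(baseline_max[src], len(dsts))
            baseline_dsts[src] |= dsts
    outliers = {}
    for (src, day), dsts in seen.items():
        if day != hunt_day or src not in baseline_max:
            continue  # no baseline for this host yet, so "weird" is undefined
        if len(dsts) >= ratio * baseline_max[src]:
            outliers[src] = sorted(dsts - baseline_dsts[src])
    return outliers
```

The ratio and the baseline window are tuning knobs; a longer window and a per-host threshold are what "learn your environment" buys you here.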
What would you like to see Threat Hunting develop into across the industry in the future?
Something that fosters relationship building within an organization. This thing won’t work and can’t possibly be effective without buy in from lots of different people across lots of different business units.