THREAT HUNTER PROFILE – MIGUEL DIAZ
Full packet capture, Netflow and Firewall Logs
Preferred Hunting Techniques
ELK Stack, Graylog
Who are you?
My name is Miguel Díaz, cybersecurity specialist and ethical hacker. I’ve been working in the computer science field my whole life and I love it! I started doing some silly hacks as a kid (mainly school hacks), which forced me to learn coding, networking and computer architecture at an early stage in my life. A few years later I dedicated myself to software development, but I made my way back to cybersecurity 5 years ago. Nowadays I work as a security researcher and in cybersecurity response.
What is your experience with Threat Hunting and for how long?
At least 6 to 7 months. I heard about it watching DFIR SANS security talks and reading papers from Sqrrl. Nonetheless, it’s something that, in a way, I was already doing in my spare time as security investigations (grabbing some logs from different sources and trying to explain their behavior, looking for anomalies).
How would you define Threat Hunting?
It’s an iterative process that seeks to search for any abnormal behavior that needs to be analyzed. In a way, it’s a process that allows you to ask questions and look for answers: if there is a process, port, netflow, connection or service wandering around and you don’t know why, that’s something worth analyzing.
What projects and organizations are you involved with right now?
Today, I’m in charge of the Intelligence branch of our Cyberintelligence centre (we have 3 branches: Operations, Core and Intelligence), and as an MSSP we work with several clients. I’m working with two of our clients as a test ground, doing Threat Hunting on their infrastructure and seeing what we find.
Which of the hunts you’ve carried out was the most interesting or challenging?
Nothing too “fun” yet, mostly unsuccessful hunts of abnormal behavior that ended up being normal from a business perspective. For example, we started our hunt because we discovered weird port usage outside business hours… and it was an IoT machine transmitting data to a cloud server. We were really eager to study more, but it was a Raspberry Pi from a DevOps team. We are still waiting for a big hunt.
What hunting techniques, tools, and datasets do you use most frequently?
We divided the hunt into two processes: hypothesis creation and hunting. The first part is where we create a hypothesis based on data analysis. This is where we have our automated systems (it’s just an IoC matcher for now; we want to add Machine Learning by the end of 2018) and data visualization tools. We use aggregations to try to detect non-obvious behaviours (as an example, as opposed to the Top 10 most visited sites, we check the Top 10 least visited sites). Once we have something worth analyzing, we create a hypothesis of why that is happening and start the hunt from there. For the hunting phase we process data and gather evidence manually (a port mirror usually helps). We plan to have an automated tool to grab the data we need by the end of 2018.
As for tools, we pre-parse logs using Logstash and ship them to Graylog to have it match them against IoCs (OTX for now; we are trying to have an alliance with X-Force) and do more advanced parsing. Once they are parsed, they are stored in our Elasticsearch (without X-Pack). From there we extract interesting analytics using Kibana. We complement that with Python plotting scripts.
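The two aggregation ideas from the answers above (the "Top 10 least visited sites" view, and port usage outside business hours that turned out to be an IoT device) can be shown in a few lines of Python. The script below is an added example written for this profile, not code from Miguel Díaz or his team; the flow records are constructed sample data, and the business-hours window (08:00 to 19:00 on weekdays) is an assumption.

```python
from collections import Counter
from datetime import datetime

# Constructed sample flow records (not data from the interview): one line per
# connection, formatted as "<ISO timestamp> <src IP> <dst host> <dst port> <bytes>".
# 2018-03-05 is a Monday; the last record falls on Saturday 2018-03-10.
SAMPLE_FLOWS = [
    "2018-03-05T09:12:01 10.0.1.15 intranet.example.local 443 5120",
    "2018-03-05T09:13:40 10.0.1.16 intranet.example.local 443 4870",
    "2018-03-05T10:01:12 10.0.1.15 mail.example.local 993 22010",
    "2018-03-05T11:45:33 10.0.1.17 intranet.example.local 443 6100",
    "2018-03-05T12:30:05 10.0.1.16 cdn.example.net 443 91000",
    "2018-03-05T14:00:59 10.0.1.15 intranet.example.local 443 5000",
    "2018-03-05T15:20:18 10.0.1.17 mail.example.local 993 18020",
    "2018-03-05T02:15:07 10.0.1.99 telemetry.example-cloud.net 8883 1400",
    "2018-03-05T03:15:09 10.0.1.99 telemetry.example-cloud.net 8883 1420",
    "2018-03-05T22:40:44 10.0.1.16 updates.example.org 80 33000",
    "2018-03-05T16:00:01 10.0.1.18 cdn.example.net 443 87000",
    "2018-03-05T16:05:27 10.0.1.18 cdn.example.net 443 3300",
    "2018-03-05T17:00:00 10.0.1.16 mail.example.local 993 20400",
    "2018-03-10T11:00:00 10.0.1.20 intranet.example.local 443 4200",
]

# Assumed local business hours: 08:00 up to (not including) 19:00, weekdays only.
BUSINESS_START, BUSINESS_END = 8, 19


def parse_flow(line):
    """Split one flow record into a dict; raises ValueError on a malformed line."""
    ts, src, dst, port, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "bytes": int(size),
    }


def least_visited(flows, n=3):
    """Return the n destinations with the FEWEST connections, rarest first.

    This is the inverse of the usual "top talkers" view: rarely contacted hosts
    are where one-off or unexpected traffic tends to hide. Ties are broken by
    hostname so the result is deterministic.
    """
    counts = Counter(f["dst"] for f in flows)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


def is_off_hours(ts):
    """True for weekend connections or weekday connections outside business hours."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)


def off_hours_activity(flows):
    """Count off-hours connections per (destination, port) pair."""
    return Counter((f["dst"], f["port"]) for f in flows if is_off_hours(f["ts"]))


def hunt_summary(lines):
    """Run both aggregations over raw record lines and return them together."""
    flows = [parse_flow(line) for line in lines]
    return {
        "least_visited": least_visited(flows),
        "off_hours": off_hours_activity(flows),
    }


if __name__ == "__main__":
    summary = hunt_summary(SAMPLE_FLOWS)
    print("Least visited destinations (count, host):")
    for host, count in summary["least_visited"]:
        print(f"  {count:3d}  {host}")
    print("Off-hours activity (count, host:port):")
    for (host, port), count in summary["off_hours"].most_common():
        print(f"  {count:3d}  {host}:{port}")
```

Run against the sample data, the rarest destination is the single connection to updates.example.org, and the off-hours view surfaces the two 02:00 to 03:00 connections to telemetry.example-cloud.net on port 8883, which is exactly the kind of result that starts a hypothesis ("why does this host talk to the cloud at night?") before anyone knows whether the answer is an incident or a DevOps Raspberry Pi. The same functions work unchanged on a real export of firewall or NetFlow records once they are normalized to the five-field line format.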
What value do you actively see come out of your hunting activities?
Questions! Building a knowledge base that explains different scenarios at a company level is done by questioning everything, and hunting is a really good tool for asking these questions.
What types of friendly intelligence are most useful for a hunter to have in an investigation?
The client’s knowledge, but from a risk perspective, not from threat intelligence. He’s the one eager to know more about the risks that may affect his company. He provides (or manages to get) more pinpointed information. In my experience it’s more productive to work with Risk Management rather than IT, because they have a different perspective on the importance of hunting these threats.
What general advice do you have for new Threat Hunters?
Get your hands dirty; don’t waste hours and hours just reading literature and papers. Get your hands on a lab, study, and go back to the lab. Another thing I recommend is not to limit yourself because you don’t have a big lab or advanced hypervisor infrastructure to hunt with. Start simple: a PC with 4GB of RAM that runs the ELK Stack is a good start.
What hunting procedure would you recommend for someone new to Threat Hunting?
I recommend starting from what their main skills are: if it’s networking, start with netflow or firewall logs; if it’s forensics, start with OS processes, registry key changes and file access behavior; if it’s hacking, look for data exfiltration and recon techniques. It all depends on what you know best.