Threat Hunter Profile – Pietro Bempos
Preferred Data Sets
Endpoint logs/process data, Windows event logs, DNS logs, server application logs
Preferred Hunting Techniques
Threat mapping, IP stacking (outlier detection), asset prioritization and investigation
Preferred Tools
Linux command line, custom scripting (Python and Bash), custom tools
Who are you?
Hello, my name is Pietro Bempos. I wrote my first computer program on my Amstrad CPC 6128 in 1989, and since then I haven’t stopped working with computers. I’ve worked professionally in IT for 10+ years and most recently have become a full-time Threat Hunter. You can find more info on my LinkedIn profile or find me on Twitter. Feel free to contact me with any questions or just for a chat about hunting.
Why do you hunt and what is your experience hunting?
I’ve worked as a full-time hunter for about a year. My previous roles in threat intelligence and security research, as well as an interest in offensive security, helped me quickly understand what was required for threat hunting. I have spent a good amount of time grasping what’s needed to build a successful threat hunting team, including the tools, techniques and datasets. Apart from that, I have been developing tools that help me in my daily hunting work.
What should a hunter consider when choosing techniques, tools, and data sets?
When thinking about tools and techniques, you have to think about your target hunt environment. Overall, there is no good or bad tool/technique/data-set (TTD); there is only a TTD for your target environment. A good approach to choosing the correct TTDs is to consider which are the most valuable assets as well as which are the most frequently targeted systems. Of course this is easy to say, but it can be challenging in practice. If there is a doable way to identify those critical assets, then the next step would be to check what kind of endpoints they are.
Is this a workstation?
If yes, then do you have endpoint logs? For example, the ability to fetch registry entries, AV logs, running processes and generally any info in bulk that would be helpful in a forensic investigation?
If yes, then this is probably worth further investigation.
If no, then you have to consider other options or to add new data sets, tools and techniques to your arsenal. I know that this has been mentioned again and again, but I think that everyone should go to www.threathunting.net and get some specific ideas as well as contribute your own techniques through the GitHub page. I am certainly aiming to do that from my own side.
On the other hand, if this is not a workstation but a server, what can we do?
For servers this process might be a bit trickier, as there are many types of servers and there are no catch-all approaches. However, there are always some generic ways. Endpoint logs are useful when we deal with servers, as they are with workstations, but there are plenty of other parameters to consider. For example, server application logs, servers facing the internet, a forgotten server that still has default credentials. The question then is: do I have the tools to get the application logs? Are the data-sets available? Can I get a list of external-facing servers or a list of servers that have default credentials? If the answer is yes, then you are on the right path. Those are some sample questions that threat hunters can pose to help them identify which are the correct TTDs to use and, at the same time, help them understand if they need to add new data sets, tools and techniques to the arsenal.
What value do you actively see come out of your hunting activities?
Hunting is primarily useful for finding previously undetected threats. However, this is not its only source of value. During a hunt, you will enumerate and understand the environment and gather useful intel for yourself and for your organization. Apart from that, you might find misconfigurations, non-compliant systems, and other protection gaps.
What types of intelligence are most useful for a hunter to have in an investigation?
Intelligence is a step beyond information; it is not just an IP address or a hash value. Intelligence is a source IP address that used the Shellshock vulnerability; the time was 13:45 GMT+2 and the attack was successful. Intelligence is a hash value of proxy evasion software found running on a domain controller during a public holiday.
Some good examples for intelligence useful to a hunter might be:
- Who is attacking the company under investigation? This can be as simple as common IPs, domains, geo-location, or more complex, such as a specific threat actor.
- Commonly targeted systems, most vulnerable systems and most valuable systems.
- Trending TTPs targeting the industry as well as common TTPs targeting the company.
What general advice do you have for new Threat Hunters?
A famous quote from Abraham Lincoln is probably the best general advice I can give to a Threat Hunter:
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
There is no golden rule or specific procedure that applies to every case. Each environment is different and each individual has their own background. From my perspective there are two key rules that someone should follow to be successful with threat hunting. Those are: know thyself, and understand the target environment. If you don’t feel comfortable with Windows systems then start your hunting on your Linux servers. Focus your hunting efforts starting with the skills you are strong at and improve your weaknesses based on the target environment.
Don’t forget this is a live and constantly changing ecosystem you are working in. What works today might not always work tomorrow. You need to have your own and your opponent’s TTPs up-to-date if you want to be successful.
What hunting procedure would you recommend for a new Threat Hunter?
A good starting point for a new threat hunter can be to focus on techniques that provide value on multiple levels, are relatively easy skill-wise, and will help you understand the target environment.
One interesting hunting procedure with those characteristics is mapping external attackers and using the intelligence gathered for hunting purposes. An easy way to get actionable data like this would be to look at alerts. The alerts can come from your AVs, firewalls, WAFs or any other systems that produce alerts for suspicious or malicious activity.
Next a hunter can ask questions like the following:
- Who is scanning your network from the outside?
- Who is attempting brute force entries?
- Who is trying to use exploits against us?
- Which exploits are most commonly used?
- Are any of those alerts not in block mode?
By mapping and trying to understand who is attacking from outside the network, a hunter can gather intelligence of great value. This on its own is a win for the organization. At the same time, this will help a hunter understand the environment he is working for. Next, a hunter should start making sense of the intelligence gathered. At this point all data gathered should be carefully organized and correlated.
For example, you can take the top 100 offending IPs and see if any of those IPs are being beaconed to from inside to the outside. If yes, then you can try to understand why. However, the threat hunter needs to be careful about how he gathers and organizes the info, as he might suddenly be drowned in a large sea of data. I would recommend starting by looking at more specific scenarios, for example only checking brute force SSH attempts. Not to mention that having an SSH port open on the Internet can in many cases be a security risk of its own. Alternatively, you can take all the data and put it in a custom, commercial or open source threat intelligence repository and make queries from there. You may find many ways to use the intelligence gathered to find patterns; the limit is only your imagination.
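The procedure above (stack offending external IPs from alerts, answer the "who is scanning / brute forcing / exploiting, and what is not in block mode" questions, then check whether any top offender is contacted from the inside at regular intervals) as an added worked example. This is not Pietro's own tooling and is not taken from the interview; the key=value log format, the field names, the internal network ranges and the beaconing thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""IP stacking over firewall alerts, then correlation with outbound traffic.

Added example (not from the original profile). Assumed log layout:
'<ISO timestamp> key=value key="quoted value" ...'. Field names, internal
ranges and thresholds are assumptions for the demo.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample alerts (documentation ranges, not real hosts).
FIREWALL_ALERTS = """\
2021-03-01T09:00:01Z sig="SSH brute force" src=203.0.113.10 dst=192.0.2.5 dport=22 mode=detect
2021-03-01T09:00:07Z sig="SSH brute force" src=203.0.113.10 dst=192.0.2.5 dport=22 mode=detect
2021-03-01T09:00:13Z sig="SSH brute force" src=203.0.113.10 dst=192.0.2.5 dport=22 mode=detect
2021-03-01T09:01:15Z sig="Port scan" src=198.51.100.7 dst=192.0.2.9 dport=445 mode=block
2021-03-01T09:01:16Z sig="Port scan" src=198.51.100.7 dst=192.0.2.9 dport=3389 mode=block
2021-03-01T09:05:40Z sig="Shellshock attempt" src=203.0.113.10 dst=192.0.2.20 dport=80 mode=block
2021-03-01T09:07:02Z sig="Shellshock attempt" src=192.0.2.77 dst=192.0.2.20 dport=80 mode=block
"""

# Constructed outbound connection records (internal src -> external dst).
OUTBOUND_CONNECTIONS = """\
2021-03-01T10:00:00Z src=10.0.0.15 dst=203.0.113.10 dport=443
2021-03-01T10:05:00Z src=10.0.0.15 dst=203.0.113.10 dport=443
2021-03-01T10:10:01Z src=10.0.0.15 dst=203.0.113.10 dport=443
2021-03-01T10:14:59Z src=10.0.0.15 dst=203.0.113.10 dport=443
2021-03-01T10:02:00Z src=10.0.0.22 dst=198.51.100.7 dport=80
2021-03-01T11:40:00Z src=10.0.0.22 dst=198.51.100.7 dport=80
"""

# Assumed internal ranges: alerts whose source is internal are a different hunt.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn '<ts> key=value ...' into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def stack_offenders(alerts, top=100):
    """IP stacking: alerts per external source IP, most active first."""
    return Counter(a["src"] for a in alerts if not is_internal(a["src"])).most_common(top)


def signature_counts(alerts):
    """Which exploits/signatures are used most often from the outside?"""
    return Counter(a["sig"] for a in alerts if not is_internal(a["src"])).most_common()


def not_blocked(alerts):
    """(signature, src) pairs the control only detected: ask why they are not in block mode."""
    return sorted({(a["sig"], a["src"]) for a in alerts if a.get("mode") != "block"})


def beacon_candidates(offenders, conns, min_hits=3, max_jitter=0.2):
    """Internal hosts talking to a top offender at regular intervals.

    Jitter is pstdev/mean of the gaps between consecutive connections for one
    (internal src, external dst) pair; low jitter with enough hits is flagged.
    """
    offender_ips = {ip for ip, _ in offenders}
    by_pair = defaultdict(list)
    for c in conns:
        if c["dst"] in offender_ips:
            by_pair[(c["src"], c["dst"])].append(c["ts"])
    found = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            found.append((src, dst, round(mean), round(jitter, 3)))
    return found


if __name__ == "__main__":
    alerts = parse_log(FIREWALL_ALERTS)
    offenders = stack_offenders(alerts)
    print("top offenders:", offenders)
    print("signatures:", signature_counts(alerts))
    print("not in block mode:", not_blocked(alerts))
    print("beacon candidates:", beacon_candidates(offenders, parse_log(OUTBOUND_CONNECTIONS)))
```

With the constructed data, 203.0.113.10 tops the stack (three SSH brute force alerts in detect mode plus one Shellshock attempt), and the same address is then contacted by 10.0.0.15 every five minutes with almost no jitter, which is exactly the inside-to-outside pattern worth explaining before moving on. The internal 192.0.2.77 source is deliberately left out of the stacking; an internal host triggering an exploit signature is a separate lead, not an external offender.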
What would you like to see Threat Hunting develop into across the industry in the future?
I would like to see a community that continually shares ideas and knowledge. Beyond that, I would like to see threat hunting become a de facto standard for all security teams.