Kicking off the Endgame Threat Hunting Workshop Series
Last night, we kicked off our first Threat Hunting Workshop Series in the Endgame Arlington office. Guided by Endgame and Capital One practitioners, hunters and incident responders from the government and the commercial sector (with industries ranging from telecommunications to legal to entertainment) engaged in a hands-on, collaborative and informative discussion about proactive threat detection. We covered a range of use cases, as well as tips for justifying and evaluating your team and involving leadership, and provided additional networking time for follow-on questions and conversation. This is just the first of these workshops, and we hope to continue the discussion at future events both in the DC area and across the United States.
We have previously written about open source hunting tools and techniques, including hunting in memory, hunting on the cheap and hunting for persistence. We have also presented our research at industry conferences such as Blackhat, Defcon, Derbycon, SANS Threat Hunting & IR Summit, and SANS DFIR. In these cases, the information flow tends to be unidirectional, with readers and attendees frequently requesting additional time and outlets for more information and additional interactions. Based on these experiences, as well as input from customers and those in the community, it was time to integrate this expertise and lessons learned into an interactive workshop.
Endgame researchers Paul Ewing and Devon Kerr, both experienced in threat detection and incident response, were joined by threat hunting expert Roberto Rodriguez from Capital One to lead attendees through three hunt use cases: hunting for persistence, lateral movement, and credential theft. Using a range of open source tools and techniques, participants learned the details of each of these adversary techniques, the evidence necessary to see them, analysis techniques to generate high fidelity detections, and how each of these fits into the broader MITRE ATT&CK matrix. Importantly, MITRE’s ATT&CK matrix helped move the conversation from very specific, tactical questions - such as those pertaining to specific devices or operating systems - to thinking more broadly like an attacker. Knowing how attackers operate at each phase of the attack lifecycle and understanding how they might adapt to an environment is essential for teams proactively looking for threats.
Clearly, successfully identifying these malicious techniques is a core component of the process. However, technical insights alone don’t make the successful hunter; there are often organizational constraints that can make or break this capability. Our trio of facilitators armed participants with resources and quantifiable models to help justify the value of the hunt within an organization. A key challenge hunt teams encounter is that the analyst may come up empty-handed, an outcome which itself provides measurable but often overlooked value. The importance of assessing or measuring the value of your program cannot be overstated, and it is a topic we’ll cover more deeply in a subsequent technical blog, especially when considering the challenges surrounding scalability.
We had a great time sharing our experiences and insights, and helping to grow the threat hunting community. This was just the beginning, and we look forward to building community and exchanging insights with other threat hunters across the United States. Future workshops will continue last night’s discussion, and expand across additional use cases, analyses, industries, and geographies. To request a workshop in your area, please complete this form.