Name: Hem Karlapalem
Organization: Global Fortune 100 Company
Years hunting: 3
Favorite datasets: Proxy, DNS, Domain controller and endpoint logs
Favorite hunting techniques: Time series analysis, linked data analysis
Favorite tools: SysInternals, Wireshark/tcpdump, ELK suite, PowerShell
Who are you?
Hem Karlapalem, a threat hunter from a Fortune Global 100 company. I have an overall experience of 8+ years in information security, working across telecommunications, banking & automotive sectors through TAC, development, professional services & cyber threat fusion centers. My expertise is in incident handling & response (including hunting), malware analysis, reverse engineering, troubleshooting, and tool automation.
Why do you hunt and what is your experience hunting?
I've been hunting for just over 3 years now. With the growing number of APTs out there, a new form of defense has become necessary for companies, which I think has come in the form of Hunting, or proactive threat detection, and an effective usage of the abundant amount of data available, aka "Big Data".
How do you define Threat Hunting?
As the name suggests, it's all about going after threats in a proactive way, especially once you can focus on behaviors and attributes, namely Indicators of Compromise (IOCs). Aside from that, it's about continuously asking questions about a breach and tracing the paths an attacker might take towards their goals, from a defensive standpoint. Throughout a hunt, you might come across more suspicious patterns which can uncover a fuller scope of a threat actor hiding in your network.
What projects and organizations are you involved with?
I love to work on automation tools, and in my free time I build tools using Python & PowerShell and contribute to the open source community through GitHub & Cybrary. I'm also part of the Bangalore NULL Chapter and ISF.
Which of the hunts you've carried out was the most interesting or challenging?
Any hunts that involve network data [Proxy, DNS, Mail] & AD I would say are the challenging ones, considering the amount of data that one has to go through and the kind of attacks that target these devices.
In one of the earlier organizations I worked for, we uncovered an IP Camera that was being used for C2 activity, communicating with an external domain at random intervals. After having conducted a more thorough analysis, we didn’t observe any notable exfiltration of data, but it was clear that the camera was infected. We extracted a few IOCs from that hunt to see if the attacker was seen anywhere else in the network. The investigation to identify the sources of the communication went on for weeks because the clues were hidden in a much larger data set, and we had never encountered an unorthodox C2 method like that.
What hunting techniques, tools, and datasets do you use most frequently?
For hunting techniques, I would say that time-series analysis and linked data analysis are the best techniques to narrow down a large data set and still create a holistic picture for an investigation.
My favorite datasets to work with are proxy, DNS, domain controller & endpoint logs. I find that these datasets give me the best insight on environmental changes, which are critical in finding malicious behaviors.
As far as tools go, there are numerous open source tools I like, including SysInternals, Wireshark (or tcpdump), ELK suite, Python & PowerShell, etc.
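As an added illustration of the time-series technique named above, applied to the kind of beaconing seen in the IP camera hunt (example code, not the interviewee's own tooling): the script below groups constructed proxy log lines by client and destination host and scores each pair by how regular its inter-request gaps are. The log format, the coefficient-of-variation threshold and the minimum hit count are all assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real data): timestamp, client IP, destination host, bytes.
PROXY_LOG = """\
2023-05-01T10:00:00 10.0.5.23 update.example-cdn.test 512
2023-05-01T10:00:07 10.0.5.23 update.example-cdn.test 498
2023-05-01T10:00:13 10.0.5.23 update.example-cdn.test 530
2023-05-01T10:00:21 10.0.5.23 update.example-cdn.test 505
2023-05-01T10:00:27 10.0.5.23 update.example-cdn.test 511
2023-05-01T10:00:35 10.0.5.23 update.example-cdn.test 520
2023-05-01T10:00:01 10.0.1.40 www.example.test 40211
2023-05-01T10:02:30 10.0.1.40 www.example.test 1200
2023-05-01T10:09:05 10.0.1.40 www.example.test 88000
2023-05-01T10:31:17 10.0.1.40 www.example.test 3100
2023-05-01T10:31:18 10.0.1.40 www.example.test 2000
2023-05-01T10:58:44 10.0.1.40 www.example.test 9000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")  # assumed log layout

def parse_proxy_log(text):
    """Return {(client, host): [timestamps]} from the constructed log text."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        series[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return series

def beacon_candidates(series, min_hits=5, max_cv=0.4):
    """Score each (client, host) pair by the regularity of its request gaps.
    A low coefficient of variation (stdev / mean) means near-periodic traffic,
    the time-series signature of a beacon. Jitter raises the CV, so max_cv is
    a tolerance (assumed value), not an exact-period requirement."""
    results = []
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        results.append((key, len(times), round(mean, 1), round(cv, 2), cv <= max_cv))
    return sorted(results, key=lambda r: r[3])  # most regular pairs first
```

For beacons that deliberately randomize their sleep, as the camera in the story did, widen max_cv or bin requests per hour and compare hit counts across hosts instead of relying on a tight period.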
What types of friendly intelligence are most useful for a hunter to have in an investigation?
Any information about what a threat actor is after will help to enrich the data by which a hypothesis can be improved. For example, when analyzing a proxy data set, the IOCs from an actionable intelligence perspective, like commonly targeted assets, IPs, domains, and certain tactics that might be employed for exfiltration or payload download, will help to focus a hunt in the right direction. A good threat intel partner [especially if you can afford to buy one] is always a good investment to have for effective hunting!
What general advice do you have for new Threat Hunters?
Enter the mindset of an attacker and start going through your network the same way an attacker would and I’m sure you will uncover many surprises! Threat Hunting, in my experience, rarely gives you a quick yield. It requires patience and perseverance.
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
The initial search process for sure. When analyzing a lot of data, finding a specific pattern on your own can be extremely tedious, especially the first time. If that part can be automated using machine learning, you can save a lot of time.
Check out our full Hunter Profile series for different takes, tips and tricks on threat hunting from the experts!