Name: Samuel Alonso
Years hunting: 2
Favorite datasets: AV, firewall, proxy, IDS and passive DNS
Favorite hunting techniques: Stack counting, anomaly detection and visualization
Favorite tools: Volatility, Passive Total, Santoku and Kali Linux
Who are you?
My name is Samuel Alonso, I am a Senior Cyber Security Analyst at KPMG. Despite spending 7 years doing business development, I switched careers and landed in the cyber security industry. I started to break into things at an early age…
Out of work, I like reading, sports, videogames, travelling and the outdoors.
Why do you hunt and what is your experience hunting?
I've now been hunting for 2 years. I hunt for a few different reasons, including to put new techniques into practice, test or create new content for automation, and overall reduce the risk posed to my organization by taking a proactive approach to threats
How would you define Threat Hunting?
Threat hunting can be defined in many different ways, however the common factor in all definitions is proactivity. Adversaries and technology have evolved very fast and these days I often see automation mechanisms being defeated. It is not enough to have automation in your organization’s network. In fact, there is an increasing need for specialized knowledge and solutions capable of proactively uncovering, tracking and eliminating threats from an organization’s network.
What projects and organizations are you involved with right now?
I currently work in KPMG’s Global SOC where I lead a shift of analysts protecting the organization’s network from threats. I also research and maintain my personal cyber security blog and attend different industry trainings. I am currently interested in and researching data analytics tools, including as Sqrrl, and keep working towards improving my hunting skills in the core network.
Which of the hunts you’ve carried out was the most interesting or challenging?
I have done hundreds of hunts, but the most technically demanding and difficult to carry out are those related to the core network of the organization. It is relatively easy to discover malware beaconing (C2, or command and control), but it requires experience and knowledge to detect an intrusion in your domain controllers or signs of lateral movement in the network.
Skilled attackers will compromise your user and their machines, but eventually they will want to own more of your network and information. To do so they need to compromise the heart of your network which is the domain controllers and the amount of information and complexity of these systems make the task of pinning intruders down in them a challenge.
What hunting techniques, tools, and datasets do you use most frequently?
The datasets I use depend on the part of the network where I am hunting. Hunting in the perimeter requires you have different datasets such as firewall, proxy, IDS and passive DNS however when you hunt in the endpoint you may want to have AV logs, System logs and forensics artifacts to mention a few.
The tools I use also vary, but I think it is a must for any good practitioner to use at least 2 to 3 different solutions since the tools have different limitations and approaches for detection. A combination of SIEM and a data analytics hunting tool will provide the hunter a good visibility in the network. On the endpoint, it's also important to have tools for memory analysis and native OS commands to get the results you are looking for.
With regards to techniques, the most common ones I use are stack counting, anomaly detection and visualization. These three techniques are essential for the day to day work of a threat hunter. For example, stack counting is useful when hunting for rogue user agents egressing your perimeter or when hunting for potential compromised user accounts.
Anomaly detection is maybe my favorite because it requires a hunter to have a deep understanding of how a system works in order to ascertain when something is displaying behavior that does not match the baseline. A typical example is system processes, understanding how they behave, their function, and other characteristics allows the hunter to recognize anomalous behavior and a potential attacker inside your organization.
Visualization may be overall the most powerful technique. Many times when you do not find the connection/link when stack counting or looking for anomalies, visualization helps to make sense of the information when all the other techniques failed.
What types of friendly intelligence are most useful for a hunter to have in an investigation?
The most useful friendly intelligence hunters can have is often general intelligence about their own environments. Knowing the environment not only technically, but also business wise will help the hunter to understand the threat profile of its organization. Understanding all the systems an organization is obviously useful, but so is understanding in which markets the organization operates, who their clients are, what goods and services they provide, who their competitors are, who else may benefit from the organization’s information (without paying of course), any history of previous attacks, business processes, etc.
Very often, organizations fall in the trap of relying on feeds and intelligence that has nothing to do with the nature of their business while neglecting their own intelligence. Their own intelligence is far more relevant than any other intelligence. It is that knowledge of itself that will provide an organization the biggest chances to stand and repel a threat.
What general advice do you have for new Threat Hunters?
Threat Hunting is a ‘relatively new’ field, however there is a real need for it as an experienced discipline now. Threat hunters are knowledge workers, their activity is heavily driven by knowledge, so learning and teaching is part of their role. If the challenge appeals to you join the movement and do not forget to give back to the community.
What hunting procedure would you reccomend for a new threat hunter?
I highly recommend understanding some basics such as the logs, devices and network you work with. Additional skills such as scripting and data analytics will also help, since the amount of data we have in the Enterprise is otherwise unmanageable.
When you are confident with these, try to baseline and recognize any potential anomalous process in your organization’s systems or detect anomalous activity through Windows Event logs. It is a good start!
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
There will always be an increasing need for threat hunters to discover new attacks and exploits as they happen. It is when these attacks are well documented and they have become commodity when they can be automated. Not that much has changed compared to years past, besides the heavy reliance on information and the unstoppable rise of illegal activities over internet against organizations and individuals.
What would you like to see Threat Hunting develop into across the industry in the future?
I do not know exactly the path that threat hunting will take, however I can tell that the current developments in the community are happening incredibly fast and the people supporting them are incredibly knowledgeable. We are a community that supports and shares among its members to benefit everybody’s organizations, and this is our biggest achievement today.