A Process is No One: Hunting for Token Manipulation

Presented at Black Hat Europe 2017, Dec. 7, 2017, 10:15 a.m. (60 minutes).

Does your organization want to start Threat Hunting, but you're not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you're not able to analyze it properly. This talk begins with the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding "analysis paralysis." We will then walk through a detailed case study of detecting access token impersonation/manipulation from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common access token manipulations in use and detail the defensive detection implications for each of these cases. This comprehensive case study will better arm both attackers and defenders with how to better utilize their toolset to detect or avoid detection of token theft and manipulation.


Presenters:

  • Robby Winchester - Adversary Detection Lead, SpecterOps
    Robby Winchester is an experienced threat hunter and penetration tester with six years of experience in information security. Over the course of Robby's career, he has developed and supervised penetration testing, physical security, and breach assessments for Fortune 100 clients. Robby worked two years for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments to the Department of Defense. Prior to that, Robby developed and integrated information security operations with traditional military operations for the U.S. Air Force's RED FLAG exercise. Robby has a BS in Computer Science from the U.S. Air Force Academy and an MS in Information Security and Assurance from Western Governor's University. Robby holds CISSP, GIAC Penetration Tester (GPEN), and several other information security certifications.
  • Jared Atkinson - Adversary Detection: Technical Director, SpecterOps
    Jared Atkinson (@jaredcatkinson) is the Defensive Services Technical Director at Specter Ops who specializes in Digital Forensics and Incident Response. Jared spent two years at Veris Group's Adaptive Threat Division (ATD) leading the technical buildout of Veris Group's Hunt capability. Before Veris Group, Jared spent four years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, an open source forensics framework for PowerShell, Uproot, a WMI-based IDS, and maintains a DFIR focused blog at www.invoke-ir.com.

Links:

Similar Presentations: