SESSION ID: CSV-T10
Cloud Threat Hunting
Sherri Davidoff, CEO, LMG Security (@sherridavidoff)
Matt Durrin, Security Consultant, LMG Security (@EvilMattXD)
#RSAC

Slide 2: Who Are We?
  Sherri Davidoff, CEO, LMG Security & BrightWise
  – Training: DoD, Google, Comcast, Mastercard, etc.
  – Black Hat “Data Breaches” course
  – NEW! “Data Breaches” book
  Matt Durrin, LMG Security
  – Cybersecurity Consultant
  – Education and training
  – Black Hat Co-Instructor
  – Evil, sometimes.

Slide 3: What's In The Cloud?
  Hosted Networks, Data Storage, Web Applications, Email, and more…
  https://www.besttechie.com/forums/topic/35241-how-to-find-the-best-cloud-service-provider-for-your-needs/

Slide 4: Define the Terms
  What is “Threat Hunting”?
  How is this different from IDS?
  How do we hunt in the cloud?
  What tools and techniques do we use?
  https://www.sans.org/reading-room/whitepapers/analyst/build-threat-hunting-capability-aws-39300

Slide 5: Threat Hunting
  Times, Locations, Activities, Behavior

Slide 6: MITRE ATT&CK Framework

Slide 7: Evil Braelynn Strikes!

Slide 9: Microsoft Audit Log Search

Slide 10: A Recursive Solution

Slide 11: Review the Data

Slide 12: We Can Do Better

Slide 14: Splunk Joins The Hunt!

Slide 15: Who Logged In From Chicago?!?! Not Part Of The Plan!

Slide 16: Check Your Score
  Office 365 Score

Slide 17: Microsoft Security

Slide 18: Leaving The Door Open
  https://www.scmagazineuk.com/44-million-azure-ad-microsoft-accountscompromised-password-problems-highlighted/article/1668138
  https://www.helpnetsecurity.com/2019/12/09/compromised-passwords-microsoft-accounts/

Slide 19: New Host Configuration

Slide 20: We’re Not Alone… Tricky!
  https://www.shodan.io/search?query=Remote+Desktop+org%3A%22Microsoft+Azure%22
2020_USA20_CSV-T10_01_Cloud Threat Hunting
This document was uploaded and shared by 张玉竹 on 2022-04-08 10:19:04.