Transcript
it's something you can start from the get go. You take the alerts, you take the incidents generated within your environment and you expand upon them and you dig and you pull those threads and the more that you can do that and the better that you can do that, the better you are at threat hunting. Welcome to Threat Vector, the Palo Alto Network's podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. Today I'm thrilled to speak with Ryan Chapman, an experienced threat hunter, malware analyst and digital forensics expert. Ryan has over 20 years experience in the IT realm with extensive hands-on experience in digital forensics and incident response or DFIR. He currently leads our managed threat hunting team at Palo Alto Networks and is also a SANS author and instructor specializing in ransomware defense. His passion for sharing knowledge and engaging with the community is evident through his work at conferences like Cactus Con and his educational contributions through SANS and Pluralsight. Today we're diving into the world of threat hunting, how professionals like Ryan stay on top of trends and we'll delve into some of the recent threats, including Loomis-Steeler and the CUP's vulnerability. Threat hunting is more critical than ever with the rapid evolution in cyber threats. Ryan's insights will provide a deeper understanding of how organizations can enhance their defensive strategies. Here's our conversation. Ryan, it's great to have you here. Before we dive into the nitty gritty on threat hunting, could you tell us a little bit about what drives your passion for this field? I had noticed on LinkedIn that you've been deeply involved in the community through engagements and education, Cactus Con, SANS and some other platforms. Maybe talk to me about how those experiences have shaped your approach to threat hunting and incident response. I've learned most of what I know from others. We stand on the shoulders of giants, truly. And if you go to a security conference and you're in a talk, if you go to a SANS course and you have a four, five, six day engagement, whatever it is, the key takeaways are that you identify and you notate what you don't understand and you take that forward and you build on that. My first engagement with a security conference happened to be Cactus Con, which I ended up leading later in life for three years, no longer anymore. But I went to a workshop where we learned about creating IRC chatbots via Python. And the Python code that we learned was mostly understandable to me at the time. But there were a number of things I didn't quite get. So I took notes on those things and I drove them to the point where I truly understood them and I knew why we were writing those particular lines of code. And it's the same thing with threat hunting. If you see a particular command within a list of 20 commands that you don't understand and you say these 19 commands mean the following, the key thing is to take that one thing you don't quite understand and just push further to truly understand it. And I think that's the key to threat hunting is understanding what command lines mean, what threat actors are trying to do when they run various commands, why they're doing it. It's the who, what, where, why, and how behind what they've done and truly understanding that that makes you a strong threat hunter. Ryan, given the pace at which the threat landscape evolves, how do your team stay abreast of the latest threat trends, tactics, and techniques? Maybe what are some of the resources and strategies that you rely on? So we have the totality of the Unit 42 umbrella at our backs. We have Threat Intelligence, Threat Research, we have Malware, we have the Unit 42 Incident Response Team, which is just absolutely phenomenal. And those teams provide intelligence in our Threat Intelligence platform. We can utilize that. And I always find it funny when people ask me the same question because I say, oh, social media. And they're like, really, social media? I'm like, yeah, really, because some of the just craziest exploits and vulnerabilities come out via those platforms. So not only do we have the internal methodologies and resources that are provided and at our disposal, but we have OSINT, and then we also have the closed source Threat Intelligence feeds, which I can't mention specifically what they are, but we have them at our disposal also. So utilizing all of the above, we're able to stay abreast of the changes within this ever-evolving creature that is what we call security. Ryan, one of the things that one of your colleagues talked to me about was how if you really need to know what's going on or who's doing something, just hop into Discord and look around. Is that something that you also find is an effective place to find intel? Oh, yes. One of my quote-unquote OSINT resources, or I should say a multitude of my OSINT resources is a multitude of Slack servers and Discord servers. So you have for a great place to start with this for folks who are uninitiated, maybe unaware, is your security conferences. So whether it be something large like DEF CON or something smaller like Cactus CON from Arizona in the United States, but just joining those particular Discord and Slack servers, it's like a built-in RSS feed. You know, they often will have particular channels for threat intel or exploits or hardware hacking or software hacking or whatever it is. And you can learn a ton through those resources. When it comes to actual threat hunting, I'm curious how you prioritize what to focus on given you're talking about a vast number of threats and all these different sources. It seems like it could be easy to get distracted. Oh, it can be very easy to get distracted. You might have a particular, you know, CVSS score of 10.0 or 9 point something where you think to yourself, oh, goodness, this is going to be really, really bad. But the way that we try to prioritize these things is based on the actuality of them occurring. You know, so if you have a particular remote code exploitation vulnerability that requires a number of ports to be open on the firewall, it requires certain accounts to be enabled that may be not enabled by default. It requires certain services to be running that are not enabled by default. We will deprioritize those. And when it comes to software vulnerabilities, we look at, well, how many are installed around the world? What is our, you know, Palo Alto Networks Expanse data look like? What is Shodan data look like? What is census data look like? And the ones that just show more, or I should say, like a wider kind of vulnerability base, those are the ones that we kind of focus on a little bit more. Ryan, LumaStealer has been making a lot of headlines recently. Can you start us off with just what is LumaStealer? So back in the early 2010s-ish, we dealt with banking trojans and they were malware specimens that would literally just steal banking credentials. And they would just steal those credentials and they move on with life. Now, the InfoStealer universe these days, they literally steal any and all credentials, things you might have stored in your browser, that you might have cryptocurrencies on your device. And LumaStealer has become very, very popular because it is a stealer as a service. So the developers who create the actual stealer are providing these methodologies by which the threat actors who lease or basically purchase a stealer can get them to drop on devices around the world. And they're using social engineering in order to make that successful. And Ryan, when you're saying I could lease it or a person could lease it, you're saying that if I was so inclined and knew where to go, I could go out there and swipe a credit card or something like that. And I would be the new proud owner of LumaStealer version, whatever, and could go about using that to drive my criminal enterprise. That's the thing. You don't have to know how to develop it. All you have to do is just pony up. For example, the initial foray into the stealer is $250 and it goes up to $500 and then it maxes out at $1,000, which to some people you think, oh, $1,000 American currency, that's a lot of money. That is nothing compared to what they can actually recoup from utilizing that stealer, stealing people's credentials, getting access to their accounts, and then utilizing those for a variety of purposes. Ryan, the customer vulnerability has been another recent concern in the cybersecurity space. And if you could walk our audience through what makes this vulnerability such a critical thing to pay attention to, maybe for particular organizations, and then why are threat actors targeting this for exploitation? Yes. So first and foremost, CUPS affects Linux and Mac OS machines specifically. Windows does not deal with CUPS. CUPS is related to the LPD, the Lion Printer Daemon protocol, and it's utilized for identifying, hey, a new printer has been added to your network. CUPS browser D will automatically identify it and say, oh, look, there's a new printer. You can print to it if you would like to do so. And the vulnerability allows RCE, or what we call remote code execution, because it installs a printer Daemon profile or PD that allows for arbitrary code execution, meaning that a threat actor, if the particular port and particular protocol are enabled, ingress on the firewall, then CUPS will say, oh, look, this is actually a printer profile. Let's go ahead and load that. But in reality, it's not a printer profile. It is remote code that an attacker wants to execute. And that's why we need to be very, very careful about our general cyber hygiene as related to the service and the ports that are open on the firewall. Let's shift gears a little bit. In your opinion, what qualities and skills do you believe are essential for your job as a threat hunter, especially in today's cyber environment, which seems like it is constantly changing, zigging and zagging? So I'd love that question. I've become a new lead on the Unit 42 Managed Threat Hunting team. And we're hiring two roles right now, both of which will report to me. So I'm doing the recruiting. I'm doing the level one interviews or round one, as we call them, etc. The major thing that we look for is critical thinking. We show a number of technical, like very, very low level technical screenshots of, hey, this happened, that happened, these commands were run, these things occurred after the fact. And I'm not necessarily looking for, and this is what I believe that a threat hunting team truly needs, a full knowledge of every single thing you're looking at, but rather how your brain processes in terms of critical thinking. And I think that critical thinking and thinking outside the box are some of the most important things when it comes to threat hunting, because you might have some command that you've seen, you've seen it the umpteenth time and you determine, okay, that reminds me of what I've seen when this particular attack has been executed. And even if it's not that same type of attack, just having someone who's able to relate that to their previous experience, who's able to identify the parameters on the command line, who's able to identify that this is something I've seen before, that is some of the most important things that we look for in a potential candidate. How do you evaluate a new threat hunting tool? And do you have like a criteria that you use when the tool should be integrated into your team's workflow? As far as the tools are concerned, what we really look for is if the tool provides us the telemetry that we need. And the number one problem that I see worldwide with teams, small scale and large scale, is that they don't have the visibility that you might actually require in order to find an answer or to derive an answer for that matter. So any type of tool that will provide telemetry that you can utilize, whether that be network based or endpoint based. So the real thing that we look for are the tools that go above and beyond a process ran, a file was written, but rather when the process ran, here were the parameters, here's the order in which they ran. When you take all those things and you put them together at scale, that's something that can be very beneficial to our general purpose of hunting for things that people, processes, and our systems otherwise might not identify. Ryan, you've got a background in incident response, and I'm hoping that you'll tell me about the influence of that background and how it informs the work you do as a threat hunter. And do you see that as one of those things? I know you were saying that anyone can threat hunt. I expect that that may be true, but some people may be threat hunt better than others. How does your background as a incident responder inform your work as a threat hunter? I think the real key to having a background in incident response is you see the real deal that happens in so many different types of cases. I'm an author of a course on ransomware, and when I submitted my course, it wasn't submitted from the perspective of, I've heard of ransomware. I've researched it online. It was more so, I've worked 40, 50, 100, 200, whatever the heck the number is, cases on ransomware. And this is what we saw over and over and over and over. And when people want to get into threat hunting, one of the things that I often mention is that incident response and as a background running incidents and or being involved in incidents is one of the best things you could possibly have in your toolbox. And it's because when an incident occurs, it's not the hypothetical, it's the reality of what's truly happening. And that type of analysis just prepares you for the real world. And when you start to hunt on those things, it provides just a stronger insight into what you're really looking for. Looking ahead to the future a little bit, how do you think that threat hunting is going to evolve, especially in the next few years, especially with this rise in AI you might have seen and automation and cybersecurity? I love it. You said you might have seen, you might have noticed that. You might have noticed. You might have noticed, yeah. First and foremost, AI absolutely enthralls me, but also scares me beyond belief. So even just taking something as simple as chat GPT, you know, one of the more common discussed in the media and whatnot, LLMs, large language models. You have this, I'm going to look for bad stuff. And one of the things, I'll draw a direct correlation. One of the things that we do in threat hunting is called stacking. Stacking is looking for a particular thing in the Windows world that can be services that are installed, programs that are executed, files that are written to disk, whatever. And you look for the least frequency of occurrence or LFO, as we like to call it. Right? I can go into a system and I can tell it, hey, tell me the number of processes that that ran from this particular directory and that had these particular parameters, but yet were the least frequent. And I can write that query and I can run that query and get my response back and then try to identify the outliers. But artificial intelligence can do that at a scale and with accuracy and with speed that humans just can't. So the idea of utilizing artificial intelligence to say, you know, something as simple as like putting in a query, hey, what are the least common services that ran in this particular client tenant over the past 90 days? And boom, you have a response. Yeah. And that type of telemetry and that type and speed of data analysis is just amazing. It's scary because of how amazing it is. But I truly believe that the future of threat hunting is a melding of the human mind and what threat intelligence can provide you statistically, you know, at a quick glance. You know, it's an interesting parallel to draw and maybe it's the right one. Maybe it's not. But I look at the lifelong relationship or the centuries old relationship between us humans and our favorite companions, dogs. And that's a relationship that allows the strength of the two, right? The strategy, maybe the sight of the human and the speed and the smell, maybe the ability to hunt the dog to come together. And that relationship is really, really healthy. And I wonder if this is not a perfect model or a perfect analogy, but is there a moment where AI and human, the artificial and the actual intelligence come together to create something that is that symbiotic relationship? But I like the idea that we're very adaptable as a human. And, you know, we've invented a very powerful thing. This AI, is it AI is not coming for your job, but AI is coming to be a part of your work. And I think that that's, you know, that's what I'm hearing is that threat hunting could be massively enhanced by having a powerful sidekick. You know, they can go at speed, go at scale, find things very quickly, but it still needs an input from the human to say, go look for this. I love that. I mean, the way you broke that down right now, we have LLMs within Palo Alto that we're able to utilize that will actualize exactly what you were talking about. And we can provide ideas and concepts and the LLM just augments our hunting capabilities. I think that what most people fear is that eventually, you know, the AIs will take over Oh, Ryan, who needs Ryan? But I truly believe that over the next 10, 20 years, especially, that we will have this amazing engagement between those models, what we're looking for, what we're trying to look for and refinement of and tuning of our threat hunting. I don't know what's after that. Don't quote me on after 20 years, but I think that so far, it's a good thing. And I'm very happy to have those available in the Palo Alto universe. Ryan, thanks for the great conversation today. I appreciate you sharing your insights on threat hunting and diving into some of the insights that you have being on the UNO42 team. I definitely appreciate it. Being on a team as structured and as strong as this, it is just something that I really, really enjoy doing. And the more that we can get other folks to, you know, kind of jump into the foray, the better. That's it for today. If you've liked what you've heard, please subscribe wherever you listen and leave us a review on Apple podcast or on Spotify. Those reviews and your feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, my email is threatvectoratpaloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Benacourt, and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. Transcribed by https://otter.ai