Threat Hunting with Windows Defender ATP

What Is It? The very thought of “threat hunting” often suggests the dramatized scenes from movies and TV shows: a group of people perfectly coordinated in a room full of the latest technology, dimly lit but for glowing screens, able to electronically see and hear everything while deploying the heroes anywhere globally in minutes. Those of us that work in this industry usually sit back as these scenes play out with a sarcastic smile, coffee in hand, and resist the urge to tear the flaws apart so our partners and friends can believe that what we do is, in fact, “that cool”.

I digress. Threat Hunting is a very proactive defence technique that seeks out what could happen rather than what has already happened. It’s a highly-specialised discipline that I have found only very few practice, and those that do think unconventionally, are incredibly skilled at what they do, and are nearly impossible to find through the existing employment methods. Place an ad on a job board like Seek for someone to perform Threat Hunting and you are far more likely to get someone that almost exclusively deals with incidents that have already happened. Again, think proactive rather than reactive.

Threat intelligence is gold, and the ability to understand what is happening, how it could happen and, more importantly, how it could impact you is critical. A great example provided by the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) in this regard involved them providing an organisation with intel about a specific threat likely to send spear phishing emails to employees to obtain information about a certain topic. The organisation, in turn, used this information to identify who had access to the information in question and to verify that mitigation strategies were in place. This included email filtering, logging, and log analysis for these employees. Obviously, there is a lot more to the story, but you get the point.

So really, we’re trying to seek out the information that helps you act to mitigate the threats before they even occur. Think of it in a way where you try to understand your adversaries nearly to the point you know what they’re going to do before they do. What’s the old expression? An ounce of prevention is worth a pound of cure?

How about another example? Let’s say the police issue a non-specific report that they believe break-ins may increase because a downturn in the economy is driving people to commit more crimes. Because you read or heard this, you check and service the locks on your doors and windows, install some simple security around your home like motion sensor lights, and keep valuables hidden out of view and secured.

As part of its Microsoft Defender Advanced Threat Protection (ATP) offering, Microsoft provides the “Advanced Hunting” tool. Advanced hunting is query-based and allows you to explore up to 30 days of raw data. While it may be nice to have more data, at least 30 days is current and doesn’t smash your valuable storage resources trying to keep everything. You proactively inspect events in your environment to locate “interesting” indicators and entities. This allows unrestricted hunting for both known and potential threats. Better still, you can leverage these queries to build custom detection rules to check for and respond to events reflective of breach activity and erroneously configured systems.

Where Do I Start? I don’t believe this proactive mitigation strategy comes in a shiny box despite what some vendors may tell you, but there are a ton of products you can use to obtain the intelligence you need as part of this strategy, and those do come from vendors who have access to the most skilled professionals, the large threat networks, and the content delivery means to get this data to you… for a price. This is a case where you really do need to get the right people involved. If you have the skills and knowledge to take the threat and incident information and put it to work correctly, you’re in a minority of organisations. Fortunately, if you have an existing investment in Microsoft and already pay for the right subscriptions, you probably already have access to Advanced Hunting without even knowing it!

Critically, some questions need to be asked about this intelligence and its value such as:

· Has the organisation already implemented strategies that may be more effective, such as Incident Detection and Response, which leverages existing intel such as logs and threat feeds?

· Does the organisation have sufficiently skilled and resourced staff with a capable infrastructure that can consume and act on the threat intelligence?

· Is the threat intelligence more comprehensive than simply domains, IP addresses, and other Indicators of Compromise (which resemble reactive signatures and have little to no relevance if rotated regularly or changed per target)?

· Does the threat intelligence have context, ideally tailored to the specific organisation (or at least its industry vertical), which reduces false positives and other “noise”? Separating the wheat from the chaff, as it were.

· Is the threat intelligence actionable, assisting the organisation to make informed decisions and take definitive action such as choosing and implementing relevant mitigation strategies? Ideally, this is to identify and prevent incidents based on awareness of the attacker’s objectives, strategies, tactics, methods, chosen compromise procedures, and even the tools they could or do use.

Rather than being a mitigation strategy in and of itself, this is a combination of tactical advantages towards a long-term strategy. Proper planning and execution are crucial for success, and you may find that you are already engaging in some form of Threat Hunting without realising it. Get the right people involved and ask the right questions… In some cases, the right people know what questions to ask you and help you ask the right ones of others.

I’ve often sat with a client during a strategy session with an external service provider only to discover their strategy is more akin to simply using another layer of reactive technology. Equally, I’ve often found customers have an existing investment they’re not using to its full potential (and the majority of the time, it’s been Microsoft Defender ATP). You’ve paid for it; use it.

How Do I Make It Work? As much as I’d like to say that you simply design a system, then install and configure it, then maintain it, it’s not that easy. The first thing I recommend is bringing in specialised cyber security specialists to help you on your journey with Threat Hunting if you choose this as a mitigation strategy. Ask around, get referrals, and go beyond the fancy websites and flashy brochures.

Once you have the right people involved, sort out what you have, what you don’t, and what you need. You will have specific business goals, data and systems specific to those goals, and may be susceptible to unique and clandestine hacking methods. The intel that works for a competitor or a similar industry may not be enough for you, so it’s imperative to understand the threats and threat actors out there that may be interested in what you have. The first step to filling these gaps is to identify them.

By this point, you should have some sort of plan, and now you can look at products and services, including those developed specifically for you, to leverage Incident Hunting as a mitigation strategy. Perhaps it’s a subscription to a threat feed for your security strategies. Maybe it’s managed security services that specialise in this area. It can be nearly anything that helps you accomplish your goals, and those are too numerous to list here. Just keep front of mind that this is a mainly proactive strategy rather than a reactive one, which is what most available solutions are.

Using Microsoft Defender ATP Advanced Hunting takes a bit of learning, but it’s well worth it. You first learn the language (based on the Kusto query language), and it’s not as intimidating as learning programming from scratch. That’s followed by understanding the schema (tables and their respective columns) so you know where to look and how to create queries. Thankfully, you can start with pre-defined queries and learn by example. Once you get the knack of it, you can create custom queries and spin these into automated detections and responses.

The queries tend to be the most intimidating part, so that’s where I’d recommend getting some help to either run them or at least learn how to do them. I’ve found the Auto-suggest feature very helpful as well as the Schema Reference where you can simply mouse-over an item for information then double-click it to drop it into the query. When you get your results, you can easily drill-down into them by clicking on the identifier which takes you into Defender Security Centre where a wealth of information can be found.

It takes a few tries when you start to get used to how Advanced Hunting works, but at least from the results you can refine the information by tweaking the search with explicit criteria (the double-equals ‘==’) and exclusions (the not-equals ‘!=’) and intuitive operations such as “begins with”, “ends with”, and “contains”. Filters are also available and quite helpful in further refining the data. Still, the best way to learn is by doing.
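To make the schema and operators described above concrete, here is an added example query (not from the original post) of the kind you would type into Advanced Hunting: it looks back over the 30-day window for Office applications launching script interpreters, a pattern worth reviewing after a spear phishing email is opened. The table and column names are from the Defender ATP schema; the excluded path is a hypothetical placeholder for a tool you have verified as benign.

```kusto
// Added example, not the original post's query.
// Hunt: Office applications spawning script or command interpreters.
// Timestamp, DeviceId and ReportId are kept in the output so the same
// query can later be saved as a custom detection rule.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let interpreters = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(30d)                                  // the 30 days of raw data the post describes
| where InitiatingProcessFileName in~ (officeApps)            // "begins with"/"ends with"/"contains" could also be used here
| where FileName in~ (interpreters)
| where ProcessCommandLine !contains @"\HypotheticalSafeTool\" // placeholder exclusion, tune to your environment
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| sort by Timestamp desc
```

Once the result set looks right, the same pipeline can be summarised (for example, `summarize count() by DeviceName, FileName`) to spot which devices stand out before drilling into each identifier in Defender Security Centre.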

Pitfalls? It’s easy to think this mitigation strategy should be rated higher, but the reality is that it’s not an easy strategy to implement and, in many cases, is cost prohibitive… especially for smaller businesses. That said, if you already have an existing Microsoft subscription that gives access to Microsoft Defender ATP and the Advanced Hunting Tool, you have a huge advantage. Please understand your current posture and tools at hand before you spend another cent on a solution you may already own.

The ASD / ACSC is correct when they indicate this may have low user resistance but can have high up-front costs and high ongoing costs. With an evolving threat landscape and highly dynamic threat actors, it’s a fight you can begin but may never end.

Ghosts in the Machine? The ghosts in this machine may be in your own machine as a malicious insider. You cannot simply assume that Threat Hunting is external only and the domain of hacking groups or foreign enemies. Keep an eye out for insiders that may be underperforming, about to be dismissed, or planning to resign, because these may be the ghosts you are looking for. Also keep track of any tools that could be used against you from the inside and any data that could be exfiltrated, such as intellectual property that represents your competitive advantage. Even something like a client contact list can be valuable.

We’re not advocating wholescale distrust; we’re all supposed to be on the same side, but any of us that have been around a while know things can and do happen. We’re just promoting awareness in this regard.

Anything Missing? A deep understanding of what the threats are, where they may come from, and what to do about them when they’re so dynamic isn’t just a skill, but an art. Getting the right people involved and reading between the lines when finding those people is tricky, but they are out there. Take your time and do it right if you choose to adopt this strategy lest you find yourself jumping at shadows and seeing threats where they don’t exist. I just think that if you have the ability to leverage Microsoft Defender ATP and Advanced Hunting, you’re well equipped to implement this strategy.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.

Translated from: https://medium.com/swlh/threat-hunting-with-windows-defender-atp-f6cfe8a6925e
