Threat Hunting --> An Approach

Posted by Rajeev Shukla on January 7th, 2019

Threat hunting can put you ahead of the potential damage caused by cyber attacks, breaches and infiltration. It is the art of actively looking for threats that are either already lurking in the corners of your organization or about to compromise your environment.

A recurring question from organizations that have so far focused on handling the alerts generated by the security products and apparatus in their environment, or by the SIEM tools installed in their setup, is:

"What should I look for when I start active threat hunting?"

Organizations have their entire monitoring and detection modeled around what is triggered by the tools and software installed in their IT infrastructure. The models and processes that evolved around those triggers make it very difficult for an organization to come up with the right set of starting points for threat hunting!

Unlike yesteryear's security monitoring, where actions were the consequence of a rule-set-based trigger...

Threats need to be literally "HUNTED".

This article talks about some key "Things" and "Indicators" to consider when an organization is starting the journey of "Threat Hunting".

Data is the "Biggest Tool" for Threat Hunters!

Data is the one undeniable truth and the one indispensable tool for threat hunters. Today, when most organizations have flirted with one or more SIEM or log collection and aggregation tools, a lot of log data is already available in one place; other data sets can also come in handy for a Threat Hunting Analyst. Finding the data and organizing access to it for searches is key to a Threat Hunter's success.

Data Source Identification and Preparation

Data sources for a threat hunter can be proxy logs, Windows logs, NetFlow data and SIEM logs (if the SIEM is implemented well and is indeed collecting logs consistently across the enterprise). As a Threat Hunting Analyst, one needs to ascertain the validity and completeness of the data from every source he/she intends to use.

Data Access and Searchability

Once a Threat Hunting Analyst has identified and decided on the data sources for his work, he needs to confirm two key things:

  1. Access to the identified data
  2. Availability in a searchable format (specifically for searches over large data sets)

Got Data. Now "What to look for?"

Once data availability, access and searchability have been established, the perennial questions in front of a Threat Hunting Analyst are:

  • What should I be looking for?
  • How can I nail down the most damaging threats?
  • How soon can I identify a threat in a way that is meaningful for the organization?

There are two answers to all of these questions.

Patience and Methodical Approach!

The Threat Hunting Analyst's job needs a lot of patience, the will to navigate the maze and an eye on every possibility. The sheer volume of data, and its obfuscated and unstructured nature, can throw a Threat Hunter's efforts to the wind in no time. A threat hunter is not a "Search Specialist". He needs to bring a specific approach and a defined model to his journey of identifying and nailing down threats.

Look for "Clear Indicators"

A threat hunter's first approach (after making sure data and access are available) is to look for clear indicators in the enterprise IT setup and its security apparatus. There are some key indicators which are most likely to occur, or most likely to be present, irrespective of the threat actor and its methods. Look for these "Smart and Clear Indicators":

Low and Slow Connections

These connections are very difficult to track with any of the existing protection or detection technologies. They are made to look like legitimate connections by abiding by all of the network restriction rules (the ones meant to stop DoS/DDoS). Look for specific sleep patterns in traffic caused by web applications. Anything out of the ordinary could indicate a compromised web application, where a small byte load has been created (in a POST field) with a sleep period inserted. This can take the application out of service, because the application will wait for the sleep period inserted into the payload.

Suspicious Byte Patterns

Watch for specific byte sizes being sent over specific connections. These will be very small, fixed-size transmissions going out from a specific source to a specific or varying destination. They will usually not carry any suspicious payload. They can be a beacon to an external command and control server (or its associates), flagging that the implant of malware, content or a backdoor has been successful.
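The two indicators above, regular sleep intervals and small fixed-size payloads, can be tested together over flow records. The Python below is an added example, not from the original article: it groups constructed NetFlow-style records by source/destination pair and flags pairs whose sizes never vary and whose inter-arrival gaps barely jitter; the thresholds (`min_flows`, `max_bytes`, `max_jitter`) are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (timestamp_s, src, dst, bytes_out).
# 10.0.0.5 checks in every 300 s with a constant 64-byte payload (beacon shape);
# 10.0.0.7 is ordinary browsing: irregular timing, varying sizes.
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.9",  64),
    (300,  "10.0.0.5", "203.0.113.9",  64),
    (600,  "10.0.0.5", "203.0.113.9",  64),
    (900,  "10.0.0.5", "203.0.113.9",  64),
    (1200, "10.0.0.5", "203.0.113.9",  64),
    (12,   "10.0.0.7", "198.51.100.2", 1480),
    (40,   "10.0.0.7", "198.51.100.2", 23000),
    (55,   "10.0.0.7", "198.51.100.2", 512),
    (900,  "10.0.0.7", "198.51.100.2", 9000),
]

def find_beacons(flows, min_flows=4, max_bytes=256, max_jitter=0.2):
    """Return (src, dst) pairs whose flows are small, fixed-size and evenly spaced.

    max_jitter caps the coefficient of variation (stddev / mean) of the
    inter-arrival gaps; a sleep-loop implant sits near zero, browsing does not.
    All thresholds are assumptions, not values from the article.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:
            continue                      # too few samples to call a pattern
        recs.sort()
        sizes = {nbytes for _, nbytes in recs}
        if len(sizes) != 1 or next(iter(sizes)) > max_bytes:
            continue                      # payload size varies or is not small
        gaps = [t2 - t1 for (t1, _), (t2, _) in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(recs),
                         "bytes": next(iter(sizes)), "interval_s": avg})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Real implants add randomised jitter to their sleep, so in practice `max_jitter` is loosened and the output is treated as a ranked lead list rather than a verdict.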

Windows Logon Attempts

The world of Windows can help in locating a suspect and building a trail, even today. Multiple login attempts with different user IDs, all failing in quick succession, are indicative of a malicious program or actor trying a defunct password database to gain access.
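One way to turn that observation into a hunt query, as an added example that is not part of the original article: slide a short time window over Windows Security failed-logon events (event ID 4625) per source, count distinct account names rather than raw attempts, and then check whether any account later logged on successfully (event ID 4624) from the same source. The events below are constructed, and the window and user-count thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624   # Windows Security event IDs

# Constructed Windows Security events, not real telemetry.
# 10.0.0.21 fails five different accounts in five seconds, then alice succeeds;
# 10.0.0.33 is one user mistyping their own password (not a spray).
EVENTS = [
    {"time": "2019-01-07T09:00:01", "id": 4625, "user": "alice", "src": "10.0.0.21"},
    {"time": "2019-01-07T09:00:02", "id": 4625, "user": "bob",   "src": "10.0.0.21"},
    {"time": "2019-01-07T09:00:03", "id": 4625, "user": "carol", "src": "10.0.0.21"},
    {"time": "2019-01-07T09:00:04", "id": 4625, "user": "dave",  "src": "10.0.0.21"},
    {"time": "2019-01-07T09:00:05", "id": 4625, "user": "erin",  "src": "10.0.0.21"},
    {"time": "2019-01-07T09:05:00", "id": 4624, "user": "alice", "src": "10.0.0.21"},
    {"time": "2019-01-07T09:10:00", "id": 4625, "user": "frank", "src": "10.0.0.33"},
    {"time": "2019-01-07T09:10:30", "id": 4625, "user": "frank", "src": "10.0.0.33"},
    {"time": "2019-01-07T09:11:00", "id": 4625, "user": "frank", "src": "10.0.0.33"},
    {"time": "2019-01-07T09:11:30", "id": 4625, "user": "frank", "src": "10.0.0.33"},
    {"time": "2019-01-07T09:12:00", "id": 4625, "user": "frank", "src": "10.0.0.33"},
]

def find_logon_sprays(events, window=timedelta(seconds=60), min_users=4):
    """Per source, slide a time window over failed logons and report sources
    whose failures hit at least min_users *distinct* accounts inside it.
    A single account failing repeatedly is ignored. Each hit also lists
    accounts that logged on successfully from that source afterwards."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["id"], ev["user"]))

    hits = []
    for src, recs in by_src.items():
        recs.sort()
        failed = [(t, u) for t, eid, u in recs if eid == FAILED_LOGON]
        lo = 0
        for hi in range(len(failed)):
            while failed[hi][0] - failed[lo][0] > window:
                lo += 1                          # drop failures older than the window
            users = {u for _, u in failed[lo:hi + 1]}
            if len(users) >= min_users:
                start = failed[lo][0]
                later_ok = sorted({u for t, eid, u in recs
                                   if eid == SUCCESS_LOGON and t > start})
                hits.append({"src": src, "start": start.isoformat(),
                             "users": sorted(users), "later_success": later_ok})
                break                            # one lead per source is enough
    return hits
```

A non-empty `later_success` list is the account to pivot on first, since the spray appears to have worked for it.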

Unusual Sites Visited in an Unusual Pattern

A lot of organizations keep track of the sites visited by users and have their own policy and restriction set for what can and cannot be visited. Most reports revolve around attempted visits to known malicious sites. But look at a simpler data set: sample a large number of sites visited across the organization and pick the top five that have been visited by fewer than three endpoints/people. Such rarely visited sites indicate a possible communication with a command and control server.
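The "fewer than three endpoints" sample can be computed straight from proxy logs. The Python below is an added example, not from the original article: it parses constructed Squid-style lines (time, client, method, URL, status), counts distinct clients and total requests per host, and ranks the rarely visited hosts by request volume so that one endpoint hammering one host floats to the top. The log format and the cut-offs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (time client method url status), not real data.
# update.example.com is seen from three clients; cdn-sync.example.net is hit
# four times by a single client; intranet.example.com by two clients.
PROXY_LOG = """\
1546851600.001 10.0.0.5  GET  http://update.example.com/a.bin 200
1546851600.002 10.0.0.6  GET  http://update.example.com/a.bin 200
1546851600.003 10.0.0.7  GET  http://update.example.com/a.bin 200
1546851600.007 10.0.0.5  POST http://cdn-sync.example.net/gate.php 200
1546851600.008 10.0.0.5  POST http://cdn-sync.example.net/gate.php 200
1546851600.009 10.0.0.5  POST http://cdn-sync.example.net/gate.php 200
1546851600.010 10.0.0.5  POST http://cdn-sync.example.net/gate.php 200
1546851600.011 10.0.0.12 GET  http://intranet.example.com/ 200
1546851600.012 10.0.0.13 GET  http://intranet.example.com/ 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def rare_destinations(log_text, max_endpoints=3, top_n=5):
    """Return (host, distinct_clients, requests) for hosts contacted by fewer
    than max_endpoints distinct clients, ranked by request volume: few clients
    plus many requests is the shape of a C2 check-in, not ordinary browsing."""
    clients, requests = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines, don't abort the hunt
        _, client, _, url, _ = m.groups()
        host = urlsplit(url).hostname
        if host:
            clients[host].add(client)
            requests[host] += 1
    rare = [(h, len(c), requests[h]) for h, c in clients.items() if len(c) < max_endpoints]
    rare.sort(key=lambda r: (-r[2], r[1], r[0]))  # most requests first, then fewest clients
    return rare[:top_n]

if __name__ == "__main__":
    for host, n_clients, n_requests in rare_destinations(PROXY_LOG):
        print(f"{host}: {n_clients} client(s), {n_requests} request(s)")
```

On a real proxy log the list will also contain legitimate one-off sites, so the ranking is a triage order, with each host then checked against threat intelligence and the endpoint's process telemetry.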

Privilege Escalation

One of the strongest indicators of compromise is a privilege escalation which cannot be traced back to a legitimate activity. This simple yet powerful indicator can provide a lead that helps hunt the potential threat actor and its elements. Look for privilege escalations taking place from unusual endpoints, then track the logs of the servers/systems where that escalated privilege has been used. Verify the genuineness of the activity with the admin. If it is not genuine, dig deeper.

Log Clearing and Clean Up

Wiping tracks and traces clean is one of the most common activities after a compromise, and after a damage-causing action by a threat actor. So watching for log clearing, and verifying/correlating it back to operational routines or operational activity, can give you a lead. If you can't match a log clearing to a scheduled job or to a specific person, the possibility that a threat action caused it exists.

AV Can Be a Clue. Really

An anti-virus can be a clue. Though malicious code builders have enough smarts to dynamically recompile the malicious code and make it invisible to AV, there are still traces left. If you find that your AV has detected and flagged a new piece of malicious code which had not been detected earlier, look for symptoms of execution of similar code on that endpoint. The possibility that a recompiled program, camouflaged against the AV, is running on that node is very high.

Dropper Code Hints

A lot of malicious code installation or backdoor seeding is done by a small utility called a dropper. Dropper programs are usually difficult to detect, but malicious code developers, despite all their smarts, make the simple mistake of naming them as droppers. Look for the "dropper" string in the code snippets and programs on endpoints and verify them. If you find one, analyze further.

Search the Backdoor Code Terms

Build a small repository of popularly known backdoor programs. You can get a list from your threat intelligence feed. Search your AV logs and see if these names appear there. If your AV has found and dealt with them (quarantined them), you should look further and see what those backdoors might already have done.

These are the approaches to "Start Threat Hunting". You can get started with the small list of preparation steps and the small list of 'what to look for' above. Threat Hunting is a continuously evolving and changing journey, and you will know how to go about it only when you take the plunge. This article outlines the 'base elements to be aware of' to take a confident plunge.

After these observations, your success depends on:

  1. Hypotheses
  2. Visualization
  3. Analytics and Conclusion

Use the right model, the right approach and, even more so, the right tools for these three once you get beyond the starting point. A Threat Hunting Analyst is in a continuous and arduous search for things which are not obvious, which can't be tracked or located with obvious models.

Hunt Threats Proactively. Stay Protected!

Find out more:

Write to reach@castellumlabs.com 
