Threat Hunting Part 1 - The Basics



This will be the first of many posts I will be making with a focus on Threat Hunting and Detection Engineering for SOC Analysts and any other Blue Team or Blue Team-adjacent security professionals. My goal is to assist analysts in their own efforts to engage in proactive security measures within their organizations via any and all avenues of Threat Hunting.


So...What is Threat Hunting?


For everyone reading this it is likely that you already have a general idea of what Threat Hunting is, but I think that it is always important for any analyst or security professional to thoroughly understand what we're trying to accomplish when Threat Hunting is discussed and performed.

There are a few different definitions but the core of Threat Hunting is that it is a form of proactive security, meaning that instead of what we typically imagine the average security analyst's job to look like (I.E. surviving as semi-alive barely human alert jockey), Threat Hunting allows us to act off of our own ambitions and imaginations and take a deep-dive into our organization's network with the ultimate goal of ensuring that despite all of our existing security solutions and practices, nothing has slipped by us.

This of course means that in most instances, we are taking on an "assumed breach" mindset, wherein you, the analyst, have decided that your organization is already compromised in some way, but your organization and the SOC have not yet confirmed this. Therefore it is your duty as the Threat Hunter to confirm this for them by taking it upon yourself to proactively explore your organization far and wide looking for the most common, or the most relevant, forms of threat actor activity.

This means that you will be taking full advantage of not only your organization's security stack and SIEM, but also all of the widely available resources online and your own knowledge of security to conduct the most precise and the most efficient hunts possible. Unfortunately, or rather fortunately, hunts will almost always result in little to no true positive findings on your organization's network. This isn't a bad thing (although a true positive finding is exhilarating) as a true positive would essentially mean your organization was compromised in some manner, but the lack of any findings whatsoever can be somewhat discouraging to the aspiring hunter. 

Do not be pessimistic however, as although true positives are few and far between (if your organization is in any way competent) that does not mean your efforts are in vain. Not only does Threat Hunting teach you an immeasurable amount about how protocols, computers, networks, OSes, etc. work and interact with one another on a deep level, but it also allows you to understand your organization's environment on an even deeper level. You may not find Fancy Bear/APT28 skulking around your organization's network, but maybe you'll find a misconfiguration that was missed by the IT and Workspace team that could lead to potential privilege escalation by an attacker. Maybe you'll discover a server with a broken EDR install that was never fixed and that is essentially without any protection.

Although there will rarely be opportunities to catch an actual attacker in real-time, there will ALWAYS be opportunities to discover new things about your organization's network and ensure that any future attacker will be turned away.


But, Where Do We Start?


As someone who has been an analyst for 5+ years now, this is probably the most common question I'm asked by those new to Threat Hunting or security in general. It was a question I myself struggled with for a time when I first became an analyst, simply because Threat Hunting by itself can be genuinely intimidating. With an infinitely vast array of wildly different avenues and approaches, it takes time and experience to fully understand the ways in which the proverbial playing field can be shrunk down and narrowed so that only the most relevant and the most critically important (oftentimes specific to YOUR organization) approaches are taken, saving time, effort, and possibly even your organization from a potential breach. Therefore, it is crucial that you understand the reasoning and motivation behind selecting a specific Threat Hunting approach, and the most efficient ways to carry out the hunt once you've chosen it.

There are a variety of different starting points to choose from and some may be more beneficial to you than others depending on what your end goal is and what you are trying to accomplish. For example, if you are attempting to perform a specialized threat hunt that emulates a specific threat actor's TTPs, it will obviously be better to perform in-depth research on that threat actor and determine which TTPs you intend to look for. If your goal is to adapt as many different generic TTPs into queries that can then be displayed on a custom monitoring dashboard or emailed out in weekly reports for analysis, utilizing rule databases like the Sigma project to modify and convert the chosen TTPs into your SIEM's specific query language will of course be better.


#1: Trending Threat Actor TTPs



Examining the most frequently observed and the most relevant trending threat actor TTPs (Tactics, Techniques, and Procedures) within the past 6 months to a year would be where many if not most analysts and aspiring threat hunters would start looking for potential hunting approaches to choose from. This is simply because these TTPs are most likely going to be those that, if your organization is breached, the attackers will be more likely to employ at some point during the cyber kill chain.

TTPs are always changing in the world of security: as patches are applied, signatures are updated, heuristics are enhanced, EDRs are improved, etc., attackers have to constantly modify (to varying degrees) their TTPs to evade detection by defenders. That being said, certain TTPs will never disappear simply due to the fact that they take advantage of the built-in features of specific Operating Systems, like Windows. For example, Pass-the-Hash is a technique that has been around for decades and it will likely never die because it takes advantage of the way that Windows handles credentials. Windows can't patch a feature in their Operating System that they intended to exist in the first place. This is also why LOLBIN (Living Off the Land Binaries) abuse has become so prevalent within the past 5 or so years. Attackers have started to give up on building their own custom malware toolkits due to the improvements of AV & EDR technologies and instead have started to rely more on abusing the legitimately signed Microsoft utilities (e.g. wmic.exe, schtasks.exe, mshta.exe, etc.) installed by default on most Windows OS versions because of the fact that they are less likely to be flagged by security tools.

What this means is that there are two ways of going about this. You could choose to examine all of the new and exciting TTPs that the most sophisticated APT groups and Cybercrime outfits are adopting, and narrow down which of those threat actors are most relevant to your organization and go from there. Or you could pick out which TTPs over a specific time frame seem to be the most consistently employed by threat actors, regardless of the threat actor themselves or their relevance to your organization. 

From there, you can make a decision as to what phase of the cyber kill chain you want to focus your hunting efforts on. For most if not all threat actors, their TTPs are observed at every step of the cyber kill chain, therefore depending on the amount of data that exists on the selected threat actor, it may be more efficient and a better use of your time and focus to narrow down the hunt even further by choosing one phase of the cyber kill chain (Ex. Installation or Initial Access) and hunting for those related TTPs specifically.

Keep in mind that the Lockheed Martin cyber kill chain is just one framework that assists security professionals with understanding and categorizing the steps that attackers take to compromise their victims. The MITRE ATT&CK Framework Enterprise Tactics and Techniques also provides a similar list of steps that correlate to the cyber kill chain and other existing frameworks.


#2: Relevant Threat Actors


The next path that one could take is to first understand what industry your organization currently operates in. Some organizations may only really be included in 1 or 2 industries but others could realistically be a part of 5 or even 10 different industries, so it is important to know what exactly your organization does, so that you can better understand what threat actors are more likely to target it.

Unfortunately, no industry standard naming convention for threat actor groups exists. All of the major Cybersecurity companies (CrowdStrike, Mandiant, Palo Alto, etc.) have their own unique identifiers and nicknames for all of the known actors. For example, if we look at the CrowdStrike Adversaries search, you can see that they categorize and name APT groups by assigning an animal to that specific country with varying forenames, and categorize Cybercrime groups by keeping all of them under the term "Spider" with varying forenames. Microsoft used to name threat actors after chemicals and elements but now categorizes them in a similar way to CrowdStrike, only with weather and natural disasters instead of animals. The MITRE ATT&CK Framework Groups page also attempts to keep track of all of the different names for the various threat actor groups by providing a page that lists all of the known monikers.

Once you have determined exactly what your organization offers, you can then make the determination as to which threat actors are most likely to target your organization. For example, if your organization primarily or exclusively operates in a specific country or in a specific region, it may be necessary to cross off all threat actors who are not currently known to target that specific country or region. Cybercrime groups and Ransomware gangs are a unique exception because they (for the most part) are not interested in limiting themselves to only targeting specific countries or regions due to their primary motive being financial gain and not espionage. Cybercrime actors and their TTPs should generally always be monitored for regardless of the industry your organization specializes in.

Once we have narrowed down the ever expanding list of threat actors to a manageable number, we can attempt to start examining their recent activity and their known trending TTPs with the aim of absorbing the data and finding useful and efficient methods of exploring your organization's network to either detect the activity outright, or ensure that it can be detected via processes like detection engineering.

Threat Actor Databases:

Malpedia


#3: TTP Focused




The previous 2 choices revolved around specific threat actors and the TTPs specific to them. The next option you have is to completely ignore the threat actor and instead examine the TTPs themselves with the goal of finding ways to search for these TTPs on your organization's network. However, the overall aim here should still be to choose the most pertinent TTPs so that no time and effort is wasted searching for an outdated TTP that is no longer in-use. 

The MITRE ATT&CK Framework is a great starting place for those looking to discover all currently known TTPs and the ways in which they can be hunted for. There is also the Sigma Project, and various other repositories that host a catalog of TTPs for analysts and threat hunters to comb through. A specific technique can be chosen, researched, and then searched for on your organization's network. I will get more in-depth with this specific process in my next Threat Hunting post and will show you how you can go from having little to no understanding of a specific technique to understanding the intricacies of how it works and how to accurately detect it on your organization's network.

I must advise that for this specific approach, it may turn out to be the least efficient and the least beneficial approach to threat hunting depending on what your goal is. For most hunters, sticking to steps #1, #2, and #4 is a better option just because of the fact that selecting and converting dozens or even hundreds of pseudo-queries or queries from different languages to your SIEM's own language and then modifying them further for your organization's own unique environment can be very tedious and opens the door to poor query or search quality.
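To make the TTP-focused approach concrete, here is an added example (not code from the original post or from the Sigma project) of the LOLBIN hunt mentioned under #1, written as a Sigma-style rule that is both evaluated against constructed process-creation events and rendered into a generic SIEM where-clause. The rule schema, the evaluator, the sample events and the output query syntax are all simplified assumptions; a real conversion would go through the Sigma toolchain and your SIEM's actual language.

```python
from typing import Dict, List
# Sigma-style rule in a simplified shape (assumption: not the real Sigma schema
# or toolchain). Signed Windows utilities often abused as LOLBINs, spawned by Office.
RULE = {
    "title": "LOLBIN launched by Office application",
    "selection": {
        "Image|endswith": ["\\mshta.exe", "\\wmic.exe", "\\schtasks.exe"],
        "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
    },
}

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
EVENTS: List[Dict[str, str]] = [
    {"Computer": "WS-0042", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "WS-0042", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Computer": "WS-0107", "Image": r"C:\Windows\System32\wmic.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

def field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """One field against its OR-list of patterns (Windows paths are case-insensitive)."""
    v = value.lower()
    for pat in (p.lower() for p in patterns):
        # Only the two modifiers this rule needs: 'endswith' and plain equality.
        if (modifier == "endswith" and v.endswith(pat)) or (modifier == "" and v == pat):
            return True
    return False

def rule_matches(rule: dict, event: Dict[str, str]) -> bool:
    """A Sigma selection map is an AND across its fields."""
    for key, patterns in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True

def hunt(rule: dict, events: List[Dict[str, str]]) -> List[str]:
    """Sorted list of hosts with at least one matching event."""
    return sorted({e["Computer"] for e in events if rule_matches(rule, e)})

def to_query(rule: dict) -> str:
    """Render the selection as a generic SIEM where-clause (assumed pseudo-syntax)."""
    clauses = []
    for key, patterns in rule["selection"].items():
        field, _, modifier = key.partition("|")
        ors = " or ".join(f'{field} {modifier or "=="} "{p}"' for p in patterns)
        clauses.append(f"({ors})")
    return " and ".join(clauses)
```

Note that the schtasks.exe event on WS-0042 is not flagged because its parent is svchost.exe, which is exactly the kind of environment-specific tuning the paragraph above warns takes time to get right.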


#4: Critical Assets




For the last approach we have the "Critical Assets" or "Situational Awareness" approach, which focuses less on the external threats or threat actors and their TTPs and more on your organization and its critical assets. It goes without saying that most attackers have specific goals in mind when they attempt to compromise their victims. Whether it's espionage or ransoming or data destruction, there will always be specific targets within the victim's environment that must be compromised by the attacker in order for them to succeed in their objective. What this means for you and your organization is that it is absolutely crucial to understand and identify what assets are most important and whether they require additional safeguards and protections, which can include threat hunting. To put it in simpler terms, a Domain Controller will always be of greater importance to an attacker than a standalone workstation, therefore it follows that your organization should treat that Domain Controller in the same way.

Now this approach will obviously be interwoven with some of the other approaches especially those that focus on those threat actors that are relevant to your organization. For example, if your organization builds and sells proprietary software, after identifying which threat actors are best known for intellectual property theft or corporate espionage, the next step would be to determine that if your organization is the unfortunate victim of an intrusion, what assets will most likely be targeted by the attacker for compromise and exfiltration. More than likely, any server where the software is being built or stored in some capacity. 

If you do not possess a list of your organization's critical assets or so-called "Crown Jewels", the next step would be to obtain this as quickly as possible. You may have to work with management and other teams in order to obtain this list, as determining the Crown Jewels in an organization can be somewhat of a complex task: each candidate will need to be analyzed and risk assessments will need to be performed in order to determine which assets are truly the most critical and most deserving of increased monitoring and security. Having too many assets listed as critical can be a problem for multiple reasons, but most importantly it dilutes the meaning of "critical" and can lead to inattentive monitoring on those assets that are truly critical.


Conclusion:

I hope I was able to provide you with some base-level understanding of threat hunting and the different processes and approaches that one can take when carrying out a hunt on their organization's network. There is so much more to talk about and I plan on making this a series and also posting some helpful examples of hunts and also opportunities for detection engineering and creating alerts, dashboards, reports, etc. 

Thank you for reading!












