Threat Hunting Basics - Part 1

By Kunal Patil, Senior Threat Hunter

Introduction To Threat Hunting  

Gartner's definition: Cyber Threat Hunting is about looking for an intruder before any alerts are generated. Proactive in this context refers to taking action before the intrusion alerts, not after intrusions occur. There are tons of definitions available on the internet but in simple terms, cyber threat hunting is a proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization's network.

An incident responder waits until they get notified of an incident to get involved. A threat hunter will proactively search for bad guys before you know there is an alert. Threat hunters are incident responders and forensic investigators actively looking for new threats before traditional intrusion detection methods can find them.

Threat Hunting Vs Threat Detection

Threat Detection

Threat Detection is known for its reactive approach because Security Analyst or the Security engineer will respond to the alarms/alerts generated by the security solutions as per the rules are configured, and whenever the condition is met with the rule definition security solution generate the threat. Next, the incident responder will react to the alarms and investigate them. This process is called as Threat Detection. 

Threat Hunting

Threat Hunting is known for its proactive approach because incident responder waits until they get notified of an incident to get involved but a threat hunter hunts for bad guys before you know there is an incident. Threat hunters are incident responders and forensic investigators actively looking for new threats before traditional intrusion detection methods can find them.

TH vs TD by Gartner

As you can see in the above figure, Threat detection begins with the detection rules & algorithms, and whenever the condition is matched the alerts are generated accordingly. Threat detection begins with a hypothesis (hypothesis is a proposed explanation made on the basis of limited evidence from a security environment) and looks for abnormalities in the environment, if found to be true positives then create a new detection logic and respond to an incident. 

To summarize, Threat detection starts at the end of the Threat hunting Phase which differentiates them from each other.

In the beginning, I am clearing a doubt of many: "Threat Hunting is not a Technology or Platform, its a SKILL"

firstly, we need to understand a few terminologies related to Threat hunting. so we will begin with Pyramid of Pain, IOCs, IOAs, Cyber Kill Chain, APTs, and RED vs BLUE vs PURPLE Team.

Pyramid Of Pain

David J Bianco, a security professional, came up with the concept of the Pyramid of Pain to improve the applicability of IOCs in 2013. Pyramid of pain says about the Attack indicators how to collect from a threat and what can be the sequence of it. What can be the easiest or the most difficult indicators to detect from an attack? so the Pyramid shows the attack indicators are how tough to detect from bottom to top for us to collect the IOC and same like top to bottom how vast info are we collected for an attacker.

Pyramid of Pain

example: IP, hash, and domains can easily get on the threat intel platforms but the behaviors are taught to collect or detect so it's top at the Pyramid. IP, hash, and domains are very easy to change but changing the behavior of the attack becomes difficult. 

let's understand by real-world example, we have all been working at WFH since COVID19 started, but somehow after 18 months if the company calls you to work from the office 5 days a week so it becomes difficult to accept the fact of Working from the office. 

So firstly it was human habit to work from home but changing the workplace to the office suddenly 5 days a week will make pain to accept the change, same as behavior. The same logic applies to the attacker where changing behavior makes it more difficult that's why TTP (tactics, techniques, and procedures) stands at the TOP.

IOC vs IOA

Indicators of Compromise (IOCs), or artifacts on a system or network that signal malicious activity. IOCs are the fingerprints left behind at the crime scene of a cyberattack. They are static inputs and are often identified as file hashes, IP addresses, domain names, or other information in the environment.


Indicators of Attack (IOA) or Indicators of Behavior (IOBs), on the other hand, describe the approach an attack takes. IOAs are witnesses at a crime scene of a cyberattack. They couldn’t necessarily see the adversaries face, but they saw what the adversary did. IOBs are the set of behaviors, independent of tools or artifacts, that describe an attack, and can be very useful when building an attack simulation.

Cyber Kill Chain

Lockheed Martin derived the kill chain framework from a military model. The cyber kill chain is a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).

Cyber kill chain by Lockheed Martin
  • Reconnaissance: The intruder picks a target, researches it, and looks for vulnerabilities in software or seeks out open ports or other external access points.
  • Weaponization: Intruder develops malware or payload designed to exploit the vulnerability
  • Delivery: The intruder transmits the malware via a phishing email or another medium like websites or USB drives etc
  • Exploitation: The malware begins executing on the target system
  • Installation: The malware installs a backdoor or other ingress accessible to the attacker
  • Command and Control: The intruder gains persistent access to the victim’s systems/network, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
  • Exfiltration Or Actions on Objective: The intruder initiates end goal actions, such as data theft, data corruption, or data destruction.
To summarize, Cyber kill chain helps to Detect attackers within each stage of the threat lifecycle with threat intelligence techniques

To apply the Cyber Kill Chain, Lockheed Martin provides the following layers of control implementation:

  • Detect: Determine when and how an attacker is performing recon against your organization or network
  • Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access
  • Disrupt: Change or stop the flow of information or exfiltration of data to the attacker
  • Degrade: Limit the effectiveness or efficiency of an attack
  • Deceive: Interfere with an attack using misdirection or misinformation

Advance Persistent Threat

Typically APT's are nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period of time. Such threat actors' motivations are typically political or economic. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods, and many more. example: Lazarus Group (also known as APT38) from north Korea, Charming Kitten from IRAN, Fancy Bear (APT 28) from Russia etc

The goals of APTs fall into four general categories:
  • Cyber Espionage, including theft of intellectual property or state secrets
  • eCrime for financial gain
  • Hacktivism
  • Destruction

Some examples of advanced persistent threats include:

  • The Stuxnet worm used to attack Iran's nuclear program was detected by cybersecurity researchers in 2010. It is still considered to be one of the most sophisticated pieces of malware ever detected. The malware targeted SCADA (supervisory control and data acquisition) systems and was spread with infected USB devices. The U.S. and Israel have both been linked to the development of Stuxnet, and while neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that they were responsible for Stuxnet.
  • APT28, the Russian advanced persistent threat group also known as Fancy Bear, Pawn Storm, Sofacy Group and Sednit, was identified by researchers at Trend Micro in 2014. APT28 has been linked to attacks against military and government targets in Eastern Europe, including Ukraine and Georgia, as well as campaigns targeting NATO organizations and U.S. defense contractors.
  • APT29, the Russian advanced persistent threat group also known as Cozy Bear, has been linked to a number of attacks, including a 2015 spear phishing attack on the Pentagon, as well as the 2016 attacks on the Democratic National Committee.
  • APT34, an advanced persistent threat group linked to Iran, was identified in 2017 by researchers at FireEye, but has been active since at least 2014. The threat group has targeted companies in the Middle East with attacks against financial, government, energy, chemical and telecommunications companies.
  • APT37, also known as Reaper, StarCruft and Group 123, is an advanced persistent threat linked to North Korea that is believed to have originated around 2012. APT37 has been connected to spear phishing attacks exploiting an Adobe Flash zero-day vulnerability.

Red Vs Blue Vs Purple Team

All Teams share a common goal to improve the security of an organization. Where they differ, is in their approach and their positioning. The red team is considered the “offence” and the blue team, is the “defence.” 

A comparison of these approaches is visualized in the following diagram:

The red teams’ position allows them to use complex methodologies in their attempt to break into systems, identify vulnerabilities within the security of the infrastructure, launch exploits, and communicate their findings. such as Port Scanning, Vulnerability Assessments, penetration Testing, Social Engineering, etc

Blue teams assess, develop and remediate defensive measures to counter the activities of the red team, and of course, true threat actors. In addition, they need to remain current and well-informed on potential threats and attack methods, to improve defense mechanisms and incident response. such as Security Monitoring, Incident Response, Create, Configure, and Enforcing security policies.

The purple team is not a distinct team, but rather a blend of red team members and blue team members. The purple team is designed as a feedback loop between the red and blue teams, As mentioned, the purple team doesn’t so much represent a separate team, instead, it’s more of a combined methodology amongst blue and red teams.

purple teaming, the first objective is clear, regular communication between red and blue teams, a constant flow of information, and symbiotic effort. Red and blue teams, working together, provide regular and consistent knowledge transfer improving the organization’s ability to thwart real-life attack scenarios. In the end, the red team will improve the organization’s vulnerability management processes, and the blue team learns to get into the attackers’ mindset, thus purple teaming allows for the development of better incident response programs and vulnerability detection processes.

The above blog covers the basic terminologies required to understand Threat hunting, Next blog will be more on Threat hunting models, Loops, Frameworks, methodologies, Hypothesis, etc


Stay Tuned...
I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst.  Level 1 analysts se
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing em
Read more