Threat Hunting Basics - Part 3

By Kunal Patil, Senior Threat Hunter

All about Threat Hunting "HYPOTHESIS"

                A threat hunt hypothesis is a proposed explanation made on the basis of limited evidence from a security environment, and this proposed explanation is then used as a starting point for further investigation. Threat hunting is primarily hypothesis driven. This means that quite often each hunt will begin with a series of questions or theories. Generalized questions could include, “If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?” These types of questions then lead to hypotheses that can be tested. They may begin looking for odd services, unusual network connections, unusual parent-child processes, abnormal behaviors, maximum numbers of registry or file modifications, or anything that seems unusual for this device or environment. In many cases, the hunt may return no results, but that does not mean that this particular theory was incorrect. These theories should not be seen as rigid because they can be further expanded upon and refined based on evidence gained during the view of collected data.    

Hypothesis Life cycle

As shown in the above diagram, how the flow of hypothesis will bring out the successful hunt. It begins with choosing the tactics and techniques, gathering the data, findings the anomaly, and executing the hunt.

Hypotheses are built on observations, intelligence, and the experience of the analyst. Creating a hypothesis is a very important part of the threat hunting process, so below I will be explaining a few ideas or ways to generate a hypothesis. 

Table of Contents: 
  1. External Intelligence 
  2. Internal Intelligence
  3. Power of Social media
  4. Google knows Everything 
  5. Threat Reports and Blogs
  6. Threat hunting using Mitre Att&ck
  7. Malware Intelligence
  8. Advisory Emulation 
  9. Additional Important Factors

External Intelligence

                The easiest way to start with threat hunting is External Intelligence. External Intelligence includes any IOCs (Indicator of compromise) which is used to detect or identify the threats in the environment. Indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host system or network. 

                you can easily get malicious IOCs because there are so many paid and free Threat intelligence platform providers in the market. I will just name a few as Anomali threat stream, cyware CITIX, Mandiant Threat Intelligence, etc are the paid ones and Emerging Threats, Open Phish, Abuse, etc are the free ones. you can read out my blog previously published for more details.

                IOCs like IP, URL, Domains, Network artifacts, and Hashes can be easily found because it's the bottom line of the Pyramid of pain, hence we can begin our hunt using those IOCs and generate a hypothesis based on the scenarios. for example: "Has this domain or IP ever been accessed from my environment?" It will prompt a piece of valuable information regarding the IOCs and Answer you whether any communication was observed with the C2 server at a given point in time.

Here are some IOC's information that a security professional should watch out for in the organization: 
    • Unusual traffic going in and out of the network
    • Unknown files, applications, and processes in the system
    • Suspicious activity in administrator or privileged accounts
    • Anomalous spikes of requests and read volume in company files
    • Network traffic that traverses in unusually used ports
    • Unusual Domain Name Servers (DNS) requests and registry configuration
    • Unauthorized settings changes, including mobile device profile
    • Large amounts of compressed files or data bundles in incorrect or unexplained locations
                The drawback of using External IOCs is that they are static in nature. Attack methods are constantly evolving with the different Tools, Tactics, and techniques. The attack methods are dynamic in nature and we don't have their new attack methods IOCs. Hence, we cannot simply rely on static IOC's but the external IOCs can be an easy starting point for any hunt.

Internal Intelligence

                Internal intelligence and insider threats are the ones which are originated within the target organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access. Traditional security measures are merely focused on external threats and are not always capable of identifying an internal threats emerging from inside the organization.

There is much to learn from a previous incident in your organization. An attack may leave traces that give clues as to where there are holes in an organization’s defenses. Traces of an attack can give threat hunters an idea of where similar threats may be, as well as how they function.

Based on behaviors and actions observed in a previous attack, ask yourself how these behaviors could impact your current environment. Did you patch the issue properly? If any users are particularly careless with security or caused an incident, have their habits changed?


Trackable insider threat indicators or Internal intelligence includes :

  • Unusual logins
  • Use or repeated attempted use of unauthorized applications
  • An increase in escalated privileges
  • Excessive downloading of data
  • Unusual employee behavior
  • Remotely accessing the network while on vacation, while out sick, or outside of typical working hours
  • Working outside of typical working hours without authorization 
  • A notable enthusiasm for shifts where they’ll have minimum supervision such as overtime, weekend, or unusual work schedules
  • An increase in copying materials, particularly if the materials are proprietary or classified and the copying appears to be unnecessary 
  • Having an unusually keen interest in matters outside of the scope of their duties
  • Visits to websites that may indicate low productivity, disengagement, job discontent, and potential legal liabilities (e.g. hate sites, pornography, excessive unproductive browsing)
  • Uploading huge data to the cloud.

                The above are a few internal Intelligence instances that we can collect and make a story from the same which leads to a new HypothesisThere are multiple solutions available to detect insider threat that gives lots of internal intelligence such as UEBA (User Entity Behavior Analytics), SIEM, and SOAR (Security Orchestration, Automation, and Response), etc. 

Power of Social Media

               Social media channels are a good and at times essential and simple way to remain informed. Whether this comes in the form of a threat report, a single tweet on a specific behavior or an IOC, or some other means, many social media channels have useful information.  
Follow the Hashtags like #infosec, #threathunting, #dfir, #malware,  #cybersecurity, #phishing, #ransomeware, #bugbounty, #databreach etc
Find the channels of well-known security researchers on 
Twitter: @cyb3rops , @samwcyo , @briankrebs , @schneierblog , @gcluley , @thegrugq , @shirastweet , @chrispcritters , @troyhunt , @mikko , @brianhonan , @hydeNS33k , @beaker
Linkedin: Bill Brenner, Maya Schirmann, Steve Morgan, Yotam Gutman, Bob Carver, Robert Herjavec, Chuck Brooks, Bob Carver, Paul Asadoorian, Meisam Eslahi, Laurent Crahay
Youtube: John Hammond, Hackersploit, dist67, BlackPearl, 13Cubed, Security Now, IppSec, Gerald Auger, SANS cyber Defense, Linode, Null Byte, STOK, InsiderPHD, LiveOverflow, BlueTeamVillage         
What makes social media different from other mediums is the immediacy of knowledge. The second a new variant is discovered, you can know about it through the power of social media. It’s a way of keeping up-to-date with the latest in the community, which can be invaluable and timely. 
                Without social media, it would be much more difficult to reach such a wide audience in such a short amount of time. So, keep your eye on the trending news, hacks, breaches, and exploits, which help to develop the detection logic and are useful to create your hypothesis. 
                                                    Google Knows Everything!!!

             Google knows everything, so of course, it knows about threat hunting, data breaches, exploits, vulnerabilities, POCs, malware, Reverse engineering, and the list go on. Google dork queries are ways to search Google with advanced search operators to pinpoint the information you are looking to find when threat hunting. It is considered a passive attack method but can be used to find usernames, passwords, email lists, sensitive information, and even some website vulnerabilities. 
                This is the power of Google dorks: this particular query finds PDFs located on unipune.ac.in with the string “sensitive but unclassified” in them. They are an easy way to sift through the massive supply of data Google has available, and are particularly useful for threat hunters.

For example, if you identified specific unknown commands in your environment, you could use Google dorks to search the entirety of GitHub. By searching GitHub for strings matching the commands, you could potentially find a malicious tool used to attack your system based on those commands. With this data, you can learn more about the threat. 

Google Dorking, also known as Google hacking, is the method capable of returning information difficult to locate through simple search queries by providing a search string that uses advanced search operators. Primarily, ethical hackers use this method to query the search engine and find crucial information. This Google hacking cheat sheet will help you carry out Google Dorking commands and access hidden information. We can filter the Google database by the commands like but not limited to Intext. Allintext, Filetype, Intitle, inurl, Site, ext, etc For example as below, 

Command: allinurl:log4jvulnerabilities

allinurl dork command

To be continued......
I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm...
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing tri...
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA ma...
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage....
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100...
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub...
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three T...
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Es...
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread throu...
Read more