Threat Hunting Basics - Part 4

By Kunal Patil, Senior Threat Hunter

 continued.....

Threat Reports and Blogs

Threat Reports and Blogs give you insights into the new Tactics, Techniques, and Procedures used by the attacker. This information gives you an understanding of how other companies handle exploits, what types of malware the industry is seeing, what new techniques are being used to defend and attack, what are the new emerging threats etc.

Find the Reports and Blogs of well-known security researchers Teams like NocturnusSecureListSpider LabsCiscoRed CanaryCrowdstrike and The DFIR report (my favorite) so on. Try to look for how this can impact your industry or organization. Make it a goal to take away at least one security recommendation you can apply to your organization or job from each threat report you read. 

For example, you are reading the latest report from the Red canary and observed the most common techniques used by an attacker are command and scripting interpreter T1059 where Powershell plays a very important role in the windows environment. Usually, PowerShell scripts are obfuscated by an attacker to evade the defense mechanism and bypass the security solutions. 
Powershell as a Hypothesis

The goal is to evading the detection, spawning additional processes, downloading and executing remote code & binaries,  gathering information, change system configuration, etc. There are different methods that can be deployed to prevent such attacks setting up PowerShell execution policy, PowerShell logging, etc. The strings to observe like Invoke-Expression (or variants like iex and .invoke), the DownloadString or DownloadFile methods, or unusual switches like -nop or -noni. Keep an eye on Encoding command switch commands like -e, -ec, -encodecommand, -encoded, -enc, -en, -encod, -enco . Understanding and correlating all the parameters we can build up the logic which is useful to create a new threat hunt hypothesis. 

In addition to building your own hypotheses, many well-written threat reports will list their own security recommendations. 

Threat Hunting Using MITRE ATT&CK 

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Think of it as an encyclopedic reference that describes TTPs adversaries use, provides suggestions for detection and common mitigations for specific techniques, and profiles APT groups’ known practices, characteristics, and specific attack attributions. ATT&CK also provides an extensive list of software used in attacks (both malware and commercially available and open-source code that can be used legitimately or maliciously). All information captured in ATT&CK comes from publicly available data and reports as well as from the community—threat researchers and security teams in the trenches experiencing or analyzing attacks daily. 

MITRE ATT&CK also provides a listing of "N" number APTs and the sectors they target. By looking at which APTs commonly attack which industries, you can get a better sense or idea for the kinds of threats that are most prevalent in your environment.

Adversary tactics as per MITRE ATT&CK are categorized as below:

  1. Reconnaissance: gathering information to plan future adversary operations, i.e., information about the target organization
  2. Resource Development: establishing resources to support operations, i.e., setting up command and control infrastructure
  3. Initial Access: trying to get into your network, i.e., spear phishing
  4. Execution: trying the run malicious code, i.e., running a remote access tool
  5. Persistence: trying to maintain their foothold, i.e., changing configurations
  6. Privilege Escalation: trying to gain higher-level permissions, i.e., leveraging a vulnerability to elevate access
  7. Defense Evasion: trying to avoid being detected, i.e., using trusted processes to hide malware
  8. Credential Access: stealing accounts names and passwords, i.e., keylogging
  9. Discovery: trying to figure out your environment, i.e., exploring what they can control
  10. Lateral Movement: moving through your environment, i.e., using legitimate credentials to pivot through multiple systems
  11. Collection: gathering data of interest to the adversary goal, i.e., accessing data in cloud storage
  12. Command and Control: communicating with compromised systems to control them, i.e., mimicking normal web traffic to communicate with a victim network
  13. Exfiltration: stealing data, i.e., transfer data to cloud account
  14. Impact: manipulate, interrupt, or destroy systems and data, i.e., encrypting data with ransomware

Within each tactic of the MITRE ATT&CK matrix, there are adversary techniques, which describe the actual activity carried out by the adversary. Some techniques have sub-techniques that explain how an adversary carries out a specific technique in greater detail.

For example, a security team in the healthcare space may identify the group DeepPanda as a relevant threat to their organization. The security team can use this information to create an adversary emulation plan and look for threats in their existing system from this group. MITRE ATT&CK has identified many common techniques used by DeepPanda, including the use of PowerShell scripts to download and execute programs in memory without writing to disk. Threat hunters can use this knowledge to create a hypothesis that there may be PowerShell scripts running on their system that are malicious. From there, they can begin the hunt. 

Malware Intelligence

Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat. Technical indicators are identified such as file names, hashes, and strings such as IP addresses, domains, and file header data can be used to determine whether that file is malicious. In addition, tools like disassemblers and network analyzers can be used to observe the malware without actually running it in order to collect information on how the malware works. Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network. The dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing them to uncover the true nature of a threat. As a secondary benefit, automated sandboxing eliminates the time it would take to reverse engineer a file to discover the malicious code. 

By combining basic and dynamic analysis techniques, the hybrid analysis provides the security team the best of both approaches –primarily because it can detect malicious code that is trying to hide, and then can extract many more indicators of compromise (IOCs & IOAs) by statically and previously unseen code. 

If you are able to detect and get a sample of a malware, you can build a hypothesis around its activity. In a lab environment, run malware that has successfully infiltrated your system in the past, or a piece of malware you find interesting. Observe its behavior. Formulate questions based on this behavior.

The dynamic analysis would detect that, and analysts would be alerted to circle back and perform basic static analysis on that memory dump. As a result, more IOCs would be generated and zero-day exploits would be exposed.

Malware analysis can expose behavior and artifacts that threat hunters can use to find a similar activity, such as access to a particular network connection, port, or domain. By searching firewall and proxy logs or SIEM data, teams can use this data to find similar threats. 

In addition, tools like mimikatz are commonly used by attackers. By running tools like mimikatz in a lab environment, you can identify behaviors that take place in your environment that signal a common attack. See how the system reacts to mimikatz, then use this information to identify its use in your actual environment. 

Malware researchers perform malware analysis to gain an understanding of the latest techniques, exploits, and tools used by adversaries. Using the Malware Analysis uncovers more IOC's which helps to Create a Cyber Threat Hunt Hypothesis.

Advisory Emulation

Adversary emulation is a type of red team engagement that mimics a known threat to an organization by blending in threat intelligence to define what actions and behaviors the attacker use. Adversary Emulation is a form of cybersecurity assessment. During this assessment, assessors replicate a specific threat scenario. Adversary emulation helps organizations focus their security testing to prioritize threats that their defenders may face each day. Successful adversary emulation is a collaborative effort between multiple cybersecurity domains of expertise, particularly red team and cyber threat intelligence (CTI) professionals. CTI professionals work with the security operations center (SOC) and senior leadership to determine what types of threats might target the organization, while red teams work to test and probe defenses. Red teams have the tradecraft and skillset to perform malicious actions to subvert defenses, but that expertise is far more valuable to organizations trying to understand the implications of red team findings on their security posture when it is tied to real-world threat data. 

Develop an adversary emulation plan to identify each step an attacker will take. MITRE ATT&CK even provides a listing of TTPs, so you can explore the techniques, tactics, and procedures attackers commonly use. By mapping out each phase of an attack, defenders can more clearly understand the attack process and potential red flags when looking for threats. 

There is a five-step process to create an adversary emulation plan, execute the operation, and drive defensive improvements. 
  1. Gather threat intel 
  2. Extract techniques 
  3. Analyze & organize 
  4. Develop tools and procedures 
  5. Emulate the adversary 
In the complete process, you could determine the new detection logic based on :
  1. How did the threat group use this technique? 
  2. What are Objective of the APT's 
  3. What tools can we use to replicate these TTPs?
  4. Reveals the Artifacts and Metadata of an attack.
Once this entire process takes place, the red, blue, and purple teams can work with the CTI team to determine the TTP of an actor along with their IOCs & IOAs, which helps to create a new Hypothesis that defends against real-world behaviors.  

Additional Important Factors

  1. Stop making any assumptions about your environment because it will limit your scope when forming a hypothesis and will create blindspots in your defenses.
  2. For example, don’t assume that all service processes will run by services.exe. Similarly, do not assume that all processes which are unsigned and unknown (hash) are inherently malicious.
  3. Find the Right Scope: Define your hypothesis in a specific way that designates a clear-cut scope. Too broad, and the hypothesis may become too strenuous to prove. Too narrow, and it may not be very useful.
Keep in mind that the next step after creating the hypothesis is executing it, followed by testing it to completion. Do not create a hypothesis you cannot execute or resolve.

In the Next blog, we will be discussing Threat hunting methodology, Phases, and Steps involved in Threat Hunting. So stay Tuned...
I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst.  Level 1 analysts se
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing em
Read more