Threat Hunting Basics - Part 5

By Kunal Patil, Senior Threat Hunter

 Threat Hunting Methodology 




A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that are not detected by automated security tools. Threat hunters assume that adversaries are already in the system, and they initiate an investigation to find unusual behavior that may indicate the presence of malicious activity. Four Methods involved in the hunting methodology are as follows: 

Intel Based or Unstructured Hunting 

The Intel-based hunting approach involves the reactive hunt technique associated with new threats. These IOCs become a trigger point for the threat hunter to uncover the malicious activity going on. 

You can check out the previous blog which shows how Threat intelligence can be useful for the threat hunting approach.

Behavior-based or Structured Hunting

The most proactive threat-hunting technique is an investigation using indicators of attack or Indicators of behavior. This technique commonly aligns with threat frameworks such as MITRE ATT&CK.

Here are the actions that are most often involved in the process:

  1. Use IOAs and TTPs to identify threat actors. 
  2. The hunter assesses the domain, environment, and attack behaviors to create a hypothesis that aligns with MITRE. 
  3. After identifying a behavior, the threat hunter attempts to locate patterns by monitoring activities. The goal is locating, identifying, and then isolating the threat.

Hypothesis Based Hunting

This threat hunting technique involves testing three types of hypotheses:

  • Analytics-driven: makes use of machine learning (ML) and user and entity behavior analytics (UEBA) to develop aggregated risk scores and formulate hypotheses
  • Intelligence-driven: includes malware analysis, vulnerability scans, and intelligence reports and feeds
  • Situational-awareness driven: enterprise risk assessments and crown jewel analysis (the identification of the digital assets that are critical to the company) Attackers commonly target specific high-value or high-risk assets or privileged users such as IT administrators, domain controllers, development managers, and C-level Executives. Threat hunting helps identify these high-priority targets and conduct focused searches for relevant threats.
Hypotheses can also be targeted not at predicting the future steps of the attackers but at understanding patterns, dependencies, and so on. In other words, seeing the whole picture.

Custom or Hybrid Hunting 

The hybrid threat hunting technique combines all of the above methods, allowing security analysts to customize the hunt. For example, the hunt can be customized using data about geopolitical issues. You can also use a hypothesis as the trigger, and leverage IoAs and IoCs. 

Threat Hunting Steps

A cyber threat hunt is composed of steps or processes designed for an efficient, successful hunt. These steps include:

Step 1: Hypothesis
Threat hunts begin with a hypothesis or a statement about the hunter’s ideas of what threats might be in the environment and how to go about finding them. A hypothesis can include a suspected attacker's tactics, techniques, and procedures (TTPs). Threat hunters use threat intelligence, environmental knowledge, and their own experience and creativity to build a logical path to detection.

Step 2: Collect and Process Intelligence and Data
Hunting for threats requires quality intelligence and data. A plan for collecting, centralizing, and processing data is required. Security Information and Event Management (SIEM) software can provide insight and a track record of activities in an enterprise’s IT environment.

Step 3: Trigger
A hypothesis can act as a trigger when advanced detection tools point threat hunters to initiate an investigation of a particular system or specific area of a network.

Step 4: Investigation
Investigative technology can hunt or search deep into potentially malicious anomalies in a system or network, ultimately determined to be benign or confirmed as malicious.

Step 5: Response/Resolution
Data gathered from confirmed malicious activity can be entered into automated security technology to respond to resolve, and mitigate threats. Actions can include removing malware files, restoring altered or deleted files to their original state, updating firewall /IPS rules, deploying security patches, and changing system configurations – all the while better understanding what occurred and how to improve your security against similar future attacks.

Phases of Threat Hunting

One of the core realities of threat hunting is that we need access to data to verify integrity. I cannot validate whether a system is still in a trusted state unless I have access to data that identifies that system’s current operational state. If I’m hunting on the network, visibility is a non-issue.

With host-based threat hunting, data access can be hit or miss. It can be extremely difficult to identify if you are collecting logs from all of your devices. In fact, you can be pretty certain you are not, given the number of BYOD, IoT, and forgotten hardware devices (like printers) that end up on the typical network. Clearly, if I’m not getting logs from a device, I have no way of evaluating that device’s integrity. 

Further, modern malware tries really hard to cover its tracks. So even if I am collecting log entries from a host, the malware that now owns that system may be altering logs in an effort to go undetected.

So think of network-based threat hunting as the great equalizer. While an attacker may be able to hide the processes they are running on a system, they cannot hide their packets on the wire. The best they can hope for is to get lost in the rest of the traffic on the network.

This does not mean host logs have no value. When we threat hunt the network, we are trying to determine if each session is trustworthy or a potential threat. Sometimes the network does not have all the answers. For example, I may see that one of my internal systems is holding open a TLS-protected session with an external host 24 hours a day. For me personally, I would be 75% certain that this is due to a compromise or an internal employee breaching policy. With this evidence in hand, I would now turn to host logs to identify what process is responsible for that session, and why it is running on the system. At this point, however, I’ve switched into more of a forensic analysis mode than threat hunting.

Hunting for Network threats

Network threat hunting actively checks every network connection of every IP on the network. By using outgoing network traffic to identify anomalous, possibly malicious connections based on connection frequency, connection duration, cumulative connection duration, and connections to multiple subdomains over DNS, the network defender can identify C2 channels. This helps prioritize connections for further investigation and incident response.

Few examples to start with the network hunt as below but not limited to: 
  1. Web requests with an unusual HTTP protocol version.
  2. User agents that are not commonly used in your organization. Do not blindly trust user agent information, however, since this can easily be crafted.
  3. Excessive size or a repeating pattern in the size of HTTP requests.
  4. Persistent connections (beacons) to HTTP servers on the internet, even outside regular office hours.
  5. Repeated requests for the same web resource, possibly on different domains, with a similar parameter format.
  6. Requests to a social network site outside regular office hours. Attackers can encode their commands -textually on a page on a social network and present them like legitimate messages.
  7. Alerts on DNS queries for domains that have only recently been registered.
  8. DNS responses that have a very low time to live (TTL).
  9. Repeated requests for domains belonging to a dynamic DNS service or requests for URL shortener domains.
  10. Statistics for DNS queries on the full qualified domain name (FQDN), focusing on the second-level domain. Be aware that this can also generate lots of false positives due to content delivery networks (CDNs).
  11. Netflow statistics for workstations that establish a high number of connections or flows. and Firewall log entries indicating outbound IRC or P2P traffic.
  12. Communications to potential suspicious ports
  13. Hunt for ICMP packets between 2 IP address that is consecutive for a long duration
  14. Outbound connection to a rare country IP

Hunting for Host/Endpoint threats

Examine endpoints for malware involvement in the registry, file system, and elsewhere. Host-based threat-hunting can be achieved by observing the suspicious or abnormal behavior/activity of the processes, binaries, registries, malicious scripts, loaded drivers, removable media, system configuration, authentication events, fileless attacks, local firewall rules, etc.

Few examples to start with the Host-based hunt as below but not limited to: 
  1. Potential Maldoc Execution Chain
  2. PowerShell Encoded Command Execution
  3. Unusual Process Execution Path - Recycle Bin
  4. LSASS Memory Dumping using WerFault.exe
  5. User Activity from Clearing Event Logs
  6. User Activity from Stopping Windows Defensive Services
  7. Suspicious scheduled tasks created
  8. suspicious service installed
  9. Reg.exe called from Command Shell
  10. Process injection from the unusual process
  11. Msiexec process communicating with a malicious domain
  12. Regsvr32 scriptlet execution by communicating with malicious domain and executed using scrobj.dll
  13. ASEP registry modification by the unsigned binary
  14. Unusual Parent-child relationship in the process.

I hope you found the above blog informative, The next blog will be more on skills needed to be a good Threat hunter.

Stay Tuned....
I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst.  Level 1 analysts se
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing em
Read more