
Threat Hunting

Abstract

   The paper reviews a threat hunter's methodology and aims to help organizations protect themselves against advanced persistent threats (APT). The paper starts off by explaining the first hacking case and how attacks have advanced over the years. The rest of the paper covers the threat hunter's methodology and how it can be used to combat APT groups.

Introduction


   Hackers have been infiltrating and pillaging networks for decades now. In 1903 the hacker Nevil Maskelyne was caught sending disrespectful messages in Morse code through the auditorium's projector. Hackers have always been around, but responding to and protecting ourselves from these malicious actors is relatively new. Threat hunting focuses on finding these malicious actors, commonly referred to as advanced persistent threats (APT).

   Hackers have advanced tremendously over the years. The days are over where you only have to worry about teenagers in their mom's basement. In today's world we have nation states, sophisticated criminal organizations, and large financially motivated groups of individuals coming after your organization. Advanced persistent threats (APT) are the new modern-day hackers. They are sophisticated, well-funded, organized, and motivated.

   The rise of APTs gave birth to the term threat hunting. Threat hunting is defined as “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”. The job of a threat hunter is to find sneaky APTs that have infiltrated your network. Since hackers have upped their sophistication and organization, threat hunters will have to as well. Threat hunters need a methodology for hunting down these APT groups. Luckily there are whole frameworks with millions of dollars of research put into them to help solve this very problem.


Discussion

Methodology


   The Sqrrl Security Analytics Company created a simple framework for threat hunting. This framework should be run in a loop, meaning once you reach the last step in the framework you go back to the beginning. The framework states that the threat hunting loop consists of creating a hypothesis, investigating via tools, discovering new techniques, and informing and enriching analytics.

Hypothesis
  • Analyze Threat Intelligence
  • Evaluate Threats
  • Evaluate Vulnerabilities
  • Create Hypothesis
Investigating via Tools
  • Log Analysis
  • Network Analysis
  • Host Analysis
Discover new Tools, Tactics, and Techniques (TTP)
  • Cyber KillChain
  • Diamond Model
Inform and enrich analytics
  • Generate Threat Intelligence
  • Enhance Security Program
  • Automate detection

Creating a Hypothesis

   A scientific hypothesis is the initial building block in the scientific method. Many describe it as an "educated guess," based on prior knowledge and observation. There are two key components to creating a hypothesis for threat hunting. The first component, as the definition states, is an observation. An example of an observation might be that the hunter sees something fishy in the logs that looks suspicious. Another observation might be that the hunter heard about a particular APT group that is currently active. The second component is that the hypothesis must be testable. For example, you must be able to narrow down on a piece of data that could be buried in gigabytes of logs.

Investigating via Tools


   Once the hunter has formed a hypothesis, he can begin to test it with tools and techniques. These tools and techniques can be broken down into three main categories:

  1. Log Analysis
  2. Network Analysis
  3. Host Analysis

Log Analysis


   Log analysis can be done at both the network and host level. For example, at the network layer you might have an IDS or IPS that stores logs. At the host layer you will generally have a plethora of event logs to search through, at least on a Windows machine.

   The logs at the network and host layer need to be sent to a central location for storage and analysis. Having these logs in a central database will make querying easier, and it will make it more difficult for hackers to cover their tracks by deleting the logs on a compromised machine.

Network Analysis


   Encryption, storage, and processing limitations can greatly impact network analysis. Threat hunters should focus their analysis on examining four key network characteristics:

  1. Number of outbound network connections
  2. Duration of connections
  3. Amount of data exchanged
  4. Frequency of connections

Hunters can take advantage of network flow analysis, protocol analysis, and statistical analysis. By using these four characteristics, hunters can try to find anomalies in hosts on the network based on the way each host communicates.
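As an added example (not code from the original post), the following Python script computes the four characteristics above for each host from a set of constructed flow records and flags the hosts that stand out on each one using a median/MAD rule; the host names, IP addresses and flow values are all made up for the example.

```python
# Added example (not from the original post): per-host network flow statistics
# for the four characteristics listed in the post, with outliers flagged by a
# median / median-absolute-deviation (MAD) rule. All flow records are constructed.
from collections import defaultdict
from statistics import median

# Constructed flow records: (src_host, dst_ip, duration_seconds, bytes_out)
FLOWS = [
    ("ws-01", "10.0.0.5", 3.0, 1200), ("ws-01", "10.0.0.7", 2.0, 800),
    ("ws-02", "10.0.0.5", 4.0, 1500), ("ws-02", "10.0.0.9", 1.0, 600), ("ws-02", "10.0.0.7", 2.0, 400),
    ("ws-03", "10.0.0.5", 2.5, 900),
    ("ws-04", "10.0.0.5", 3.0, 1000), ("ws-04", "10.0.0.7", 2.0, 700),
    ("ws-04", "10.0.0.5", 1.0, 300), ("ws-04", "10.0.0.9", 1.5, 500),
    ("ws-05", "10.0.0.7", 2.0, 1100), ("ws-05", "10.0.0.9", 1.0, 300),
    # ws-09 talks to many external peers, for a long time, and pushes far more data
    *[("ws-09", f"203.0.113.{i}", 600.0, 5_000_000) for i in range(1, 21)],
]

def host_profile(flows):
    """Return {host: {"connections", "duration", "bytes_out", "dst_count"}}."""
    prof = defaultdict(lambda: {"connections": 0, "duration": 0.0,
                                "bytes_out": 0, "dsts": set()})
    for src, dst, dur, nbytes in flows:
        p = prof[src]
        p["connections"] += 1      # frequency: number of outbound connections
        p["duration"] += dur       # total time spent connected
        p["bytes_out"] += nbytes   # amount of data sent out
        p["dsts"].add(dst)         # distinct outbound peers
    return {h: {"connections": p["connections"], "duration": p["duration"],
                "bytes_out": p["bytes_out"], "dst_count": len(p["dsts"])}
            for h, p in prof.items()}

def outliers(profile, metric, threshold=3.5):
    """Hosts whose metric sits more than `threshold` robust z-scores above the
    median. MAD is used instead of stdev so one noisy host cannot hide itself."""
    values = [p[metric] for p in profile.values()]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1e-9   # guard divide-by-zero
    return sorted(h for h, p in profile.items()
                  if 0.6745 * (p[metric] - med) / mad > threshold)

def hunt(flows):
    """Map each of the four characteristics to the hosts that stand out on it."""
    profile = host_profile(flows)
    return {m: outliers(profile, m)
            for m in ("connections", "duration", "bytes_out", "dst_count")}

if __name__ == "__main__":
    for metric, hosts in hunt(FLOWS).items():
        print(f"{metric:12s} outliers: {hosts}")
```

A real hunt would feed this from NetFlow, Zeek conn logs or firewall exports and compare each host against its own history as well as against its peers.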

Host Analysis


   On Windows, almost everything you do will have some sort of event log associated with it. Hunters should pay attention to these host-based logs. Hunters should also pay close attention to:

  • Running Processes
  • Running Services
  • Auto Start Locations
  • Antivirus alerts
  • Host based IDS/IPS logs
  • Privileged Users
  • Privileged Groups

As in the network analysis phase, we are looking for anomalies in hosts.

Tools, Tactics, Procedures (TTP)


   Searching for malware hashes, IPs, and other artifacts will not be enough to stop your average APT group. You will need to discover the new tools, tactics, and techniques that these adversaries are using.

Cyber KillChain


   The cyber kill-chain was developed by Lockheed Martin, and it is a way for hunters to help prevent attacks. It allows defenders to discover the tools, tactics, and techniques used by APT groups.

Instead of focusing on finding artifacts, the hunter should instead spend his time focusing on certain techniques that the APT group uses, such as pass the hash. The hunter can focus on a particular part of an attacker's methodology. The hunter can focus on these phases:
  • Recon
  • Weaponize
  • Delivery
  • Exploit
  • Installation
  • Command & control
  • Objective

   There are weaknesses and bottlenecks in each phase of the methodology. For example, in the command and control phase an attacker must beacon home somehow. This can involve a piece of malware sending HTTP requests to the command and control server. A hunter can take advantage of this bottleneck and specifically look for this type of behavior. Learning how these APT groups operate can help defenders discover zero-day malware and other techniques.
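The beaconing bottleneck described above, as an added example that is not part of the original post: a Python hunt over constructed HTTP proxy log lines that groups requests by client and destination host and flags pairs whose inter-request timing is too regular to be a person browsing; the log format, hostnames and addresses are assumptions made for the example.

```python
# Added example (not from the original post): hunting for C2 beaconing in HTTP
# proxy logs. A beacon calls home on a timer, so the gaps between one client's
# requests to one host show very little jitter. Log format and lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
import re

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")  # "date time src host uri"

def make_logs():
    """Build constructed proxy lines: one timer-driven beacon, one human browser."""
    t0 = datetime(2019, 1, 2, 9, 0, 0)
    lines = []
    # 10.1.1.7 polls a hypothetical C2 host every 60 s with at most 2 s of jitter
    for i in range(12):
        t = t0 + timedelta(seconds=60 * i + (i % 3))
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.1.1.7 c2.example.invalid /gate.php")
    # 10.1.1.3 revisits an intranet site at irregular, human-looking gaps
    for gap in (0, 4, 31, 33, 200, 207, 540, 900, 903, 1400, 1405, 2200):
        t = t0 + timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.1.1.3 intranet.example.invalid /news")
    return sorted(lines)

def intervals_by_pair(lines):
    """Group request times by (src, host) and return the gaps between them."""
    times = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:  # lines that do not fit the format are skipped
            ts, src, host, _uri = m.groups()
            times[(src, host)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return {k: [(b - a).total_seconds() for a, b in zip(v, v[1:])]
            for k, v in times.items() if len(v) >= 2}

def find_beacons(lines, min_requests=8, max_cv=0.2):
    """Return (src, host, mean_gap_seconds) for pairs with low timing jitter.
    cv = stdev / mean of the gaps; a timer gives cv near 0, a person does not."""
    hits = []
    for (src, host), gaps in intervals_by_pair(lines).items():
        if len(gaps) + 1 < min_requests:   # too few requests to judge cadence
            continue
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, host, round(avg, 1)))
    return sorted(hits)

if __name__ == "__main__":
    print(find_beacons(make_logs()))
```

Real malware often adds random sleep jitter, so in practice the threshold is tuned against the environment's normal traffic and combined with the other signals (destination reputation, request size, user agent) rather than used alone.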

Inform and enrich analytics

   Once you have mapped out an APT's tools, tactics, and techniques, you can use these findings to find other compromised hosts. You can also automate the task of discovering these indicators of compromise, which will make your job easier and allow you to quickly detect a certain methodology.



Conclusion


   In today's world we can't just rely on the traditional blue team practices. Antiviruses, firewalls, and intrusion detection systems are not enough to beat someone who is organized, intelligent, and persistent. Organizations should assume that they are already breached and that hackers have infiltrated their network. Advanced persistent threats are out there in the form of nation states, criminal organizations, and other highly motivated groups. Hunters need to have a methodology to detect these unknown attacks and groups. We have never been so connected, and this makes everyone a potential target.
