From Prey to Predator – A Crash Course in Cyber Threat Hunting
Threat Hunting Techniques, Tips, Strategies, and Tools.
Cyber Threat Hunting is a CTO (i.e., Counter-Threat Operations) methodology that focuses on proactive threat-seeking and/or remediation. As a technical resource, threat-hunting is very useful in identifying the tell-tale signs of an impending cyber-attack or even rooting out malware that employs advanced evasion techniques. In this article, we’re going to delve into the basics of threat-hunting such as techniques, tips, tricks, strategies, fine-tuning, and more. Enjoy and don’t forget to smash that ‘Subscribe’ button for more Heimdal® goodies.
Cyber Threat Hunting – Background, Importance, and Approaches
Even the most inexperienced computer user knows about the dangers that lurk on the Internet – one careless click can turn your machine into a (very) expensive paperweight. That same user knows (or should, at any rate) that the only way to stay safe while surfing is to buy or try out a cybersecurity product (e.g. antivirus, antimalware, email security suites, password vaults, etc.).
Nothing new under the sun so far; still, one can’t shake the feeling that something may be missing from this picture, the mislaid puzzle piece being evolution, malware evolution, to be more exact. Modern malware is more virulent, aggressive, easier to deploy, better at playing hide-and-seek (i.e., defense evasion), and takes less time to develop.
Moreover, thanks to the RaaS (i.e., Ransomware-as-a-Service) ‘business’ model, malware became infinitely cheaper – in theory, anyone interested in this sort of ‘business’ venture can get a ransomware kit for the price of a large coffee. And because misery loves company, modern malware has done wonders in removing the infamous know-how barrier (i.e., some RaaS kits are plug-and-play, meaning that the operator doesn’t even need to know basic hacking stuff such as coding). To make a long story short, as the meme goes, modern problems require modern solutions and this is where cyber threat hunting comes into play.
If we think about it, the whole prey-turned-hunter makes perfect sense – why wait for something to happen when you can go out there and face it head-on? This right here is the credo of cyber threat hunting; having the capacity, the resources, and the resolve to identify threats by getting into that ‘predatorial’ mindset. Now, before getting into any specifics, we should clear up a couple of things.
First of all, threat hunting is not governed by randomness; sure, it’s seek-and-destroy all the way, but one must first learn what to seek before calling in the cavalry. How do we deal with randomness? By using and leveraging intelligence. We’ll get to that later. So now we have intelligence (data). What’s next? Finding a way to interpret it, of course. Divining data is a complex process – as a threat hunting specialist, you need to know what to look for, where to look, how to look, figure out scenarios (and outcomes), and, of course, take action.
Now that we’ve got that settled, let’s talk about threat hunting methodologies.
According to the big book of threat-hunting, there are three major approaches: analytics-driven, situational-awareness-driven, and intelligence-driven.
Any kind of threat-hunting methodology can be boiled down to three core components: hypothesis, conclusion, and action. This may be a one-way road, but the nuance lies in how you get from point A to point B. This brings us to the first approach – analytics-driven threat-hunting. This method focuses on creating a hypothesis based on aggregated risk scores that are generated by tools that leverage UEBA (User and Entity Behavior Analytics) or Machine-Learning.
The logic behind A-D threat-hunting is pretty straightforward – a high (computed) risk score might indicate that either malware has bypassed your defenses, lodging itself in your network, or that an attack can occur at any given time. It’s not uncommon to predict attacks based on UEBA/ML-computed data, but this usually tends to happen when a threat actor chooses to cut corners (i.e., exploits an actively monitored vulnerability, makes little effort to conceal the malicious package, employs high-profile TTPs such as brute-forcing, etc.).
So, how does all of this work (or apply) in a real-life scenario? Let’s consider the following example. Imagine being a security specialist in charge of investigating an entity; it can be a user, a device, or even a piece of equipment. This entity outputs some anomalous signals – for instance, a user logging into a machine at the same time each day, outside working hours. Your instinct is to pull out the logs to see what the user’s been up to. As we know, logs can be retrieved from various sources – AD, VPN, databases, Windows Event Viewer, proxy, etc.
Each event or anomaly discovered while analyzing these logs will receive a rating based on the associated risk (e.g., attempting to delete or tamper with a system file carries a higher risk score compared to someone misspelling his password). So, each event is rated according to severity. To compute the entity’s global risk score, you need only sum up the ratings associated with each anomaly and normalize the output by cross-referencing it to your baseline. That’s the risk score associated with that entity. Obviously, you should prioritize entities with higher risk scores over those that carry significantly lower ratings.
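The scoring walk-through above, as an added example (it is not Heimdal’s code or part of the original article): constructed log lines are rated per anomaly, the ratings are summed per entity, and the sum is normalised against an assumed per-entity baseline so the entities can be ranked for follow-up. The working hours, severity ratings and baseline values are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <event> [<detail>]".
SAMPLE_LOG = """\
2024-03-04T02:10:05 svc_backup logon_success host=FS01
2024-03-04T09:15:44 alice logon_success host=WS12
2024-03-04T09:16:02 alice logon_failure host=WS12
2024-03-04T02:12:40 svc_backup file_modify path=C:/Windows/System32/drivers/etc/hosts
2024-03-04T14:02:11 bob db_read rows=500000
2024-03-04T14:30:00 bob logon_success host=WS07
"""

WORK_HOURS = range(8, 19)            # 08:00-18:59, assumed for the demo
SYSTEM_PATH_PREFIX = "C:/Windows/"   # tampering under here is rated highest
# Assumed "typical daily score" per entity, used as the normalisation baseline.
BASELINES = {"svc_backup": 40, "alice": 5, "bob": 10}

def rate_event(ts, event, detail):
    """Map one log event to (anomaly name, severity rating); 0 means benign."""
    hour = datetime.fromisoformat(ts).hour
    if event == "logon_success" and hour not in WORK_HOURS:
        return "after_hours_logon", 40
    if event == "logon_failure":
        return "failed_logon", 5         # a mistyped password is low risk
    if event == "file_modify" and detail.startswith("path=" + SYSTEM_PATH_PREFIX):
        return "system_file_tamper", 80
    if event == "db_read" and int(detail.split("=", 1)[1]) > 100000:
        return "bulk_db_read", 50
    return None, 0

def score_entities(log_text):
    """Return {entity: raw score} by summing the ratings of every anomaly."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        ts, user, event, *rest = line.split()
        _, rating = rate_event(ts, event, rest[0] if rest else "")
        scores[user] += rating
    return dict(scores)

def rank_entities(scores, baselines, default_baseline=10):
    """Divide each raw score by the entity's baseline and sort, highest first."""
    ratios = {e: s / baselines.get(e, default_baseline) for e, s in scores.items()}
    return sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)

def investigation_queue(log_text=SAMPLE_LOG, baselines=BASELINES):
    return rank_entities(score_entities(log_text), baselines)

if __name__ == "__main__":
    for entity, ratio in investigation_queue():
        print(f"{entity:<12} {ratio:.1f}x baseline")
```

Note that the service account has the highest raw score, yet normalisation pushes bob to the top of the queue: nightly after-hours logons are that account’s baseline, while a bulk database read is five times bob’s usual activity.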
Situational-Awareness Driven Threat-Hunting
This type of threat hunting approach focuses on very specific, company-owned resources (e.g. a machine, individual, piece of equipment, etc.) or even on organizational trends. The purpose of this exercise is to ascertain the risk level associated with the scrutinized resource and to formulate a mitigation plan. Most situational-awareness threat-hunting cases stem from the so-called Crown Jewel Analysis. Without going into too much detail, CJA helps a security specialist quickly identify which systems (on- or off-premises) would be crippled by a denial of service.
Here’s a quick example: let’s say that you have to perform a CJA on three assets – a payroll document, another document that contains the names of the candidates running for the employee of the year award, and a third document that details this year’s tech acquisitions made by the IT department. So, by applying the CJA logic, we can safely (and unequivocally) conclude that if something were to happen to the payroll document, say malicious exfiltration, the impact on the company’s systems would be more severe as compared to the unlikely scenario of someone pilfering the employee of the year award document.
Intelligence-Driven Threat-Hunting
There’s more than one way to skin a malicious actor and having the right intel can certainly make a difference. What is intelligence? Well, it’s not another fancy word for data…it’s THE data; relevant streams of info that can help you get into the attacker’s mindset. One might argue that there’s no difference between analytics-driven and intelligence-driven TH; that would be a fallacy. Analytics-driven TH focuses on the data generated by company-owned resources, whereas intelligence-driven threat-hunting leverages both internal and external information (e.g. open-source intelligence and closed-source intelligence).
Threat Hunting Tools
Cyber threat hunting is cool and effective, but it only looks good on paper if you don’t have the proper tools available. So, before going over baselining & techniques, here’s a list of threat hunting tools that will definitely help you level the playing field.
1. Maltego CE
Maltego is a data-mining tool that allows your security specialists to establish relationships between events, by cross-referencing internal data to open-source intel. You can also generate visually rich graphics for link analysis and further customize the apps according to your needs.
2. Cuckoo Sandbox
This sandboxing environment comes with a nifty disposable unit that allows you to get rid of unwanted (and malicious) packages after analysis. Its features include network traffic analysis (encrypted and unencrypted), advanced memory analysis, API call tracing, and malware analysis multi-format support (e.g., pdf, emails, Office docs, executables, batch files, etc.).
3. YARA
YARA is the analyst’s go-to choice for malware classification. This tool allows you to quickly identify or create new malware categories based on text or binary patterns. YARA is compatible with multiple operating systems and supports advanced CLI or Python scripting.
4. BotScout
Bots are and always will be a nuisance; and what better way to fight against automated web scripting than with a tool that does the same thing? BotScout is an API-based tool that helps you track down bots by email address, name, or IP address and terminate the connection.
5. YETI
YETI is a Django-based Trusted Automated eXchange of Indicator Information tool that allows users to quickly exchange threat-related information across multiple platforms.
6. Phishing Catcher
As its name suggests, this tool permits users to track down phishing domains (and attempts) in real time by harvesting data directly from the CTL (Certificate Transparency Log).
7. DNSTWIST
DNSTWIST certainly adds an extra twist to the threat hunting endeavor; using fuzzing, this tool is capable of identifying and mapping out suspicious domains, phishing websites, and rogue MX hosts. If that wasn’t enough, DNSTWIST is also capable of geo-locating suspicious domains and actively preventing email address harvesting.
8. AttackerKB
AttackerKB can be justly considered a search engine for vulnerabilities and exploits. A very powerful asset in the hands of an ethical hacker, but let us not forget that this resource can also be used by threat actors.
9. InviZzzible
Worried about malware escaping your sandboxing environment? Not to worry; InviZzzible will add extra padding to your sandbox and also help you detect evasive malware.
10. Autopsy
Autopsy is the Swiss Army knife of host-based analysis. It’s a very robust toolbox comprised of multiple features such as auto ingestion, EML email parsing, advanced data source management, and more. Check out Autopsy’s GitHub page for additional information.
11. Heimdal® Threat-hunting and Action Center
- Granular telemetry across endpoints and networks.
- Equipped with built-in hunting and action capabilities.
- Pre-computed risk scores, indicators & detailed attack analysis.
- A single pane of glass for intelligence, hunting, and response.
Threat Hunting Techniques
Now that we have everything we need to build a proper threat-hunting setup, we should discuss techniques. So, without further ado, here are some of the most common (and effective) threat-hunting techniques.
1. Knowing your IOAs and IOCs
The very first thing they teach you in threat hunting school is how to leverage IOAs and IOCs. To a seasoned malware hunter/analyst these things may be a tad nitty-gritty, but mastering (and honing) the basics is just as important as playing around with AI or ML. So, let’s do a little recap.
IOC – stands for Indicator of Compromise; an evidence set that points toward network and/or endpoint compromise. IOCs can be used in digital forensics analysis. IOC examples include unusual DNS requests, abnormal network traffic patterns, DDoS attacks, abnormal logins, unusual database reading activity, file tampering, callbacks to the same file, and a user performing operations outside of their RBAC role.
IOA – stands for Indicator of Attack; carries intent and motivation. An IOA is an evidence set pointing toward an active network/endpoint attack; crucial for tuning next-generation threat-mitigation engines and solutions (e.g., IDS, IPS, next-gen firewalls, etc.). Examples include covert communication between internet-facing public servers and individual hosts, communication over non-standard ports, spikes in SMTP traffic, post-infection inter-host chatter, connection attempts from different geographic regions, and a suboptimal malware removal rate.
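To make the IOC/IOA distinction concrete, here is an added example (not Heimdal’s code or part of the original article) run over constructed flow records. An IOC match is a single static fact, here a destination on an assumed known-bad watchlist; an IOA is a behavioural sequence drawn from the list above: an internet-facing server reaches an internal host on a non-standard port, after which that host starts talking to its peers. The DMZ address, watchlist entry, port list and peer threshold are all assumptions for the demo.

```python
from collections import defaultdict

# Constructed flow records: "<HH:MM:SS> <src> <dst> <dport> <proto>", time-ordered.
FLOWS = """\
10:00:01 198.51.100.7 10.0.0.5 443 tcp
10:00:05 10.0.0.5 10.0.1.20 4444 tcp
10:00:09 10.0.1.20 10.0.1.21 445 tcp
10:00:10 10.0.1.20 10.0.1.22 445 tcp
10:00:12 10.0.1.20 10.0.1.23 445 tcp
10:01:00 10.0.1.30 203.0.113.9 443 tcp
10:02:00 10.0.1.40 10.0.1.41 445 tcp
"""
INTERNET_FACING = {"10.0.0.5"}     # assumed DMZ web server
KNOWN_BAD = {"203.0.113.9"}        # placeholder watchlist entry (TEST-NET-3 range)
STANDARD_PORTS = {22, 53, 80, 443}
MIN_PEERS = 2                      # peers contacted before we call it inter-host chatter

def parse(text):
    recs = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        recs.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return recs

def ioc_hits(recs):
    """IOC: any flow whose destination is already known to be malicious."""
    return [(r["ts"], r["src"], r["dst"]) for r in recs if r["dst"] in KNOWN_BAD]

def ioa_hits(recs):
    """IOA: non-standard-port contact from an internet-facing host, then fan-out."""
    entry_time = {}                # internal host -> time it was first reached
    peers = defaultdict(set)       # internal host -> peers it contacted afterwards
    for r in recs:
        if r["src"] in INTERNET_FACING and r["dport"] not in STANDARD_PORTS:
            entry_time.setdefault(r["dst"], r["ts"])
        elif r["src"] in entry_time and r["dst"] not in INTERNET_FACING:
            peers[r["src"]].add(r["dst"])
    return sorted(h for h, p in peers.items() if len(p) >= MIN_PEERS)

if __name__ == "__main__":
    recs = parse(FLOWS)
    print("IOC hits:", ioc_hits(recs))
    print("IOA hits:", ioa_hits(recs))
```

Note that 10.0.1.40 also talks SMB to a neighbour but is not flagged: without the preceding non-standard-port contact there is no sequence, which is the point of an IOA over an isolated IOC.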
2. TTP drilling
Threat hunting doesn’t really output the expected results when working outside of a framework. So, in order to max out your results, you should spend some time familiarizing yourself with (un)common MOs. The best way to go about this is to hop on MITRE’s official page and start researching TTPs (i.e., Tactics, Techniques, and Procedures). Not going to lie to you; this will probably be your driest read ever, but this intel is definitely going to help you up your threat hunting game.
There are several ways to use MITRE; personally, I prefer downloading a clean ATT&CK template and filling it out with the details of my investigation, starting from recon and all the way up to exfil and impact. Take a look at NIST’s framework while filling out the MITRE ‘paperwork’; NIST and MITRE are two sides of the same coin. While MITRE offers you insight into the attack, NIST provides defensive actions or strategies, regardless of the kill-chain index or trajectory.
Threat Hunting is here to stay; the science is sound and considering the threatscape as a whole, this approach is not only natural but warranted. The shift towards big game hunting means that the threat actors must be clever and, unfortunately, this creativity bout on their part means that single-purpose products (e.g. AV, anti-malware, email security) will no longer be able to keep pace. As a result, cybersecurity will gravitate towards unification, both in terms of services and solutions.
Heimdal® rises to the challenge in the form of a unified platform that takes threat-hunting to the very next level by combining SOAR, SIEM, and XDR. The Heimdal® Threat-hunting and Action Center is a revolutionary platform that is fully integrated with the Heimdal® solution suite. Designed to provide security teams with an advanced threat-centric view of their IT landscape, the solution employs granular telemetry to enable swift decision-making, using built-in hunting, remediation and actioning capabilities – all managed from the Heimdal Unified Security Platform.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.