Nettitude takes a proactive approach to threat hunting that combines experience amassed through our red teaming, Security Operations Centre, Incident Response and research teams.
Threat hunting is a technique that proactively seeks out both dormant and active threats within an organisation. This could include the identification of systems and networks that have either been targeted or compromised historically, as well as systems that are being actively leveraged today. During a threat hunting activity, systems are assessed directly, and both network traffic and system logs are reviewed to establish event and traffic norms.
For organisations to conduct threat hunting exercises, it is important that they have experience of understanding threat groups, threat actors and, most importantly, their tactics, techniques and procedures (TTPs). Although there will be new and evolving threats that permeate into organisations' infrastructures, many of these approaches will leverage common techniques to achieve persistence, move laterally or exfiltrate data from the target environment. The key to threat hunting is having access to significant amounts of data. Having the ability to gather data from workstations, servers, network traffic, gateways and SIEM appliances greatly increases the effectiveness of a threat hunting exercise.
Threat Hunting As A Process
Threat hunting is most effective when it is an ongoing process. In larger organisations, with many interconnected users and systems, the threat will be both pervasive and persistent. Although point-in-time hunting exercises can have significant value, they tend to work more effectively when the focus is on a targeted set of systems and areas associated with a specific objective. When threat hunting is run as an ongoing process, the lifecycle passes through the following stages.
A threat hunting exercise is initiated by targeting key systems and personnel. During this process, tooling is installed on the target systems to measure each device against a series of known Indicators of Compromise (IOCs). In parallel, network PCAP files are gathered and analysed to determine what traffic is passing into and out of the organisation. Where organisations have extensive log capture and SIEM technology, the threat hunters will interface directly with it to correlate findings captured in the host and network review.
Once a threat has been identified, Nettitude moves into a phase of assessment that is focused on establishing how the threat emanated, where it came from, and when it was activated. Nettitude will also endeavour to attribute back through the attack chain, to learn more about the threat actor or group that instigated the attack. This may involve understanding the group's modus operandi, their TTPs, and their level of sophistication in initiating further attacks.
By determining how the attacker operates, what their modus operandi is, what their TTPs are and their level of sophistication, it is possible to build up a series of defensive and responsive controls. During the learning phase, Nettitude works closely with the organisation's blue team to help evolve both their tooling and their processes, so that they can detect similar types of threats in the future.
The final part of the process is to take the information gained in the previous phases and update the IOC knowledge base with actionable intelligence. This then feeds into a cycle where further hunting is performed, assessing different users, different hosts and additional network segments. In each iteration of the cycle the sophistication of the threat hunting evolves and the assurance process becomes deeper.
Threat Hunting As A Point In Time Activity
It is possible to conduct threat hunting activities as one-off engagements that target subsets of an organisation's environment. Nettitude recommends that a threat-led approach is adopted to determine the focus for the threat hunting activity.
- Focus on the groups that have access to the most important assets. For example, in Financial Services, this might be the team that administers or interacts with Critical Economic Functions.
- Focus on the system administrators, the developers and the teams that have high level privileged access to key resources.
- Focus on the wider Information Technology support team.
- Focus on the leadership team.
- Focus on the finance team.
- Focus on the teams that are known to frequently receive e-mails (with links or attachments) from known external resources. Good examples might include Legal, or HR teams.
To conduct threat hunting as a point-in-time activity, Nettitude recommends a layered approach that starts at the heart of the organisation and then adds iterations with a continually widening scope.
Example Of A Threat Hunting Activity
During a threat hunting activity, Nettitude identified a compromised machine which was communicating with an internet-based command and control infrastructure.
Multiple actors identified:
- Commands from bogel exclusively relate to deployment of new botnet code.
- Commands from RamZkiE are exclusively related to invoking UDP or TCP flooding attacks.
Deep-dive review of the malware, with extraction of TTPs:
- Created in PHP 5.3.24
- Host IP: 126.96.36.199
- Hosted at: main-hosting.com/
- HTTP header: X-Powered-By: PHP/5.3.24
- IANG KEROX TEAM
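The final stage of the process described above turns findings like these into IOC knowledge-base entries that drive the next hunting iteration. The following is an added example, not Nettitude's tooling: it loads the three indicators from this case into a small weighted knowledge base and sweeps constructed proxy-log records for them, alerting on the C2 IP alone but requiring the hosting provider and the PHP/5.3.24 header to corroborate each other. The tab-separated log format, the workstation names, the weights and the threshold are assumptions.

```python
"""Sweep constructed proxy logs for the IOCs recorded in this case (added
example, not Nettitude's tooling). Log format, hostnames and sample lines are
constructed placeholders; the three indicators are the ones the page lists."""

# Weights encode specificity. The C2 IP alerts alone; the hosting provider
# and the PHP/5.3.24 header are shared with many legitimate servers, so
# they only corroborate: together they reach the threshold, alone they do not.
IOC_KB = {
    "dst_ip": {"126.96.36.199": ("c2_host_ip", 3)},
    "dst_host": {"main-hosting.com": ("c2_hosting_provider", 2)},
    "header": {"X-Powered-By: PHP/5.3.24": ("c2_server_fingerprint", 1)},
}
ALERT_THRESHOLD = 3

# Constructed records; 198.51.100.x / 203.0.113.x are documentation ranges.
LOG_LINES = [
    "2023-01-01T10:00:01Z\tws-0142\t126.96.36.199\tmain-hosting.com\tX-Powered-By: PHP/5.3.24",
    "2023-01-01T10:00:05Z\tws-0077\t198.51.100.7\tshop.example\tX-Powered-By: PHP/5.3.24",
    "2023-01-01T10:00:09Z\tws-0142\t10.0.0.5\tintranet.local\tServer: nginx",
    "2023-01-01T10:00:12Z\tws-0210\t203.0.113.9\tcdn.main-hosting.com\tX-Powered-By: PHP/5.3.24",
]


def score_record(fields):
    """Return (score, indicator names) for one parsed log record."""
    _ts, _src, dst_ip, dst_host, headers = fields
    hits = []
    if dst_ip in IOC_KB["dst_ip"]:
        hits.append(IOC_KB["dst_ip"][dst_ip])
    for domain, ioc in IOC_KB["dst_host"].items():
        if dst_host == domain or dst_host.endswith("." + domain):  # incl. subdomains
            hits.append(ioc)
    for header, ioc in IOC_KB["header"].items():
        if header.lower() in headers.lower():  # header names are case-insensitive
            hits.append(ioc)
    return sum(w for _, w in hits), [n for n, _ in hits]


def sweep(lines):
    """Split matching records into alerts and weak-only hits for analyst review."""
    alerts, weak = [], []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed record: skip it rather than abort the sweep
        score, names = score_record(fields)
        if names:
            rec = {"src": fields[1], "dst_ip": fields[2], "score": score, "indicators": names}
            (alerts if score >= ALERT_THRESHOLD else weak).append(rec)
    return alerts, weak
```

Running `sweep(LOG_LINES)` flags ws-0142 (all three indicators) and ws-0210 (provider plus header) as alerts, while ws-0077, which only matches the shared PHP header, is queued for analyst review rather than raised.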