Threat Hunting 101 Flashcards
Prerequisites for Threat Hunting?
- SANS “Top 20” CIS Critical Security Controls is a good place to start
- Minimum requirements:
■ inventory of systems, networks, software
■ Baseline before an incident: know what "normal" looks like on the network
■ An incident response plan in place BEFORE an incident
■ A list of known privileged accounts
■ Know where your sensitive data is located
Threat Hunting Frameworks?
MITRE ATT&CK
Lockheed Martin's Cyber Kill Chain
FireEye's Attack Lifecycle
Gartner’s Cyber Attack Model
Should I move from left to right when using the ATT&CK Framework while executing my exercise?
there is no specific order
Use the ATT&CK to support your hypothesis.
If you don't have a hypothesis, start your threat hunting where the high-risk and first-impact areas are, then work top-down.
Threat hunting should be focused. How?
■ Logs that matter
■ Common patterns used by attackers
■ Get a tangible result
■ Improving technique with each iteration of the hunt
What Do You Need to Start Threat Hunting?
- automated blocking and monitoring tools such as firewalls, antivirus, endpoint management
- network packet capture
- SIEM
- Threat intelligence
Some Threat Hunting Tools?
- Sqrrl - APT detection platform. Combines Link Analysis and UBA
- Sysmon
- FireEye-Redline
- Volatility
- Malware-Traffic-Analysis.net
- Windows Event Forwarding
- Bricata
- Cortex XDR
What is an effective cyber threat hunting process?
non-signature-based detection
anomaly- and behavior-based analytics
external threat intelligence sources
Why would an analyst start to correlate data and determine if there is cause for further investigation?
examining various sources of data, such as authentication logs or traffic flow
What are the 5 HMM levels?
HM1: Rely on IDS, collect info from systems, use threat intel feeds, hunting is manual
-
HM2: Incorporate hunt techniques from external sources, Collect data from systems, Active approach
-
HM3: Analyze different data, machine learning, publish hunting procedures, identify patterns in alerts
-
HM4: HM3 capabilities + Automate tactical-level analysis, Scripts and Programs based on intelligence, Analysts can focus on creating new hunt methods
The hunting cycle is a four-stage loop?
Hypothesize
Investigate
Uncover
Inform and Enrich
Examples of a pattern or the attacker’s TTP?
specific registry key modifications
The steps of the Hunt-Uncover stage?
Investigate specific IOCs
Link various IOCs
TTPs discovered are shared
The steps in the Inform and Enrich stage?
- Use knowledge from Uncover stage to reduce risk and simplify future hunts
- Document hunting cycle result
- Automate hunting repeatable tasks
- Create signatures and rules for threat detection systems using new findings.
What three aspects are vulnerabilities evaluated under in CVSS?
- Base group: characteristics of a vulnerability that are constant over time
- Temporal Group: assesses the vulnerability as it changes over time
- Environmental Group: characteristics of a vulnerability, taking into account the organizational environment.
How does scoring work for the CVSS Base Group?
0 - 10
0 the least severe
The base group Exploitability and Impact metrics?
Exploitability:
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
Scope and Impact:
- Scope
- Confidentiality
- Integrity
- Availability
The temporal group metrics?
- Exploit Code Maturity (E)
- Remediation Level (RL)
- Report Confidence (RC)
What is the importance of CVSS?
Reports vulnerability severity, urgency, and priority of response. Note: it does not calculate the chances of being attacked, but the chances of being compromised when attacked and the potential damage.
How is CVSS used in Threat Hunting?
- prioritize remediation efforts.
- identify how vulnerabilities are used
Maintenance and Guidance of CVSS?
FIRST (Forum of Incident Response and Security Teams)
What are the conditions for a Hot Thread to be recorded in the database?
- Newly disclosed vulnerability with a CVSS base score of high (7.0 or greater).
- Intelligence indicating attacks targeted at specific customers (from Talos, open source intel-sharing forums, ISACs and law enforcement)
- Native intelligence: growing evidence of a campaign developing on customers' sites, a surge in reliable and high-fidelity security alerts, or an opaque priority request to place vigilance in monitoring specific network zones for a specified time period
Threat Awareness Resources?
- OWASP
- Spamhaus Project
- Alexa and the GoatRider tool (website traffic analysis)
- Farsight Security’s DNSDB
Threat Intelligence Sources?
- Malware detection and analysis sites
- Web content verification sites
- Network utilities
- Scripting Decoding Utilities
- Blogs and Feeds
What three aspects of an attack should a hunter look into?
- Infection Vector
- Persistence
- Lateral Movement
Open source Threat Hunting tools for smaller organizations or doing it on your own?
Host, Network, and Log Data:
GRR, SysMon, Bro, WinBeat
Storage and Analytics:
ELK Stack: Elasticsearch, Logstash, Kibana
Infrastructure:
Puppet, Chef, Docker
Threat Hunting Skills?
Offensive Skills
Network Analysis - Host Analysis
Malware Analysis - Memory Analysis
Most importantly
- Investigative mind
- Attacker mindset
- Patience to work long hours to complete a TH exercise
- Continuously search for new threats
- Open to using new tools or creating them.
Attack Scenario - Infection Vector
External
Delivery Method: Phishing - External Download
Exploit Method: Office Macro - PDF Vulnerability
Internal
Delivery Method: USB - Network Share
Exploit Method: Native Executable - HTA
Elements of hypotheses for the areas to look into?
i.e. Infection Vector, Persistence, and Lateral Movement.
- What data I need?
- How do I get it?
- How do I hunt through that data?
External Vectors / Perimeter Logs
- Bro logs
- Email and Proxy logs
Internal Vectors
- Process Data
- Registry
- Windows Events
Delivery Vector - Phishing - Office Macro Exploit used
What data do I need?
- Process execution data
- Enhanced Powershell logging
- Email logs
Where do I get the data from?
- Sysmon/OSquery
- Windows Event logs
- Email Servers
How to hunt through this data?
- Searching Office programs launching Powershell
- Command arguments w/encoded command
Then query Kibana for that data to get a visualization for that pattern and attack
How do attackers establish Persistence?
Traditional
- Run keys - Services - Scheduled Tasks
Creative/Stealthy
- Office Templates
- Hijacking Windows features (AppInit DLLs/Accessibility features)
Host Analysis skills
Persistence example - RUN KEYS
What data is needed?
Where to get the data from?
How to hunt through the data?
What? Registry Run Key locations: Run, RunOnce, RunOnceEx
Where? PowerShell script deployed via Group Policy; collect to Elastic
How?
- Grouping of executables in run key values
- Grouping of executable paths
- Command line commands/arguments
- Hashing
- First seen/last run
Lateral Movement
Two key areas to look into for evidence?
Recon
DNS Zone Transfers, LDAP Enumeration, Port Scanning
Access
PSExec - RDP - PS Remoting
Where do I find the data?
- WVT logs
- Bro/Network logs
- Enumeration artefacts
- IDS log parsing
Four Primary Threat Hunting Techniques?
Searching
Clustering
Grouping
Stack Counting
Datasets - Endpoint Data?
- Process execution metadata
- Registry access data
- File data
- Network data
- File prevalence
Datasets - Network Data?
- Network session data
- Bro logs
- Proxy logs
- DNS logs
- Firewall logs
- Switch and router logs
Datasets - Security Data?
Threat Intelligence
Alerts
Friendly Intelligence
Lateral Movement - Attack Scenario
What data do I need?
Where to get it from?
How to hunt through it?
What?
WVT
Bro logs
Where?
WinBeat parsing
Collect to Elastic
How?
- Anomalous user/service logins
- High count 'one to many' connections
- Traffic on LDAP ports
- Session types/privileges
How Do You Know What to Look For?
Set some prioritized intelligence requirements (PIRs)
What is threat hunting?
“the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”
Sqrrl defined
Examples of Fileless Malware and Techniques?
Code injection
API Hooking
How to deal with huge data sets?
Machine Learning
ex. Lateral Movement Data Sets
What is so interesting in the Threat Hunter role?
It builds, maintains, and improves defensive and offensive skills.
Gets involved in Machine Learning and scripting
What is Atomic Red Team?
Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework.
MITRE ATT&CK?
MITRE ATT&CK™ is a knowledge base
- model cyber adversaries’ tactics and techniques
- shows how to detect or stop them
Threat Hunting Use Cases?
Anomaly-based detection is a good first start: identifying interesting or unaccountable items in a SIEM
- ssh logins at 1 am
- Consistent ICMP traffic to unknown IPs
This will give a good starting point to hunt for threats.
Additionally:
- Anonymizing VPNs/Tor from inside the network
- Logins from strange locations
- More than one remote connection at the same time for the same user or being logged in locally and remotely at the same time.
What is the primary difference between threat hunting and penetration testing?
Penetration testing, you are taking an outside-in approach. But with threat hunting, this is much more of an inside-out approach.
- the assumption (or more specifically, the hypothesis) that an adversary could already be inside your IT Infrastructure. Thus, you are taking steps to ascertain that. If your hypothesis is indeed confirmed, you then will try to mitigate them so that they can’t get in again.
What happens if I don’t find anything in the threat-hunting exercise that I have just engaged in?
There is a very good chance that you will discover other kinds of security vulnerabilities which you thought never existed before.
Should I just pick any random area of the ATT&CK framework to start my threat-hunting exercise?
- First analyze the log files and the respective warnings/ alerts to see what trouble points exist.
- You also need to make sure that you have access permissions for the resources you need for hunting.
example: Don’t search for account manipulation adversaries if the access permissions and tools are not in place first.
Should I move from left to right when using the ATT&CK Framework while executing my exercise?
You don't have to address each and every cyber-related issue in the framework, and don't feel overwhelmed by it.
Use ATT&CK as support for a hypothesis and start from there. If you don't have a hypothesis at first, start threat hunting where the high-risk and first-impact areas are, then work top-down from there.
Privilege escalation: what should a threat hunter look for in these instances?
- look into any known gaps or weaknesses that currently exist
- an EDR solution would be the most beneficial technique.
- File Integrity Monitoring
If there are any suspicious changes to files, a history of employee logins must be examined for any types of anomalous behaviors.
- Misconfiguration, as this is another backdoor for the cyberattacker.
What are the two primary types of threat-hunting exercises?
- On-Demand Investigation Mode: used by security teams to investigate any suspicious or anomalous activities after they have been detected.
- Continuous Monitoring or Testing Mode: continuously monitoring and/or testing their security posture to proactively identify and investigate any suspicious events.
How would you specifically describe data leakage?
the departure of a data packet from the place where it was intended to be stored.
Top sources of data leakage?
- Users
- misconfigurations
- Web-based application developed using insecure source code
- Inadequate security controls
How to detect Privilege Escalation?
- EDR solution
- File Integrity Monitoring (or FIM for short)
- Employee logins must be examined for any types of anomalous behaviors.
- Misconfigured systems
Should threat hunting be conducted in one part of an infrastructure, or multiple areas?
Multiple areas, for comprehensive results.
Where are the Visibility Points?
Where/what are the detection points?
Where to setup sensors?
Traffic at all major points
(core switch where VLANs are trunked, firewalls and their ports, Internet ports, edge routers)
System logs that control access
- VPN
- 2FA
- O365/Azure
Security Tools
AV, Firewalls, IPS
Logging Sources?
NGFW, WAF
Entry Points
- VPN, Remote Access, Edge Routers, Wi-Fi
Directory/Authentication Services
- Active Directory, Azure/O365, IM, 2FA
Protection/Detection Tools
- IPS/IDS
- AV/HIPS
- Network Sensors
Network bandwidth/traffic monitoring tools?
- PRTG
- TCPdump
- NTOP
- Nagios
Note: Used for anomaly detection
The Components of a Hypothesis Template
- Tactic and Technique
- Procedure
- Collection Requirements
- Scope
- Exclusions
- Analysis Plan
SIEM use for Threat Hunting?
Anomaly Detection uses
- anomalous login activity
- Anomalous blocking by firewalls
- Anomalous denied access events
How to tell if a Windows Core Process is legitimate?
- expected parent process spawn it?
- running out of the expected path?
- spelled correctly?
- running under the proper SID?
- signed by Microsoft?
What is SMSS.EXE? Known as the Session Manager.
Responsible for creating new sessions.
smss.exe
- Executable path?
- Parent Process?
- Username?
- Base Priority?
- Time of Execution?
Executable Path: %SystemRoot%\System32\smss.exe
Parent Process: System
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 11
Time of Execution: For Session 0, within seconds of boot time
What's the function of CSRSS.EXE (Client/Server Runtime Subsystem Process)?
- managing processes and threads
- making Windows API available for other processes
- mapping drive letters, creating temp files
- handles the shutdown process
CSRSS.exe
- Executable path?
- Parent Process?
- Username?
- Base Priority?
- Time of Execution?
Executable Path: %SystemRoot%\System32\csrss.exe
Parent Process: Created by a child instance of SMSS.EXE, but that process will have exited, so it will appear to have no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: For Sessions 0 & 1, within seconds of boot time
What is Baselining?
A file that will be used for comparisons against current settings and/or configurations.
Compare the current state of a machine, file system, etc. against the baseline to determine anything out of place.
Tools for monitoring unauthorized changes to files?
- TripWire
- SolarWinds
- AlienVault
- TrustWave
- LogRhythm
Baselining Tools?
- System Center Configuration Manager (SCCM)
- Powershell (Desired State Configuration feature)
- cmdlets: Compare-Object, Get-Service, Get-Process
- Microsoft Security Compliance Manager (SCM)
Same as Puppet, Ansible, or Chef
What should be baselined?
• Accounts on a system (user or service)
• Local administrators on a system
• Folder permissions
• Folders contents
– Tasks folder (scheduled tasks)
– Network folders containing internal install executables & files
How is Malware Delivered?
- Physical media
- Email (attachments)
- URL links
- Drive-by downloads
- Web advertising
- Social media
- File shares
- Software vulnerabilities
What are the Malware Evasion Techniques?
- Alternate Data Streams
- Injections
- Masquerading
- Packing/Compression (Yoda Packer and UPX)
- Recompiling
- Obfuscation
- Anti-reversing Techniques
How are Alternate Data Streams created and viewed?
Create Streams by:
- CreateFile Windows API
- WriteFile Windows API
To View ADS
Streams (Sysinternals) or PowerShell's Get-Item cmdlet
Examples of Injections and how they work?
- DLL Injection (Windows API CreateRemoteThread()) + others
- Reflective DLL Injection (Metasploit, PowerShell Empire, C/C++)
- PE Injection
- Thread Hijacking
What are anti-reversing techniques and how do they work?
- Detect that malware is being run in a virtual machine
- Detect that a debugger is attached to the malware
- Junk code can be inserted into the malware as misdirection
Examples of Malware Persistence?
- Autostarts
- Scheduled Task
- COM Hijacking
- DLL Hijacking
- Windows Services
Autostart Locations?
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
To find Autostart locations: AutoRuns - SysInternals
Examples of DLL Hijacking?
- Search Order
- Phantom DLL
- Side Loading
Examples of Windows Services?
- Service Creation (created by the "sc" command)
- Service Replacement
- Service Recovery
Malware Detection Tools?
PE Capture
ProcScan
Meterpreter Payload Detection
Reflective Injection Detection
Detection Techniques?
- Fuzzy Hashing (Used by VirusTotal)
- Import Hashing (Used by VirusTotal)
- Execution Tracing
Memory Analysis Tools?
- Mandiant's (FireEye) Redline
- Volatility
Windows Event Logs path?
%SYSTEMROOT%\System32\Winevt\Logs
Event log location in the registry?
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
Why are event logs important?
• logons that failed or that were successful.
• changes to user permissions.
• system services that were created, started, or stopped.
• changes to the audit policy.
• specific application usage.
• events generated by installed applications, such as AV.
What is done if the event information is not clear?
Events and Errors Message Center
Windows Event IDs that should be monitored?
Hunting Suspicious Accounts - Event ID 4720 (Account Created)
• 4624 (successful logon)
• 4648 (logon using explicit credentials)
• 4625 (failed logon)
• 4634 (successful logoff)
• 4647 (user initiated logoff)
Windows Event Logs Hunting Events?
- Suspicious Account Events
- Password Attacks
- Golden Ticket (Kerberos)
- RDP Sessions
- Scheduled Tasks
- Service Creation
- Log Rotation Clearing
- PsExec
Windows Event Logs logging tools?
- Sysmon (sysmonconfig-export.xml from SwiftOnSecurity)
- SIEM
Tasks?
- Conduct basic static analysis of a Meterpreter reverse shell (binwalk, ExifTool, and md5deep on Kali Linux) on some malware found on the internal network (analyze and classify malware)
Where do Behavioral Detection and Machine Learning fail?
When trusting/benchmarking an already compromised environment.