Threat Hunting Section 5 Flashcards

1
Q

Things to consider when determining what level of risk exists:

A
  1. How can the attack be performed? (Can it be performed against our current configurations?)
  2. What is the potential impact to the confidentiality, integrity, and availability (CIA) of the data?
  3. How likely is the risk to occur? (How exploitable is it?)
  4. What mitigations are in place? (If controls that prevent the vulnerability from being exploited are already in place, the risk is effectively mitigated.)
2
Q

Threat modeling

A

the process of identifying and assessing the possible threat actors and
attack vectors that pose a risk to the security of an app, network, or other system

3
Q

When conducting threat modeling, whose POV are you evaluating the system from?

A

Both the defender’s and the attacker’s POV: you evaluate the system from the inside out and from the outside in.
▪ Doing this shows you where your systems are vulnerable and what type of mitigations you need to put in place.

4
Q

What are the main areas to consider when conducting threat modeling?

A
  1. Adversary Capability
  2. Attack Surface
  3. Attack Vector
5
Q

Adversary Capability

A

▪ a formal classification of the resources and expertise available to a threat actor

6
Q

Types of capabilities (main types and additional considerations)

A
  1. Acquired and augmented
  2. Developed
  3. Advanced
  4. Integrated
    Additional considerations: 1. Likelihood - the chance of a threat being realized (usually expressed as a percentage) and 2. Impact - the cost of a security incident or disaster scenario (usually expressed as a dollar amount)
7
Q

What does "acquired and augmented" mean in threat modeling?

A

The actor uses commodity malware and open-source tools and techniques.

8
Q

What does "developed" mean in threat modeling?

A

The actor can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution.

9
Q

What does "advanced" mean in threat modeling?

A

The actor can exploit supply chains and introduce vulnerabilities early in the lifecycle, so you may never know they are inside your systems.
*This is especially true of nation states, which take an integrated approach: they combine cyber and non-cyber methods to achieve their goals.

10
Q

Attack surface

A

▪ The points at which a network or application receives external connections or inputs/outputs; each one is a potential vector to be exploited by a threat actor.

11
Q

What are some examples of an attack surface?

A
  1. The holistic network - switches, routers, computers, everything that makes up your corporate data network.
  2. Websites or cloud services - things an end user could attack, either through the web front end or programmatically through the API.
  3. Custom software applications - customizations frequently introduce vulnerabilities that need to be considered when they are deployed.
12
Q

Attack Vector

A

▪ a specific path by which a threat actor gains unauthorized access to a system.

13
Q

Name 3 Attack Vector types

A
  1. Cyber - using hardware or software against an IT system.
  2. Human - using social engineering to conduct the attack through coercion, impersonation, or even force.
  3. Physical - gaining local access by being on-premises and physically interacting with the system.
14
Q

How is risk assessed?

A

By combining the likelihood of an event with the impact of that event (risk = likelihood × impact).

15
Q

Threat Hunting

A

A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring. (It is proactive, whereas incident response is reactive.)

16
Q

What are the steps of threat hunting?

A
  1. Establish a hypothesis
  2. Profiling Threat Actors and Activities
17
Q

Establishing a hypothesis is derived from..

A

threat modeling, and is based on the potential events with the higher likelihood and the higher impact if they were to occur.
o We ask questions like ‘who might want to harm us?’ and ‘who might want to break into our networks, and how might they be able to do that?’
o By going through our threat intelligence, we can form a good hypothesis about what type of campaign or what type of adversary group might want to do us harm.

18
Q

Profiling Threat Actors and Activities involves..

A

the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be. (We rely heavily on threat intelligence here.)
o We ask questions like ‘what TTPs might they use?’ and ‘are they an insider, a hacktivist, a nation state, or an APT?’

19
Q

What can we start determining from profiling threat actors and activities

A

what their objectives might be and what systems they might be going after.

20
Q

What does threat hunting rely on

A

the use of the tools developed for regular security monitoring and incident response.
▪ We analyze logs, process information, and file system and registry changes from all the different hosts. Generally, all of that information is consolidated for us inside a SIEM.

21
Q

What are we looking for when we are threat hunting?

A

the things that are not detected: activity that has bypassed the rules, and queries that are not returning the data we expected.
o When you are threat hunting you need to assume that the existing rules have failed.

22
Q

Example of a process for threat hunting

A
  1. Analyze network traffic - determine whether there is traffic to a suspicious or malicious domain or C2 server, based on our threat research and reputation database.
  2. Analyze the executable process list - see what programs and services are running and which of them opened that network connection. Are these valid connections or something suspicious?
  3. Analyze other infected hosts - to find similarities between them.
  4. Identify how the malicious process was executed - what allowed it to start, and is there a way to block that attack vector against future compromises?
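The four-step process above, carried through as an added Python example (written for this page, not code from the flashcards or from any SIEM vendor). It runs over a constructed SIEM export of three event types; the field names, hostnames, IPs and the reputation list are all made up, and the one bad domain resolves to 203.0.113.7, a documentation address.

```python
import re
from collections import defaultdict

# Constructed reputation list; stands in for the threat-intel / reputation database.
BAD_DOMAINS = {"update-cdn.example-bad.net"}

# Constructed SIEM export. The field names are assumptions, loosely modelled on
# Sysmon event 22 (DNS query), event 3 (network connection) and event 1 (process create).
EVENTS = [
    {"type": "dns",  "host": "ws-101", "query": "www.python.org",             "answer": "151.101.1.168"},
    {"type": "dns",  "host": "ws-101", "query": "update-cdn.example-bad.net", "answer": "203.0.113.7"},
    {"type": "dns",  "host": "ws-205", "query": "update-cdn.example-bad.net", "answer": "203.0.113.7"},
    {"type": "conn", "host": "ws-101", "pid": 880,  "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "151.101.1.168", "dst_port": 443},
    {"type": "conn", "host": "ws-101", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"type": "conn", "host": "ws-205", "pid": 5212, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"type": "proc", "host": "ws-101", "pid": 880,  "image": r"C:\Program Files\Browser\browser.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "host": "ws-101", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "proc", "host": "ws-205", "pid": 5212, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

USER_DIR = re.compile(r"(?i)^c:\\users\\[^\\]+\\")


def normalize_path(path):
    """Collapse the per-user directory and case so the same binary on two hosts compares equal."""
    return USER_DIR.sub(lambda m: "C:\\Users\\*\\", path).lower()


def step1_bad_resolutions(events, bad_domains):
    """Step 1: DNS answers for domains on the reputation list -> {resolved_ip: {domains}}."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "dns" and e["query"].lower() in bad_domains:
            hits[e["answer"]].add(e["query"].lower())
    return dict(hits)


def step2_owning_processes(events, bad_ips):
    """Step 2: which process on which host opened a connection to one of the bad IPs."""
    return [(e["host"], e["pid"], e["image"])
            for e in events if e["type"] == "conn" and e["dst_ip"] in bad_ips]


def step3_shared_traits(process_hits):
    """Step 3: image paths that appear on more than one affected host -> {image: {hosts}}."""
    hosts_by_image = defaultdict(set)
    for host, _pid, image in process_hits:
        hosts_by_image[normalize_path(image)].add(host)
    return {img: hosts for img, hosts in hosts_by_image.items() if len(hosts) > 1}


def step4_execution_chain(events, host, pid):
    """Step 4: what started the process (its parent image), so the vector can be blocked."""
    for e in events:
        if e["type"] == "proc" and e["host"] == host and e["pid"] == pid:
            return e["parent_image"]
    return None


def hunt(events, bad_domains):
    """Run the four steps and return the findings plus a candidate new detection."""
    bad_ips = step1_bad_resolutions(events, bad_domains)
    procs = step2_owning_processes(events, set(bad_ips))
    shared = step3_shared_traits(procs)
    parents = {(h, p): step4_execution_chain(events, h, p) for h, p, _ in procs}
    # What the existing rules missed: an Office process spawning a binary in a user
    # Temp directory that then calls out. That pairing is the rule to write next.
    office_spawned = sorted({normalize_path(img) for h, p, img in procs
                             if parents[(h, p)] and "office" in parents[(h, p)].lower()})
    return {"bad_ips": bad_ips, "processes": procs, "shared_images": shared,
            "parents": parents, "candidate_rule_images": office_spawned}


if __name__ == "__main__":
    for key, value in hunt(EVENTS, BAD_DOMAINS).items():
        print(f"{key}: {value}")
```

Steps 1 and 2 join the DNS answer to the connection and then to the owning process; step 3 normalizes paths so the same dropper under two users' profiles compares equal; step 4 returns the parent. The last field of the report is the feedback loop card 24 describes: the pairing (Office parent, executable in a Temp directory, outbound connection to a listed IP) that no existing rule fired on becomes the next detection rule.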
23
Q

What benefits can come from threat hunting?

A
  1. Improve detection capabilities.
  2. Integrate Intel
  3. Reduce attack surface
  4. Block attack vectors
  5. ID Critical assets
24
Q

How does threat hunting improve detection capabilities

A

When we find the way an attacker got in and bypassed detection, we feed that information back into the detection plan and rewrite the rule sets and detection algorithms, adding scripting and customizations where needed so that the activity is detected more accurately. In this way the results of threat hunting improve your signature-based detection and prevent future infections.

25
Q

How does threat hunting help integrate intel?

A

Threat hunting is a great use case for correlating the external threat intel you receive with what you see in your internal logs and other sources. By putting those two things together, you have actionable intelligence.

26
Q

How does threat hunting reduce the attack surface

A

As you threat hunt, you identify the parts of the attack surface through which an attacker may have gotten into your network. Based on that you can go back and reduce the attack surface.

27
Q

How does threat hunting help you block attack vectors

A

You better understand the attack vectors and the TTPs that attacker is using, and you can then add security controls to block those ports or interfaces.

28
Q

How does threat hunting help you ID critical assets

A

As you threat hunt, you see which assets attackers tend to go after and what the best defenses for those critical systems and data assets are.

29
Q

Open-source Intelligence (OSINT)

A

▪ Publicly available information plus the tools used to aggregate and search it

30
Q

OSINT can allow an attacker to develop any number of strategies for compromising a target. Name a few places they could find info to leverage

A

Publicly Available Information, Social Media, Dating Sites, HTML Code, Metadata

31
Q

What might an attacker find in your HTML code?

A

Lots of information: IP addresses, web server names, the OS versions in use, file paths, and the names of people who work there (developers, admins, and so on).
▪ From this you can learn a lot about the organization, its capabilities, its practices, and its security posture.

32
Q

why might metadata be important to an attacker?

A

If you publish a Word document or an Excel spreadsheet to your website, there is metadata inside it (author, company, application version, and so on). By going through that metadata an attacker can collect a lot of information, start fingerprinting you, and work out exactly which documents belong to your company when searching more widely across the Internet.

33
Q

Google hacking

A

An open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications.

34
Q

What are some google hacking methods?

A
  1. Quotes " " - make a search more precise (exact phrase)
  2. NOT (or a leading minus sign, -term) - used to exclude results
  3. AND/OR - combine terms or accept either of them
  4. Scope - keywords that narrow the search, such as site:, filetype:, related:, allintitle:, allinurl:, or allinanchor: (e.g. filetype:pdf)
  5. URL modifiers - can be appended to the results page URL to affect the results, such as &pws=0 (no personalization), &filter=0 (do not hide near-duplicate results), and &tbs=li:1 (verbatim search)
35
Q

What is this google search saying: https://www.google.com/search?q=*%40diontraining.com

A

Google interprets this as @diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded (percent-encoded) form of the @ symbol. The * is a wildcard meaning that any text could appear in its place. This type of search could provide an attacker with email addresses associated with diontraining.com, which could then be used as part of a spear-phishing campaign.
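The operator list from card 34 and the URL from card 35, worked as an added Python example (written for this page, not taken from the flashcards or from Google's documentation). build_dork composes a query from those operators and percent-encodes it the way the browser would; explain_dork reverses the process on a search URL such as the one above. self_assessment_dorks is a hypothetical starter set a defender might run against their own domain; the domain and the choice of checks are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

GOOGLE_SEARCH = "https://www.google.com/search"


def build_dork(terms=(), phrases=(), exclude=(), site=None, filetype=None, modifiers=None):
    """Compose a query from the operators on the cards and return the full search URL.

    terms         - plain keywords
    phrases       - wrapped in quotes for exact-phrase matching
    exclude       - prefixed with '-' to drop results containing the term
    site/filetype - scope operators
    modifiers     - extra URL parameters such as {"filter": 0, "pws": 0, "tbs": "li:1"}
    """
    parts = list(terms)
    parts += [f'"{p}"' for p in phrases]
    parts += [f"-{e}" for e in exclude]
    if site:
        parts.append(f"site:{site}")
    if filetype:
        parts.append(f"filetype:{filetype}")
    params = {"q": " ".join(parts)}
    params.update(modifiers or {})
    return f"{GOOGLE_SEARCH}?{urlencode(params)}"   # urlencode percent-encodes '@', '"', ':' and spaces


def explain_dork(url):
    """Reverse direction: recover the decoded q= value and any URL modifiers from a search URL."""
    params = parse_qs(urlsplit(url).query)          # parse_qs undoes the percent-encoding
    return {"q": params.get("q", [""])[0],
            "modifiers": {k: v[0] for k, v in params.items() if k != "q"}}


def self_assessment_dorks(domain):
    """Hypothetical starter set for checking your own domain's exposure (the four checks
    below are an assumption about what a defender would run first)."""
    return {
        "email_addresses": build_dork(terms=[f"*@{domain}"], modifiers={"filter": 0}),
        "office_documents": build_dork(site=domain, filetype="xlsx"),
        "directory_listings": build_dork(phrases=["index of"], site=domain),
        "login_pages": build_dork(terms=["inurl:login"], site=domain, exclude=["blog"]),
    }


if __name__ == "__main__":
    print(explain_dork("https://www.google.com/search?q=*%40diontraining.com"))
    for name, url in self_assessment_dorks("example.com").items():
        print(f"{name}: {url}")
```

The same encoding rule that turns @ into %40 turns the quotes of an exact phrase into %22 and the colon of site: into %3A, so a URL pasted from a browser can be read back with explain_dork before deciding whether it is an attacker's reconnaissance query.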

36
Q

Shodan (shodan.io)

A

a search engine optimized for identifying vulnerable Internet-attached devices.
▪ You can search for thermostats, webcams, ICS and SCADA devices, and any other kind of Internet-connected device. Shodan does this by routinely scanning the entire Internet and banner grabbing to identify the device type, firmware, OS, and applications in use. If those are vulnerable, that gives an attacker a place to start.

37
Q

Email harvesting

A

An Open-Source Intelligence (OSINT) technique used to gather email addresses for a domain.
You can put an email address into Google and the search results may show others who work at the company. Email lists can also be bought from spammers or from legitimate sites as sales leads.
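Cards 31, 32 and 37 (HTML source, document metadata, email harvesting) served by one added Python example, written for this page rather than taken from the flashcards or from any OSINT tool. The page source and the .docx are constructed inline: every address, hostname, path and name in them is invented. Only the standard library is used; the XML namespaces are the ones Office writes into docProps/core.xml and docProps/app.xml.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)

# Constructed page source; every address, host and path here is made up.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="Example CMS 4.2.1">
<!-- TODO(jane.doe@example.com): move uploads to /var/www/intranet before web01.corp.example.com is retired -->
</head><body>
<p>Contact <a href="mailto:Webmaster@example.com">the webmaster</a> or sales@partner.example.org</p>
</body></html>"""


def harvest_html(html, domain):
    """Pull addresses for one domain, developer comments and the generator tag out of page source."""
    emails = sorted({m.lower() for m in EMAIL_RE.findall(html) if m.lower().endswith("@" + domain)})
    comments = [c.strip() for c in COMMENT_RE.findall(html)]
    gen = GENERATOR_RE.search(html)
    return {"emails": emails, "comments": comments, "generator": gen.group(1) if gen else None}


# A .docx is a zip; docProps/core.xml (author, last editor) and docProps/app.xml
# (application, version, company) are the parts that fingerprint the organization.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def make_sample_docx(creator, last_modified_by, company):
    """Build a minimal in-memory .docx carrying only the two metadata parts (constructed test input)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app = (f'<Properties xmlns="{NS["ep"]}">'
           "<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>"
           f"<Company>{company}</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def docx_metadata(data):
    """Read the fingerprinting fields from a .docx given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))

    def text(root, tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "application": text(app, "ep:Application"),
        "app_version": text(app, "ep:AppVersion"),
        "company": text(app, "ep:Company"),
    }


if __name__ == "__main__":
    print(harvest_html(SAMPLE_HTML, "example.com"))
    print(docx_metadata(make_sample_docx("Jane Doe", "svc-docs", "Example Corp")))
```

Pointed at a real download directory the docx_metadata loop is the defender's version of the attacker's sweep: run it over everything you publish and strip the fields before upload (Office's "Inspect Document" does the same by hand).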

38
Q

Three OSINT sites attackers use to do the aggregation for them and build profiles on users:

A

▪ Pipl.com
▪ Peekyou.com
▪ Echosec.net

39
Q

What is theHarvester?

A

A command-line tool used by penetration testers to gather subdomains and email addresses for an organization during reconnaissance, typically to support a follow-on social engineering attack.

40
Q

Name some harvesting techniques

A
  1. whois
  2. DNS Zone Transfer
  3. DNS Harvesting
  4. Website harvesting
41
Q

whois

A

A public listing of registered domains and their registered administrators (contact details are often redacted or hidden behind a privacy service today).

42
Q

DNS Zone Transfer

A

a method of replicating DNS databases (zones) across a set of DNS servers. It is often abused during the reconnaissance phase of an attack, because a successful transfer hands the attacker every record in the zone.

43
Q

DNS zone transfers can only be successful if…

A

your DNS server is misconfigured to answer AXFR (zone transfer) requests from any client instead of only from its own secondary servers.
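The check behind cards 42 and 43, as an added Python example (not from the flashcards): it builds a raw AXFR query with the standard library, sends it over TCP, and reads the response code. zone_transfer_allowed needs a network and an authoritative server for a zone you administer; the packet builder and header parser work offline. The server and zone names in the usage line are placeholders.

```python
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(zone):
    """Wire-format a name: each label length-prefixed, terminated by a zero-length label."""
    labels = zone.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (flags 0: standard query) followed by one question of type AXFR."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qdcount, ancount, nscount, arcount
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_response_header(msg):
    """Return (rcode name, answer count) from the header of a DNS message."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), an


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def zone_transfer_allowed(server, zone, port=53, timeout=5.0):
    """Live check (needs network): ask `server` for `zone` over TCP, which AXFR requires.
    A correctly configured server answers REFUSED or NOTAUTH to a client that is not one of
    its secondaries; a misconfigured one replies NOERROR with records, starting with the SOA.
    Only the first response message is inspected; a full transfer continues until the closing SOA."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)      # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        msg = recv_exact(s, length)
    rcode, answers = parse_response_header(msg)
    return rcode == "NOERROR" and answers > 0, rcode, answers


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                                  # placeholders: ns1.example.com example.com
        allowed, rcode, answers = zone_transfer_allowed(sys.argv[1], sys.argv[2])
        print(f"{sys.argv[2]} @ {sys.argv[1]}: rcode={rcode} answers={answers} transfer_allowed={allowed}")
```

Run it only against zones you administer. A NOERROR answer with records means the server hands the whole zone to anyone who asks; the fix is to restrict transfers (BIND's allow-transfer, or the equivalent on your platform) to the secondaries' addresses or to a TSIG key.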

44
Q

DNS harvesting

A

Using Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on

45
Q

Website harvesting

A

▪ A technique used to copy the source code of website files so they can be analyzed for information and vulnerabilities.
▪ You can use a website copier or website ripper to download the site to your local machine and then take your time going through the application offline.

46
Q

AbuseIPDB

A

a community-driven database that keeps track of IP addresses reported for abusive behavior.

47
Q

What are some benefits of using AbuseIPDB for organizations?

A

▪ It enables the organization to take a proactive approach to its cybersecurity.
▪ The database is constantly being updated with new information from a global community of users.
▪ The organization can also check the IP addresses in its logs against AbuseIPDB to flag suspicious activity.
▪ Individuals can also benefit by using this database.

48
Q

Is the info in AbuseIPDB considered 100% reliable?

A

No. It is important to combine AbuseIPDB with other security measures: the reports are community-submitted, and the database is constantly being updated with new information.

49
Q

What parts of the internet are not easily accessible through traditional search engines?

A

the deep web and the dark web.

50
Q

Deep web

A

The portion of the Internet not indexed by search engines (such as Google and Bing): private databases, subscription-based websites, and other content that is not publicly accessible.

51
Q

What are the following things considered to be a part of?
▪ Medical and Scientific Research
▪ University Libraries
▪ Government Databases

A

The deep web

52
Q

Is the majority of the info on the deep web considered to be illegal?

A

The deep web can contain sensitive information that is not meant to be searchable by the general public and the majority of it is NOT considered illegal, malicious or nefarious.

53
Q

How can the deep web help us?

A

▪ Helps gather intelligence on potential threats.

54
Q

Dark web

A

A specific part of the deep web that is used for illegal activities, such as the buying and selling of drugs, weapons, and stolen personal information (credit card data, for example).

55
Q

The dark web is associated with..

A

anonymity and encryption, which allow people to hide their location and their activity whenever they use the dark web and help conceal those activities from law enforcement and other authorities.

56
Q

What is the dark web considered?

A

a criminal haven and a high-risk area where hacking and illicit activities occur.

57
Q

How do you access the dark web?

A

Accessing the dark web requires specialized software such as Tor (The Onion Router) and knowledge of how to navigate it. You also need to take extensive security measures to protect your identity and location when using it.

58
Q

Accessing the dark web without proper knowledge and precautions can….

A

put the user at risk of encountering illegal activities, malware, or being targeted by cyber criminals. The dark web was never designed to be used by general users.

59
Q

How can a cyber security professional use the deep web and the dark web to better protect their enterprise networks?

A
  1. As a source of information to gather intel on potential threats, in order to develop more effective security strategies and improve the overall security of the enterprise network.
  2. To monitor for stolen data or information related to their organization and take appropriate action.
  3. To track the prices and availability of tools and services commonly used in cyber attacks.
  4. To track the activities of known or suspected cybercriminal groups and identify patterns or trends in their methods and techniques, which are then used to develop more effective defenses.
60
Q

Bug bounty

A

a way for companies to crowdsource security testing of their software, services, and applications in order to identify and address potential security issues.