Cyber Threat Hunting Day 5 - WQA

Cyber Threat Hunting
Capstone
Training Day 5
1/10/2021 Blue Team Jakarta, Indonesia 1

Training Agenda
• Threat Hunting Philosophy • Detection Engineering
• Threat Hunting Methodology • Endpoint and Network Threat
• Threat Hunting Maturity Model Hunting
• Threat Hunting People, • Cyber Threat Intelligence
Process, Tools & Technology • Adversaries TTPs
• Threat Hunting Framework • Creating Hypothesis for Threat
• Pyramid of Pain Hunting
• Cyber Kill Chain • Threat Hunting Use Case
• MITRE ATT&CK • Threat Hunting Exercise &
Hands On Lab

Threat Hunting Philosophy
• Threat hunting is a Proactive cyber defense approach. Threat hunting processes perform
proactive and iterative discovery through networks, endpoints, and other infrastructure to
detect and respond to cybersecurity threats that sometimes evade existing security
solutions.
https://twitter.com/Rcfontana/status/1262407505776381952

Threat Hunting Philosophy
• Threat hunting is an proactive cyber defense activity. It is "the

process of proactively and iteratively searching through networks to
detect and isolate advanced threats that evade existing security
solutions."
• This is in different to traditional threat management measures, such
as firewalls, intrusion detection systems (IDS), malware sandbox
(computer security) and SIEM systems, which typically involve an
investigation of evidence-based data after there has been a warning
of a potential threat.

Threat Hunting Principle
• Presumptions of Compromise :
Your prevention technology
will eventually fall or have
already failed without your
knowledge. With Adoption
Assume breach mentality will
increase your awareness of
compromised assets
https://www.clearnetwork.com/cyber-threat-hunting-what-why-
and-how/

Threat Hunting Benefit
• Finding adversaries who have • Supports faster and early

gotten past your current detection of potential
security protection compromise
• Continuous improvement of • Increasing awareness of your
your detection capabilities environment and attack
• With your existing technology, surface
you can not have oversight of • One of method to improve
everything that’s happening, your data collection
at this point threat hunting
help your organization

Sec Mon vs Threat Hunting vs DFIR
Digital
Security Threat Forensic &
Monitoring Hunting Incident
Response

Threat Hunting Vs Alert Based Investigation
Source : https://2016.zeronights.ru/wp-content/uploads/2016/12/ZN16-KHS-Th_Soldatov.pdf

Reactive vs Proactive SOC

Threat Hunting vs Compromise Assessment
• What is the Main Differences Between Threat Hunting and

Compromise Assessment?
• Basically Threat Hunting and Compromise Assessment is a same
activity, but the main difference are :
✓Situation & Condition : TH -> Assuming Compromise will
happen ; and CA -> Compromise is Already happened
✓Location & Object : TH -> All Object Within Organization ; CA ->
Selected Network Segment / Zone Suspected for
Compromised Area
✓Actor (Who performed the activities?) : TH -> Empowered SOC
Team (part of SOC Team) ; CA -> Mostly from DFIR Team

Hunting VS Reactive Response
Hunting Organization Reactive Organization
• Actively looking for Incidents • Incident Starts when

✓Known malware and notification comes in
variant ✓Call from government agency
✓Patterns of activity : evil vs ✓Vendor / threat information
normal
✓Threat Intelligence ✓(NIDS, SIEM, Firewall, etc) Alert

Where Does Threat Hunting Fits

BUILDING AND MATURING
THREAT HUNTING
PROGRAM

{People, Process, Technology} Involvement (1)
▪ People {Threat Hunters}

▪ Who will do the threat hunting? {Dedicated / Outsourced / Hybrid /
Adhoc} ?
▪ What Skillset need to fulfilled for threat hunting team?
▪ KPI Metrics for Threat Hunting Team
▪ Which part of organization is Threat Hunting Team?
▪ Threat Hunting Process
▪ Threat Hunting Framework : {MITRE ATT&CK, Cyber Kill Chain,
Diamond Model of Intrusion Analysis}
▪ Threat Hunting Life Cycle {Explained in Separate Slide}
▪ Threat Hunting Maturity Level Assessment : {Hunting Maturity
Model, Hunting Immaturity Model}
▪ Use Case Development for Hunting

{People, Process, Technology} Involvement (2)
▪ Technology Stack for Threat Hunting

▪ Detection Engineering / Data Source Telemetry : {Endpoint,
Network, Contextual Data (Threat Intelligence, User Activity and
Behavior, Vuln Mgmt Program)}
▪ Threat Hunting Platform and Tools : {Commercial Platform, Open
Source Hunting Tools}
▪ Apps / Tools / Services for Enrichment the Hunting Analysis

PEOPLE {THREAT
HUNTERS}

People - Threat Hunter Skillset (1)
• Analytical Mindset : Having a • Network Architecture:

mindset of curiosity, Ability to understanding how computer
generate and investigate networks work, OSI Layer, knowledge
hypotheses. As an analyst, it’s of TCP/IP, knowledge of basic
increasingly important to be specific protocols (DNS, DHCP, HTTP, SMTP,
in what questions you’re looking to FTP, SMB);
answer during threat hunting. • Attack Methods/TTPs / Attack Life
• Operating System : Knowledge of Cycle : Knowledge of specific attack
Operating System internals, OS vectors, understanding how an
security mechanisms, knowledge of attacker attempts to penetrate your
typical security issues of different network, which attack vectors and
operating systems, tools he/she can use on different
attack stages;

People - Threat Hunter Skillset (2)
• Log Analysis : knowledge of different log • Malware Analysis : Malware analysis a

sources and event types generated by highly specialized skill that aims to
different sources, the ability to analyze determine the origin and purpose of an
logs for anomalies and pivot between identified instance of malware.
data sources to see the big picture;
• Tools for Threat Hunting : Understand
• Network Analysis : the ability to read how to use security analytics platform
and understand packet capture data and (e.g. ELK) and SIEM, how to use packet
determine the malicious nature of sniffer, how open PCAP, how to see and
network traffic; export logs in OS, how to collect logs
from different source, etc
• Cyber Threat Intelligence : Having a skill
and knowledge to leverage threat
intelligence for threat hunting purposes,
always seek for new information from
threat intelligence report,

Threat Hunting Maturity Model
https://hodigital.blog.gov.uk/wp-content/uploads/sites/161/2020/03/Detecting-the-Unknown-A-Guide-to-Threat-Hunting-v2.0.pdf

Threat Hunting KPI Metrics
SANS Whitepaper : Building and Maturing Threat Hunting Program

https://www.sans.org/media/analyst-program/building-maturing-threat-hunting-program-39025.pdf

Threat Hunting Framework : Pyramid of Pain
David Bianco Pyramid of Pain

Source : https://www.slideshare.net/KatieNickels/putting-mitre-attck-into-action-with-what-you-have-where-you-are

Pyramid of Pain
• Pyramid of pain represents the usefulness

of your intelligence
• The higher of the stacks, the more

adversaries have to expend for the
resources.
• It also indicates to gather the artifacts or

threat intelligence from adversaries

Threat Hunting Framework : Cyber Kill Chain
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-
chain.html
Threat Hunting Framework : MITRE ATT&CK
Threat Hunting Framework Based on MITRE ATT&CK Framework

• https://attack.mitre.org/
Sources : https://threatexpress.com/redteaming/mitre_attack/

MITRE ATT&CK Framework
• MITRE ATT&CK™ is a globally-accessible knowledge base of adversary

tactics and techniques based on real-world observations. The
ATT&CK knowledge base is used as a foundation for the
development of specific threat models and methodologies in the
private sector, in government, and in the cybersecurity product and
service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve

problems for a safer world — by bringing communities together to
develop more effective cybersecurity. ATT&CK is open and available to
any person or organization for use at no charge

Sources : https://attack.mitre.org/matrices/enterprise/

MITRE ATT&CK Matrix
How to Read It?
❖ Tactics across the top

✓ What technique accomplish

MITRE ATT&CK Matrix
How to Read It?
❖ Technique for each column

✓ The way adversaries accomplishing
the tactics
✓ Same Technique can be in different
Tactics

Tactic Vs Technique
Tactic : The What” Technique : The How”
Reconnaissance Active Scanning
Resource Development Compromise Account
Initial Access Drive by Compromise
Execution Command and Scripting Interpreter

MITRE ATT&CK Use Case
▪ ATT&CK can help you create a threat-informed defense

▪ Do what you can, with what you have, where you are:
- Detection
- Assessment and Engineering
- Threat Intelligence
- Adversary Emulation
- Threat Hunting
▪ Choose a starting point that works for your team

THREAT HUNTING
TECHNOLOGY STACK

Detection Engineering
Detection engineering is a set of practices and systems to deliver

modern and effective threat detection.
When building a solid detection engineering, the main goal is
to catch malicious things and to not catch too
many not malicious things. If the detection system interrupt an analyst’s
activities because calling attention to things that are not malicious, then
you’re creating more work for the analysts.
Detection products only create value
by detecting things that are truly bad, and most detection products lean
towards detecting more activity so as to not miss anything.

Log Sources

Data, Data, Data, Data, Data …..

Detection Engineering
Source : Fidelis Cyber Security and Vector8 About Data Source Spectrum

Example of Data Sources from Endpoint
Type of Data Description Tools
Operating System logs Useful Data sources. By Default capabilities for each Built in Function from OS
OS.
Process Activity Process start, DLL libraries loading, Process install Sysmon (Windows)
driver, Process perform code injection, Process open Auditd (Linux)
port for incoming network connections, connections, Osquery
Process initiate network connection, Process Endpoint Detection Response
create/change file, Process create/change registry Operating System Logs
key/value
Volatile Artifacts Temporary artifact collected from endpoint data Winpmem, Comae, (for Collecton)
sources for the purposes of hunting that might not EDR
touch the disk on the host Volatility
Data Collection : Memory, Network Conn, Process Google Rapid Response (GRR)
Conn, Velociraptor
Non-Volatile Artifacts Artifacts that resides on the endpoint / host disk. Brimorlabs
Data Collection : Prefetch, Amcache, Shimcache, MFT, KAPE
Registry, bash_history, Task Scheduler Kansa
FastIR Collector

Example of Data Sources from Network
Type of Event Description Tools
Netflow Network traffic flow metadata. NetFlow data is analyzed to create a picture of Silk
network traffic flow and volume. used as a network traffic analyzer to determine Nfsen & Nfdump
its point of origin, destination, volume and paths on the network
Packet Capture Packet Capture is a networking term for intercepting a data packet that is Moloch,
crossing a specific point in a data network. Once a packet is captured in real- Tcpdump,
time, it is stored for a period of time so that it can be analyzed, and then either Wireshark,
be downloaded, archived or discarded. tshark
Network IDS A network-based intrusion detection system (NIDS) detects malicious traffic on Snort, Suricata
a network. NIDS usually require promiscuous network access in order to analyze Bro
all traffic Commercial NIDS
Product
Proxy Log Proxy server logs contain the requests made by users and applications on your Squid
network. This does not only include the most obvious part : web site request by Commercial Proxy
users but also application or service requests made to the internet (for example Product
application updates).
DNS Log One of the constantly re-occurring techniques is DNS-based activities like Passive DNS Log
exfiltration via DNS (Domain Name System) or C2 (Command and Control) DNS Server
communication via DNS. Still, a lot of companies are lacking in DNS logging,
missing DNS-based detection rules, or not aware of their own blindspots.
Data collected : DNS Server, DNS Collected from Network, Host Based (Sysmon
10),

Log Sources – Security Control
Network - based Security Controls
• Intrusion Prevention Systems (IPS)
• Next Generation Firewalls (NGFW)
• Web Application Firewalls (WAF)
• Network Access Control (NAC) solutions
• Web and Email Security Gateways
Host - based Security Controls

• Endpoint Detection and Response (EDR)
• Anti - malware Software
Physical Security Controls

• Camera Systems
• Biometric/card access readers
• Alarm systems

Log Sources - Network Infrastructure
• Network Infrastructure
• Routers
• Switches
• Wireless Access Points
• DNS server
• DHCP server

Log Sources – Host Operating Systems
• System Events
• Servise starts and stops
• System startup and shutdown
• Audit Records
• Authentication attempts
• Security policy changes
• Account changes
• Permission and privilege changes
• Use of privileges
• File accesses

Log Sources - Applications
• Email servers and clients
• Database servers and clients
• File servers and clients
• Web servers and browsers
• COTS applications :
• Supply Chain Management (SCM)
• Customer Relationship Management (CRM)
• Enterprise Resource Planning (ERP)
• Financial Management
• Custom - developed applications

Good Log Data - Quality and Performances Factors
Quality & Performances Factors : Missing Logs, Irrevent Logs,

Time Gap.

Deciding Log Sources and Details

Prioritizing Log Sources

Prioritizing Log Sources - Focus on Prevalent Data Sources

Prioritizing Log Sources - Focus on Class of Data or Product

Prioritizing Log Sources - Focus on Prevelant Adversary Techniques

Threat Hunting Technology Stack and Enrichment Tools
• SIEM
• Log Management / Analysis Platform {Elastic Stack, Graylog, etc}
• Network Detection Response
• Endpoint Detection Response
• X(Everyting) Detection Response
• Threat Intelligence Platform
• Threat Hunting Platform
• SANS Open Source Blue Team Tools
(https://www.sans.org/webcasts/faster-better-cheaper-improving-
security-operations-open-source-tools-112900)
• Github Awesome Threat Detection and Threat Hunting
(https://github.com/0x4D31/awesome-threat-detection)
Types of Threat Hunting
1. IOC Based Threat Hunting

2. Hypotheses Based Threat Hunting
3. Baseline Based Threat Hunting
4. Anomaly Based Threat Hunting

IOC Based Threat Hunting
• Hunting based on IOC collected from Threat Intelligence

• More like into Compromise Assessment
• Checking whether the IOC is present in the environment
• Checking on Specific Threat Actor or Specific Threat Intel Report

Hypotheses Based Threat Hunting
• Creating a hypotheses for certain TTPs

• e.g : Hypotheses for hunting on endpoint, hypotheses for hunting on
network,
• Leverage Framework such as MITRE ATT&CK Framework for creating
hypotheses on TTPs of Threat Actor
• Defining specific asset for hunting (such as Crown Jewel Asset)

Baseline Based Threat Hunting
• Detect something haven’t seen before based on baseline data in the

environment
• Needs larger set of data available about your infra for creating the
baseline
• Sometimes triggers lot of False Positives
• Quite effective to spot changes in your infra

Anomaly Based Threat Hunting
• Siting through the log data available for the threat hunters to spot
irregularities that might be malicious
• Additionally applying patterns on your infra
• Quite useful in Fraud detection

Threat Hunting Hypothesis

Hypotheses Creation Types
Intelligence Driven
• Base hypotheses on TTPs with further context provided by
assessments of the geopolitical and threat landscapes.
Situational Awareness
• Understand the environment, create a situational awareness, and
identify when it changes in some significant way.
Domain Expertise
• Each hunter has a unique set of experiences and skills that influence
hypothesis generation.

1. Create Hypotheses - Intelligence-Driven Hypotheses
• IOCs and TTPs

Best practice 1 : Avoid over-realince on IOCs. Use IOCs for
quick wins, then work to understand adversary TTPs.
Best practice 2 : Base hypotheses on TTPs with further
context provided by assessments of the threat and
geopolitical landscapes.
Example hypothesis : "I know that the Hafnium Group ia a
high-priority threat for my organization because of our
location and industry. If this threat actor is present in our
network, we should be able to detect evidence of multiple
techniques used by the Hafnium Group, consistent with their
known attact paths."

2. Create Hypotheses - Situational Awareness Driven Hypothesis
• Defenders must be aware of their environment.

• Identify when it changes significantly.
• Analysts can develop hypotheses about adversary activities that
might occur in their environment if they have situational
awareness.
Best practice 1 : Focus on the most important assets and
information – Crown Jewels Analysis (CJA).
Best practice 2 : Use information to keep up with rapidly changing
infrastructure, applications, and vulnerabilities.
Example hypothesis : I will limit my search just high-value targets
(crown jewels), such as the domain admin accounts. “If attackers
abuse domain admin credentials in our network, we should be able
to detect outliers like a spike in Domain Admin account logons."

3. Create Hypotheses - Domain Expertise Driven Hypothesis
• Domain expertise relates to the hunter's

experience
• Each hunter has a unique set of experiences and
skills.
• A good hunter should have knowledge of both
the organization's network and the threats faced
• Domain expertise can be viewed as both CTI and
situational awareness in a historical context.
• Experience often comes with an unwanted side
effect: bias.
• Hunters need to be aware of the cognitive biases to
ensure good decisions are made and accurate
conclusions are drawn.
Best practice : The use of models,such as the

Diamond Model of Intrusion Analysis, helps hunters
in structuring data to help overcome biases.

Example : Creating a Hypothesis Around a Threat Group
• Remember : Focus on the most likely threat actors first.

• Let's create an intelligence-driven hypothesis:
"According to a new threat intelligence, the MuddyWater APT group
is targeting telecommunication companies in Europe. So,
MuddyWater is a high-priority threat for my organization. If the
MuddyWater Group is present in our network, we should be able to
detect evidence of multiple techniques used by the MuddyWater
Group, consistent with their known attack paths."
• Note that we should know TTPs used by the MuddyWater
Group to test our hypothesis.

Threat Group - Finding TTPs
• We can use MITRE ATT&CK to identify techniques and tools

used by a threat group.
• MITRE ATT&CK Groups Page: https://attack.mitre.org/groups/
• ATT&CK also provides technique descriptions.
• Still, we need to search specific procedures used by the
Lazarus group

Threat Hunting Use Case

Endpoint Threat Hunting

Use Case 1 : Process Spawn cmd.exe
MITRE Reference : CAR-2013-02-003 https://car.mitre.org/analytics/CAR-2013-02-003/ : Processes
Spawning cmd.exe
• Hypothesis : The Windows Command Prompt (cmd.exe) is a utility that provides command line
interface to Windows operating systems. It provides the ability to run additional programs and
also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts
(.bat).
• Typically, when a user runs a command prompt, the parent process is explorer.exe or another
instance of the prompt. There may be automated programs, logon scripts, or administrative
tools that launch instances of the command prompt in order to run scripts or other built-in
commands. Spawning the process cmd.exe from certain parents may be more indicative of
malice.
• Example Use Case Hunting : if Adobe Reader or Outlook launches a command shell, this may
suggest that a malicious document has been loaded and should be investigated. Thus, by
looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.

Use Case 2 : RDP Activities
MITRE Reference: CAR-2016-04-005: https://car.mitre.org/wiki/CAR-2016-04-005
• Hypothesis: A remote desktop logon, through RDP, may be typical of a system

administrator or IT support, but only from select workstations.
• Monitoring remote desktop logons and comparing to known/approved originating
systems can detect lateral movement of an adversary.
• Example Use Case Hunting :
Looking for Successful RDP Login not from your Country GeoIP login and after office
hour

Use Case 3 : Stopping Windows Defensive Services
MITRE Reference: CAR-2016-04-003: https://car.mitre.org/wiki/CAR-2016-04-003
• Hypothesis: Spyware and malware remain a serious problem and Microsoft

developed security services, Windows Defender and Windows Firewall, to combat
this threat. In the event Windows Defender or Windows Firewall is turned off,
administrators should correct the issue immediately to prevent the possibility of
infection or further infection and investigate to determine if caused by crash or user
manipulation.
Antivirus services stopped not long after there is a successful logon from internal
network via network services

Use Case 4 : Task Scheduler
MITRE Reference:
CAR-2020-09-001 : Scheduled Task – FileAccess: https://car.mitre.org/analytics/CAR-2020-09-
001/
• Hypothesis: In order to gain persistence, privilege escalation, or remote execution, an

adversary may use the Windows Task Scheduler to schedule a command to be run at a
specified time, date, and even host. Task Scheduler stores tasks as files in two locations -
C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks
for the creation of task files in these two locations.
a. Task Scheduler running from a suspicious folder location (e.g : C:\Users\.. ;
C:\Windows\temp\)
b. Task Scheduler running using suspicious Scripting Utilities (LOLBAS) : cscript.exe,
rundll32.exe, mshta.exe, powershell.exe, regsvr32.exe

Use Case 5 : Credential Dumping via Windows Task Manager
MITRE Reference:
CAR-2020-09-001 : Credential Dumping via Windows Task Manager :
https://car.mitre.org/analytics/CAR-2019-08-001/
• Hypothesis : The Windows Task Manager may be used to dump the memory space of
lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is
performed by launching Task Manager as a privileged user, selecting lsass.exe, and
clicking “Create dump file”. This saves a dump file to disk with a deterministic name
that includes the name of the process being dumped.
Hunting for File Creation (thinking about Sysmon Event ID 11 for example), with the
process image is taskmgr.exe

Case Study End to End Threat Hunting Process
Threat Hunters defined the Hypotheses and Start Hunting
1. Hypotheses 1 : User visiting malicious website from Phishing Email
2. Hypotheses 2 : User downloading malicious file after visiting the Malicious Website
(Drive by Download maybe?
3. Hypotheses 3 : Malware Run on the User System after being downloaded
4. Hypotheses 4 : Malware doing persistence mechanism on Infected / Exploited
Machine
5. Hypotheses 5 : Malware contacting Command and Control Server
6. Hypotheses 6 : Threat Actor exfiltrate Sensitive document to Command and Control
Server
7. Hypotheses 7 : Sensitive Data Leaked on the Internet

Hypotheses 1 : User visiting malicious website from Phishing Email
• Data Source for Hunting

• Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon
Log, Email Log, Mail Security Gateway Log
• Platform for Hunting
• SIEM, Security Analytics Platform
• Analysis and Enrichment Data
• DNSTwist, Phishing Domain List, Threat Intelligence Feeds,
VirusTotal, HybridAnalysis, URL / Domain Sandbox Analysis

Hypotheses 2 : User downloading malicious file after visiting the Malicious Website

• Passive DNS Log, DNS Server Log, Proxy Log, NGFW Log, Sysmon
Log,
• SIEM, Security Analytics Platform,
• Threat Intelligence Feeds, Alexa top 1M Domain, VirusTotal,
HybridAnalysis, URL / Domain Sandbox Analysis, Blacklisted Domain
Checker

Hypotheses 3 : Malware Run on the User System after being downloaded

• Prefetch, Shimcache, Amcache, Process Running, Volatile Data
(Memory), Sysmon, Auditd,
• SIEM, Security Analytics Platform, EDR
• File Hash of Process Executed, Parent-Child Process Analysis(SANS
Find Evil Poster as Reference), Folder Location of Executables,
Signed of Binary Files, VirusTotal, HybridAnalysis,

Hypotheses 4 : Malware doing persistence mechanism on Infected / Exploited Machine

• ASEP (Auto Start Extensibility Points), Registry, Startup Services and
Folder, Task Scheduler, Cron Job,
• SIEM, Security Analytics Platform, EDR
• Signature Check, Autoruns Sysinternals, File Hash Check, Date of
Creation,

Hypotheses 5 : Malware contacting Command and Control Server

• Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet
Capture, DNS Log
• SIEM, Security Analytics Platform, NDR, XDR,
• Date of Creation Domain, SSL Cert Attribute Checks, JA3 SSL
Fingerprint, GeoIP Location Data, Threat Intelligence Feeds

Hypotheses 6 : Threat Actor exfiltrate Sensitive document to Command and Control
Server

• Netflow, Firewall Log, NGFW Log, IDS, Proxy Logs, Full Packet
Capture, DNS Log
• SIEM, Security Analytics Platform, NDR, XDR,
• Date of Creation Domain, SSL Cert Attribute Checks, JA3 SSL
Fingerprint, GeoIP Location Data, Threat Intelligence Feeds

Hypotheses 7 : Sensitive Data Leaked on the Internet

• OSINT, Dark Web Search, Underground Forum, Threat Intelligence
Feeds
• Threat Intelligence Platform
• Pastebin, Github, Honeypot

Network Threat Hunting

Why Network Threat Hunting
• ▷The network is the great equalizer

○ You see everything, regardless of platform
○ High level assessment of the terrain
• ▷You can hide processes but not packets

• ▷Malware is usually controlled
○ Which makestargeting C2 extremely effective
○ Identify compromise when C2 "calls home"
○ Must be frequent enough to be useful
• ▷Wide view so you can target from there

5 Steps to Threat Hunting Your Network
Network threat hunting can be broken down into five steps, these are:
1. Identify persistent communication channels leaving your network.
2. Analyze the protocol being used.
3. Identify and evaluate the internal host originating the communications.
4. Scrutinize the reputation of the destination system.
5. Disposition the incident.
The order is important, as its weighted towards reviewing the highest threat
evidence first.
For example, identifying that data to TCP/443 is simply obfuscated and not actually
an SSL or TLS session is far more suspicious that knowing the target IP ended up on
a blacklist from an unverified source.
So by executing our hunt in the order specified above, we can quickly weed out
false positives and focus on the real threats.

Identify Persistence Communication Channels
• If an attacker has compromised an internal system, they need to create
a communication channel in order to send the system its marching
orders.
• So the first thing we want to look for is whether we have any internal
systems that are carrying on persistent communications with one or
more systems out on the Internet.
• The simplest method of creating this covert communication channel is
to have the compromised system call home to a command and control
server and keep the connection open continuously.
• If the connection dies due to a network issue, the connection is
immediately reestablished. Tools like RITA and AI-Hunter, Packet
Capture of the Network or even IDS Log from Zeek will show you these
long connections, but you can also get this info by viewing the state
table in your firewall (if your vendor supports this).

Analyze The Protocol
Next, we want to take a look at the protocol being used to communicate between the two
systems. For some applications, beaconing is just the way they communicate. For example, any
system running Network Time Protocol (NTP) will connect to an NTP server on a very rigid time
interval and transmit the same amount of data each time. This can be easily mistaken for a
control channel heartbeat until you analyze the protocol.
Some things to look out for:
• Protocols where beaconing is normal (like NTP).
• Traffic on a well-known port that does not match the application that normally uses it.
• HTTP communications that include a user agent field that is unique within your environment.
• HTTPS communications that include a client SSL hello that is unique within your environment.
• Be suspicious of HTTPS communications with a server using a self-signed or free digital
certificate.
• Be less suspicious of HTTPS communications with a server using an EV certificate.
• Does the protocol use make logical sense? (example: seeing 1,000+ DNS queries to a specific
domain for unique hostnames is more likely to be C&C communications than normal DNS
traffic)

Identify and Evaluate Internal Host Originating Communication
• Next, we will want to learn as much as we can about the internal system
initiating the sessions. What operating system is it using? What is the
system’s function (user desktop, network hardware, etc)? Is there a functional
baseline to work with to see if this traffic pattern is normal? If we have
previous packet captures from the system, or have other similar systems we
can compare it against, this might help identify if the pattern we are seeing is
normal.
• As an example, many IoT devices check in regularly with a central console. We
may find that all devices exhibiting a specific suspicious behavior are all the
same model of IoT device.
• You may also want to see if the source is running any kind of endpoint
security software or if the logs are being collected to a central location. If we
get to the end of our threat hunt and deem the system as suspicious, the
additional data provided could be extremely valuable in performing a root
cause analysis.

Scrutinize the Reputation of the Destination System
Finally, we will want to evaluate the destination system our internal host is contacting. Some
things to consider:
• Do you recognize the target domain? If it is a vendor or a business partner, the
communications may be associated with a service or product you purchased from them.
• Does the geolocation information make sense? As an example, if you don’t have a vendor or a
field office in China, but you are sending a lot of data there, it could be a problem.
• How old is the target domain? Attackers are notorious for using domains that are less than
seven days old because they can destroy the domain’s reputation and still get a refund from
their registrar. (domain age, SSL Cert age)
• Is the domain or target system on any blacklists? If so, why, and is it applicable to your
situation?
You want to check the integrity of the blacklist entry in order to weed out false positives. For
example, it’s not uncommon for Microsoft and Google Web crawlers to end up on blacklists.
Sometimes this results in blacklisting full subnets that have nothing to do with the identified
activity. Remember that blacklists are usually populated by reports from regular users
(crowdsourced). The integrity of the entry is directly related to the security skills of the person
reporting the incident. With this in mind, it is always worth validating a blacklist entry.

Disposition the Incident
After performing all of the above steps, we will come up with two possible
dispositions:
1. The activity is a false positive. Create a whitelist entry so that the activity is ignored
in the future.
2.The activity is suspicious and warrants further investigation.
• Note that in the second option we may or may not be sure that the internal
system is actually compromised.
• It is simply suspicious enough to warrant a deeper investigation. This may include
checking system logs or capturing and analyzing all system traffic for a specified
period of time.
• It may also include a full forensic analysis of the system. The suspect activity
detected through the above process can be used to help guide the investigation.
• Your incident handling policy should include steps for handling suspicious
systems.

C&C Detection Technique
• ▷ Traffic toandfrom theInternet

○ Monitor internal interface of firewall
• ▷ Packetcaptures or Bro/Zeek data
• ▷ Analyze inlarge timeblocks
○ More data =better fidelity
○ Minimum of 12 hours,24 is ideal
• ▷ Analyze communications inpairs
○ Every outbound session passingthe firewall
○ Ignoreinternal to internal (highfalse positive)

Hunting for Long Connection in the Network
• ▷ You are looking for:

• ▷ Total timefor eachconnection
○ Which ones have gone on the longest?
• ▷ Cumulativetimefor all pair connections
○ Total amount of time the pair has been in contact
• ▷ Can be useful to ignore ports or protocols
○ C2 can changechannels

Wireshark – Statistics - Connections
86,400 seconds =24 hours

Connection Time from Zeek conn.log

Cumulative Conversation in Zeek

Detecting C&C Over DNS
• ▷ Capture all DNS traffic

○ Capture tool of your choice
○ Longer the capture time, the better
• ▷ Filter soit's DNS traffic only
• ▷ Extract to text sowe cansort andcount
• ▷ Reviewtotal FQDNs per domain

Bonus Check on DNS
• ▷ Check domains with alot of FQDNs

• ▷ Get alist of theIPsreturned
• ▷ Compare againsttrafficpatterns
○ Are internal hosts visiting this domain?
○ Is it just your name servers?
• ▷ Unique trait of C2 over DNS
○ Lots or FQDN queries
○ But no one ever connects to these systems

C2 Detection Tools
• Packet Capture Tools

• Tcpdump
• Wireshark
• Tshark
• NIDS
• Zeek (Formerly Bro)
• Suricata
• Snort

Threat Hunting
Hands On Preparation

Threat Hunting Basics
• Threat hunting…
• Is proactive, but benefits from and contributes to reactive
security programs (incident response, forensics)
• Is methodical and repeatable
• Is based on hypotheses (one approach at least)
• Can and should take advantage of automation & machine
learning, but experienced human analysis isstill crucial
• Maps to each stage of the cyber kill chain, and can ideally
detect and help disrupt any stage of an attack
• Cares about context
• Benefits from and contributes to threat intelligence
• Often involves thinking like an attacker to be a better defender

IOCs vs. TTPs
• Indicators of Compromise (IOCs)
• Usually atomic items like IPs, domains, hashes
• Limited value for hunting
• Relatively easy for attacker to change
• Tactics, Techniques, and Procedures (TTPs)
• Based on adversary behavior during an attack
• Valuable when understood & mapped to data for hunting
• Relatively difficult for attacker to change
IOCs and TTPsare interdependent and c an both be utilized

for threat hunting.

https://attack.mitre.org/
https://attack.mitre.org/

Why Elastic Stack for Threat Hunting?
• SIEMs are generally limited, inflexible, and expensive

• Splunk is powerful, but expensive, can be challenging to scale,
and still proprietary
• While not perfect, overall Elastic Stack excels where SIEMs
and Splunk tend to fall short:
• Open source core, modular design, and highly customizable
• Rapid development cycle – notable new features released
in nearly every minor point release
• Cluster can be easily hosted anywhere and is scalable
• Can complement or replace Splunk and/or SIEM
• Elastic Security issteadily maturing

The Elastic Stack
Formerly the ELK Stack

Elastic Stack
• Elasticsearch -index storage and search backend

• Logstash -used to shape logs and ship logs to
Elasticsearch
• Kibana -GUI frontend for search, visualization, dashboards,
reporting and alerting, and Elastic stack cluster
management
• Beats -Lightweight log shippers that are installed on
endpoints
• Examples: Filebeat, Winlogbeat, Packetbeat

Elastic Stack New Features
• Exciting developments in 7.x versions

• Basic features for securing your cluster
(HTTPS, authentication) now free
• Elastic Security
• Elastic SIEM
• Elastic Endpoint Security

Hosting and Installation Options
• On-premises
• Private Cloud
• Public Cloud
• AWS
• GCP
• Azure
• VPS Providers
• 3rd party “ELK as a service” offerings
• Standalone (bare metal, VM,
container)

Logs

Potential Log Sources
Servers Applications
• Web servers • Web applications
• Application/API servers, dev servers • COTS applications
• Database servers • Custom, in-house applications
• File servers, backup/DR servers • Source co d e repos, dev/staging
• DNS servers apps
• Domain controllers, AD, ADFS Cloud / Containerized Infrastructure
• VPN gateways, remote access • Office 365, Azure Cloud
• Hypervisors • AWS, Google Cloud
• VPS providers, serverless app/API
Endpoints
providers
• Laptops, workstations, kiosks, VMs
• Docker containers, Kubernetes
• AV/EDR/EPP
SIEM/SOAR
Network Stack
• Potentially both a destination and source of
• Routers, switches, WAPs
logs
• Firewalls, VPN, SSO, WAFs, IDS/IPS, malware
Open Source Intel
sandboxes • Threat indicator feeds
• Web proxies, DNS resolvers • GeoIP location
• Email servers, spam/phishing filter gateways • Passive DNS
Mobile Devices • Domain registration, whois
• MDM, mobile a p p telemetry • Certificate transparency
• Social media
• Breach dumps

Windows Event Logs
• Even the standard Windows event logs are useful
for threat hunting, DFIR, and monitoring. Examples:

• Login events
• RDP sessions
• New services
• New processes
• PowerShell and other living off the land TTPs
• Crashes
• Logs cleared is itself a notable Windows event…

Sysmon
• Free, actively developed Sysinternals endpoint tool from Microsoft
• Kernel level service that monitors & logs all process activity & more
• https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
• Available
here:

Hunting with Sysmon
Examples of what to look for in Sysmon logs:

• Malware being downloaded and executed
• MS Office macros spawning suspicious processes
• Browser spawning suspicious processes
• Files being deleted or renamed en masse (ransomware?)
• Process injection
• Cross-process activity (lsass.exe’s memory being accessed
by another process)
• PowerShell and other common “living off the land” TTPs
• Unusual network connections

Kibana Crash Course

Accessing Kibana in VM
• Browser support – Chrome/Chromium recommended but

other browsers like Firefox & Safari are supported too
• Kibana: Port 5601 by default

• http://localhost:5601/
• Elasticsearch: Port 9200 by default
• http://localhost:9200/
• (re)start services if not currently running:
• sudo systemctl start elasticsearch.service
• sudo systemctl start kibana.service

Kibana - Home
21
Kibana – Key Features
• Discover
(search)
• Visualize
• Dashboard

Kibana - Discover
• Index Pattern
Filter
• Examples:
• filebeat-* indices
• logstash-* indices
• winlogbeat-*
indices

Kibana - Discover
• Time Range Filter

Kibana – Search (KQL)

Kibana - Search
• Default search syntax based on Kibana Query Language (KQL)

• Format is: FieldName:SearchTerm (autocomplete ishelpful)
• Fields & search terms c an be Case Sensitive
• Boolean operators like AND, OR & nested statements are supported
• * wildcards c an be used, but use sparingly
• Free text searches c an be used, but use sparingly
• Example searches:
• computer_name:ACME-SRV2008-DC
• process.command_line:*powershell.exe*
• "urgent_invoice.docm"

Kibana - Visualize

Visualizations

Visualization Lab #1
Pie Chart:
Top Hostnames

Map (GeoIP) Visualization

Kibana - Dashboard

Kibana - Dashboard

Elastic SIEM

Elastic SIEM
• Free in 7.x
• Work in progress – currently supported data types and
detection rules are limited, new features being a dded
• C a n accelerate or complement simple SIEM use cases
• Not (yet) a full replacement for building out custom
Kibana queries, visualizations, and dashboards
• https://www.elastic.co/products/siem
• Also in development: Elastic Endpoint Security (based on
Endgame integration)

Suggested Next Steps
• Additional training and events
• CTFs like OpenSOC
• Deploy Elastic Stack for yourself
• Elastic Cloud 14-day free trial:
https://www.elastic.co/cloud/elasticsearch-service/signup
• Install in a VM or container
• Trya security-focused Elastic Stack distro like Security Onion
and HELK
• Try Sysmon with a sample config
• Explore the many projects related to log data-driven threat
hunting
• Practice identifying attacker TTPs, mapping to ATT&CK, running
attack simulations, and determining detection potential/gaps

References
• Elastic Stack
• https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack
.html
• https://www.elastic.co/cloud/elasticsearch-service/signup
• https://www.elastic.co/downloads/beats/winlogbeat
• https://www.elastic.co/beats/filebeat
• https://www.elastic.co/siem
• https://github.com/elastic/detection-rules
• Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
• MITRE ATT&CK Framework: https://attack.mitre.org/
• Windows Event ID References:
• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
• https://www.malwarearchaeology.com/cheat-sheets

Summary and Takeaway
• Threat Hunting needs visibility from your Detection Engineering

• Threat Hunter mindset and knowledge is one of key component in
hunting process
• Automation can help Threat Hunting but still need manual activities
• MITRE ATT&CK can be used as the main framework in threat
hunting process
• Threat Intelligence != Threat Hunting
• Deception Technology is needed to study the attacker behavior and
keep the bad guy busy

Summary and Key Takeaway
• Threat Hunting is important for any organization to helps you

performing a proactive cyber security operation
• Start Your Threat Hunting Program from What you have right now in
your organizations. Don’t wait any longer!
• Adopt the relevant Framework that fit for your organizations. Most
organization is adopting MITRE ATT&CK as their framework
• Technology stack is not only focusing on the platform for hunting, but
also the data source itself. Detection Engineering is the keyword here!
• Continuous Assessment is needed to help you maturing your Threat
Hunting Program

THANK YOU
Q&A

Cyber Threat Hunting Day 5 - WQA

Uploaded by

Copyright:

Available Formats

You might also like

Cyber Threat Hunting Day 5 - WQA

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cyber Threat Hunting Day 5 - WQA

Uploaded by

Copyright:

Available Formats

Cyber Threat Hunting

1/10/2021 Blue Team Jakarta, Indonesia 1

1/10/2021 Blue Team Jakarta, Indonesia 2

1/10/2021 Blue Team Jakarta, Indonesia 3

• Threat hunting is an proactive cyber defense activity. It is "the

1/10/2021 Blue Team Jakarta, Indonesia 4

1/10/2021 Blue Team Jakarta, Indonesia 5

• Finding adversaries who have • Supports faster and early

1/10/2021 Blue Team Jakarta, Indonesia 6

1/10/2021 Blue Team Jakarta, Indonesia 7

1/10/2021 Blue Team Jakarta, Indonesia 8

1/10/2021 Blue Team Jakarta, Indonesia 9

• What is the Main Differences Between Threat Hunting and

1/10/2021 Blue Team Jakarta, Indonesia 10

Hunting Organization Reactive Organization

• Actively looking for Incidents • Incident Starts when

1/10/2021 Blue Team Jakarta, Indonesia 11

1/10/2021 Blue Team Jakarta, Indonesia 12

1/10/2021 Blue Team Jakarta, Indonesia 13

▪ People {Threat Hunters}

1/10/2021 Blue Team Jakarta, Indonesia 14

▪ Technology Stack for Threat Hunting

1/10/2021 Blue Team Jakarta, Indonesia 15

1/10/2021 Blue Team Jakarta, Indonesia 16

• Analytical Mindset : Having a • Network Architecture:

1/10/2021 Blue Team Jakarta, Indonesia 17

• Log Analysis : knowledge of different log • Malware Analysis : Malware analysis a

1/10/2021 Blue Team Jakarta, Indonesia 18

1/10/2021 Blue Team Jakarta, Indonesia 19

SANS Whitepaper : Building and Maturing Threat Hunting Program

1/10/2021 Blue Team Jakarta, Indonesia 20

David Bianco Pyramid of Pain

1/10/2021 Blue Team Jakarta, Indonesia 21

• Pyramid of pain represents the usefulness

• The higher of the stacks, the more

• It also indicates to gather the artifacts or

1/10/2021 Blue Team Jakarta, Indonesia 22

Threat Hunting Framework Based on MITRE ATT&CK Framework

1/10/2021 Blue Team Jakarta, Indonesia 24

• MITRE ATT&CK™ is a globally-accessible knowledge base of adversary

With the creation of ATT&CK, MITRE is fulfilling its mission to solve

1/10/2021 Blue Team Jakarta, Indonesia 25

1/10/2021 Blue Team Jakarta, Indonesia 26

How to Read It?

❖ Tactics across the top

1/10/2021 Blue Team Jakarta, Indonesia 27

How to Read It?

❖ Technique for each column

1/10/2021 Blue Team Jakarta, Indonesia 28

Reconnaissance Active Scanning

Resource Development Compromise Account

Initial Access Drive by Compromise

Execution Command and Scripting Interpreter

1/10/2021 Blue Team Jakarta, Indonesia 29

▪ ATT&CK can help you create a threat-informed defense

1/10/2021 Blue Team Jakarta, Indonesia 30

1/10/2021 Blue Team Jakarta, Indonesia 31

Detection engineering is a set of practices and systems to deliver

1/10/2021 Blue Team Jakarta, Indonesia 32