Upgrading your threat hunting skills to next generation capabilities.
When defending against the next generation of malicious targeting against your network and systems, we as threat hunters have to employ security strategies that are driven by personalized cyber defense context. This hunt style is based on what each user typically does and which workflows each user regularly uses. We can then alert on traffic and host-based anomalies measured against how your organization specifically uses its network. The way we accomplish this now is by establishing YARA and Snort rules.
To begin utilizing vulnerability tools to develop your indicator matrix, we have to aggregate intelligence that helps us define what is malicious activity versus your organization's own activity. Your organization must have this map to navigate the logs of your systems while building alerts for anomalies. With this rule set you can build the metadata and define the strings that are crucial in your YARA and Snort rules. Also, in this step your organization needs a reporting database to submit and store potential indications of compromise. During an attack on your systems, faster decisions are going to mean stopping the loss of critical information systems and intellectual property. The scenario where you have the data to act now and posture your defensive measures effectively, based on collected and defined metadata, is a win for your agency.
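As an added illustration (not code from the original post), the sketch below turns one indicator report into a YARA rule with its meta and strings sections, a Snort DNS rule, and rows in a reporting database. The report fields, rule name, hostname and SID are constructed sample values, and SQLite stands in for whatever reporting database you use.

```python
import sqlite3

# Constructed indicator report; every value here is a made-up sample.
REPORT = {
    "name": "Phish_Stage2_Sample",
    "author": "hunt-team",
    "description": "Strings pulled from a second-stage downloader",
    "strings": ["powershell -enc", "update-check.example.net"],
    "c2_host": "update-check.example.net",
    "sid": 1000001,  # local Snort rules use SIDs from 1000000 upward
}

def esc(s):
    """Escape backslashes and double quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_yara(r):
    """Render the report as a YARA rule: meta, strings, condition."""
    meta = "".join(f'        {k} = "{esc(r[k])}"\n' for k in ("author", "description"))
    strs = "".join(f'        $s{i} = "{esc(s)}" ascii wide nocase\n'
                   for i, s in enumerate(r["strings"]))
    return (f"rule {r['name']}\n{{\n    meta:\n{meta}    strings:\n{strs}"
            "    condition:\n        any of them\n}\n")

def dns_content(host):
    """Encode a hostname as length-prefixed DNS labels for a Snort content match."""
    return "".join(f"|{len(label):02x}|{label}" for label in host.split(".")) + "|00|"

def build_snort(r):
    """Render a Snort rule that alerts on DNS lookups of the reported host."""
    return (f'alert udp $HOME_NET any -> any 53 (msg:"HUNT DNS lookup {r["c2_host"]}"; '
            f'content:"{dns_content(r["c2_host"])}"; nocase; sid:{r["sid"]}; rev:1;)')

def store(conn, r):
    """Save the raw strings and both generated rules; return the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS ioc (report TEXT, kind TEXT, value TEXT)")
    rows = [(r["name"], "string", s) for s in r["strings"]]
    rows += [(r["name"], "yara", build_yara(r)), (r["name"], "snort", build_snort(r))]
    conn.executemany("INSERT INTO ioc VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM ioc").fetchone()[0]

if __name__ == "__main__":
    print(build_yara(REPORT))
    print(build_snort(REPORT))
    print(store(sqlite3.connect(":memory:"), REPORT), "rows stored")
```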
No matter the industry, there is always someone who wants to know about what you have. The goal is to know how potential attackers will exploit the way your users consume technology and apps so that the vulnerabilities they use can be more effective and “context-aware”. If you are an org that supports DOD or Gov, you are an increased target for nation-state intelligence communities that have established effective cyber capabilities to understand our operational context. These malicious actors' intelligence capability is improving rapidly and is formidable at gathering OSINT on our activities.
At the time of reporting you will notice unanswered questions; this is when we use dynamic spot rep questions to fill operational vulnerability and intel gaps. As we explained, proper context is your baseline for driving your operational impact. To assist with the nuance of this task we have industry Python scripted frameworks and web-based frameworks to analyze and define your activity. Generally speaking, I use my Python scripted frameworks for searching on the system for anomalies and web-based frameworks for getting context on my significant activity.
Orgs like Group-IB, HackerOne, FireEye and Kaspersky focus on providing products and services for detecting and preventing advanced persistent threats and spear phishing while preventing and investigating high-tech crimes and online fraud. To hunt and defend against cyber actors with advanced persistent capabilities, it is helpful to ingest industry reporting on what is going to hit, or has already hit, your network. As they do the research and analysis on the techniques and TTPs of high-tech crimes, you must employ their knowledge in your security practices.
What are these web based frameworks?
- www.threatcrowd.org – allows you to quickly ID infrastructure and malware.
- www.virustotal.com – is the Google for virus and malware information.
- www.hybrid-analysis.com – is for link chaining of domains, IPs and hashes.
- www.ipalyzer.com – finds whois, name records, geo, etc.
- https://otx.alienvault.com – threat vectors and indicators of compromise (IOC).
- www.threatminer.org – data aggregator which relies on a number of open source data feeds.
- http://passivetotal.org – Investigate threats by pivoting through attacker infrastructure data.
- https://dnslytics.com – Find out everything about a domain name, IP address or provider.
- www.joesandbox.com – detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities.
- https://www.unphp.net – decodes base64-encoded PHP code.
We at iShare-Solutions use scripted OSINT tools to integrate data analysis into our security workflow. After a compromise we begin our research with system and software logs to understand what the malware is and what attack vector was used. We take the indicators that we can find and use open source research to define them.
We start with an initial scan for whois, name records, etc. to get a baseline for the actor ID. Then we begin to map the C2 communication of the systems involved in the attack, known as call chaining or C2 mapping. This is necessary to visualize and define how malicious actions are traversing the internet and the connections they make, for blocking second stage activity. The companies we spoke of earlier are some of the best providers of detailed analysis and actionable suggestions for high profile security incidents. I am militant about finding and analyzing actual TTPs instead of only IOCs (i.e. hash values, IP addresses).
One of the most successful attack vectors is spamming phishing emails with links and attachments inside that trick a user into activating them. Once activated, these embedded links point to dirty websites with second stage infection vectors. Use tools for pivoting through attacker infrastructure to define what the second stage will be and set blocking for that until the threat is neutralized.
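The call chaining described above can be sketched as a graph walk. This is an added example, not iShare-Solutions' tooling: the observation tuples, relation names, hostnames and hash placeholder are constructed, standing in for what your passive DNS and sandbox lookups return. It also stops pivoting at nodes with high fan-out, so a shared hosting IP does not drag unrelated domains into the block list.

```python
from collections import deque

# Constructed observations (source, relation, destination). All values are
# made-up samples; the hash is a labelled placeholder.
OBSERVATIONS = [
    ("url:http://invoice-portal.example/view", "hosted_on", "domain:invoice-portal.example"),
    ("domain:invoice-portal.example", "resolves_to", "ip:203.0.113.10"),
    ("ip:203.0.113.10", "also_hosts", "domain:cdn-files.example"),
    ("domain:cdn-files.example", "serves", "hash:STAGE2_HASH_PLACEHOLDER"),
    ("hash:STAGE2_HASH_PLACEHOLDER", "beacons_to", "domain:telemetry-sync.example"),
    ("domain:telemetry-sync.example", "resolves_to", "ip:198.51.100.7"),
    ("domain:cdn-files.example", "resolves_to", "ip:192.0.2.80"),  # shared hosting
    ("ip:192.0.2.80", "also_hosts", "domain:shop-a.example"),
    ("ip:192.0.2.80", "also_hosts", "domain:shop-b.example"),
    ("ip:192.0.2.80", "also_hosts", "domain:shop-c.example"),
]

def build_graph(observations):
    """Undirected adjacency map: pivots work in both directions."""
    graph = {}
    for src, _relation, dst in observations:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph

def map_chain(graph, seed, max_hops=6, max_fanout=3):
    """Breadth-first walk from the phishing link; returns node -> hop count."""
    hops, queue = {seed: 0}, deque([seed])
    while queue:
        node = queue.popleft()
        neighbours = graph.get(node, ())
        if hops[node] >= max_hops or len(neighbours) > max_fanout:
            continue  # too far out, or a shared node: record it, do not pivot
        for nxt in sorted(neighbours):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def blocklist(graph, hops, max_fanout=3):
    """Domains and IPs on the chain, minus shared nodes that would over-block."""
    return sorted(n.split(":", 1)[1] for n in hops
                  if n.startswith(("domain:", "ip:")) and len(graph[n]) <= max_fanout)

if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    chain = map_chain(g, "url:http://invoice-portal.example/view")
    print(blocklist(g, chain))
```

The `max_hops` and `max_fanout` thresholds are assumptions to tune against your own data; nodes excluded for fan-out still appear in the hop map for analyst review.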