Threat Hunting: Detecting Adversaries
Threat hunting requires that the hunter understand the mind of the adversary and seek to stop attacks before the hunters themselves are detected. So how exactly is that done, and how can hunting methods be improved so that hunters can work skillfully without being detected?
In this article, we shall see that detecting the adversary is not entirely straightforward. We will focus on the methods hunters can use to find the adversary while keeping the hunt itself from being noticed.
Taking Time to Understand the Adversary Mindset
It has been said that it takes a thief to catch a thief, and this is no different when hunting for threats in a system. The adversary will often make small mistakes that lead to the discovery of their malicious actions. Such abnormal activities serve as red flags, and we need to understand them. Understanding such abnormal behaviors (like those discussed below) allows the hunter to target specific areas of high risk, effectively enabling the hunter to take out the adversary before being detected.
The following are some common abnormal behaviors to look out for:
Many organizations use PowerShell daily to manage their IT infrastructure. Attackers leverage this to execute malware within the network. Hosts producing unusual PowerShell execution failures and errors should serve as a warning that something is amiss. Look out for these, determine their origin and take out the attackers.
HTTP User Agents
When hunting, be sure to be on the lookout for suspicious user agents. This is because attackers will often hurriedly attempt to download extra tools and scripts to use during an active attack. Default user agents used by tools such as PowerShell and Python are often an indication that something is not right. Once discovered, pinpoint the source and take it out.
Command Line Process Execution
Attackers make heavy use of the command line, in some instances to launch malware. Monitoring how processes are started is something that cannot be overlooked. For instance, a process started from PowerShell with the -ExecutionPolicy Bypass flag should be enough to raise suspicion. Process IDs can also give an attack away: a low process ID is normal, since many processes launch at system startup, whereas malicious processes started later will often have large process IDs, which warrant monitoring. As soon as you discover these, you know something’s not right.
Attackers will perform lateral movement within the network in an attempt to discover other hosts that can be attacked. You will need to keep an eye on this behavior in your network, as it could help prevent a potential attack. This is where SIEMs come in handy. Be on the alert for any suspicious network traffic.
Since attackers will often attempt to exfiltrate data from your network, it is important to consider enforcing strict egress filtering rules that restrict the protocols allowed to leave your network. This matters because it is difficult to distinguish exfiltrated data, especially when encrypted, from legitimate traffic in the protocols the organization commonly uses.
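As an added example (not code from the original article), here is a small Python hunt over constructed process-creation and HTTP proxy records that flags the PowerShell bypass switches, Office-spawned shells and default tool user agents discussed above. The sample records, field names and the exact regex patterns are assumptions for illustration.

```python
import re
# Constructed sample telemetry (not real logs): process-creation records and the
# user agents seen in HTTP proxy records, as a SIEM or Sysmon/EDR would hold them.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Backup-Logs.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
]
HTTP_EVENTS = [
    {"client": "10.0.5.23", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
    {"client": "10.0.5.41", "ua": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"},
    {"client": "10.0.5.77", "ua": "python-requests/2.31.0"},
]

# Switches the article singles out (execution-policy bypass) plus the encoded-command
# and hidden-window switches that usually travel with it.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:ExecutionPolicy\s+Bypass|ep\s+bypass|EncodedCommand|enc\b|w(?:indowstyle)?\s+hidden)", re.I)
# Office applications should practically never be the parent of a shell.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Default user agents of scripting tools and download libraries rather than browsers.
TOOL_UA = re.compile(r"WindowsPowerShell|python-requests|python-urllib|curl/|Wget/", re.I)

def hunt_processes(events):
    """Return (cmdline, reasons) for every process-creation record that trips a heuristic."""
    hits = []
    for ev in events:
        reasons = []
        if SUSPICIOUS_ARGS.search(ev["cmdline"]):
            reasons.append("suspicious PowerShell switches")
        if "powershell" in ev["image"].lower() and ev["parent"].lower().endswith(OFFICE_PARENTS):
            reasons.append("PowerShell spawned by an Office application")
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits

def hunt_user_agents(events):
    """Return (client, user agent) for HTTP records whose user agent belongs to a tool."""
    return [(ev["client"], ev["ua"]) for ev in events if TOOL_UA.search(ev["ua"])]

if __name__ == "__main__":
    for cmd, why in hunt_processes(PROCESS_EVENTS):
        print(f"[process] {cmd}\n    -> {', '.join(why)}")
    for client, ua in hunt_user_agents(HTTP_EVENTS):
        print(f"[http] {client} -> tool user agent: {ua}")
```

In a real hunt the two functions would be fed from the SIEM's process-creation and proxy indexes rather than from inline lists; the patterns are a starting point to tune against your own baseline.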
Once all this suspicious behavior has been spotted, it is time to fall back on some good old tools.
How Can You Leverage Offensive Hunting Tools?
Skilled hunters will need to ensure that they employ tools that give them proper visibility into the activities being performed in the network. As a hunter, you need to be able to detect an attack by narrowing it down to the most relevant data in your network, faster than your adversaries can effectively hide their malicious activities. This will require making use of the most effective tools and strategies.
The following tools should be considered in environments where active threat-hunting occurs.
1. Microsoft Sysinternals Sysmon
Microsoft Sysinternals Sysmon provides a trove of functionality for assessing processes and file hashes. Sysmon can give a hunter relevant and valuable information about parent processes, network connections and loaded driver and Dynamic Link Library (DLL) information (along with their signatures and hashes). Sysmon also allows hunters to drill down to registry events (key create and delete, value set, key and value rename, and so on) and WMI events (such as WmiEventFilter and WmiEventConsumer activity).
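To show how the Sysmon registry and WMI events mentioned above can be triaged once exported, here is an added Python example (not part of the original article or of Sysmon) that parses constructed Sysmon event XML in the shape Get-WinEvent's ToXml() produces and flags autorun value writes and command-line WMI consumers. The sample events, the Run/RunOnce key list and the "Command Line" consumer check are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows event XML that Get-WinEvent's ToXml() returns.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real telemetry), trimmed to the fields used below.
# Field names follow Sysmon's RegistryEvent (ID 13) and WmiEvent (ID 20) schema.
SAMPLE_EVENTS = [
    # Benign: an application writing its own settings key.
    r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
    <EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Program Files\Editor\editor.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1\Software\Editor\LastFile</Data><Data Name="Details">notes.txt</Data>
    <Data Name="User">CORP\alice</Data></EventData></Event>''',
    # Suspicious: reg.exe planting an autorun value under the user's Run key.
    r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
    <EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\System32\reg.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater</Data>
    <Data Name="Details">C:\Users\Public\update.exe</Data><Data Name="User">CORP\alice</Data></EventData></Event>''',
    # Suspicious: a WMI event consumer that launches a command line (persistence).
    r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>20</EventID></System>
    <EventData><Data Name="EventType">WmiConsumerEvent</Data><Data Name="Operation">Created</Data>
    <Data Name="User">CORP\alice</Data><Data Name="Name">"Updater"</Data><Data Name="Type">Command Line</Data>
    <Data Name="Destination">"C:\Users\Public\update.exe"</Data></EventData></Event>''',
]

AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Sysmon event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def triage(xml_events):
    """Flag Run/RunOnce value writes and command-line WMI consumers; return (label, user, detail)."""
    findings = []
    for xml_text in xml_events:
        event_id, d = parse_event(xml_text)
        if event_id == 13 and any(k in d["TargetObject"].lower() for k in AUTORUN_KEYS):
            findings.append(("autorun value set", d["User"], f'{d["Image"]} -> {d["TargetObject"]} = {d["Details"]}'))
        elif event_id == 20 and d.get("Type") == "Command Line" and d.get("Operation") == "Created":
            findings.append(("WMI command-line consumer", d["User"], f'{d["Name"]} -> {d["Destination"]}'))
    return findings

if __name__ == "__main__":
    for label, user, detail in triage(SAMPLE_EVENTS):
        print(f"{label:28} {user:12} {detail}")
```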
2. BloodHound
BloodHound allows you as a hunter to visualize your Active Directory environment in a more robust manner. Using graph theory, BloodHound can identify otherwise-obscure attack paths within your network that attackers could use to compromise your entire Active Directory.
The framework requires Java to run, so you will need Java, Neo4j and the BloodHound application itself.
You will then run an ingestor that collects a trove of data from your Active Directory, using either SharpHound (written in C#) or Invoke-BloodHound (PowerShell). Once you have executed these, you will be provided with a set of .CSV files that you upload to the BloodHound application. In terms of visibility, BloodHound gives you as the hunter the following:
- All domain admins
- Shortest paths to acquire domain admin privileges
- Top 10 users with most sessions
- Top 10 computers with most local admin rights
- Top 10 computers with most admins
- All users with foreign domain group membership
Combined with other tools such as Empire, this gives you information that, applied properly, can put you ahead of any adversary. Take a look at how Empire can be applied in this area (see the Death Star reference below).
3. Network Metadata Monitoring
You need to be able to pinpoint the sources of alerts within the network before an attack runs to completion. This is done effectively when you log network metadata to accompany the alerts originating from your IDS. One such IDS that can significantly help in tracking the data transiting your network is Bro IDS (now known as Zeek). Bro writes a separate plain-text log file per protocol, which can then be ingested by a SIEM.
Hands-On Defensive Concepts for Threat Hunters
Once you have understood the attacker’s mindset and how to employ your hunting tools effectively, it will be time to familiarize yourself with some best practices. The following actions will take you a step further in detecting adversaries.
1. Get Proactive
You will notice that attackers jump on new exploits as soon as they drop and will go to the extent of purchasing zero-days from underground forums and the Dark Web. As a hunter, it’s important for you to use some of the same tactics when preparing for future attacks. Research by getting into forums to discover the latest exploits being run in the wild, and get your hands dirty by actively looking for incidents within your network. While you’re at it, keep an eye on outlier detections, which may be caused unintentionally by non-malicious individuals.
The value of joining forums and communities is that people often come up with ideas that sometimes work. Check out Malware Archaeology’s logging cheat sheets, for instance. There you will gain insight into advanced logging and learn some Splunk search strings.
2. Use Best Practice for Drills
While conducting attack drills and tests in your controlled environments, be sure to follow best practice. An example of a good detection framework is the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework. Endgame calls this a “revolution in security” and Red Canary refers to it as the “best current repositories of attacker tactics.”
3. Look for “Known Bad”
There are tools you can use to perform advanced endpoint scanning, going beyond antivirus solutions. For instance, consider the Loki IOC scanner or Spark Core. These tools produce results that can be ingested into your SIEM. They also allow you to compile your own YARA signature set to use alongside the default rules that Florian Roth, their author, provides.
4. Enforce Strict Password Management
Strong passwords can stop an attacker, or at least slow them down, before they get further into their attack. Strong, complex passwords mean that significant time and effort must be invested to crack them, and, better still, using a different password for every account safeguards your organization from attacks that rely on credential reuse.
How then can your multiple complex passwords be managed?
Enter password managers. You can use a centralized password manager combined with a YubiKey or a software token such as Authy. This approach to password management is highly effective and works with managers such as KeePass, Dashlane, Password Safe, 1Password and even LastPass.
By now it should be clear that a large part of detecting the adversary depends on how your organization conducts its threat hunts. A hunter equipped with the right tools and strategy will always be ahead of a determined adversary. If you prepare adequately, master the defensive concepts and leverage the tools as described above, you will come close to eliminating the red flags discussed above.
As technology evolves every day, attaining a position of full security is a temporary achievement. Threat hunting should be a continuous exercise. But by learning how to detect adversaries before they know you’ve spotted them, you can take your threat hunting to the next level and earn yourself a little more peace of mind.
- Threat Hunting: Ten Adversary Behaviors to Hunt For, Sqrrl
- Blue Team Tips, Sneaky Monkey
- Automating the Empire with the Death Star: getting Domain Admin with a push of a button, byt3bl33d34 (GitHub)
- The ATT&CK Matrix Revolution In Security, Endgame
- Red Canary Introduces Atomic Red Team, a New Testing Framework for Defenders, Red Canary