Threat Hunting for File Hashes as an IOC
Threat Hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” This is a proactive measure which is on top of the traditional reactive ones like IDS, Firewall, and SIEM.
IOCs – What, Why & How
Indicators of Compromise consists of “artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.” These mainly consist of Hash Values, Malicious IP’s, Malicious Domain names, Host and Network artifacts, Exploit tools and TTPs (Tactics, Techniques, and Procedures). Identification of the IOC’s is used for early detection of future attack attempts using intrusion detection systems and antivirus software.
When dealing with IOC, we need to have a clear understanding and procedure in place for deriving efficient and effective results. Some of the questions that help nudge in the right direction are as follows:
- What is it that you are looking for?
- Where will you find it?
- How do you intend to use it?
The Pyramid of Pain
The widely discussed concept of categorizing IOC’s, known as ‘THE PYRAMID OF PAIN‘ categorizes Hash Values at the base of the pyramid termed as Trivial. Fundamentally, this encompasses values such as MD5, SHA1 and similar artifacts that represent specific suspicious or malicious files. They come in handy, for establishing a unique identification for specific malware/ malicious samples which have been observed in a security incident. Today due to the dynamic nature of adversaries and threat campaigns, it is often redundant keeping track of them without additional context and contextualization.
Threat Hunting and Threat Intelligence both talk extensively about Indicators of Compromise such as Hash values for their processes. Threat Intelligence is the provider of these Indicators with additional context, making it possible for a Threat hunter to get into action right away. One of the ways in which Threat Hunting platforms like Endgame, Sqrrl, and Cybereason optimize their usage of IOC’s like Hash value is by not generate more than one alert when testing the same sample for more than one occurrence on the same endpoint.
Thus, Numerous alerts of the same filename and hash on the same endpoint are suppressed by the platform to minimize the alert fatigue and enable enterprise-wide contextualization of the analyzed hash.
They achieve this by processing the hash and running an enterprise search to identify endpoints where the same file was executed, the full path and source (registry), along with the number of times it was initiated, the process name, user, PPID, domain and First seen – Last seen. Security analysts use these IOC’s to aid in their overall analysis and mitigation strategy for hunting activities for systems that may have already been compromised.
They do that by adding them to the hunting lists on endpoint detection and response (EDR) solutions as well as network- and host-based blacklists to detect and deny malware implantation and command-and-control (C2) communication.
These platforms hunt for malicious activity, through a unique set of analytics aimed to identify signature-based, known attacks as well as unknown attacks. These are identified based on behavioral as well as community-sourced indications of compromise and threat feeds. These Hunting Engines looks for interconnected anomalies and risk indicators (collectively, “evidence”).
When sufficient evidence is found, the engine reports the detection of malicious activity. This enables the analyst at this point in the investigation, to accurately determine that the file in question is malicious in nature. From this point onward, the same can be investigated further for static and dynamic analysis. Most organization have now started implementing an Automation and Orchestration platform like Demisto to streamline and automate the process of responding to an IOC.
Automation & Orchestration
DEMISTO is one such platform which investigates the presence of a file hash and open network connections in the environment. These platforms can query various Endpoint Detection & Response (EDR) solutions for such data points. If the Endpoint Detection platform can identify the file with the given Hash Value, then the affected system can be determined as infected or compromised. The resolution in such cases may differ based on the organization’s response strategy. Ideally, the best practice is to quarantine the impacted system and conduct analysis to determine the infection vector and propagation.
However, the overall effectiveness can go far beyond that, Demisto explains their complete functionality as such “Security orchestration involves interweaving people, processes, and technology most effectively to strengthen the security posture of an organization. By streamlining security processes, connecting disparate security tools and technologies, and maintaining the right balance of bot powered security automation and human intervention, security orchestration empowers security professionals to effectively and efficiently carry out threat hunting and incident response.”
Now while we are talking about utilizing a Threat hunting platform for investigating for maliciousness with IOC’s such as hashes, it is important to remember that the same platform can be utilized to hunt for more covert attack vectors such as Fileless Malware. Fileless attacks, such as process injection, allow attackers to execute malicious code within legitimate processes to avoid detection.
Such attacks are now becoming more and more frequent and sophisticated, in the recent times, we had such malware observed in the Russian targeted attacks against Ukraine’s critical infrastructure. E.g., Fancy Bear and Cozy Bear, which are deemed to be Russian GRU and FSB nation-state malware. All matured Threat Hunting platforms have detection mechanism for such attacks, which focuses on Credential dumping, Credential manipulation, Event collection, Exploit execution, Malicious file configuration, permission theft and most important process injections to look for such behavior. In case of a malicious process injection, the investigation will kick off with information about the source of the injection and the injected process, including the thread IDs.
For effective threat hunting, it is essential to understand how a threat unfolds so that we as defenders can surgically intercept them. An example would be a recent campaign by FIN8, a well-known Threat Group which was targeting selected individuals in several corporations.
Knowing the intention of the attacker and the modus operandi, we can focus on analyzing all malicious macros delivered to our organization as part of a suspected spear-phishing campaign (we can also refer to the IOC’s such as Hash values from the previous or ongoing campaign) and look for additional downloaded code used by FIN8. Aspects of the FIN8 arsenal include code that is present only in memory, which will require memory analysis tools or equivalent visibility hence having a matured Threat Hunting platform will make the hunting process streamlined and efficient.