Threat Hunting: Remediation
Introduction to Remediation
The majority of a threat hunter’s role is looking for the “needle in the haystack” by using a variety of different tools and techniques to look for threats that may or may not even exist. However, sometimes the threat hunter actually finds something that has slipped past the organization’s defenses. At this point, it’s time to perform remediation.
At this stage in the process, the assumption is that the threat hunter already knows everything there is to know about the threat. They’ve detected signs of compromise, performed an in-depth investigation and ferreted out all its secrets. Now it’s time to get rid of it and move on.
The strategy used by a threat hunter during remediation depends on the sophistication of the hunter and the attack. In some cases, basic remediation strategies may be effective for elimination of the threat. However, advanced adversaries have the ability to detect and evade these steps, meaning that more comprehensive measures may be required.
Basic techniques for remediation
There are many ways to remediate an attack with varying levels of difficulty, sophistication and success. Depending on the sophistication of the adversary and the tools that they use, some techniques may be sufficient in some cases and ineffective in others. In this section, we explore some simple techniques for remediation of threats discovered during threat hunting.
One of the simplest ways of dealing with malware on a computer is triggering a restart. In fact, this response is so widespread that a common question when hearing about a malfunctioning computer is “Have you tried turning it off and back on again?” This type of response is often effective for simple issues, but most malware and threat actors have evolved beyond the point where this is even a threat to their operations.
Malware commonly implements persistence mechanisms, like scheduled task execution, DLL injection and registry modifications, to ensure that it can continue to execute after a system reboot. During the investigation phases of the threat hunt, searching for these types of mechanisms is an important step. Attempting to remove an infection via a reboot will be ineffective if these persistence mechanisms are not disabled and may be a trigger for the next stage of the attack.
Restore from backup
For organizations that are confident of the circumstances of the malware attack but do not want to perform in-depth analysis, restoring from a backup may be a good option for remediation. When performing a threat hunt, it is often relatively easy to identify the initial infection vector. If the threat hunt was initiated in reaction to anomalous behavior by a compromised machine, investigating the cause of the anomalous behavior can help pin down the attack vector. By restoring from a backup predating the attack, the organization can be fairly confident that the threat is eliminated on the compromised machine.
The main limitations of restoring from a backup are the potential organization impacts and the chance of missing malware persistence mechanisms. Using a backup restore to clean up an infection means that a complete restore is necessary in order to be certain that all vestiges of the malware are eliminated. As a result, any data stored on the computer will be eliminated.
Using backup restoration to remove infections also overlooks the potential of persistence mechanisms that are not based on the primary filesystem. Malware may have infected removable media and other systems and can reinstall itself on the restored machine if this media is not sanitized as well. Alternatively, the threat actor may have compromised one or more accounts on the machine and can resume their attack post-restore at their leisure.
For a more targeted approach to malware remediation, killing processes can be a good option. If a threat hunter has performed a comprehensive investigation and isolated the threat to one or more executing programs, then there is no point in affecting the entire machine in the remediation process. A threat hunter can specifically kill each of the affected processes to remove the threat without the need for restoring from a backup.
The main issue with this is that it’s still overkill in many situations. Several different attacks are based on injection of malicious code into an otherwise legitimate process. An advanced threat hunter can identify and remove only the malicious components of an affected process, further decreasing the impact of remediation.
Advanced threat remediation
When dealing with advanced adversaries, traditional threat hunting and remediation techniques are insufficient. When hunting for advanced adversaries, relying on traditional IOCs and signatures simply isn’t enough, and using simple techniques for remediation is more likely to tip off the adversary that they’ve been detected than to do anything to remove them.
Remediation when dealing with advanced adversaries is a multi-stage process. It is vital to cut off every potential point of access when removing their access to the system. Important steps in this process include:
- Identifying and remediating the initial infection vector: Destroying their foothold on the system is useless if they can get right back in again the same way
- Discovering and sanitizing all potentially breached systems: Many threat actors move laterally very rapidly, so the initial infection point is unlikely to be the only compromised system
- Forcing password changes on breached accounts: Any account with anomalous activity (password changes, unusual usage and so on) during the incident should have a forced password change
- Searching for and removing persistence mechanisms: Malware can use several different mechanisms to ensure continued access to the system
- Ensuring integrity of critical system processes: Compare hashes of programs saved on disk and in memory to known-good hashes to ensure that they haven’t been modified or replaced
- Locating and removing lookalike programs: Some attacks rely upon the use of lookalike processes or programs in unusual places in the file system
- Surgically remove malicious code running on the system: When dealing with a malicious thread in a benign process, killing only the thread is a subtler way of cutting off an advanced attacker’s access
When dealing with an advanced adversary, remediation can be a difficult task. The attacker may be actively monitoring the state of the compromised system and may take steps to hide from you or diminish the effectiveness of remediation strategies. Comprehensively investigating the threat (in a subtle way) before taking any remediation steps decreases the probability of an oversight making the remediation process a waste of time.
Developing your threat remediation capabilities
Effectively remediating threats discovered during a threat hunt requires an understanding of what malware and threat actors can and will do. The cyberthreat landscape is continuing to evolve, and new threats like fileless malware are designed for the sole purpose of circumventing traditional threat hunting strategies. Without understanding the potential threats and what to look for, the probability of an unsuccessful remediation is high since a single overlooked registry key can be enough to restore an otherwise-eradicated infection.
All of the other phases of the threat-hunting process are built up for remediation. Taking the time to completely understand the threat allows you to surgically remove it, minimizing organizational impact and maximizing your effectiveness. Taking the time to study potential attack vectors (the MITRE ATT&CK framework is a great resource) is definitely worth the time and will pay off in your remediation efforts.
- Hunt Evil: Your Practical Guide to Threat Hunting, Sqrrl
- Detecting Modern Adversaries: Why Signatures Are Not Enough, Endgame
- Serious Threat Hunting: Hunting for Advanced Adversaries Without Indicators of Compromise, RSA 2016
- MITRE ATT&CK, Mitre
We've encountered a new and totally unexpected error.
Get instant boot camp pricing
A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.