There’s a strong chance you know what your organization is trying to protect. In many cases, this is probably in the form of data. It could be customer data, trade secrets, or other forms of classified information. This data can be stored in many places: databases, email, and file shares, to name a few. From advanced adversaries to ransomware, data is a target. The largest data breaches of 2017 were discovered after the fact, meaning the data had already been lost. In this post, the goal is to go on a threat hunt for network share reconnaissance. In particular, the objective is to find early signs of abnormal network reconnaissance before catastrophe strikes.
In 2015, a targeted attack was discovered. Exposed by Cymmetria, the campaign was known as Patchwork. Their findings showed that the campaign targeted “personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea.” While that is not news to some, one notable action taken by the actor was an attempted connection to a discovered host via Remote Desktop Protocol (RDP). After failed brute force attempts, the attacker moved on to another target. This may seem insignificant; however, the RDP server itself was a decoy. The alerts it generated provided an early warning and additional details on the behavior of the attacker.
What is your team hunting for in 2018? If you don’t know, how can you be sure you are positioned to safeguard your organization?
In the days of old, threat hunting was regarded as an ad hoc service for an organization. It is now an intrinsic part of an organization’s defensive posture and provides the organization the ability to be nimble and seek out threat actors in their environment based on the most recent attacker TTPs. Threat hunting has undeniable return on investment for an organization, but with threat actor dwell times still averaging in the hundreds of days, the investment matters more.
In my previous blog, I explored the areas where Active Defense could be used to help seed a hunt. These techniques allow the Threat Hunter to go on the offense (in terms of more proactive defense). This is
For this example, I will limit my search to just high-value targets, such as the domain admin accounts.
Authentication requests are used to identify accounts or users that are allowed to access the network and its resources. Similar to legitimate authentication, attackers may use compromised or distinct accounts to identify themselves to an authentication server, and may also use existing accounts in order to blend in with normal authentication traffic.
Fortune 50 Company
Full packet capture, Proxy logs, DNS logs, Endpoint data
Preferred Hunting Techniques
Baselining, Outlier analysis, Behavioral analysis
NetWitness, Splunk, Wireshark
Varying degrees of attacking back have been hotly debated for years, with concerns ranging from fear of retaliation to collateral damage. Proponents claim that what we as a security collective have been doing for years is simply not working. The truth is, breach after breach is reported despite the millions, if not billions, of dollars spent by organizations to secure their assets. I will not try to solve the debate here; however, as a threat hunter, there are certain areas of Offensive Countermeasures, or Active Defense, that can readily be used to track down an adversary, and hopefully before any real damage occurs.