There’s a strong chance you know what your organization is trying to protect. In many cases, this is probably in the form of data. It could be customer data, trade secrets, or other forms of classified information. This data can be stored in many places: databases, email, and file shares, to name a few. From advanced adversaries to ransomware, data is a target. The largest data breaches of 2017 were discovered after the fact—meaning the data had already been lost. In this post, the goal is to go on a threat hunt for network share recon. In particular, the objective is to find early signs of abnormal network reconnaissance before catastrophe strikes.
In 2015, a targeted attack was discovered. Exposed by Cymmetria, the campaign was known as Patchwork. Their findings showed that the campaign targeted “personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea.” While that is not news to some, one notable action taken by the actor was an attempted connection to a discovered host via Remote Desktop Protocol (RDP). After failed brute force attempts, the attacker moved on to another target. This fact may seem insignificant; however, the RDP server itself was a decoy. These alerts provided an early warning and additional details on the behavior of the attacker.
What is your team hunting for in 2018? If you don’t know, how can you be sure you are positioned to safeguard your organization?
In the days of old, threat hunting was regarded as an ad hoc service for an organization. It is now an intrinsic part of an organization’s defensive posture and provides the organization the ability to be nimble and seek out threat actors in their environment based on the most recent attacker TTPs. Threat hunting has undeniable return on investment for an organization, but with threat actor dwell times still averaging in the hundreds of days, the investment matters more.
In my previous blog, I explored where certain areas of Active Defense could be used to help seed a hunt. These techniques allow the Threat Hunter to go on the offense (in terms of more proactive defense). This is
For this example, I will limit my search to just high-value targets, such as the domain admin accounts.
Authentication requests are used to identify accounts or users that are allowed to access the network and its resources. Similar to legitimate authentication, attackers may use compromised or distinct accounts to identify themselves to an authentication server, and may also use existing accounts in order to blend in with normal authentication traffic.
Varying degrees of attacking back have been hotly debated for years, with concerns ranging from fear of retaliation to collateral damage. Proponents claim that what we as a security collective have been doing for years is simply not working. The truth is, breach after breach is reported despite the millions, if not billions, of dollars spent by organizations to secure their assets. I will not try to solve the debate here; however, as a threat hunter, there are certain areas of Offensive Countermeasures, or Active Defense, that can readily be used to track down an adversary—and hopefully before any real damage occurs.
In the first part of this series, I discussed how suspicious file types could lead to the discovery of malicious activity. I also discussed how to hunt for suspicious file types traversing your network using data sources like HTTP proxy events. In this article, I’ll continue our focus on hunting for suspicious file types by examining the presence and execution of files on the host. I’ll also discuss additional steps you can take to help investigate suspicious file types once you’ve discovered them on your network or systems.
In our Boston Bsides 2016 talk, David Bianco and I briefly mentioned the use of isolation forests to find unusual behavior in cybersecurity log files. Today, we will take a deeper dive into the techniques that we experimented with. These experiments were run in collaboration with Dimitar Karev, our RSI intern. The results we present here are also discussed in a paper that Dimitar wrote for CompSysTech’17. In our experiments, we look at HTTP log data to explore isolation forests’ capability to find malicious outliers under various conditions. We also explore tuning the algorithm parameters and feature space to produce optimal results.
“How do I hunt?” is the instinctive first question uttered by anyone with a mind to build a threat hunting program. Any answer should, as with all good philosophies, change over time: you get new information, gain new experiences, and so on. The only sure answer is never a singular one. Any threat hunting initiative is a daunting task. This stuff is hard. It’s not even the actual technical competencies that are hard; it’s the logistics of it all. This post endeavors to define a starting point by offering varied plans of attack, how they influence the success of a hunt team, and how Sqrrl can help with those plans.