Sqrrl Blog

Apr 14, 2016 11:16:00 AM

Cyber Threat Hunting (2): Getting Ready

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/02/05/cyber-threat-hunting-2-getting-ready/ 

In my previous post, I went through the basics of hunting and its benefits for organizations and their analysts. To continue the journey, today I am going to cover the preparations you need to do before you go out there and hunt. 

Many of the activities we do on a daily basis need some degree of preparation, and hunting is no exception. You can improvise, but I suggest you don't: hunting requires a high level of concentration, so you want to focus only on what is important for the hunt.

The following is a list of basic things to have ready before you start the hunt. You can modify the list according to your needs; however, it should cover the basics.

  1. Technology deployed in your network and its layout
  2. Network baseline
  3. Device log format
  4. Tools
  5. Most valuable assets of your network (Crown Jewels)
  6. Understanding of the attack life cycle

1. Technology deployed
Before you start hunting, it is very important to understand all the technology used in your network. You should be able to identify the brand, how it is used and what for. It is also very important to understand the layout of your organization's network.

2. Network Baseline
This one is a no-brainer. If hunting is detecting anomalous behaviour, or deviation from the baseline, it makes sense to start by understanding the normal flows of information and behaviour in the network you are protecting.

3. Device log format
Understanding all the log formats your network devices throw at you is extremely important. Do this well in advance of the hunt; you will not enjoy studying your logs while also trying to find the needle in the haystack.

4. Tools
The tools you choose will influence the result of your hunting exercise. If you choose bad tools that do not support your objective or do not perform as expected, you will not get the results you are aiming for.

5. Your Crown Jewels
Where is your most valuable information in the network? This is one of the most important questions you have to answer about your organization. You will not deploy resources where the value of your assets is low; you will want to maximize the resources available to protect the most sensitive zones in your network.

6. Understand the attack life cycle
It is vital for you and your organization to understand, in detail, the kill chain and attack life cycle, so that you can stop your adversary in his tracks and minimize the impact on the organization in case of compromise.

The reality check.

This is the best part. In many organizations, you may not have some of these basics, such as the network layout, the baseline and the crown jewels. It is not that your organization is ugly; it is simply that many networks were built in recent decades and scaled up very fast to support the business, so they were not well documented.

Unfortunately, these are the most important of the basics; the others are mostly operational and you can acquire them with ease.

What happens after the reality check?

Special Forces vs. guerrilla fighters

I know what you are thinking…

You thought you were doing special operations when the reality is that you are going to be doing guerrilla warfare. If you have a security visualization tool and a data analytics solution, you are well equipped. Together, the two provide the best support for hunting: visualization helps make sense of large amounts of information and pinpoint anomalies, which can then be investigated in detail through data analytics.

We will go through different techniques to detect adversaries inside the network using only logs, without the help of advanced solutions. This approach requires you to understand very well the current techniques adversaries use to get into your network, establish persistence, pivot and ultimately exfiltrate information. This is probably the most challenging part of this journey: you need to stay up to date on their tactics, techniques and procedures (TTPs).

The only tool I would recommend is a scripting language to help you parse and filter the logs, although you could choose to go through 5,000 lines of logs without it. Good luck.
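As an added example (not part of the original post), here is the kind of small script the scripting-language recommendation above points at, tying together the network baseline from item 2 and the log parsing from item 3: it learns which domains each client normally resolves from a "known good" window of DNS logs, then flags deviations in a later hunt window. The log format and all log lines are constructed for the example and do not correspond to any real device.

```python
from collections import defaultdict

# Constructed sample logs in an assumed format "<timestamp> <client_ip> <queried_name>";
# not taken from any real device or from the original post.
BASELINE_LOG = """\
2016-02-01T08:00:01 10.0.0.5 intranet.example.local
2016-02-01T08:00:03 10.0.0.5 update.vendor.example
2016-02-01T08:05:10 10.0.0.7 intranet.example.local
2016-02-01T09:12:44 10.0.0.7 mail.example.local
"""
HUNT_LOG = """\
2016-02-05T08:00:02 10.0.0.5 intranet.example.local
2016-02-05T08:00:09 10.0.0.5 a1b2c3.cdn-static.example
2016-02-05T08:00:11 10.0.0.5 d4e5f6.cdn-static.example
2016-02-05T08:00:13 10.0.0.5 g7h8i9.cdn-static.example
2016-02-05T09:30:00 10.0.0.7 mail.example.local
this line is malformed and must be skipped, not crash the hunt
"""

def parse(log_text):
    """Yield (timestamp, client, name) tuples; skip lines that do not fit the assumed format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and "." in parts[2]:
            yield tuple(parts)

def registered_domain(fqdn):
    """Grouping key: the last two labels (a deliberately crude first-pass approximation)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def build_baseline(log_text):
    """Map each client to the set of registered domains it normally resolves."""
    baseline = defaultdict(set)
    for _, client, name in parse(log_text):
        baseline[client].add(registered_domain(name))
    return baseline

def hunt(log_text, baseline, min_names=3):
    """Return (client, domain) pairs absent from the baseline, and the subset of those
    where one client resolved at least min_names distinct names under the new domain."""
    new_pairs, names_seen = set(), defaultdict(set)
    for _, client, name in parse(log_text):
        domain = registered_domain(name)
        if domain not in baseline.get(client, set()):
            new_pairs.add((client, domain))
            names_seen[(client, domain)].add(name)
    noisy = {pair for pair, names in names_seen.items() if len(names) >= min_names}
    return sorted(new_pairs), sorted(noisy)
```

Run it with `hunt(HUNT_LOG, build_baseline(BASELINE_LOG))`: the first list is every client/domain pair never seen in the baseline window, and the second narrows that to pairs where many distinct names appeared under a single new domain, which is a far shorter list to investigate by hand.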

Hunting is about spending a lot of time searching for something that is elusive by nature. APTs are not designed to be easily detected, and if you are going to hunt, you had better be well equipped for it.

What are the best locations to hunt?

The main locations where you can start your hunt are:

  • Perimeter
  • Internal Network
  • Endpoint

In these locations you will have to pull out and correlate information from different devices, such as firewalls, proxies, routing devices and DNS servers, to mention a few. You will also need to understand which indicators may signal the presence of an adversary trying to penetrate, or actively penetrating, your organization.

Which location is the best?

In any of the mentioned locations you can find signals of adversary presence; however, the endpoint is where you will have the highest chance of detecting this activity. The main reason is that, over time, the adversary leaves the largest forensic footprint on the endpoint.

From the charts above, we can infer that in order to detect an intruder we will need to go through different areas of our network. Initial exploitation can be detected at the perimeter or on the endpoint, and command and control can be detected at the perimeter as well. Privilege escalation can be found on the endpoint, and data exfiltration can be detected anywhere in the network. Which log sources to use is something I will cover when I explain the techniques the adversary uses to penetrate, extend and accomplish his mission.

Now we are ready to start hunting! In coming posts I will explain some of the techniques and logs we need to look into in order to detect intrusions.

Hunting in the Dark – HTCIA 2015 from Ryan Kazanciyan

Topics: Cyber Hunting, Threat Hunting, Cyber Threat Hunting