Security Operations
Threat hunting
Learning objectives
Understand the technical details of threats and threat actors;
Understand what threat hunting is;
Understand the concept of threat intelligence;
Be able to use MITRE ATT&CK to perform threat hunting.
Threat hunting
The process of actively searching for evidence of previously undetected cyber threats;
A complementary proactive approach to the reactive approach of standard SOC activity;
Threat intelligence
https://www.securnite.com/index.php/onepress_service/cyber-threat-intelligence/
[Figure: IoC sharing scenario. Labels recovered from the slide: Company A, Company B, Company C, Vendor labs, Update Server, TI database, Company D. Malware behaviour of email.exe: get payload from x.x.x.x; download from http://abc.com; scan for sensitive data; copy data; send to [email protected]. Company D scans its files and checks with TI: query with IoC, response.]
Indicators of Compromise (IoC) extracted from email.exe:
| Hash | File name | IP | URL | Email |
| # | Email.exe | x.x.x.x | Abc.com | [email protected] |
Threat intelligence
Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets. - Gartner
In short:
TI is a database of IoC
It is a subscription-based service offered by many vendors
Threat Intelligence Communication Standards
Cyber Threat Intelligence (CTI) standards facilitate the exchange of threat information by specifying data structures and communication protocols:
Structured Threat Information Expression (STIX) - a specification for exchanging cyber threat information between organizations.
Trusted Automated Exchange of Indicator Information (TAXII) - a specification for an application-layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
https://oasis-open.github.io/cti-documentation/
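As an added example (not from the slides), the Python below builds a STIX 2.1 Bundle of Indicators from IoCs shaped like the table in the threat-intelligence figure above, then checks locally observed files and connections against it, which is the "check with TI" step Company D performs in that figure. The IoC values, the observation format and the single-comparison pattern matcher are assumptions; production code would use the OASIS stix2 library and fetch the bundle over TAXII.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed IoCs with the columns of the slide's table; all values are placeholders
# (dummy SHA-256, 203.0.113.10 documentation address for x.x.x.x, invented e-mail).
IOCS = {
    "file:hashes.'SHA-256'": "a" * 64,
    "file:name": "email.exe",
    "ipv4-addr:value": "203.0.113.10",
    "url:value": "http://abc.com",
    "email-addr:value": "attacker@example.com",
}

def make_indicator(object_path, value):
    """Build a STIX 2.1 Indicator whose pattern is a single equality comparison."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts, "pattern_type": "stix",
            "pattern": f"[{object_path} = '{value}']"}

def make_bundle(iocs):
    """One Indicator per IoC inside a STIX Bundle, the unit a TAXII server hands out."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(p, v) for p, v in iocs.items()]}

# Only single-comparison patterns are handled; real feeds also use AND/OR and wildcards.
_PATTERN = re.compile(r"^\[(?P<path>[^\s=]+) = '(?P<value>[^']*)'\]$")

def parse_pattern(pattern):
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group("path"), m.group("value")

def match_observations(bundle, observations):
    """(observation, indicator id) pairs for each indicator whose pattern matches.
    Observations are dicts keyed by STIX object path, e.g. {"file:name": "email.exe"}."""
    hits = []
    for ind in (o for o in bundle["objects"] if o["type"] == "indicator"):
        path, value = parse_pattern(ind["pattern"])
        hits += [(obs, ind["id"]) for obs in observations if obs.get(path) == value]
    return hits

# Constructed local observations: Company D scanning its files and checking them against TI.
OBSERVATIONS = [
    {"file:name": "email.exe", "file:hashes.'SHA-256'": "a" * 64},  # hits two indicators
    {"ipv4-addr:value": "203.0.113.10"},                             # hits one
    {"url:value": "http://example.org/index.html"},                  # benign, no hit
]
```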
Cyber Threat Indicators
Each attack has unique identifiable attributes that are known as cyber threat indicators or simply attack indicators.
Automated Indicator Sharing (AIS): a CISA system that enables sharing of verified attack indicators with public and private sector organizations using STIX and TAXII.
https://www.cisa.gov/ais
Threat Intelligence feeds
https://socradar.io/the-ultimate-list-of-free-and-open-source-threat-intelligence-feeds/
AlienVault (https://otx.alienvault.com/ )
SANS Internet Storm Center (https://isc.sans.edu/)
Threat Intelligence platforms (TIPs) provide:
the consolidation of threat intelligence feeds from multiple sources,
automated identification and containment of new attacks,
security analytics, and integration with other security tools like SIEM.
https://www.esecurityplanet.com/products/threat-intelligence-platforms/
Threat hunting model
https://www.securonix.com/threat-hunting-architecture/
TaHiTI - Threat Hunting methodology
Targeted Hunting integrating Threat Intelligence
https://www.betaalvereniging.nl/en/safety/tahiti/
Map threats to ATT&CK
Process of mapping to ATT&CK
Find the behaviour: what does the adversary do?
Research the behaviour
Translate the behaviour into a tactic
Figure out what technique applies to the behaviour
Optional: compare the results among analysts
1. Find the behaviour - example
The most interesting PDB string is the “4113.pdb,” which appears to reference CVE-2014-4113. This CVE is a local kernel vulnerability that, with successful exploitation, would give any user SYSTEM access on the machine.
The malware component, test.exe, uses the Windows command "cmd.exe /C whoami" to verify it is running with the elevated privileges of "System" and creates persistence by creating the following scheduled task:
schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"
When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. The malware sends the SOCKS5 connection request "05 01 00" and verifies the server response starts with "05 00".
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
2. Research the behaviour - example
Use Google, and speedguide.net for port numbers.
3. Translate the behaviour into a tactic
What is the adversary trying to accomplish? The tactics differ per ATT&CK matrix:
ICS: Initial Access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control, Impact
Enterprise: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Mobile: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
https://attack.mitre.org/tactics/enterprise/
TA0043 Reconnaissance: The adversary is trying to gather information they can use to plan future operations. Pre-attack: before trying to break into a system, OSINT and information gathering so that an operation can be successful.
TA0042 Resource Development: The adversary is trying to establish resources they can use to support operations. Turn the OSINT findings into the resources needed to support operations, e.g. writing malware, registering domains, buying VPNs.
TA0001 Initial Access: The adversary is trying to get into your network. Initial foothold: phishing, getting into a supply chain; the first steps to get into an environment.
TA0002 Execution: The adversary is trying to run malicious code. Have adversary-controlled code running on a victim system, e.g. via buffer overflows or a user clicking on a piece of malware.
TA0003 Persistence: The adversary is trying to maintain their foothold. Survive credential changes, reboots or any other interruption that could cut off their access and keep them from coming back in; e.g. malware that restarts upon reboot, ensuring that access is open for future attempts to come into the environment.
TA0004 Privilege Escalation: The adversary is trying to gain higher-level permissions. They need to be administrator or root, beyond a normal user, in order to accomplish their goals.
TA0005 Defense Evasion: The adversary is trying to avoid being detected. E.g. naming files after another common system utility; hiding tools from security systems running on a computer.
TA0006 Credential Access: The adversary is trying to steal account names and passwords. Dumping them from the local system, or getting them off the domain controller.
TA0007 Discovery: The adversary is trying to figure out your environment. Where am I, where did I land, is this the system I want, or do I want to get into another computer?
TA0008 Lateral Movement: The adversary is trying to move through your environment. Get onto remote systems, e.g. via Remote Desktop Protocol to another system or Secure Shell across the network.
TA0009 Collection: The adversary is trying to gather data of interest to their goal.
TA0011 Command and Control: The adversary is trying to communicate with compromised systems to control them.
TA0010 Exfiltration: The adversary is trying to steal data. Send data out of the door.
TA0040 Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data (the CIA triad: confidentiality, integrity, availability).
3. Translate the behaviour into a tactic
Example (the Operation DoubleTap excerpt quoted above, one tactic per highlighted behaviour):
| Behaviour | Tactic |
| SOCKS5 connection to 192.157.198.103 ("05 01 00" request, "05 00" response) | Command & control |
| Connection made over TCP port 1913 | Command & control |
| schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System" | Persistence |
| 4113.pdb referencing CVE-2014-4113, a local kernel vulnerability giving SYSTEM access | Privilege escalation |
| "cmd.exe /C whoami" to verify it runs as System | Execution/Discovery |
4. Figure out what technique applies
Example (same excerpt, one technique per behaviour):
| Behaviour | Tactic | Technique |
| SOCKS5 handshake ("05 01 00" / "05 00") over raw TCP | Command & control | Non-Application Layer Protocol (T1095) |
| TCP port 1913 | Command & control | Non-Standard Port (T1571) / Multi-Stage Channels (T1104) |
| schtasks /create ... /sc ONLOGON /ru "System" | Persistence | Scheduled Task/Job: Scheduled Task (T1053.005) |
| 4113.pdb / CVE-2014-4113 kernel exploit for SYSTEM access | Privilege escalation | Exploitation for Privilege Escalation (T1068) |
| "cmd.exe /C ..." | Execution | Command and Scripting Interpreter (T1059) |
| whoami | Discovery | System Owner/User Discovery (T1033) |
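Added example (not from the slides or the FireEye report): detection logic that tags constructed process-creation events and TCP sessions with the technique IDs from the mapping above, so the same mapping can be turned into a hunting query. The event field names, the SOCKS handshake check and the port heuristic are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style). The first two command lines
# come from the report excerpt; the third is a benign task, included to show what is not flagged.
EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"'},
    {"image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "cmd.exe /C whoami"},
    {"image": r"C:\Windows\System32\schtasks.exe", "user": r"CORP\alice",
     "cmdline": r'schtasks /create /tn "Backup" /tr C:\Tools\backup.exe /sc DAILY'},
]

# Constructed TCP sessions as (dst_port, first client bytes, first server bytes).
SESSIONS = [
    (1913, bytes.fromhex("050100"), bytes.fromhex("0500")),    # SOCKS5 greeting on an odd port
    (443, bytes.fromhex("16030100"), bytes.fromhex("160303")), # TLS, must be left alone
]

def tag_process_event(ev):
    """Map one process-creation event to the ATT&CK technique IDs used on the slide."""
    cmd, exe = ev["cmdline"].lower(), ev["image"].lower().rsplit("\\", 1)[-1]
    techniques, flags = [], []
    if exe == "schtasks.exe" and "/create" in cmd:
        techniques.append("T1053.005")  # Scheduled Task/Job: Scheduled Task
        if re.search(r'/ru\s+"?system"?', cmd):
            flags.append("runs-as-system")
        if re.search(r'/tr\s+"?c:\\users\\public\\', cmd):
            flags.append("binary-in-user-writable-dir")
    if exe == "cmd.exe" and re.search(r"\s/c\s", cmd):
        techniques.append("T1059")  # Command and Scripting Interpreter
    if re.search(r"\bwhoami\b", cmd):
        techniques.append("T1033")  # System Owner/User Discovery
    return {"techniques": techniques, "flags": flags}

def tag_tcp_session(dst_port, client_bytes, server_bytes):
    """SOCKS5 handshake (05 01 00 / 05 00) over raw TCP -> T1095; not on 1080 -> also T1571."""
    techniques = []
    if client_bytes[:3] == b"\x05\x01\x00" and server_bytes[:2] == b"\x05\x00":
        techniques.append("T1095")  # Non-Application Layer Protocol
        if dst_port != 1080:        # 1080 is the registered SOCKS port
            techniques.append("T1571")  # Non-Standard Port
    return techniques

def hunt(events, sessions):
    """Collect every event or session that maps to at least one technique."""
    findings = [("process", ev["cmdline"], tag_process_event(ev)) for ev in events
                if tag_process_event(ev)["techniques"]]
    findings += [("network", f"tcp/{port}", {"techniques": t, "flags": []})
                 for port, c, s in sessions if (t := tag_tcp_session(port, c, s))]
    return findings
```

The benign DAILY task still carries T1053.005 but no flags, which is the signal an analyst uses to prioritise the SYSTEM task launched from C:\Users\Public.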
Exercise
Download mitra-attack-inclass-exercise.pdf from Canvas.
Make groups of 5 students.
Read through the report and pay particular attention to the highlighted text;
research the behaviour if needed;
translate the behaviour into a tactic by selecting one from the dropdown list;
figure out what technique applies to the behaviour by filling in the textbox.
Group A: pages 1-11
Group B: pages 12-25
Time: 20 minutes
Assignment
Analyse a threat report using the ATT&CK mapping process to find the techniques and sub-techniques, as well as recommendations for mitigation and detection.