First, a rant. If you are a Twitter fan and have spent any time looking at the #ThreatHunting hashtag, you may have seen that a lot of people and companies talk about hunting but never really explain the methodologies they use or why they use them in the first place. It's really more of a "why you should be hunting." I think this is a disservice to those who want to implement this type of strategy but find it difficult to get started. I would love to see more people share their experiences and less of why we should be doing it. Ok, rant over, sorry.
I spend a lot of time thinking about and studying intrusions while trying to define similarities between all of them. I think that the more similarities I can find across different intrusions and actors, the harder it will be for any adversary to go unnoticed for a prolonged length of time. In a way, I believe this is a step above detecting at the TTP level.
Picture the following scenario.
- A web server running Tomcat is compromised by weak administrative credentials.
- The attacker uploads a war file and installs a webshell.
- The attacker accesses the webshell and executes whoami, which returns the system account.
- The attacker executes several OS commands to determine where he is and where he can go (ipconfig.exe, net.exe, ping.exe…).
- The attacker uploads and executes mimikatz to collect credentials that can be used for lateral movement.
- The attacker attempts to mount the c$ share on several remote machines using the credentials obtained via mimikatz.
- Tools are eventually pushed to the c$ share on a remote machine and executed via wmic.
This example may be overly simplistic and only a small piece of an intrusion, but I think it illustrates the point that I'm going to make. Every intrusion will introduce something abnormal into your environment. These abnormalities are typically seen in the following ways:
- Communication between machines
- User authentication
- Process execution
- Filesystem activity
Just like developing a detection strategy that looks for IOCs across various points of the kill chain, I think it's also important to devise a strategy to hunt for the anomalies that will need to exist when an intrusion occurs. The benefit of hunting for these anomalies is that we are targeting the effects of behaviors and should be agnostic of specific tools or actors.
It is often said that you need to baseline your environment before you can begin detecting anomalous behavior. I'm not sure that I fully agree with this. I think at some point you need to understand what the difference between normal and abnormal looks like, but I don't think it always hinges on baselining. If we build generic queries around least occurrence and first seen, we have a chance of identifying the above as well as many other types of lateral movement or actions on objective.
- Inbound HTTP POST requests with compression extensions by URI path.
- Operating system commands executed by a web server process.
- Explicit logon events by count and time.
- Explicit logon events by process name.
- $ share access by source host and username.
- Process creation spawned by web server process.
- Files being written by web server process.
- Explicit logon by user, hostname and process.
- Failed authentication by source host and username count.
- Files being written to $ share.
Distinguishing normal from abnormal can often be difficult, especially if you look at events singularly. Administrators will generate anomalous events just by their daily activities. Users may generate anomalous events just because a new application was installed or they are working on a new project. I believe that if you devise a strategy to hunt for the above 4 categories of abnormal and start looking at the sum of events across different categories vs. singular events, you can begin to bubble the things that need to be investigated to the top. It may take quite a bit of work to get to this level, but the detection capability will last far beyond a single adversary and single intrusion.
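The two ideas above, generic least-occurrence / first-seen queries and then summing anomalies across categories per host, can be shown together on a small set of normalised log records. The following is an added example written for this post, not code from the original; the event shape (fields `cat`, `host`, `user`, `parent`, `image`, `target`, `path`), the host and user names, and the attack timeline are all constructed to mirror the Tomcat scenario and are not real log formats or data.

```python
"""Least-occurrence and first-seen stacking over constructed events, then a
per-host score that sums the categories in which a host looks abnormal."""
from collections import Counter, defaultdict


def ev(ts, cat, host, n=1, **fields):
    """Build n identical normalised events (constructed helper, not a log parser)."""
    return [dict(ts=ts, cat=cat, host=host, **fields) for _ in range(n)]


# Constructed sample: 2017-03-01 is ordinary activity, 2017-03-02 is the
# intrusion from the scenario (webshell -> OS commands -> C$ access).
EVENTS = (
    # process creation: web server process and its children
    ev("2017-03-01T08:00:00", "process", "web01", 3, parent="tomcat7.exe", image="java.exe")
    + ev("2017-03-01T08:05:00", "process", "wks05", 2, parent="explorer.exe", image="outlook.exe")
    + ev("2017-03-02T02:10:00", "process", "web01", parent="tomcat7.exe", image="cmd.exe")
    + ev("2017-03-02T02:10:05", "process", "web01", parent="tomcat7.exe", image="whoami.exe")
    # explicit logons by host, user and process
    + ev("2017-03-01T09:00:00", "logon", "wks05", 3, user="jdoe", process="explorer.exe")
    + ev("2017-03-01T10:00:00", "logon", "admin01", user="adm.smith", process="mstsc.exe")
    + ev("2017-03-02T02:20:00", "logon", "web01", user="adm.smith", process="cmd.exe")
    # administrative share access by source host, user and target
    + ev("2017-03-01T11:00:00", "share", "admin01", 3, user="adm.smith", target="file01")
    + ev("2017-03-02T02:21:00", "share", "web01", user="adm.smith", target="srv02")
    + ev("2017-03-02T02:22:00", "share", "web01", user="adm.smith", target="srv03")
    # files written by the web server process
    + ev("2017-03-01T08:01:00", "file", "web01", 3, process="java.exe", path=r"C:\tomcat\logs\catalina.log")
    + ev("2017-03-02T02:05:00", "file", "web01", process="java.exe", path=r"C:\tomcat\webapps\cmd\cmd.jsp")
)

# One generic query per category; the first field is always the source host.
QUERIES = [
    ("process", ("host", "parent", "image")),
    ("logon", ("host", "user", "process")),
    ("share", ("host", "user", "target")),
    ("file", ("host", "process", "path")),
]


def stack(events, cat, *fields):
    """Least-occurrence stacking: count each distinct field combination in a
    category and return them rarest first."""
    counts = Counter(tuple(e[f] for f in fields) for e in events if e["cat"] == cat)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def first_seen(events, cat, fields, since):
    """Keys whose earliest occurrence is at or after `since` (ISO-8601 text),
    i.e. combinations never observed in the history before the hunt window."""
    earliest = {}
    for e in events:
        if e["cat"] != cat:
            continue
        key = tuple(e[f] for f in fields)
        if key not in earliest or e["ts"] < earliest[key]:
            earliest[key] = e["ts"]
    return sorted(k for k, ts in earliest.items() if ts >= since)


def rare_keys(events, cat, fields, max_count=1):
    """Combinations seen at most `max_count` times in the category."""
    return [k for k, n in stack(events, cat, *fields) if n <= max_count]


def score_hosts(events, max_count=1):
    """Sum the categories in which each source host has a rare combination.
    A host that is odd in several categories floats to the top; a single odd
    admin event stays near the bottom. Returns (score, host, categories)."""
    hits = defaultdict(set)
    for cat, fields in QUERIES:
        for key in rare_keys(events, cat, fields, max_count):
            hits[key[0]].add(cat)
    return sorted(((len(c), h, sorted(c)) for h, c in hits.items()), reverse=True)


if __name__ == "__main__":
    for key, n in stack(EVENTS, "process", "host", "parent", "image"):
        print(n, key)
    print(first_seen(EVENTS, "logon", ("host", "user", "process"), "2017-03-02"))
    for score, host, cats in score_hosts(EVENTS):
        print(score, host, cats)
```

Run on the constructed data, the single rare events on admin01 (one RDP logon) show up in exactly one category, while web01 is rare in all four, which is the ordering the aggregation is meant to produce. The `max_count` threshold and the `since` cutoff are the two knobs a real deployment would tune against its own volume.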
As always, I would love to know what you think. Feel free to reach out on Twitter (@jackcr) or use the comments section.