Chandrak Trivedi | Cyber Security Analyst | 0xct21
Threat Hunting - Introduction
Threat Hunting is a human-centric process of proactively searching through data to discover cyber threats.
Hunter:
Offensive-based Strategy | Think like an Attacker | Understand Cyber Threats & the Kill Chain | Know the Network Architecture | Data Analysis
Business goals are:
Reducing dwell time and minimizing residual risk by stopping adversaries before they complete their objectives.
The technical goals of threat hunting are:
- Detecting threats that technology alone cannot detect
- Detecting the adversary before the goal is achieved, not only at code execution.
- Detecting advanced attacks that evade security controls
- Detecting TTPs instead of IoCs, and
- Detecting malicious behaviour quicker and more frequently.
Framework/Model for Hunters:
- MITRE ATT&CK - Tactics, Techniques & Procedures (TTPs) - helps identify IoCs and the adversary's methods along entry point > pivot > goals
- Pyramid of Pain
- Cyber Kill Chain
- Diamond Model (can be linked to MITRE ATT&CK and the Kill Chain to perform a defense gap analysis)
Threat Hunt Mindset
Threat Intelligence Division (known/indicator-based detection) - Strategic | Tactical | Operational
As a Hunter, use Tactical (What | When) and Operational (How) information (known-bad hunt)
- Tactical (What | When) > This is where TTPs, the Kill Chain and the Diamond Model are used to identify the adversary's pattern of attacks, also known as the signature.
- "What - they do" | "How - the adversary does it"
Digital Forensics - (technique/anomaly-based/unknown) - Network | Host | Memory Forensics/Analysis
The Hunter still uses TI but goes one step beyond it, analyzing for any IoC - human-based detection
- Attack-Based Hunting | Did … this happen in my network?
- Analytics-Based Hunting | Does anything in … data look malicious?
Threat Hunting Simulation - Practice | Learn
Hunting Start-up:
Threat Intelligence | Know
As a Hunter, keep up to date on:
- Threat intelligence reports,
- Threat feeds (sharing and exchange) and
- IoCs/IoAs
Threat Hunting Hypothesis
Hypothesis Methodology
- Pick a Tactic & Technique
- Identify procedure(s)
- Perform an attack simulation or data analysis
- Collect evidence
- Scope
After a successful hunt, create a detection or optimize the query/rule/signature to close the defensive gap, then proceed with the next hunt.
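As an added example (not part of the original notes), the hypothesis methodology above and the attack-based question "Did this happen in my network?" applied to constructed logon records: the hypothesis is lateral movement over RDP, the procedure looked for is one account fanning out to several hosts in a short window, and the two functions return the evidence and the scope of the hunt. Account names, host names and the window/threshold values are assumptions.

```python
"""Attack-based hunt for the hypothesis "an adversary is moving laterally
over RDP": one account opening RDP logons (Windows logon type 10) to several
hosts within a short window. The records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: (timestamp, account, source host, target host, logon type)
EVENTS = [
    ("2021-10-18T08:01:00", "svc_backup", "WS-17", "FS-01", 10),
    ("2021-10-18T08:03:00", "svc_backup", "WS-17", "FS-02", 10),
    ("2021-10-18T08:04:00", "svc_backup", "WS-17", "DC-01", 10),
    ("2021-10-18T08:06:00", "svc_backup", "WS-17", "SQL-01", 10),
    ("2021-10-18T09:00:00", "jdoe", "WS-03", "FS-01", 10),       # normal: 2 hosts, hours apart
    ("2021-10-18T13:00:00", "jdoe", "WS-03", "FS-02", 10),
    ("2021-10-18T08:02:00", "admin.it", "JUMP-01", "FS-01", 3),  # network logon, not RDP
]

def hunt_rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Evidence step: return {account: {"sources": [...], "targets": [...]}} for
    every account whose RDP logons reach at least `min_hosts` distinct targets
    inside any `window`-long period (assumed thresholds; tune them per network)."""
    by_account = defaultdict(list)
    for ts, account, src, dst, logon_type in events:
        if logon_type == 10:  # 10 = RemoteInteractive, i.e. RDP
            by_account[account].append((datetime.fromisoformat(ts), src, dst))
    evidence = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _, _) in enumerate(logons):
            # sliding window: distinct targets reached within `window` of this logon
            targets = {dst for t, _, dst in logons[i:] if t - start <= window}
            if len(targets) >= min_hosts:
                evidence[account] = {
                    "sources": sorted({s for _, s, _ in logons}),
                    "targets": sorted(targets),
                }
                break
    return evidence

def scope(evidence):
    """Scoping step: every host a flagged account touched, as input to containment."""
    hosts = set()
    for finding in evidence.values():
        hosts.update(finding["sources"])
        hosts.update(finding["targets"])
    return sorted(hosts)
```

Once the thresholds have been tuned against real data, the same `window`/`min_hosts` pair is what becomes the detection rule for the next step.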
Advisory Published - October 2021
Important Advisory/Best Practices - Sept 2021
Date:10/18/2021 >> BlackMatter Ransomware
Recommendation:
- Use multi-factor authentication.
- Implement Detection Signatures
- Use Strong Passwords
- Patch and Update Systems
- Limit Access to Resources over the Network
- Implement Network Segmentation and Traversal Monitoring
- Use Admin Disabling Tools to Support Identity and Privileged Access Management
- Implement and Enforce Backup and Restoration Policies and Procedures
Critical Security Vulnerability Summary - October 2021
Critical List:
Advisory Published - September 2021
Important Advisory/Best Practices - Sept 2021
Date:09/28/2021 >> Selecting and Hardening Remote Access VPNs
Recommendation:
- Configuring strong cryptography and authentication
- Running only strictly necessary features
- Protecting and monitoring access to and from the VPN
Date:09/22/2021 >> Conti Ransomware Advisory
Recommendation:
- Use multi-factor authentication.
- Implement network segmentation and filter traffic.
- Scan for vulnerabilities and keep software updated.
- Remove unnecessary applications and apply controls.
- Implement endpoint and detection response tools.
- Limit access to resources over the network, especially by restricting RDP.
- Secure user accounts.
- Backups
Critical Security Vulnerability Summary - September 2021
Critical List:
Incident Response (IR) Guidelines
"IR planning is the key element in taking the necessary actions when an incident is triggered for a security breach. This can assist in faster remediation and recovery from a security threat."
Incident Response Cycle
Preparation
Policy Creation
- The policy should contain statements that provide authority for incident response, assign responsibility to the IR team, describe the roles of individual users, and state organizational priorities.
Building PPP (Plan/Process/Procedures)
- The Plan is needed to organize things, meet requirements and improve coordination.
- The Process streamlines incident handling and escalation to the correct team/department.
- Develop procedures (playbooks) that describe the steps individuals will follow in the event of a specific type of cybersecurity incident.
Communication
- List of the correct individuals to reach out to during the incident (can also be based on severity)
  - Internal: within the organization
  - External:
    - Customers
    - Public Relations/Media
    - ISP/Vendors
    - Law Enforcement/Regulatory requirements
Technical
- Building strong cybersecurity defenses to reduce the likelihood and impact of future incidents.
- Backups running
- Network equipment (FW)
- AV installed
- Log collection/retention
- Packet capture
- Permissions
- NTP
- SIEM
Testing/Training
- Security awareness and security programs for non-technical staff
- Technical certifications/courses/learning provided to IT professionals.
- Practice makes perfect (testing): simulate live conditions.
Documentation
- Everything needs to be recorded so that it can be referenced.
Detection & Analysis
24x7 Monitoring and Alerting
- SIEM - Logs (Physical & Cloud)
- Network Traffic (IDS/IPS)
- Antivirus
Vulnerabilities
- Internal/External Scans
People
- Insider Threat
Incident Investigation
“Analysis is often more art than science and is very difficult work.”
- Finding odd behaviour/anomalies and documenting all the related information.
- Reverse Engineering
- Note all the actions taken on the incident findings.
- Determine Severity Level Classification.
- Next steps based on incident severity/impact and investigation outcomes.
- Notification (as per the communication list from the preparation phase)
Containment, Eradication, & Recovery
Isolation/Segmentation
- Shut down a system, disconnect it from the network, or disable certain functions.
- Isolation/containment is recommended, to learn the behaviour and keep the evidence intact.
- Sinkhole and redirect malicious network traffic to a sandbox segment.
Removal
- Scan for/manually delete malware until it is completely removed; disable accounts
Sanitization/Reconstruction/Backup
- Rebuild to a known-good state
- Patching
- Permission reviews
- Restoration of services and verification of logging
Documentation
- Confirmation that all infected hosts are in a known-good state
Post-Incident Activity
Lessons Learned
- Recommendations
- Improving security measures/incident handling process
- Using Collected Incident Data
- Risk Assessment
- Controls/implementations
- Actual Root Cause
- Rewrite policies and procedures
- Damage
Evidence Retention/Incident Data
- See NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, for additional information on preserving evidence.
Checklist
- List for verification/review/confirmation (table format)
Report
- Summary Report
Information Sharing
- Coordination / level of information shared (technical/non-technical)
References
[1] CompTIA CySA+ Study Guide (CS0-002)
[2] NIST - Computer Security Incident Handling Guide - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf