Tag Archives: Hunting

TTP-Based Threat Hunting – Why and How?

In its simplest definition, threat hunting is a process to identify whether adversaries reached to the organization’s network or not.

Despite many precautions taken at the perimeter level and many technologies used, breaches cannot be prevented. As a result of this situation, technologies to detect whether an attacker is inside have also come to the fore in recent years. EDRs and NDRs are mostly developed and used for detecting and they use many different methods for this.

Pyramid of Pain

In the event of a breach, the most important way to lower dwell time is to implement a regular and continuous threat hunting process. Earlier, as discussed in pyramid of pain, there are several methods for threat hunting like using signatures, IoCs, anomaly detection or TTPs.

A signature can be IP addresses, domains, or file hashes about the threat actor but as you can see above, they are at the bottom of the pyramid. Because they can be changed very easily by the attacker and these information mostly include false positives. When attackers register a new domain, or get a new IP address, it will be a 0-day for the organization and will be impossible to detect the attack via IoC sweep.

Therefore, using the attackers’ TTPs for threat hunting will give much more accurate results. Attackers do not change the techniques that they are using frequently, especially if they have been successful before with these techniques. The MITRE ATT&CK framework is the best way for this technique. Many organizations have adapted their infrastructure to miter or continue to work on this issue. If they haven’t started this yet, they should start as soon as possible.

Threat Intelligence: For a better and continuous threat hunting, threat intelligence is essential. There are lots of techniques and tactics in Att&ck and analysts must decide with threat intel where to start. For a start, it may be a good method to start by identifying the actors that will threaten them depending on the country, region and sector of the organization. This process will prioritize TTPs for hunting. It must be ensured that the threat intel provides this information up-to-date.

Developing Hypotheses: After prioritizing the TTPs for hunting, next step is to creating the hypotheses. This step means determining the data that should be collected to detect the adversarial behavior. According to the required data, it is determined with which security controls the detection should be made.

At this stage, also there is a need to make a gap analysis to be ensure that we can detect all the related activity. If necessary, other security controls should be added. This process can be done with security validation tools like Verodin, since In Verodin all tests and reports are Att&ck based. Hunt teams should correct both they can get needed logs from every piece of the network and these logs are sent to SIEM regularly. So Verodin also should be used for these steps.

This data selection phase also provides to use SIEM more effective. By understanding the adversarial techniques, organizations can reduce the log size by reducing the volume of data collected. This will also allow analysts to encounter fewer false positive alerts and saves time.

The most annoying thing in SIEM administration is the volume of data. Thus, while we are getting data from host or network security controls, we should carry out that we do not send useless data to the SIEM. Be careful about both EDR and especially NDR solutions can create huge amount of data.

A Glimpse into AI and the SOCs of the Future

About twenty years ago, antivirus, IPS and firewall were managed by security teams – mostly organizations had only one information security team, and the most important thing was getting up to date IPS signatures and antivirus database. But, SOCs are growing year by year because of new attack techniques and new security controls to prevent them. Today, an enterprise organization has more than fifty different security technologies to defend against these complex attacks. But, a SOC has two core elements: Security controls and people.

With the increasing number of devices, the logs of all these devices need to be analyzed and interpreted. And the log size that needs to be analyzed has reached enormous amounts. As data grows, human resources must also increase in direct proportion. Meanwhile, one of the biggest problems of the sector is to find trained analysts. We see that many organizations are trying to continue their SOC operations with less personnel than they need. And, these personnel is not only responsible for incident response, but also for red teaming, purple teaming, threat hunting, threat intelligence, and others.

The task of an analyst is not only to examine that log, but also to analyze the logs of other devices with the findings he/she detects after the examination. While the log size increasing day by day, it may take hours in some cases to analyze all these logs for only one incident. Because of these situations, many SOC analysts are experiencing burnout on the job and most of the organizations cannot response to alerts as fast as it should be.

At this very point, AI, the most popular technology of recent years, comes to the aid of SOCs. The use of AI powered autonomous platforms – as an example, Mandiant’s Automated Defense and DarkTrace’s Cyber AI Analyst – have become widespread and looks like it will have a bigger role in future SOCs. These devices can collect logs, analyze, determine and keep analyzing other system’s logs to decide whether the alert is false positive or a real incident. With AI, all these processes are done at machine speed and analysts can get the results in a very short time. So, this provides SOC teams to respond as fast as possible. Additionally, AI makes fewer mistakes than human analysts. In recent years, we saw many cases that although there were logs showing an attack, it was marked as false positive by analysts and closed.

AI is still evolving. As in all other fields, it is obvious that it will add a lot to us in the field of information security in the future. And with this evolving AI, in future SOCs, team member will focus on threat hunting, threat intelligence and red teaming works more. This situation will enable people to do better quality work and to educate themselves.

An Estonian Sentenced Because of Ransomware Conspiracy

The US Department of Justice announced that an Estonian man – Maksim Berezan, 37 – was sentenced to 66 months in prison because of ransomware conspiracy. He was apprehended in Latvia and extradited to the United States.

According to the court documents, Berezan had participated in at least 13 ransomware attacks, seven of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled. Berezan used his ill-gotten gains to purchase two Porsches, a Ducati motorcycle, and an assortment of jewelry.

While we have long been in the business of protecting money, from the earliest days of coins and paper, to plastic, and today’s more accessible and commonplace digital currencies, we also remain in parallel footprint to the evolution of criminal behavior into cyberspace,” said Matthew Stohler, special agent at the US Secret Service.

Ransomware thieves are not safe in any dark corner of the internet in which they may think they can hide from our highly trained investigators and law enforcement partners worldwide. Together with our critical partners we are dedicated to protecting the public and securing every iteration of our money and every part of our national financial infrastructure.

Has Lapsus$ been arrested?

Lapsus$, which is seen as the most active threat group of recent weeks seen as responsible for attacks like Okta, Samsung, Nvidia and others. Before announcing the Okta breach, Lapsus$ also had threatened to breach Microsoft.

At the beginning of the week, Bloomberg reported that the leader of the group may be a 16-year-old English teenager.

After all these events, City of London police have arrested seven teenagers aged 16 to 21 accused of being members of the Lapsus$ group.

According to the BBC, the City of London Police have arrested seven alleged Lapsus$ members, but the leader of the group is among them has not been specified. At the time of the investigation, all of them were released. The investigation continues.

He never said anything about any hacking, but he is good with computers and spends a lot of time on them. I always thought he was playing games. We intend to limit him from computers,” the father of aforementioned boy admitted.

Lapsus$ deploys several tactics to compromise systems that other threat actors use less frequently.

Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” said Microsoft in their blog about tactics and techniques of Lapsus$.

Lapsus$ also prefer to use Telegram for their announcements instead of forums in Dark Web or social media. Lastly, the group announced on Telegram that they will be on vacation until 30th of March, just after Okta breach.

Meanwhile, the group announced a new member as new chat moderator on Telegram today.

BotenaGo Malware Source Code Published

AT&T Alien Labs last week announced that the source code of BotenaGo malware has been published in GitHub. BotenaGo was discovered and named in November 2021 by Alien Labs again, and according to the post of Alien Labs, the source code of this malware has been published on 16th of October 2021.

It is noticed that too few AV vendors can detect (3/60) this malware already and now it is more dangerous because with the published source code, it is possible to change code simply and create new variants to bypass the detection.

It is also possible to find a source code analysis and IoCs of the malware in the post with recommended actions suggestions.

CTI does not mean Fraud Detection

Organizations invests more and more to security tools, breach statistics keep increasing. About ten years ago and more, attackers were mostly alone, and were using basic tools, so it was easier to block them. But with the advanced techniques and tools, and the groups that came together to attack, made these attacks more difficult to block. There was no such thing as intelligence on our agenda. Some basic blacklists and virus databases were enough against most of the attackers.

CTI (Cyber Threat Intelligence) has become indispensable nowadays. We need more and more information about attackers day by day to gain advantage in this fight. At the same time, we see that a lot of people confuse threat intelligence with fraud. People seem really confused about what to expect from threat intelligence. In this post, I try to mention the needs and usage for CTI.

IoCs: Of course, IoCs are one of the most important things that we are waiting from a CTI product. We are feeding our tools with IoCs and this is the simplest thing for our security intelligence. It is possible to find open source IoCs on many historical threats on the internet. Our expectation from a CTI product should be that it gives us the latest IOCs on threats. While evaluating a CTI tool, it should be observed how much IOC it gives compared to its competitors. Some CTI vendors are mostly using Open IoCs, so it is important to check this value before paying money. Meanwhile, the accuracy of the IOCs is also an issue that should not be overlooked. There will be no point in pushing so many wrong IoCs into our systems every day, even those false positive IoC will cause us to waste time. And time is the most important value in a battle.

TTPs: According to Pyramid of Pain – we discussed in the related post deeply – TTPs are the most valued information for defenders. Sun Tzu says that “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful. If you do not know what tools, techniques and tactics your enemies are using, it d be very difficult to win a battle. For a defender, the most valuable information are these TTPs and tools that the enemy is using. From a CTI vendor, this must be one of your most important expectations.

Threat Groups: As mentioned before, attackers now works together, they come together and join forces. And while a group is successful on technique with specific tools and malwares, they rarely change these TTPS and tools. So, it is very important to know who is targeting your geography, country and sector. With these information, organizations get really useful IOCs for themselves, and can design their defense according to these attackers’ TTPs. According to this, maybe tracking the threat groups are also the most important thing for the first two bullets (IoCs and TTPs). You can take random IOCs and install them on your systems, but this is never the same as working with the information of attackers you know who they are.

Vulnerabilities: are critical because attackers use these vulnerabilities to infiltrate. It is vital to be aware of vulnerabilities as quickly as possible after they appear. Meanwhile, the information whether these vulnerabilities are exploitable or not, and their criticality and knowledge of affected systems should also be among the things you expect from CTI. Of course, you need a proactive patch management to use these information in success.

Dark Web Tracking: Every day, a lot of information about companies is offered for sale on the dark web or different attackers and groups come together by communicating here. It is not possible to track all forums and portals in dark web continuously for a security team. One of the expectations from the CTI should be the constant monitoring of the dark web and access to information about threats to the organization.

CTI is not Fraud Detection: Fraud is an important subject to save customers our and users. There are many fraud techniques that fraud teams need to be aware of but CTI is not fraud. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customer. It is undisputed very valuable. But a CTI product should not be evaluated solely on the fraud information obtained. For a good CTI investment, the above issues should be evaluated.

Threat Hunting III – Pyramid of Pain

As we mentioned in the previous sessions, IoCs are crucial important for a proactive threat hunting process. Threat hunters should know most of the information of newly threats and implement them to their hunting processes. Pyramid of Pain classifies IoCs and helps us understand better the usefulness of them.

The pyramid of pain was created by David Bianco (Fireeye). He also has a Youtube video for presenting it.

Pyramid of Pain

This pyramid classifies the IoCs and with going up the pyramid, IoCs help us more to detect the suspicious. Also, as we go up, it is harder to obtain these IoCs. Now, lets check these IoC types shortly;

Hash Values: A hash value is a unique identifies of the data. In theory, the hash value of each data is expected to be unique to itself. So, it gets easier to identify a data, file with its hash value. As an example, you can see below the hash values (both md5 and sha256) of openvpn.exe.

Hash values of openvpn.exe

Hash values are at the bottom of the pyramid because it is very easy to change a file’s hash value and if you do not have the newly changed hash, that means you cannot detect this file anymore.

IP Addresses: IP blacklists still used by many different products, however it is also easy to change the IP address for an attacker. So, it is again does not help much to detect an adversary.

Domain Names: Everyday we can see that attackers can obtain new domain names very fast and can continue their attacks with ever changing domain names.

Network/Host Artifacts: These are the clues that adversaries left on the pc or network. These can be registery keys, processes, user agent strings, etc. Surely, to obtain such information, a forensic analysis need to be done in compromised pcs or networks.

Tools: Adversaries have their favorite tool to attacks, like pentesters have. It is important to know the tool that your enemy using and if you are good at detecting these tools, you can easily detect the attack or this situation forces the attackers use some other tools. This situation will slow down the attack and will save your time.

TTPs: Tactics, techniques and procedures are the patterns of activities or methods of a specific threat actor. As you all know, you can find all TTPs in the Mitre’s website and they are the most valuable data to identify an attack. If you know the TTPs of your enemy, it means you know what to check for a possible attack and mitigate.

Searching for IoC with Redline

Redline is a free tool for investigation malicious activity through memory and file analysis. It has a lot of features for investigation but in this post, we will only mention searching for IoCs in the endpoint with Redline.

In previous post, we created an IoC to detect WinSCP.exe. Now, we will search it with Redline as the example.

We will go on with “Create an IOC Search Collector” menu in the main page of Redline. For doing this, we browse the folder that including IoCs we want to search in the PC. We have only one IoC here but if you have more IoCs in the folder, you will see all of them in “Indicators” tab.

Then we create a folder for IoC Collector and after clicking “Next” button, we show this folder. Redline creates the IoC Collector in this folder. We will now use RunRedlineAudit.bat file with the command line. Once the bat file finishes running, it will create a folder called “Sessions” and save outputs to this folder in the same directory.

Just run the “RunRedlineAudit.bat” file and wait for finishing. Then, open the “Sessions” folder. Each IoC sweep placed in its own folder calle “AnalysisSessionX”. This was our first sweep, so we click on “AnalysisSession1” folder. Our IoC report will be in “AnalysisSession1.mans” file. So, we click on this file, and it will take some time it generates the report.

When IoC report generated, we can see it on Redline tool, “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC got hit. Here, our IoC catch the file with its MD5 hash value and file name. With clicking on “View Details” button, we can see more details about the hit.

Data Collection with Redline

As we discuss before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline.

First, in the main page of Redline, we click on “Create a Standard Collector” button. In the opened window, we click on “Edit your script” label and be sure we choose all we need for memory analysis. Then we create a folder for analysis and show it with browsing in the Redline window.

This process will create the data collector in the folder we choose. Then we open a cmd and run “RunREdlineAudit.bat” script in this folder.

Once the script starts to run, you can see some analysis created in “Audit” folder. Sure, it will take some time to finish the analysis.

When it finishes, click on “AnalysisSessionX.mans” file in the “Audit” folder and this will open Redline again.

This file provides us all the information that we checked at the beginning (Edit your script).

Creating IoCs with Mandiant IOCe

In “Open Threat Exchange” post we mentioned that shared IoCs by other parties on Open Threat Exchange. Open IoCs are nice since they are manufacturer independent and can be used in a lot of different technologies for detecting threats.

Viewing Existing IoCs

In this post, we will mention on Mandiant IOC Editor. First of all, Mandiant IOCe could be used to view open IoCs which you downloaded from different sources. Here, we will show a simple example to view an existing IoC. So, as example, we download an IoC from Open Threat Exchange. This is the IoCs of malicious files found on Pulse Connect Secure devices. This is an xml file downloaded and has 108 IoCs containing 36 MD5, 36 SHA1, and 36 SHA256 hash values. You know, IoCs are not only hashes. They can contain a lot of different attributes about the attack, but in this example, we only have hash values. Later in this post, we will create IoC with different attributes also.

After we download the IoCs as xml file, from File > New > Indicator From File menu and choose the xml file. Here, we can see all the IoCs we downloaded and if we want we can change, delete or add IoCs in that file.

Output of the xml file

Create an IoC

It is also so easy to create IoC with Mandiant IOCe. We start from File > New > Indicator menu. Firstly, IOCe provides us to give a name and description for the IoC. As the example, we will create IoC for detecting WinSCP file. Let’s check hash values of WinSCP.exe file first. MD5 and SHA256 is enough for us now.

MD5 and SHA256 values of WinSCP.exe file

From Item > File Item menu, we choose File MD5 and paste the MD5 value of the file. Let’s do the same for File sha256 menu. Additionally, we add File Name in OR logic.

Then, we can add more attributes from hundreds of items in IOCe. We tried to show some of them in the screenshot below.

Creating IoC with Mandiant IOCe

Do not forget that attributes you choose should be unique to the file, so it can be detectable and less false positives occur. Description is important while creating an IoC, since open IoC is developed to be used by everyone, and if you create an IoC, it is better to write enough description to understand by others.