Threat Hunting Immersive Notes from Active Measures
What is threat-hunting? An overview of terms.
As defined by NIST: Threat-hunting is “the proactive searching of organization systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organization responses.”
IOCs (Indicators of Compromise) can be defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” IOCs can be network-based or host-based. Beginners might use IOC lists.
FQDN: Fully Qualified Domain Name.
Threat-hunting as a hypothesis-based method
- come up with ideas/questions and go prove it right or wrong
- need a baseline of “normal” to be able to detect abnormal behaviour, especially for “behavioural analysis”, but you would not need such analysis when hunting for a user downloading files from the internet (for example).
- proxy traffic threat hunting example: look at URI, regex off the file name and extension, stack analysis, etc.
- When is baselining useful? e.g. net.exe or net1.exe abuse cases.
Follow-up Questions
Why is “DNS over HTTPS” not real security?
- C2 acts like DNS server
- looks for specific queries
- system is impersonated
- looks up info, local system checks for caches, finds nothing so it goes to the internet
- goes to evil site
- asks question of evil site, response contains... EVIL
???
What is TTL?
- DNS TTL = how long each resolver along the path caches a record. A shorter time means faster updates; a longer time is usually used by reputable resource hosting sites like libraries and reference sites.
What is DMZ?
- perimeter network (part of the old security model?)
Detection for C2
- auto-encoders
- neural nets
- datamash to find “C2 channel jitter”?
- rotate FQDN to multiple C2 servers
- MOOBIX? rotating c2 from multiple
- Domain fronting – IP addresses shifting
- a mail server can be a C2 – “SSL interception breaks things”?
- CDN?
What to look for in Threat Hunting Analysis:
- session size
- unexpected protocol use, i.e. too many FQDNs
- detect C2 over DNS: capture all DNS traffic, filter, extract text/size/count, review total FQDNs
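Added example (not from the course notes) of the "capture, filter, extract size/count, review FQDNs" step above: it stacks constructed DNS query log lines by parent domain and flags domains with many unique, long, high-entropy subdomains. The log format, the two-label parent-domain guess and the thresholds are assumptions.

```python
"""Stack DNS queries per parent domain to surface possible C2 over DNS."""
import math
from collections import defaultdict

# Constructed sample log (assumed format: <epoch> <src_ip> <query_name>).
# Three ordinary lookups, then a burst of unique 32-hex-char labels under
# one parent domain, the pattern the notes describe. One line is a repeat.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 mail.example.com
1700000002 10.0.0.7 cdn.example.net
1700000003 10.0.0.9 3a9f1c7e0b5d2486f6e2b0d9c5a73814.c2-example.test
1700000004 10.0.0.9 b71e04c9d2a6f3e58c0d1b7a9e6f2435.c2-example.test
1700000005 10.0.0.9 5d0c8e2f1a9b7634e1f2a3b4c5d6e7f8.c2-example.test
1700000006 10.0.0.9 e2a4c6f8b0d1e3f5a7c9b2d4f6e8a0c1.c2-example.test
1700000007 10.0.0.9 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2-example.test
1700000008 10.0.0.9 3a9f1c7e0b5d2486f6e2b0d9c5a73814.c2-example.test
"""

def parent_domain(fqdn, labels=2):
    """Naive registered-domain guess: last two labels (assumption; use a
    public-suffix list in production to handle e.g. co.uk correctly)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def stack_dns(log_text):
    """Group queries by parent domain; return per-domain count/size stats."""
    stats = defaultdict(lambda: {"queries": 0, "unique_fqdns": set(),
                                 "total_len": 0, "max_entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:      # skip malformed lines instead of crashing
            continue
        qname = parts[2].lower()
        s = stats[parent_domain(qname)]
        s["queries"] += 1
        s["unique_fqdns"].add(qname)
        s["total_len"] += len(qname)
        s["max_entropy"] = max(s["max_entropy"], label_entropy(qname.split(".")[0]))
    return stats

def suspicious_domains(stats, min_unique=5, min_avg_len=30, min_entropy=3.0):
    """Parent domains exceeding all three thresholds (assumed tuning values)."""
    return sorted(p for p, s in stats.items()
                  if len(s["unique_fqdns"]) >= min_unique
                  and s["total_len"] / s["queries"] >= min_avg_len
                  and s["max_entropy"] >= min_entropy)

if __name__ == "__main__":
    print(suspicious_domains(stack_dns(SAMPLE_LOG)))
```

Against real captures, review the flagged parent domains by hand: a large CDN or anti-spam service can also generate many unique long labels, so this is a stacking aid, not a verdict.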
How to track?
- external IP tracking
- internal IP tracking
Other follow-up Questions:
- Supply chain attacks: Sunburst. SolarWinds binaries were digitally signed even though they contained malicious code, meaning that application whitelisting does not work here.