Team Acalvio | September 17, 2019
The Reserve Bank of India – Cyber Security Framework
The cybersecurity guidelines issued by the Reserve Bank of India (RBI) in 2016 serve as a stark reminder of the need for robust cyber threat detection and response. Although the RBI released extensive IT security guidelines in 2011, it felt compelled to update its guidance with the “Cyber Security Framework in Banks” (CSF) five years later, because the original advisory did not sufficiently address the need for post-breach capabilities. Since we at Acalvio are all about “post-breach”, it is great to see the central bank of such a large country take a leadership role in mandating effective response capabilities.

Let’s look at the Cyber Security Framework at a high level. The core goal of the CSF is to compel banks to establish adequate capabilities to reliably detect, respond to, and contain threats that have penetrated their defenses. This is clear from the three main sections (annexes) of the CSF:

1. Baseline security controls, including:
   - Real-time monitoring
   - Anomalous behavior detection
   - Core controls: configuration management, patching, access control, etc.
2. Establishing a Cyber Security Operation Centre. It is important to note that the SOC guidelines specifically call out the use of honeypot services. This is one of the very few specifications of a particular technology by the framework, which speaks to the clear value of honeypot solutions in detecting and responding to advanced threats.
3. Establishing an Incident Response plan and supporting program. The IR plan includes a Cyber Crisis Management Plan (CCMP), which should address incident Detection, Response, Recovery and Containment.

Incident Notification: Banks must promptly notify the RBI of all “unusual” cyber-security incidents, whether successful or not. The notification can take no more than 6 hours, which means that detection and analysis must take place extremely quickly.

“The systems that NEED to be put in place as a part of the Cyber SoC requires the following aspects to be addressed….Counter response and Honeypot services” (Cyber Security Framework in Banks, RBI, 2016)
Team Acalvio | October 2, 2017
Spreading Technique used by Retadup Worm.
Acalvio Threat Research Lab

The Retadup worm has been in the news recently. It was first observed infecting Israeli hospitals [1] and was recently observed active in South America, mining cryptocurrency [2]. The details of the worm have been published by Trend Labs [1][2]. This blog will share the spreading technique used by the worm (for comparison, see our analysis of the Petya malware propagation techniques).

Retadup’s worm-like behavior consists of copying itself to drives as malicious .LNK files, named to look like normal shortcuts such as “Games.lnk” and “Downloads.lnk”. As shown in figure 2.0, it makes use of the AutoIt function “DriveGetDrive”. The function “DriveGetDrive” enumerates all the letter drives of a specified drive type and returns an array of available drives. Retadup iterates over the array and copies its script folder, which consists of the interpreter (usually named WinddowsUpdate.exe) and the malicious script file (e.g. WinddowsUpdate.zip), to the destination along with several malicious link files which execute the au3 interpreter with a command line like:

“cmd.exe /c start ..<ScriptDir>\<InterpreterBinary>.exe..<ScriptDir>\<MaliciousScript>.zip & exit”

Once the files are copied, spreading requires user interaction on the destination host, since the link file has to be manually executed to start execution on another host.

This spreading technique will be detected by a distributed deception architecture. A deception-centric architecture involves having honey drives at the endpoint, which will be returned by the function call DriveGetDrive. When the malicious files get copied to the honey drives for the engagement of the threat, it will raise an alert for the possibility of a compromise. Malicious activity of the Retadup worm, such as extracting passwords and installing a keylogger, will classify the file as malicious in the engagement platform, and the infected endpoint can be isolated from the network. The IoCs generated from the engagement are used for quarantining the infected machines. The material discussed above further establishes the potential of distributed deception solutions and their efficacy for Advanced Threat Detection.

References:
[1] Information Stealer Found Hitting Israeli Hospital
[2] New Retadup Variants Hit South America, Turn to Cryptocurrency Mining
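As an added example (not Acalvio's code and not the Retadup sample), the honey-drive idea above expressed as detection logic over a constructed feed of endpoint file-create events: the honey drive letters, the event format, the host names and the sample events are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed assumption: drive letters that exist on the endpoint only as bait.
# They are returned to drive enumeration (e.g. AutoIt's DriveGetDrive), but no
# legitimate process writes to them, so any write there is suspect.
HONEY_DRIVES = {"H:", "Z:"}

# The post describes .lnk files whose target runs an interpreter binary on a .zip
# script through cmd.exe and exits. Capture both paths as indicators.
LNK_LAUNCH = re.compile(
    r'cmd\.exe\s+/c\s+start\b.*?"?([^"\s]+\.exe)"?.*?"?([^"\s]+\.zip)"?\s*&\s*exit',
    re.IGNORECASE,
)

@dataclass
class FileEvent:
    host: str
    path: str              # e.g. r"H:\Games.lnk"
    target_cmd: str = ""   # resolved .lnk target command line; empty for other files

@dataclass
class Verdict:
    host: str
    reasons: list = field(default_factory=list)
    iocs: set = field(default_factory=set)   # file names usable for quarantine rules

def inspect(events):
    """Return {host: Verdict} for hosts that wrote to a honey drive or planted a launcher .lnk."""
    verdicts = {}
    for ev in events:
        v = verdicts.setdefault(ev.host, Verdict(ev.host))
        drive = ev.path[:2].upper()
        if drive in HONEY_DRIVES:
            v.reasons.append(f"write to honey drive {drive}: {ev.path}")
        m = LNK_LAUNCH.search(ev.target_cmd) if ev.path.lower().endswith(".lnk") else None
        if m:
            v.reasons.append(f"{ev.path} launches interpreter on zip script")
            v.iocs.update(p.rsplit("\\", 1)[-1].lower() for p in m.groups())
    return {h: v for h, v in verdicts.items() if v.reasons}

# Constructed sample events: one host copying the script folder to a honey drive, one clean host.
SAMPLE = [
    FileEvent("ws-17", r"H:\WinddowsUpdate\WinddowsUpdate.exe"),
    FileEvent("ws-17", r"H:\WinddowsUpdate\WinddowsUpdate.zip"),
    FileEvent("ws-17", r"H:\Games.lnk",
              r'cmd.exe /c start "" "H:\WinddowsUpdate\WinddowsUpdate.exe" "H:\WinddowsUpdate\WinddowsUpdate.zip" & exit'),
    FileEvent("ws-22", r"C:\Users\bob\Desktop\Report.lnk",
              r'"C:\Program Files\Office\WINWORD.EXE" "C:\Users\bob\Report.docx"'),
]

if __name__ == "__main__":
    for host, v in inspect(SAMPLE).items():
        print(host, v.reasons, sorted(v.iocs))
```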
Team Acalvio | December 12, 2016
Looking Deeper into a Multi Stage Attack
The majority of today’s breaches are comprised of sophisticated multi-stage attacks. The stages of such attacks can best be described by a “Cyber Kill Chain”, which breaks down cyber intrusions into the following steps: Recon → Weaponize → Deliver → Exploit → Install → Command & Control → Action. Most inline or endpoint protection products have the capability to detect one of the stages of an attack, but lack the ability to analyze the entire activity chain. This prevents security operations teams from seeing the full context of the attack. If one were to allow the attack to play out completely, one could learn more about these threat actors, making it easier to stop future attacks.

In this blog, I will demonstrate this using a case study of a common attack. This particular attack was stopped by a perimeter-based device. Based upon the analysis of the attack, we will discuss internal security weaknesses in organizations. I will then discuss one of the recommended approaches for analyzing a multi-stage attack that is aimed at identification and remediation of the internal weak links in an organization.

Figure 1 shows a file titled “Verify.pdf”, which was stopped by an email filtering solution. Since there is a mismatch between the display name, which shows as Bank of America, and the email address, which shows as kolumbus.fi, the file is declared malicious and is quarantined.

Figure 1 – Malicious attachment detected by Email Filtering Solutions.

When the attached PDF file is dissected, as shown in figure 2, it can be seen that the file is making an HTTP request:

Figure 2.0 – HTTP request inside the PDF

If we do a quick search for the domain, as shown in figure 3, it is malicious and is detected by one vendor, Trustwave.

Figure 3 – VirusTotal detection of the embedded URL link

However, if we check for the endpoint detection of the PDF file, as per VirusTotal in figure 4, it evades 53 endpoint protection products.

Figure 4.0 – VirusTotal score for the file

Based upon this quick analysis of the stopped threat, it can be observed that even though the threat was stopped, there are many internal weak links in an organization:

- Detection of the malicious PDF downloader (as shown in figure 4.0) at the endpoint is missing. If the malicious PDF downloader had been able to reach the endpoint via some other delivery mechanism, it would have infected the organization.
- Detection of the malicious communication (as shown in figure 3.0) by the network inspection devices is almost non-existent, since true targeted attacks will contain a fresh, previously unknown C&C server that is not in any known blacklist.
- One of the key indicators used to detect the threat is the mismatch between the display name in the email address, which is “Bank of America”, and the email address itself, “kt1448@kolumbus.fi”. If the descriptor (Bank of America) had been missing, the same attack might have been able to reach the endpoint via email. So the detection algorithm that stopped the attack can be bypassed by a variation of the attack.

These weak links can be exploited by other threat actors who leverage slight variants of this attack. Given that the majority of breaches these days involve multi-stage attacks, the recommended architecture for the analysis of multi-stage threats is a threat analysis platform which allows execution and analysis of every stage of a threat. In order to determine if an entity is malicious, besides using analysis algorithms, the threat analysis platform must also leverage time-independent correlations, which give the ability to correlate events which happened before or after in a virtualized network, to classify an entity as malicious. In this way, each malicious entity which was part of the threat gets detected. Identification of every malicious entity of the threat will allow an organization to capture all the malicious indicators involved in a multi-stage attack, and not just the initial stages. This can then be used to strengthen internal defenses in a more robust and comprehensive manner.