Upgrading your threat hunting skills to next generation capabilities.
When defending against the next generation of malicious targeting of your network and systems, we as threat hunters have to employ security strategies driven by personalized cyber defense context. This hunt style is based on what each user typically does and which workflows each user regularly uses. With that baseline we can alert on traffic and host-based anomalies specific to how your organization uses its network. The way we accomplish this today is by establishing YARA and Snort rules.
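The per-user baseline the paragraph describes, as an added example (not the author's tooling): it learns, from a constructed login log, which hosts, source subnets and hours each user normally uses, then flags hunt-window events that fall outside that baseline. The log format, user names, hostnames and addresses are all constructed for the example; adapt `LINE_RE` to your own authentication source.

```python
"""Per-user baseline and anomaly check: an added example, not the author's tooling.

Log format (constructed for this example; adapt the regex to your own source):
    <ISO timestamp> user=<name> host=<hostname> src=<ip> action=login
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+) action=login$"
)

# Constructed sample data: a normal week for two users, then a hunt window.
BASELINE_LOG = """\
2024-03-04T08:55:10 user=alice host=ws-fin-01 src=10.1.20.15 action=login
2024-03-05T09:02:41 user=alice host=ws-fin-01 src=10.1.20.15 action=login
2024-03-06T08:47:03 user=alice host=ws-fin-01 src=10.1.20.18 action=login
2024-03-04T07:30:00 user=bob host=ws-eng-07 src=10.1.30.40 action=login
2024-03-05T07:35:12 user=bob host=ws-eng-07 src=10.1.30.40 action=login
2024-03-06T18:10:55 user=bob host=build-02 src=10.1.30.41 action=login
"""

HUNT_LOG = """\
2024-03-11T09:01:00 user=alice host=ws-fin-01 src=10.1.20.15 action=login
2024-03-11T02:14:37 user=alice host=dc-01 src=10.1.99.250 action=login
2024-03-11T07:31:09 user=bob host=ws-eng-07 src=10.1.30.40 action=login
2024-03-11T23:58:02 user=bob host=ws-eng-07 src=203.0.113.7 action=login
"""


def parse(log_text):
    """Yield (datetime, user, host, src_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        yield (datetime.fromisoformat(m["ts"]), m["user"], m["host"], m["src"])


def src_network(ip):
    """Collapse a source IP to its /24 so DHCP churn inside a subnet is not an anomaly."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(log_text):
    """Learn, per user, the set of hosts, source subnets and login hours seen."""
    baseline = defaultdict(lambda: {"hosts": set(), "nets": set(), "hours": set()})
    for ts, user, host, src in parse(log_text):
        b = baseline[user]
        b["hosts"].add(host)
        b["nets"].add(src_network(src))
        b["hours"].add(ts.hour)
    return baseline


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are one hour apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_anomalies(baseline, log_text, hour_slack=1):
    """Return (timestamp, user, reasons) for events that deviate from the baseline."""
    alerts = []
    for ts, user, host, src in parse(log_text):
        reasons = []
        b = baseline.get(user)
        if b is None:
            reasons.append("unknown user")
        else:
            if host not in b["hosts"]:
                reasons.append(f"new host {host}")
            if src_network(src) not in b["nets"]:
                reasons.append(f"new source network {src_network(src)}")
            if not any(hour_distance(ts.hour, h) <= hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(build_baseline(BASELINE_LOG), HUNT_LOG):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Each alert carries every reason it tripped, so a login from a new host at an unusual hour from an unknown subnet scores higher than a single new host; tune `hour_slack` and the /24 collapse to how your users actually roam.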
To begin using vulnerability tools to develop your indicator matrix, you first have to aggregate intelligence that helps you distinguish malicious activity from your organization's own legitimate activity. Your organization must have this map to navigate your system logs while building alerts for anomalies. With this rule set you can build the metadata and define the strings that are crucial in your YARA and Snort rules. In this step your organization also needs a reporting database to submit and store potential indicators of compromise. During an attack on your systems, faster decisions mean less loss of critical information systems and intellectual property. The scenario where you have the data to act now, and to posture your defensive measures effectively based on collected and defined metadata, is a win for your agency.
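The reporting database and the metadata-to-rule step above, as an added example that is not the author's code: potential IOCs are submitted to a SQLite table with source, first-seen date and confidence, and two functions render the stored hashes and strings into a YARA rule and the stored domains into Snort DNS rules. The table layout, confidence threshold, rule names and every indicator value in `seed_example_store` are constructed for the example.

```python
"""IOC reporting store that renders YARA and Snort rules: an added example, not
the author's tooling. Standard library only; all indicator values are constructed."""
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE IF NOT EXISTS ioc (
    id         INTEGER PRIMARY KEY,
    kind       TEXT    NOT NULL CHECK (kind IN ('md5', 'sha256', 'string', 'domain')),
    value      TEXT    NOT NULL,
    source     TEXT    NOT NULL,   -- ticket, vendor report, hunt note
    first_seen TEXT    NOT NULL,   -- ISO date
    confidence INTEGER NOT NULL,   -- 0-100, analyst judgement
    UNIQUE (kind, value)
);
"""


def open_store(path=":memory:"):
    """Open (or create) the IOC database; in-memory by default for the example."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def report_ioc(conn, kind, value, source, confidence, first_seen=None):
    """Submit a potential indicator. Hashes and domains are lower-cased so the
    UNIQUE constraint silently drops re-reports of the same IOC."""
    if kind != "string":
        value = value.strip().lower()
    conn.execute(
        "INSERT OR IGNORE INTO ioc (kind, value, source, first_seen, confidence) "
        "VALUES (?, ?, ?, ?, ?)",
        (kind, value, source, first_seen or date.today().isoformat(), confidence),
    )
    conn.commit()


def _select(conn, kinds, min_confidence):
    placeholders = ",".join("?" * len(kinds))
    return conn.execute(
        "SELECT kind, value, source, first_seen FROM ioc "
        f"WHERE kind IN ({placeholders}) AND confidence >= ? ORDER BY id",
        (*kinds, min_confidence),
    ).fetchall()


def _yara_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def render_yara(conn, rule_name, min_confidence=70):
    """One YARA rule: match on any stored file hash, or on two of the strings."""
    strings, hash_conds, sources = [], [], set()
    for kind, value, source, _ in _select(conn, ("md5", "sha256", "string"), min_confidence):
        sources.add(source)
        if kind in ("md5", "sha256"):
            hash_conds.append(f'hash.{kind}(0, filesize) == "{value}"')
        else:
            strings.append(f'        $s{len(strings)} = "{_yara_escape(value)}" ascii wide')
    conds = list(hash_conds)
    if strings:
        conds.append("2 of ($s*)" if len(strings) > 1 else "$s0")
    if not conds:
        raise ValueError("no indicators above the confidence threshold")
    lines = ['import "hash"', "", f"rule {rule_name}", "{", "    meta:",
             '        description = "Generated from the IOC reporting store"',
             f'        source = "{", ".join(sorted(sources))}"',
             f'        generated = "{date.today().isoformat()}"']
    if strings:
        lines += ["    strings:"] + strings
    lines += ["    condition:", "        " + " or ".join(conds), "}"]
    return "\n".join(lines) + "\n"


def _dns_content(domain):
    """DNS wire format length-prefixes each label, so 'a.b' is matched as
    |01|a|01|b|00| rather than as the dotted string."""
    return "".join(f"|{len(lab):02X}|{lab}" for lab in domain.strip(".").split(".")) + "|00|"


def render_snort(conn, sid_start=1000001, min_confidence=70):
    """One Snort rule per stored domain, matching the query name in DNS traffic."""
    rules = []
    for i, (_, value, source, seen) in enumerate(_select(conn, ("domain",), min_confidence)):
        rules.append(
            "alert udp $HOME_NET any -> any 53 "
            f'(msg:"IOC DNS query {value} ({source}, first seen {seen})"; '
            f'content:"{_dns_content(value)}"; nocase; '
            f"classtype:trojan-activity; sid:{sid_start + i}; rev:1;)"
        )
    return "\n".join(rules) + ("\n" if rules else "")


def seed_example_store():
    """Constructed submissions, including a low-confidence one and a duplicate domain."""
    conn = open_store()
    report_ioc(conn, "md5", "0123456789ABCDEF0123456789ABCDEF", "ticket-42", 90, "2024-03-11")
    report_ioc(conn, "string", "c2-beacon-v1", "ticket-42", 80, "2024-03-11")
    report_ioc(conn, "string", "stage2.bin", "vendor-report", 75, "2024-03-11")
    report_ioc(conn, "string", "maybe-noise", "ticket-43", 30, "2024-03-11")
    report_ioc(conn, "domain", "Update.Example-Cdn.test", "ticket-42", 85, "2024-03-11")
    report_ioc(conn, "domain", "update.example-cdn.test", "duplicate", 85, "2024-03-12")
    return conn


if __name__ == "__main__":
    store = seed_example_store()
    print(render_yara(store, "ioc_store_generated"))
    print(render_snort(store))
```

The confidence column is what keeps a half-verified spot report out of production rules until an analyst raises it; the generated `meta` block records where each indicator came from so a false positive can be traced back to its submission.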
No matter the industry, there is always someone who wants to know what you have. The goal is to know how potential attackers will exploit the way your users consume technology and apps, since attackers tailor the vulnerabilities they use to be more effective and "context-aware". If you are an organization that supports DoD or government customers, you are a higher-priority target for nation-state intelligence communities that have established effective cyber capabilities to understand our operational context. These malicious actors' intelligence capability is improving rapidly and is formidable at gathering OSINT on our activities.
At the time of reporting you will notice unanswered questions; this is when we use dynamic spot-report questions to fill operational vulnerability and intelligence gaps. As explained above, proper context is your baseline for driving your operational impact. To assist with the nuance of this task we have industry Python scripted frameworks and web-based frameworks to analyze and define your activity. Generally speaking, I use my Python scripted frameworks for searching systems for anomalies and web-based frameworks for getting context on my significant activity.
Organizations like Group-IB, HackerOne, FireEye and Kaspersky focus on providing products and services for detecting and preventing advanced persistent threats and spear phishing, and for preventing and investigating high-tech crime and online fraud. To hunt and defend against cyber actors with advanced persistent capabilities, it is helpful to ingest industry reporting on what is about to hit, or has already hit, your network. Since they do the research and analysis of the techniques and TTPs used in high-tech crime, you should incorporate their knowledge into your security practices.
What are these web based frameworks?
- www.threatcrowd.org – allows you to quickly identify infrastructure and malware.
- www.virustotal.com – is the Google for virus and malware information.
- www.hybrid-analysis.com – is for link chaining of domains, IPs and hashes.
- www.ipalyzer.com – finds WHOIS and name records, geolocation, etc.
- https://otx.alienvault.com – threat vectors and indicators of compromise (IOCs).
- www.threatminer.org – data aggregator which relies on a number of open source data feeds.
- http://passivetotal.org – investigate threats by pivoting through attacker infrastructure data.
- https://dnslytics.com – find out everything about a domain name, IP address or provider.
- www.joesandbox.com – detects and analyzes potentially malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activity.
- https://www.unphp.net – decodes base64-encoded PHP.
We at iShare-Solutions use scripted OSINT tools to integrate data analysis into our security workflow. After a compromise we begin our research with system and software logs to understand what the malware is and which attack vector was used. We take whatever indicators we can find and use open source research to define them.
We start with an initial scan for WHOIS, name records, etc. to get a baseline for identifying the actor. Then we begin mapping the C2 communication of the systems involved in the attack, which we call call chaining or C2 mapping. This is necessary to visualize and define how malicious activity traverses the internet and the connections it makes, so that second-stage activity can be blocked. The companies mentioned earlier are some of the best providers of detailed analysis and actionable suggestions for high-profile security incidents. I am militant about finding and analyzing actual TTPs instead of only IOCs (i.e. hash values, IP addresses).
One of the most successful attack vectors is spamming phishing emails containing links and attachments that trick a user into activating them. Once activated, these embedded links point to malicious websites hosting second-stage infection vectors. Use tools that pivot through attacker infrastructure to determine what the second stage will be, and block it until the threat is neutralized.
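The call chaining / C2 mapping of the previous paragraph and the second-stage blocking of this one, as one added example that is not the author's or iShare-Solutions' tooling: from constructed web proxy log lines it builds a directed graph of which host led to which (via the Referer header, and via a temporal heuristic for a request that follows a redirect or a payload download from the same client), walks the graph from the host in the phishing link, and emits the host/IP pairs to block. The log format, the `window` and `PAYLOAD_EXT` heuristics, and every domain and address are constructed for the example; domains use the reserved `.test` TLD and documentation IP ranges.

```python
"""Map a phishing click through to its second-stage infrastructure from proxy
logs: an added example, not the author's or iShare-Solutions' tooling.

Log format (constructed; adapt LINE_RE to your proxy):
    <ISO ts> src=<client ip> host=<host> dst=<resolved ip> path=<path> status=<code> referer=<url or ->
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+) referer=(?P<ref>\S+)$"
)
PAYLOAD_EXT = (".bin", ".exe", ".dll", ".zip", ".js", ".hta")  # heuristic: looks like a stage download
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample: alice (10.1.20.15) clicks the emailed link; bob (10.1.30.40) does not.
PROXY_LOG = """\
2024-03-11T10:02:01 src=10.1.20.15 host=mail-secure-login.test dst=198.51.100.10 path=/invoice status=302 referer=-
2024-03-11T10:02:02 src=10.1.20.15 host=cdn-assets-drop.test dst=198.51.100.22 path=/s/stage2.bin status=200 referer=http://mail-secure-login.test/invoice
2024-03-11T10:02:40 src=10.1.20.15 host=api-sync-update.test dst=203.0.113.55 path=/gate.php status=200 referer=-
2024-03-11T10:03:10 src=10.1.20.15 host=api-sync-update.test dst=203.0.113.55 path=/gate.php status=200 referer=-
2024-03-11T10:05:00 src=10.1.30.40 host=intranet.corp.test dst=192.0.2.80 path=/ status=200 referer=-
2024-03-11T10:06:15 src=10.1.20.15 host=intranet.corp.test dst=192.0.2.80 path=/news status=200 referer=-
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["status"] = int(e["status"])
            yield e


def build_graph(events, window=120):
    """Return (edges, host_ips): edges is a set of (from_host, to_host);
    host_ips maps each host to the IPs it resolved to in the log."""
    edges, host_ips, by_src = set(), defaultdict(set), defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for evs in by_src.values():              # chain per client, in time order
        evs.sort(key=lambda e: e["ts"])
        prev = None
        for e in evs:
            host_ips[e["host"]].add(e["dst"])
            ref_host = urlsplit(e["ref"]).hostname if e["ref"] != "-" else None
            if ref_host and ref_host != e["host"]:
                edges.add((ref_host, e["host"]))            # explicit referer chain
            elif prev is not None and prev["host"] != e["host"]:
                gap = (e["ts"] - prev["ts"]).total_seconds()
                staged = prev["status"] in REDIRECTS or prev["path"].lower().endswith(PAYLOAD_EXT)
                if gap <= window and staged:
                    edges.add((prev["host"], e["host"]))     # temporal chain heuristic
            prev = e
    return edges, host_ips


def downstream(edges, seed):
    """Hosts reachable from seed, breadth-first, seed included first."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    seen, order, queue = {seed}, [], [seed]
    while queue:
        h = queue.pop(0)
        order.append(h)
        for n in adj[h]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return order


def blocklist(chain_hosts, host_ips):
    """(host, ip) pairs for every stage in the chain, for DNS and firewall blocks."""
    return sorted((h, ip) for h in chain_hosts for ip in host_ips.get(h, ()))


if __name__ == "__main__":
    edges, host_ips = build_graph(parse(PROXY_LOG))
    chain = downstream(edges, "mail-secure-login.test")
    print(" -> ".join(chain))
    for host, ip in blocklist(chain, host_ips):
        print(f"block {host} {ip}")
```

The temporal heuristic is deliberately narrow (a redirect or payload download followed within two minutes by a request from the same client); the later intranet request in the sample is outside the window and is not pulled into the chain, which is the false positive you most want to avoid when the output feeds a blocklist.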
In conclusion, contextualizing cyber threats is essential for improving your security posture. By understanding the context of a threat, you can better identify, assess, and mitigate the risks. There are a number of tools and techniques that can help you contextualize cyber threats, including:
- Threat intelligence: Threat intelligence can provide you with information about the motivations, capabilities, and tactics of threat actors.
- Security awareness training: Security awareness training can help your employees identify and avoid phishing attacks and other social engineering threats.
- Endpoint security: Endpoint security solutions can help you detect and block malware and other threats that target your devices.
- Network security: Network security solutions can help you protect your network from unauthorized access and intrusion.
- Data security: Data security solutions can help you protect your sensitive data from unauthorized access, disclosure, or modification.
By implementing a comprehensive security program that includes these elements, you can significantly improve your organization’s security posture and reduce your risk of a cyber attack.
Here are some additional tips for contextualizing cyber threats:
- Stay up-to-date on the latest threats. Threat actors are constantly evolving their tactics, so it’s important to stay up-to-date on the latest threats so that you can identify and mitigate them.
- Understand your organization’s risk profile. Not all organizations are created equal. Some organizations are more likely to be targeted by cyber attacks than others. By understanding your organization’s risk profile, you can prioritize your security efforts where they’re needed most.
- Implement a layered security approach. No single security solution can protect your organization from all cyber threats. A layered security approach that includes a variety of security solutions is the best way to protect your organization.
- Train your employees on security best practices. Your employees are your first line of defense against cyber attacks. By training them on security best practices, you can help them identify and avoid phishing attacks and other social engineering threats.
- Have a plan in place in case of a cyber attack. No matter how good your security is, there’s always a chance that your organization could be the victim of a cyber attack. By having a plan in place in case of a cyber attack, you can minimize the damage and recover quickly.
By following these tips, you can improve your organization’s security posture and reduce your risk of a cyber attack.