“Threat actors do everything in their power to blend in and attempt to become a ghost in your network,” said Tim Bandos, Director of Cybersecurity for Digital Guardian. “So it is the job of the security professional to be the ghostbuster!”
Cybersecurity is a reality for every company, Bandos said, and getting business to understand the reality of digital threats is a slow process. “This year, with all the high-profile corporate hacks, most [companies] are starting to understand that [hacks] happen to everyone,” he said.
Bandos is right to suspect most companies don’t prioritize cyber-resiliency. Recent data suggests an average 250-day lag between when cyber-strikes hit and are detected by most companies. Slow response time, he said, can often be attributed to corporate naiveté about intrusion detection and threat response protocol. Companies and consumers have experienced multiple waves of technological change in the past decade. “It’s natural to feel overwhelmed by cybersecurity challenges,” he said. “[Security] isn’t easy.”
Attacks can originate both inside and outside your company, and pursuing cyber threats is a lot like conventional sleuthing. Digital Guardian’s 2017 enterprise threat report explains the details of where most companies are vulnerable and how to sniff out threats. “It requires patience, persistence, and a keen eye,” Bandos said. “When done correctly, it can be both exhilarating and rewarding.”
First, Bandos said, determine threat vectors and points of access. Gather data about your system, potential vulnerabilities, and previous hacks. “The first weapon any cyber threat hunter needs is data. A centralized Security Information & Event Management (SIEM) system is preferred, but simple access to proxy logs and antivirus logs is also highly beneficial. If there are hundreds or even billions of events, the hunting process whittles away the noise like a digital wood carver chipping away to reveal his masterpiece.”
The data aggregation and culling process should reveal a short list of suspicious activities. Proxy logs are a great place to start hunting, he said, because warning signs like slow connections and automated behavior are easy to spot. “It’s imperative to have an intelligence-driven approach to this process,” he said, “otherwise you’ll likely end up feeling like you’re banging your head against the proverbial brick wall [of big data].”
In an interview with TechRepublic, Bandos detailed the threat hunting process and best practices for rooting out and responding to intrusions.
Low and slow connections: Is traffic being sent out port 22 through proxy servers or even firewalls? Of course it’s good practice to source-restrict this clear-text protocol, but if it’s not locked down, look for any exfiltration patterns in the data.
Same number of bytes in and out: Do any network connections exhibit the same pattern of bytes in and bytes out each day? This was more prevalent several years ago, but malware today still leverages this technique of beaconing out to its master to let them know they’ve implanted successfully. Monitoring for the same amount of bytes up and bytes down on a frequent basis could reveal a sign of suspicious activity.
Suspicious sites: Identify a listing of all dynamic DNS sites that are visited by endpoints and look specifically at the outliers across your organization. If only three machines out of 20,000 visit one specific site, command and control infrastructure may be at fault. Of course there could be other explanations as well but it is definitely something worth examining further. Windows Logs can often be overlooked, but again they provide a good hunting ground.
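The two proxy-log checks above (the repeating “same bytes in and out” beacon pattern and the dynamic DNS destination that only a handful of endpoints visit) can both be scripted over the same parsed log. The following is an added example written for this article, not code from Digital Guardian or from Bandos; the CSV layout, the hostnames and the byte counts are constructed sample data, and the thresholds (`min_days`, `max_clients`) are assumptions to tune against your own fleet size.

```python
"""Proxy-log hunting helpers (added example; not Digital Guardian code).

Two checks run over constructed sample log lines:
  1. "same bytes in and out" beaconing: a client that repeats an identical
     (bytes_out, bytes_in) pair to the same destination on several days.
  2. destination outliers: hosts contacted by very few endpoints relative
     to the rest of the fleet (the dynamic DNS outlier idea).
Assumed log format (constructed): date,client,dest_host,dest_port,bytes_out,bytes_in
"""
from collections import defaultdict
import csv
import io

# Constructed sample proxy log (not real data); the dyn-placeholder hostname
# stands in for a dynamic DNS site.
SAMPLE_PROXY_LOG = """\
date,client,dest_host,dest_port,bytes_out,bytes_in
2017-03-01,ws-001,www.example.com,443,5120,88210
2017-03-01,ws-002,www.example.com,443,4410,90120
2017-03-01,ws-003,www.example.com,443,5001,87311
2017-03-01,ws-004,updates.example.org,80,1200,64000
2017-03-01,ws-017,host1.dyn-placeholder.example,443,312,128
2017-03-02,ws-001,www.example.com,443,5190,88900
2017-03-02,ws-017,host1.dyn-placeholder.example,443,312,128
2017-03-02,ws-004,updates.example.org,80,1210,64100
2017-03-02,ws-002,updates.example.org,80,1190,63900
2017-03-02,ws-003,updates.example.org,80,1205,64050
2017-03-03,ws-017,host1.dyn-placeholder.example,443,312,128
2017-03-03,ws-002,www.example.com,443,4500,91000
2017-03-03,ws-021,host1.dyn-placeholder.example,443,1500,2300
"""


def parse_proxy_log(text):
    """Parse CSV text into a list of dicts with integer byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_out"] = int(row["bytes_out"])
        row["bytes_in"] = int(row["bytes_in"])
        rows.append(row)
    return rows


def find_repeated_byte_patterns(rows, min_days=3):
    """Return (client, dest_host, bytes_out, bytes_in) tuples seen on at least
    `min_days` distinct days: the 'same bytes up and down' beacon pattern."""
    days = defaultdict(set)
    for r in rows:
        key = (r["client"], r["dest_host"], r["bytes_out"], r["bytes_in"])
        days[key].add(r["date"])
    return sorted(k for k, d in days.items() if len(d) >= min_days)


def find_rare_destinations(rows, max_clients=2):
    """Return destinations contacted by at most `max_clients` distinct clients,
    with the client list, so the hunter can look at the outliers first."""
    clients = defaultdict(set)
    for r in rows:
        clients[r["dest_host"]].add(r["client"])
    return {h: sorted(c) for h, c in clients.items() if len(c) <= max_clients}


if __name__ == "__main__":
    rows = parse_proxy_log(SAMPLE_PROXY_LOG)
    for hit in find_repeated_byte_patterns(rows):
        print("possible beacon:", hit)
    for host, cl in find_rare_destinations(rows).items():
        print("rare destination:", host, "clients:", cl)
```

On the sample data the beacon check isolates the one client that sends exactly 312 bytes and receives exactly 128 bytes to the same host three days running, and the outlier check surfaces the dynamic DNS style host that only two endpoints ever contact; both are leads to investigate, not verdicts, exactly as the text cautions.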
Failed logon attempts: It might sound obvious, but looking for successive failed access attempts using multiple accounts could indicate a brute force. Focusing on one failed attempt per account may uncover a threat actor trying to log in with passwords they’ve previously dumped from the environment in the hope that one may still work. This would be Event IDs 4625, 529-539.
Explicit credentials: Profile your “a logon was attempted using explicit credential” event logs and whitelist out normal activity. This would be for Event ID 4648 and/or 552. This log kicks off when a user connects to a system or runs a program locally using alternate creds. Did someone say “Lateral Movement”? Threat actors love to move laterally!
Privilege changes: Escalation of privileges will often occur once a foothold has been achieved within an environment. These logs may assist in the identification of such activity. It’s good to profile your IT admin’s legitimate activities as well since they’ll more often than not cause a bit of noise themselves. Event IDs 4728, 4732, 4756.
Low-hanging fruit: Log clearing – Windows Events 104 & 1102; EMET crash logs – 1 & 2; Application crashes and hangs – Windows Events 1000 & 1002; Windows Defender errors – Windows Events 1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008
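The Windows event checks listed above (one failed logon per account from a single source, 4648 explicit-credential logons that fall outside a profiled whitelist, group membership changes by accounts outside the admin team, and log clearing) are shown together below over a constructed set of events. This is an added example, not code from Digital Guardian or from the interview; the event IDs are the ones the text names, while the field names (`source`, `subject`, `target_server`, and so on) and the sample hosts and accounts are assumptions standing in for whatever your SIEM export or event-log dump provides.

```python
"""Windows event-log hunting helpers (added example; not Digital Guardian code).

Runs the checks from the interview over a constructed list of events in the
shape a SIEM export might give. Event IDs come from the text; field names and
sample values are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    # one failed logon per account from the same source: reused dumped passwords
    {"id": 4625, "host": "dc01", "account": "alice", "source": "10.0.0.50"},
    {"id": 4625, "host": "dc01", "account": "bob", "source": "10.0.0.50"},
    {"id": 4625, "host": "dc01", "account": "carol", "source": "10.0.0.50"},
    {"id": 4625, "host": "dc01", "account": "dave", "source": "10.0.0.50"},
    # a user mistyping their own password twice is not interesting
    {"id": 4625, "host": "dc01", "account": "erin", "source": "10.0.0.7"},
    {"id": 4625, "host": "dc01", "account": "erin", "source": "10.0.0.7"},
    # explicit-credential logons: one expected (backup job), one not
    {"id": 4648, "host": "fs01", "subject": "svc_backup", "target": "svc_backup", "target_server": "fs02"},
    {"id": 4648, "host": "ws-017", "subject": "alice", "target": "administrator", "target_server": "fs01"},
    # group membership changes: one by a non-admin, one by the admin team
    {"id": 4728, "host": "dc01", "subject": "alice", "group": "Domain Admins", "member": "alice"},
    {"id": 4732, "host": "dc01", "subject": "it_admin", "group": "Administrators", "member": "helpdesk"},
    # audit log cleared
    {"id": 1102, "host": "ws-017", "subject": "alice"},
]


def find_password_reuse_pattern(events, min_accounts=3):
    """Sources with failed logons (4625) against `min_accounts` or more distinct
    accounts, each failing only once: the 'one failed attempt per account'
    pattern of someone trying previously dumped passwords."""
    attempts = defaultdict(Counter)
    for e in events:
        if e["id"] == 4625:
            attempts[e["source"]][e["account"]] += 1
    hits = {}
    for source, per_account in attempts.items():
        single = [a for a, n in per_account.items() if n == 1]
        if len(single) >= min_accounts:
            hits[source] = sorted(single)
    return hits


def find_unexpected_explicit_logons(events, whitelist):
    """4648 events whose (subject, target, target_server) triple is not in the
    profiled-normal whitelist: candidates for lateral movement."""
    return [e for e in events
            if e["id"] == 4648
            and (e["subject"], e["target"], e["target_server"]) not in whitelist]


def find_group_changes_by_non_admins(events, admin_accounts):
    """4728/4732/4756 group additions made by accounts outside the known admin set."""
    return [e for e in events
            if e["id"] in (4728, 4732, 4756) and e["subject"] not in admin_accounts]


def find_log_clearing(events):
    """(host, subject) pairs where the audit log (1102) or event log (104) was cleared."""
    return sorted({(e["host"], e.get("subject", "?")) for e in events if e["id"] in (104, 1102)})


if __name__ == "__main__":
    normal_4648 = {("svc_backup", "svc_backup", "fs02")}  # profiled-normal, assumed
    admins = {"it_admin"}                                  # known admin team, assumed
    print("password reuse:", find_password_reuse_pattern(SAMPLE_EVENTS))
    print("unexpected 4648:", find_unexpected_explicit_logons(SAMPLE_EVENTS, normal_4648))
    print("group changes:", find_group_changes_by_non_admins(SAMPLE_EVENTS, admins))
    print("log clearing:", find_log_clearing(SAMPLE_EVENTS))
```

The whitelist and admin set are the “profile your normal activity” step the text describes; on the sample data every check points at the same workstation and account, which is the kind of convergence that turns a list of noisy events into a short list worth chasing.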
AV scanners and software are all primarily signature-based, meaning they detect malware by identifying a segment of code within a file that matches their internal database of malicious code. Unfortunately it’s fairly elementary to identify this code segment that AV will trigger on, make changes, recompile it, and create new code that will no longer be flagged as malicious. However, threat actors do make mistakes when they’ve made a successful intrusion.
Signs of password dumping programs: Research what your AV provider flags as a password dumping program and go searching! For example, one of McAfee’s password dumping detection tools is called HTool-GSECDump. There are countless examples of threat actors running a password dumper, AV detecting and removing it, and the attacker then successfully executing another dumper that wasn’t detected. So although they’ve achieved their initial objective, they’ve left behind a clue of evidentiary value.
Common backdoors: Knowing your adversary/ies is the ultimate goal here. Then you can begin to profile their tactics, techniques, and procedures. You’ll know the tools they most commonly use and the types of backdoors they may leverage. Some common advanced threat backdoors include PlugX, 9002 RAT, Nettraveler, Derusbi, Winnti, and Pirpi. If you come across names like these within your AV logs, you’ll know something untoward is taking place. So once again, research what your AV vendor calls these detections and go hunt for them.
Dropper programs: Identify any detections with the name “dropper” in it. A dropper program is intended to download/install a backdoor or virus, only initiating the download when the “coast is clear.” If a dropper has been detected, it’s possible there is still something lurking in the depths of the OS it was detected on.
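The three AV-log clues above (password-dumper detections, known backdoor family names, and anything called a dropper) are easy to pull together into a per-host triage list once you know what your vendor calls them. The following is an added example, not code from Digital Guardian or from the interview; the log format and sample lines are constructed, the family names are the ones quoted in the text (real vendor detection names vary, so the substring matching is an assumption to adapt), and `HTool-GSECDump` is the McAfee name the text mentions.

```python
"""AV-log hunting helpers (added example; not Digital Guardian code).

Classifies AV detection names into the three clue families from the interview
(password dumpers, known backdoor families, droppers) and aggregates per host,
treating a removed or quarantined detection as a clue rather than a clean
bill of health. Log format and sample lines are constructed.
"""
from collections import defaultdict

# Family names quoted in the text. Real vendor detection names vary; the
# text's advice is to look up what your own vendor calls them.
BACKDOOR_FAMILIES = ("plugx", "9002", "nettraveler", "derusbi", "winnti", "pirpi")

# Constructed sample: "timestamp|host|detection_name|action"
SAMPLE_AV_LOG = """\
2017-03-01T08:02:00|ws-017|HTool-GSECDump|removed
2017-03-01T08:05:00|ws-017|Generic.Dropper.Placeholder|quarantined
2017-03-01T09:10:00|ws-004|Adware.Placeholder|removed
2017-03-02T11:30:00|srv-app1|Backdoor.PlugX.Placeholder|detected
2017-03-02T11:31:00|srv-app1|Backdoor.PlugX.Placeholder|removed
2017-03-02T14:00:00|ws-021|EICAR-Test-File|removed
"""


def classify_detection(name):
    """Map a detection name to a clue category, or None if it is noise for this hunt."""
    n = name.lower()
    if "dump" in n:  # e.g. HTool-GSECDump and similarly named dumper detections
        return "password_dumper"
    if any(f in n for f in BACKDOOR_FAMILIES):
        return "known_backdoor"
    if "dropper" in n:
        return "dropper"
    return None


def parse_av_log(text):
    """Parse the constructed pipe-separated format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, action = line.split("|")
        entries.append({"time": ts, "host": host, "name": name, "action": action})
    return entries


def triage_hosts(entries):
    """Per host: categories seen, earliest relevant sighting, and the matching
    names. A removed/quarantined hit still counts, because the attacker's
    follow-up tool may not have been detected at all."""
    hosts = defaultdict(lambda: {"categories": set(), "first_seen": None, "names": set()})
    for e in entries:
        cat = classify_detection(e["name"])
        if cat is None:
            continue
        h = hosts[e["host"]]
        h["categories"].add(cat)
        h["names"].add(e["name"])
        if h["first_seen"] is None or e["time"] < h["first_seen"]:
            h["first_seen"] = e["time"]
    # more clue categories first, then the earliest sighting
    return sorted(hosts.items(), key=lambda kv: (-len(kv[1]["categories"]), kv[1]["first_seen"]))


if __name__ == "__main__":
    for host, info in triage_hosts(parse_av_log(SAMPLE_AV_LOG)):
        print(host, sorted(info["categories"]), "first seen", info["first_seen"], sorted(info["names"]))
```

The earliest sighting per host is worth keeping: the text's point is that a dumper the AV removed may have been followed by one it missed, so the investigation window on that host starts at the first detection, not at the latest one.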
Source: SANS ISC SecNewsFeed @ March 6, 2017 at 09:24AM