Sean Kilfoy
ISYS671 Week 8 – Advanced Pen Testing Paper

Hunting takes cybersecurity to the next level by making it an active process in which security analysts sniff out traces of cyber attackers and go in pursuit, relentlessly tracking and hunting down their prey (Ashford, 2015). By anticipating attacks, organizations can build stronger defenses, because they can find and fix weaknesses in their networks and systems before those weaknesses are exploited maliciously. Proactive defense is key to mitigating operational risk, because cleaning up the aftermath of an attack is much more costly than a proactive defense strategy. Hunters typically look at the processes, tools, commands, and network file shares in use across an environment to find activity that typical security controls, like firewalls and antivirus, would miss because it is not malicious in and of itself; a trained eye can recognize that something is inappropriate, unlikely, or unusual, which can signal that something is wrong.

According to an interview with Computer Weekly, Ben Johnson of Bit9 + Carbon Black says that this innovation in cybersecurity arose because large, well-resourced companies are getting hacked on a daily basis (Ashford, 2015). Because attackers are always innovating and evolving their capabilities, defensive capabilities must innovate and evolve as well. Hunting typically involves the most enthusiastic, passionate, and security-driven analysts, because these are the individuals who enjoy proactively investigating rather than waiting for alerts or emergency calls to come in. They know how to think and act like an attacker and how attackers communicate, and the best of them can even infiltrate cyber criminals' forums and organizations to learn their techniques and find out what their plans and deeds are. For example, according to another article by Ashford (2016), many hunters who work for security companies, such as RSA FraudAction, do exactly this: they are long-standing members of hacker forums and talk directly to the hackers. This kind of proactive security is extreme, and as such, these actions are carried out by only the most dedicated hunters.
At the most basic level, hunters are looking for abnormal, unusual, or suspicious behavior, especially in relation to high-value data assets, wherever there is risk and attackers may be active (Ashford, 2015), which could be anywhere on a network, at any time, with or without valid credentials or administrator privileges. One of the reasons hunters must exist and are in high demand is that attackers can make their activity look like normal network and system usage, which does not get flagged by automated security systems. For example, when an attacker steals valid user credentials and uses them to log on to a network or network device, the intrusion is difficult to detect because there is no malware or malicious code; it simply looks like a user has logged in to their account.
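The stolen-credential case just described is detectable not from what the logon is but from how the account is used. The following is an added example, not part of the original paper or any cited work, that hunts over constructed Windows logon records (the fields a hunter would pull from Security event 4624) for an account that is active on more than one host within a short window, and for an interactive logon followed by an RDP logon to a second host. The account names, host names, and the 15-minute window are assumptions.

```python
"""Concurrent-logon hunt for the valid-credential case (added example).

Records are constructed and carry the fields a hunter would pull from
Windows Security event 4624: timestamp, account, host the logon landed on,
and logon type (2 = interactive, 3 = network, 10 = RemoteInteractive/RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logons, not real data.
SAMPLE_LOGONS = [
    # (timestamp, account, target host, logon type)
    ("2017-12-04 08:55:10", "CORP\\jsmith", "WS-0142", 2),
    ("2017-12-04 09:02:31", "CORP\\jsmith", "WS-0142", 3),
    ("2017-12-04 09:04:02", "CORP\\jsmith", "SQL-PROD-01", 10),  # RDP while still active on WS-0142
    ("2017-12-04 09:30:00", "CORP\\agarcia", "WS-0207", 2),
    ("2017-12-04 13:15:45", "CORP\\agarcia", "WS-0207", 3),
    ("2017-12-04 23:41:12", "CORP\\svc_backup", "FS-01", 3),
    ("2017-12-04 23:42:09", "CORP\\svc_backup", "FS-02", 3),
]

# Service accounts legitimately log on to many hosts. Suppress them by name
# rather than by widening the window, so a misused service account is still
# visible once it is taken off this list. (Assumed allow-list.)
KNOWN_MULTI_HOST = frozenset({"CORP\\svc_backup"})


def _parse(logons):
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), acct, host, ltype)
                  for ts, acct, host, ltype in logons)


def find_concurrent_logons(logons, window=timedelta(minutes=15), ignore=frozenset()):
    """Return {account: {hosts}} for accounts seen on more than one host within `window`."""
    by_account = defaultdict(list)
    for when, acct, host, ltype in _parse(logons):
        if acct not in ignore:
            by_account[acct].append((when, host, ltype))

    findings = {}
    for acct, entries in by_account.items():
        hosts = set()
        for i, (start, _, _) in enumerate(entries):
            # Distinct hosts this account touched inside `window` of this logon.
            in_window = {h for when, h, _ in entries[i:] if when - start <= window}
            if len(in_window) > 1:
                hosts |= in_window
        if hosts:
            findings[acct] = hosts
    return findings


def rdp_after_interactive(logons, window=timedelta(minutes=15)):
    """Accounts that RDP'd (type 10) to a second host shortly after an interactive (type 2) logon elsewhere."""
    hits = []
    entries = _parse(logons)
    for when, acct, host, ltype in entries:
        if ltype != 10:
            continue
        for earlier, a2, h2, t2 in entries:
            if a2 == acct and t2 == 2 and h2 != host and timedelta(0) <= when - earlier <= window:
                hits.append((acct, h2, host))
                break
    return hits


if __name__ == "__main__":
    for acct, hosts in find_concurrent_logons(SAMPLE_LOGONS, ignore=KNOWN_MULTI_HOST).items():
        print(f"{acct}: logged on to {sorted(hosts)} within 15 minutes")
    for acct, src, dst in rdp_after_interactive(SAMPLE_LOGONS):
        print(f"{acct}: interactive on {src}, then RDP to {dst}")
```

Both checks are cheap to run over a day of 4624 events exported from a domain controller or a SIEM, and neither depends on malware being present: the only signal is an account behaving in a way its owner does not.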
A hunter would instead look for the account being used in ways its owner would not use it, such as logons from multiple hosts at the same time. A hunter could also look for the tools used to harvest credentials once an attacker has a foothold. For example, bkhive extracts the boot key (syskey) from a Windows SYSTEM hive, and samdump2 uses that key to decrypt the LM and NT password hashes stored in the SAM hive (the hashes, not plaintext passwords). These are offline attack tools run against copied hives, not commands a typical user would know, so a hunter who collects the processes and command lines run on every endpoint in a network can identify compromised computers by tracking tools like these that most people have never heard of.

Advanced persistent threats present significant challenges to the security community and change how organizations need to view, implement, and manage security operations (Rackspace, 2017). An advanced persistent threat is an attacker capable of breaching data infrastructure through continuous targeting and then remaining within that infrastructure, undetected, to locate and access valuable information. As Daniel Clayton, a former British intelligence officer who now serves as a director of security operations at Rackspace, describes them, advanced persistent threats are typically "groups of individuals that have the resources and manpower to persistently target a company or organization 24 hours a day for as long as it takes to get the job done" (Rackspace, 2017). While preventive controls like web application firewalls, intrusion detection and prevention systems, and anti-virus software can be effective against some attacks, like DDoS, viruses, Trojans, and other threats that look the same wherever they appear, Rackspace argues that the reality of advanced persistent threats has made many of these measures obsolete on their own in the modern world of cyber security.
Effective security now requires firms to assume they have been penetrated and to continually and actively scan their environments for malicious activity. Modern security providers deploy sophisticated technology and highly skilled analysts to actively patrol environments and locate anomalies (Rackspace, 2017).
Threat hunting is a focused and iterative approach to searching out, identifying, and understanding adversaries internal to the defender's networks (Lee, 2016). The formal process of threat hunting should not be confused with an attempt to prevent adversaries from breaching the environment or with eliminating vulnerabilities in the network (Lee, 2016).

There are three factors to consider when judging an organization's hunting ability: the quality of the data it collects for hunting, the tools it provides to access and analyze that data, and the skills of the analysts who use the data and the tools to find security incidents. Bianco (2015) describes a Hunting Maturity Model (HMM) based primarily on the skills of the analysts, because they are the ones who turn data into detections. The quality of the data that an organization routinely collects from its IT environment is also a strong factor in determining the HMM level: the more data (and the more different types of data) you provide to an expert hunter, the more results they will find. The toolset for collecting and analyzing the data is a factor as well, but a less important one. Given a high level of analyst skill and a large amount of good-quality data, it is possible to compensate for toolset deficiencies, at least to a degree. The model ranges from HMM0 (Initial), in which an organization relies primarily on automated alerting tools such as IDS, SIEM, or antivirus, may incorporate feeds of signature updates or threat intelligence indicators, and routinely collects little or no data, to HMM4 (Leading), in which an organization automates the majority of its successful data analysis procedures and routinely collects high volumes of data. HMM4 organizations turn any successful hunting process into operational, automated detection, which frees analysts from running the same processes over and over and lets them concentrate on improving existing processes or creating new ones. This makes HMM4 organizations extremely effective at resisting adversary actions, because the resulting stream of new hunting processes constantly improves the detection program as a whole (Bianco, 2015).
Both HMM0 and HMM4 organizations use automation, but they use it differently. HMM4 organizations keep automation in the front of their minds as they create new hunting techniques, whereas HMM0 organizations rely entirely on their automated detection, whether it is provided by a vendor or created in-house. They may spend time improving their detection by creating new signatures or looking for new threat intel feeds to consume, but they are not fundamentally changing the way they find adversaries in their network. Even if they employ the most sophisticated security analytics tools available, if they are sitting back and waiting for alerts, they are not hunting. HMM4 organizations, on the other hand, are actively trying new methods to find the threat actors in their systems. They try new ideas all the time, knowing that some will not pan out but others will. They are inventive, curious, and agile, qualities you cannot get from a purely automated detection product.
Although a good hunting platform can certainly give your team a boost, you cannot buy your way to HMM4. Bianco (2015) suggests HMM2 (Procedural) as the level for CISOs looking to start hunting operations to aim for. HMM2 describes organizations that are able to learn and apply procedures developed by others, and may make minor changes, but are not yet capable of creating wholly new procedures themselves; HMM2 organizations also run their hunting procedures on a regular schedule.

Two recommendations I would make for organizations looking to implement hunting operations are to monitor endpoint process creation and to search for indicators of compromise. Many organizations rely on logs, but as Carvey describes in his 2015 presentation, given while at Dell SecureWorks, an attacker can tamper with or redirect logging (for example, repurposing syslog) so that the logs no longer give a true picture, and that tampering has to be caught by monitoring the processes that carry it out (Carvey, 2015).
Organizations should look for endpoint process artifacts that indicate malicious activity in the network; such artifacts can reveal lateral movement through internal systems. Web shells are a common way to gain access to an infrastructure: the attacker compromises a web server, such as a Windows server running Apache and WordPress or a manipulated IIS server, and then moves from it to internal systems. An attacker can also pivot from a web server to a SQL server with a web shell. In one such case, the attacker gains access to a web server, places a web shell on it, and, with RDP access to both the web and SQL servers, opens the web shell in Internet Explorer on the server itself by browsing to localhost. The attacker then uses the web shell to issue SQL injection commands that invoke xp_cmdshell and create a user account on the SQL server. This activity can be found by looking through the browsing history on the web server, which shows the attacker accessing the web shell on localhost. The Windows event logs would show little, and the web shell file itself is gone because the attacker deleted it after use, but the web server's own access logs would still record the requests to it.
Another file system indicator exists on IIS servers hit with ASPX web shells: the first time the page is requested, the .NET framework compiles it and writes a file named after the web shell with a .compiled extension under the Temporary ASP.NET Files directory. Because the framework compiles the page on first use, that artifact remains after the shell itself is deleted. These are file system artifacts a hunter should look for when hunting advanced persistent threats, because attackers can come in, install a web shell, delete it after use, and repeat this process as often as they want while going undetected in the network, since they created a legitimate login on the SQL or IIS server. Only someone actively looking for those indicators would discover that web shells had been installed. If an attacker crashes a web browser, it will create a session restore file, which remains on the system unless the attacker restarts the browser so that the file is cleaned up. Parsing a compromised system after it has been taken offline allows the forensics team to find these files and see what commands were issued through the web shell, as well as the username and password the attacker used to access the SQL server, because those credentials are stored in a configuration file.
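The two artifacts described above, access-log entries for a page that no longer exists and a .compiled file for a page that is no longer in the webroot, can both be hunted mechanically. The following is an added example, not code from the original paper or any cited talk. The IIS W3C log lines, the current webroot inventory, and the Temporary ASP.NET Files listing are all constructed; the file-name pattern name.aspx.<8 hex digits>.compiled is the framework's own naming for the compilation artifact, and the site paths and IP addresses are assumptions.

```python
"""Hunting for web shells that were deleted after use (added example).

Two artifacts outlive a deleted ASPX shell: the IIS access log entries for
the requests that hit it, and the .compiled artifact ASP.NET wrote under
Temporary ASP.NET Files when it compiled the page on first request.
"""
import re

# Constructed IIS W3C extended log; spaces inside the User-Agent are '+' as IIS writes them.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-12-03 22:10:41 10.0.0.5 GET /default.aspx - 80 - 198.51.100.23 Mozilla/5.0 200
2017-12-03 22:14:05 10.0.0.5 GET /images/cache.aspx - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0) 200
2017-12-03 22:14:37 10.0.0.5 POST /images/cache.aspx - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0) 200
2017-12-03 22:15:02 10.0.0.5 POST /images/cache.aspx - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0) 200
2017-12-03 22:31:19 10.0.0.5 GET /login.aspx - 80 - 203.0.113.7 Mozilla/5.0 200
2017-12-03 22:40:00 10.0.0.5 GET /old.aspx - 80 - 203.0.113.7 Mozilla/5.0 404
"""

# What is on disk under the webroot today (constructed inventory).
WEBROOT_NOW = {"/default.aspx", "/login.aspx", "/images/logo.png"}

# Listing of Temporary ASP.NET Files for this application (constructed).
COMPILED_NOW = ["default.aspx.cdcab7d2.compiled", "login.aspx.3f1a9b20.compiled",
                "cache.aspx.91e2c0aa.compiled"]

DYNAMIC = (".aspx", ".ashx", ".asmx", ".asp", ".php")
COMPILED_RE = re.compile(r"^(?P<page>.+\.(?:aspx|ashx|asmx))\.[0-9a-f]{8}\.compiled$", re.I)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def served_but_missing(rows, webroot):
    """Dynamic pages that returned 2xx but are no longer on disk: {uri-stem: {client IPs}}."""
    hits = {}
    for r in rows:
        stem = r["cs-uri-stem"]
        if r["sc-status"].startswith("2") and stem.lower().endswith(DYNAMIC) and stem not in webroot:
            hits.setdefault(stem, set()).add(r["c-ip"])
    return hits


def loopback_dynamic_requests(rows):
    """Requests to dynamic pages from the server itself, as when a shell is driven over RDP via localhost."""
    return [(r["date"] + " " + r["time"], r["cs-method"], r["cs-uri-stem"])
            for r in rows if r["c-ip"] in LOOPBACK and r["cs-uri-stem"].lower().endswith(DYNAMIC)]


def orphaned_compiled(compiled_names, webroot):
    """Pages ASP.NET compiled that no longer exist in the webroot."""
    present = {p.rsplit("/", 1)[-1].lower() for p in webroot}
    return {m.group("page") for m in map(COMPILED_RE.match, compiled_names)
            if m and m.group("page").lower() not in present}


if __name__ == "__main__":
    rows = parse_iis(IIS_LOG)
    print("served but gone:", served_but_missing(rows, WEBROOT_NOW))
    print("loopback requests:", loopback_dynamic_requests(rows))
    print("orphaned .compiled:", orphaned_compiled(COMPILED_NOW, WEBROOT_NOW))
```

The three functions answer three independent questions, and agreement between them (a page that was served with 200, was driven from localhost, and left a .compiled file, yet is absent from the webroot) is the cluster of indicators worth escalating rather than any one result alone.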
Carvey states that clusters of indicators, not individual artifacts, should be looked for, "because there are a lot of things that go on within an infrastructure that, if you look at them in isolation from everything else, could look like threat actor activity, because a lot of the stuff that we see threat actors doing is stuff that a normal admin might do" (2015).

Process creation monitoring is useful for live detection of attacks as they are carried out. It lets security professionals see the commands attackers use as they use them, such as checking the time on the remote system, checking whether a scheduled task has completed, and reissuing the task.
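Process-creation hunting of the kind described here, combined with Carvey's point about clusters, can be expressed as a handful of rules over process-creation telemetry. The following is an added example, not code from the paper or from Carvey's talk, run over constructed events shaped like Sysmon event 1 or Security event 4688 with command-line auditing. It flags recon utilities, shells or recon created outside working hours, and a shell whose parent is winlogon.exe, which is the parent relationship the Sticky Keys backdoor discussed later in this paper produces at the logon screen. It then clusters findings per host, so a single indicator alone does not raise an alarm. The working hours, host names, and utility lists are assumptions.

```python
"""Process-creation hunting over constructed events (added example).

Each record mimics what Sysmon event 1 or Security event 4688 (with command-
line auditing) gives a hunter: UTC time, host, image path, parent image path,
and user. Findings are clustered per host because a lone indicator is weak.
"""
import ntpath
from collections import Counter
from datetime import datetime, time

SHELLS = {"cmd.exe", "powershell.exe"}
RECON = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "tasklist.exe",
         "quser.exe", "nltest.exe", "systeminfo.exe"}
WORK_HOURS = (time(7, 0), time(19, 0))  # assumed organization-wide; refine per host or user

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # (utc time, host, image, parent image, user)
    ("2017-12-04 10:12:03", "WS-0142", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\explorer.exe", "CORP\\jsmith"),
    ("2017-12-04 10:12:20", "WS-0142", r"C:\Windows\System32\ipconfig.exe",
     r"C:\Windows\System32\cmd.exe", "CORP\\jsmith"),
    ("2017-12-05 02:47:55", "SQL-PROD-01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    ("2017-12-05 02:48:10", "SQL-PROD-01", r"C:\Windows\System32\net1.exe",
     r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    ("2017-12-05 03:10:00", "FS-01", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
]


def _name(path):
    # ntpath handles backslash paths correctly regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def triage(events, work_hours=WORK_HOURS):
    """Return [(host, time, image name, user, [reasons])] for events matching at least one rule."""
    start, end = work_hours
    findings = []
    for ts, host, image, parent, user in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        name, parent_name = _name(image), _name(parent)
        reasons = []
        if name in SHELLS and parent_name == "winlogon.exe":
            reasons.append("shell spawned by winlogon.exe (logon-screen backdoor such as Sticky Keys)")
        if name in RECON:
            reasons.append("host/domain recon utility")
        if (name in SHELLS or name in RECON) and not (start <= when.time() < end):
            reasons.append("created outside working hours")
        if reasons:
            findings.append((host, when, name, user, reasons))
    return findings


def cluster_by_host(findings, minimum=2):
    """Hosts with at least `minimum` flagged events: the clusters worth an analyst's time."""
    counts = Counter(host for host, *_ in findings)
    return {host: n for host, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host, when, name, user, reasons in hits:
        print(f"{host} {when:%Y-%m-%d %H:%M} {name} ({user}): {'; '.join(reasons)}")
    print("clusters:", cluster_by_host(hits))
```

In the sample, the daytime ipconfig.exe on a workstation is flagged once and would normally be tuned out, while the SQL server accumulates a shell under winlogon.exe at 02:47 followed by net1.exe a few seconds later, which is exactly the kind of cluster Carvey describes.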
Hunters should look at whether a process was created and when, compare that to the organization's hours of operation or the working hours of the person who normally uses that endpoint, and correlate it with other clusters of indicators such as registry keys, credentials used, event logs, and file system artifacts. Take, for example, the Sticky Keys attack. In the Windows registry there is a key called Image File Execution Options (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) that Microsoft left in place so that developers can attach a debugger to a binary when it starts. An attacker with RDP access to the system can modify this key with the reg.exe command line utility, creating a subkey for one of the accessibility tools, sethc.exe (Sticky Keys) or utilman.exe (Utility Manager), and pointing its Debugger value at cmd.exe. Even if every password in the organization's infrastructure is changed, the attacker retains access: all they must do is RDP to that system and, when the logon screen appears, press the Shift key five times (or Windows key + U for utilman.exe) instead of entering credentials, and they get a command prompt running as SYSTEM. Attackers use command line tools to do anything on a system. Once in, they can create users, change passwords, dump passwords, and anything else. The way to detect this is to monitor process creation and see that cmd.exe is being launched where it should not be, for example spawned by winlogon.exe at the logon screen, at times or on systems that should show no use, or on systems where users should not be launching cmd.exe at all.

Another suggestion I would make is to make use of ShimCache and Amcache. These artifacts let administrators and hunters see which executables have been present or run on a system and approximately when (ShimCache records the file's path and last-modified time rather than an execution time, and neither artifact records how long a program ran). ShimCache can be parsed with Mandiant's ShimCacheParser, run directly through Python or built into a Windows EXE from the Python script on its GitHub page, https://github.com/mandiant/ShimCacheParser. ShimCache data should be collected and analyzed from all Windows endpoints in an organization, both clients and servers. Servers are particularly important because they are "usually the number one initial entry point for breaches, especially internet-facing servers, or other servers and DMZs," says David Sharpe in his DerbyCon 2015 talk (Sharpe, 2015).
Amcache (Amcache.hve) was introduced with Windows 8 and Windows Server 2012 alongside ShimCache rather than replacing it; it records similar evidence but has more useful fields for hunting, such as a SHA1 hash of the file (computed over only the first 31 MB of larger files, so hashes of big binaries will not match a full-file hash) and more useful timestamp fields. Data from these caches should be stacked and analyzed for sequences of recon activity, net commands, pings, archivers like RAR being run, and EXEs running from abnormal locations on disk. For example, if an Amcache timeline shows EXEs being run from under C:\Users, that is an abnormal location for executables and warrants investigation.

I would also recommend mining server antivirus logs, because they are a consistent, high-yield data source for hunting intrusions, which is especially true for internet-facing assets. According to Sharpe (2015), about 20% of all targeted intrusions have an AV alert somewhere along the timeline. If an intrusion attempt has progressed far enough for an AV product to trigger, that alert is a useful starting point.
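The stacking described above for ShimCache and Amcache data can be done with a few dozen lines once the hives have been parsed. The following is an added example, not code from the paper, from ShimCacheParser or from Sharpe's talk. Its input records are constructed to mimic what a ShimCache or Amcache parser emits (host, full path, SHA1 where Amcache provides it, timestamp); the SHA1 values are placeholders, and the host names, paths and utility lists are assumptions. It flags executables in user-writable locations, archivers and recon utilities, lists paths seen on only one host, finds bursts of recon on a single host, and uses the Amcache SHA1 to spot the same binary running under different names.

```python
"""Stacking ShimCache/Amcache execution evidence across hosts (added example).

Records are constructed. ShimCache stores the file's last-modified time, not
an execution time, so the timestamp is used only to order entries on a host.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {"net.exe", "net1.exe", "ping.exe", "whoami.exe", "ipconfig.exe",
         "nltest.exe", "quser.exe", "tasklist.exe", "systeminfo.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample entries; SHA1 strings are placeholders, not real file hashes.
SAMPLE_ENTRIES = [
    # (host, path, sha1 or None for ShimCache-only data, timestamp)
    ("WS-0142", r"C:\Windows\System32\notepad.exe", "3f786850" * 5, "2017-12-01 09:10:00"),
    ("WS-0207", r"C:\Windows\System32\notepad.exe", "3f786850" * 5, "2017-12-01 11:22:00"),
    ("WS-0142", r"C:\Users\jsmith\AppData\Local\Temp\rar.exe", "89e6c98d" * 5, "2017-12-04 23:51:00"),
    ("WS-0207", r"C:\Users\Public\Music\wr.exe", "89e6c98d" * 5, "2017-12-04 23:58:00"),
    ("SQL-PROD-01", r"C:\Users\Public\svch0st.exe", "2b66fd26" * 5, "2017-12-05 02:45:00"),
    ("SQL-PROD-01", r"C:\Windows\System32\net.exe", "f1d2d2f9" * 5, "2017-12-05 02:48:00"),
    ("SQL-PROD-01", r"C:\Windows\System32\ping.exe", "e242ed3b" * 5, "2017-12-05 02:49:00"),
    ("SQL-PROD-01", r"C:\Windows\System32\whoami.exe", "c0ffee00" * 5, "2017-12-05 02:49:30"),
    ("FS-01", r"C:\Program Files\7-Zip\7z.exe", "7a7a7a7a" * 5, "2017-12-02 14:00:00"),
]


def _name(path):
    return ntpath.basename(path).lower()


def flag_entries(entries):
    """Per-entry indicators: [(host, path, [reasons])]."""
    findings = []
    for host, path, _, _ in entries:
        name, reasons = _name(path), []
        if path.lower().startswith(USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if name in ARCHIVERS:
            reasons.append("archiver (exfiltration staging)")
        if name in RECON:
            reasons.append("recon utility")
        if reasons:
            findings.append((host, path, reasons))
    return findings


def rare_paths(entries, max_hosts=1):
    """Stack by full path across the fleet; paths seen on few hosts deserve a look."""
    hosts = defaultdict(set)
    for host, path, _, _ in entries:
        hosts[path.lower()].add(host)
    return sorted(p for p, h in hosts.items() if len(h) <= max_hosts)


def recon_sequences(entries, window=timedelta(minutes=10), minimum=2):
    """Hosts where `minimum` or more recon utilities appear within `window`: {host: burst size}."""
    stamps = defaultdict(list)
    for host, path, _, ts in entries:
        if _name(path) in RECON:
            stamps[host].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    out = {}
    for host, times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            run = sum(1 for t in times[i:] if t - start <= window)
            if run >= minimum:
                out[host] = max(out.get(host, 0), run)
    return out


def renamed_binaries(entries):
    """Amcache SHA1s that appear under more than one file name: {sha1: {names}}."""
    names = defaultdict(set)
    for _, path, sha1, _ in entries:
        if sha1:
            names[sha1].add(_name(path))
    return {s: n for s, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for host, path, reasons in flag_entries(SAMPLE_ENTRIES):
        print(f"{host} {path}: {'; '.join(reasons)}")
    print("rare paths:", rare_paths(SAMPLE_ENTRIES))
    print("recon bursts:", recon_sequences(SAMPLE_ENTRIES))
    print("renamed binaries:", renamed_binaries(SAMPLE_ENTRIES))
```

On a real fleet the rare-path list is long, so it is best read after the other three views have already pointed at a host; the SHA1 view is the one only Amcache can give you, and it catches a renamed archiver even when the name-based rules do not.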
At best, the intrusion was blocked, but there is still an exploitable hole that needs to be addressed. The worst case is that the intrusion is far along and AV picked up only one tool in a long series of events that all need to be addressed. Things to look for include web shells, AV detections while the file is under the webroot or C:\Windows, and backdoors and malware street names identified by intelligence sources and experience. This should be supplemented by custom host intrusion prevention system (HIPS) rules targeting how malware tools work, for example looking for credential dumpers like WCE, pwdump, gsecdump, fgdump, and Mimikatz. Netstat data should be mined to find rogue listeners across all endpoints, especially servers on the network edges. The command netstat -nabo (run from an elevated prompt, since -b needs administrator rights to report the owning executable) pulls the data to mine. One example of an indicator of compromise is a single TCP port on one system showing multiple process names and paths bound to it across collections. A listening TCP port is owned by one process, so this should not happen on a normally-running system; in this case, intruder activity could be interleaved with legitimate SQL Server activity on the same port. Netstat output should be stacked across all internet-accessible servers by listening port to see how many ports show up just once.
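The netstat stacking steps described in this and the following paragraph (stack by port, stack by binary path, keep a baseline and diff new listeners) are implemented in the following added example, which is not code from the paper or from Sharpe's talk. The netstat -nabo output is constructed, as are the host names and paths. One caveat the example handles: -b prints only the image name in brackets, not its path, so the full path is joined from a per-host PID-to-path map of the kind wmic process get ProcessId,ExecutablePath produces, also constructed here.

```python
"""Parse `netstat -nabo` output and stack listeners across hosts (added example).

Only TCP LISTENING rows are kept. `-b` prints the image name on the line after
the socket; service names (e.g. RpcSs) and "Can not obtain ownership
information" lines are ignored. All sample data is constructed.
"""
import re
from collections import defaultdict

ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

SVCHOST = r"C:\Windows\System32\svchost.exe"
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
ROGUE = r"C:\Users\Public\svch0st.exe"

WEB01_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
 [svchost.exe]
  TCP    10.0.0.5:49321         10.0.0.9:1433          ESTABLISHED     3324
 [w3wp.exe]
"""
WEB01_PIDS = {4: "System", 896: SVCHOST, 1204: SVCHOST, 3324: r"C:\Windows\System32\inetsrv\w3wp.exe"}

SQL_DAY1 = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
 [svchost.exe]
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2416
 [sqlservr.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
 [svchost.exe]
"""
SQL_DAY1_PIDS = {904: SVCHOST, 2416: SQLSERVR, 1188: SVCHOST}

SQL_DAY2 = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
 [svchost.exe]
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       5120
 [svch0st.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
 [svchost.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
 [svch0st.exe]
"""
SQL_DAY2_PIDS = {904: SVCHOST, 5120: ROGUE, 1188: SVCHOST}


def parse_netstat(host, text, pid_paths):
    """Return listener dicts (host, proto, port, pid, image, path) from one host's netstat -nabo output."""
    listeners, current = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            current = None
            if proto == "TCP" and state == "LISTENING":
                current = {"host": host, "proto": proto, "port": port, "pid": pid,
                           "image": None, "path": pid_paths.get(pid)}
                listeners.append(current)
            continue
        m = OWNER.match(line)
        if m and current is not None:
            current["image"] = m.group(1)  # -b gives the image name only, never the path
    return listeners


def _binary(l):
    return l["path"] or l["image"]


def singletons(listeners, key):
    """Stack by `key` ("port" or "path") across hosts; return values seen on exactly one host."""
    hosts = defaultdict(set)
    for l in listeners:
        hosts[l[key] if key != "path" else _binary(l)].add(l["host"])
    return sorted(v for v, h in hosts.items() if len(h) == 1)


def ports_with_multiple_owners(listeners):
    """Same host and port owned by different binaries across collections: {(host, proto, port): {binaries}}."""
    owners = defaultdict(set)
    for l in listeners:
        owners[(l["host"], l["proto"], l["port"])].add(_binary(l))
    return {k: v for k, v in owners.items() if len(v) > 1}


def new_listeners(baseline, current):
    """Listeners present now that were not in the preserved baseline."""
    key = lambda l: (l["host"], l["proto"], l["port"], _binary(l))
    return {key(l) for l in current} - {key(l) for l in baseline}


if __name__ == "__main__":
    web = parse_netstat("WEB-01", WEB01_NETSTAT, WEB01_PIDS)
    day1 = parse_netstat("SQL-PROD-01", SQL_DAY1, SQL_DAY1_PIDS)
    day2 = parse_netstat("SQL-PROD-01", SQL_DAY2, SQL_DAY2_PIDS)
    print("ports on one host only:", singletons(web + day2, "port"))
    print("binaries on one host only:", singletons(web + day2, "path"))
    print("ports with multiple owners:", ports_with_multiple_owners(day1 + day2))
    print("new since baseline:", new_listeners(day1, day2))
```

Stacking by port and by path answers different questions: a port that appears once may be a legitimately unique service, but a binary path that appears once under a user profile, bound to a port that was previously owned by sqlservr.exe, is the interleaving Sharpe describes. Keeping the parsed baseline lets the last function turn that into a daily diff rather than a one-off review.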
This data should also be stacked by the full path to the process's binary to see how many paths show up just once. Additionally, all output should be preserved as a baseline, and all new listeners that appear over time, especially across internet-facing systems, should be tracked (Sharpe, 2015).

There are many companies that offer proactive hunting services for a fee, but I would recommend that an organization also have in-house hunters who proactively seek out cyberattacks, and use outside consultation to improve the in-house hunting. In striving to be an organization with competent cybersecurity measures in place, the organization should collect very large amounts of data from across the enterprise and from all endpoints. All the suggestions I have made in this paper involve compiling large data sets to find abnormalities in the organization's operations.
It is only with these data sets that we can analyze the data and find indicators of compromise.

Works Cited

Ashford, W. (2015, October 13). Cyber security innovation is crucial, says security evangelist. Computer Weekly. Retrieved December 15, 2017, from http://www.computerweekly.com/news/4500255332/Cyber-security-innovation-is-crucial-says-security-evangelist

Ashford, W. (2016, March). Hunters: a rare but essential breed of enterprise cyber defenders. Computer Weekly. Retrieved December 15, 2017, from http://www.computerweekly.com/feature/Hunters-a-rare-but-essential-breed-of-enterprise-cyber-defenders

Bianco, D. (2015, October 15). A Simple Hunting Maturity Model. Retrieved December 15, 2017, from http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

Carvey, H. (2015, July 25). BSidesCincy 2015 01 Lateral Movement Harlan Carvey [Video]. Retrieved December 15, 2017, from https://www.youtube.com/watch?v=dYoYMsJ5aIc

Lee, R. M. (2016, February). The Who, What, Where, When, Why and How of Effective Threat Hunting. SANS Institute. Retrieved December 15, 2017, from https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

Rackspace. (2017, September 29). Age of the Cyber Hunter: How a New Generation of Threats Changed the Cybersecurity Paradigm. Retrieved December 15, 2017, from https://www.rackspace.com/sites/default/files/white-papers/age-of-the-cyber-hunter-white-paper_1.pdf

Rackspace. (2017). Enterprise Security Today – Why Speed Matters. Retrieved December 15, 2017, from http://go.rackspace.com/brand-deepdives26.html

Sharpe, D. (2015, September 28). Intrusion Hunting for the Masses: A Practical Guide [Video]. DerbyCon 2015. Retrieved December 15, 2017, from https://www.youtube.com/watch?t=1=MUUseTJp3jM