Definition of Cyber Hunting by our good friends at Wikipedia: “Cyber threat hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), and SIEM Systems, which typically involve an investigation after there has been a warning of a potential threat or an incident has occurred.” In short, hunting begins when traditional security methods fail. Teams are called upon to enter contested terrain and defeat attackers. This article discusses the high level process of how a team would approach such a situation. In later articles we will step through each phase of an attack, discuss technical methods and use some open source tools as a demonstration.
Each of these principals could be and probably have been individual white papers. The objective here is to lay the foundation for deeper discussions in hunt.
The first principal is “Objective”. “Begin with the end in mind.”. This is a quote from the book The 7 Habits of Highly Effective People and should serve as a reminder throughout the entire engagement. Ultimately the objective should make sure that the clients need is met. To meet the clients need, there needs to be an understanding of what the client is asking. Once the objective is understood, efforts can be aligned to achieve objective. Note that sometimes what you think should happen doesn’t match the objective of the client! The client may want to stop the bleed while you want to take a more systematic approach to get to the root cause of the intrusion.
2. Cyber Kill Chain
The second principal of hunting is the “Cyber Kill Chain“. A cyber kill chain can be thought of as the lifecycle of an attack. MITRE uses a matrix called ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) that identifies Tactics, Techniques and Procedures (TTPs) for phases of the kill chain. Using a cyber kill chain defensively allows defenders to characterize behaviors and identify objectives of an attacker. As defenders, if we can orient ourselves to our attackers tactics and their goals we can anticipate their next step. We can also use this to possibly characterize or identify our attacker and help guide our operation with further research.
2. OODA Loop
The third principal of hunting is “OODA Loop”. OODA stands for Observe, Orient, Decide, Act. Notice that the term has the word loop in it. This is because the OODA loop is a decision cycle that is constantly running. Observe, pull in data from everywhere and take notes. Orient, analyze the data and figure out what phase of the Cyber Kill Chain the enemy is in, who they are, what is their goal, what tools are they using. Decide, with the information present and put resources to that effort. Act, employ the decision. Using the OODA Loop concept to drive decisions gives everyone a clear thought process to make informed, logical decisions. It also can be used “offensively” when thinking about how the defenders actions influence the attackers, or even better, what the attackers decision making process looks like. Are the attackers making observations of their environment as they pivot from one host to the next looking for a way to root level access?
Wrapping it all up in a very brief description our three principals can look like this.
A team is called upon to identify the root cause of a attack where it is suspected that the attackers were able to obtain domain admin privileges. The company that hired the team has stated they expect them to identify if any sensitive data has left their networks, identify if the enemy still remains, and to secure the network.
- Observe – Pull logs, pcap, memory scrapes, personnel interviews etc
- Orient – With the data presented a Remsec variant backdoor has been identified and a determination has been made that the attacker is in the command & control phase of the kill chain. With research its discovered that this command and control tactic has been used by Strider threat group. With deeper research this threat actor has been identified as using connection proxies as the data exfiltration TTP. The team now has a place to look when trying to determine if sensitive data has left the network.
- Decide – A decision to update the Intrusion Detection System, Firewall and Host Intrusion Prevention Systems with the indicator of compromise list here has been made. The goal is to shut off the attackers access to their command and control malware.
- Act – The changes decided upon are implemented, and the cycle begins all over again to determine if further action is needed.
All of this is to say that identifying a tool an attacker is using is easy, figuring out the attackers goal and getting inside of their head to anticipate their next move is the hard part. The “Pyramid of Pain” does a nice job of displaying this theory. Ultimately the goal of a hunter is to stop the bad guys. Making logical, data driven decisions that deny the adversary employ their tactics, techniques and procedures to achieve their objectives while allowing the customer to achieve theirs is key to success.