Entity-driven hunt scenario

Your organization may be part of an information sharing distribution list that includes different entities in your sector

Different financial institutions may be experiencing an attack (it could be phishing or DDoS), and they share details about the attack on the distribution list

Purpose

Suppose you received information that different financial institutions are experiencing Microsoft Password expiration-themed phishing campaigns

You are provided certain information regarding the senders, subject and URLs

The purpose of this entity-driven threat hunt would be to identify if your organization is experiencing this phishing campaign or has experienced it already

Scope

You review the indicators of attack used by the phishing campaign to determine the scope

Here are some of the indicators used by the campaign:

  • Subject: Password expiration reminder

  • Sender: admin@xxxx.com where xxxx stands for the evil domain

  • URL: xxx.evildomain.net

  • Body: Password for your account expires today, act immediately!

Determine what techniques/tools you would focus on

Identify data that is needed for the hunt at a high level, based on the techniques/tools in scope

Hypothesis development

  • Based on information gathered, you should identify the tool needed for your hunt

  • The analytic question is: if your organization is targeted by this campaign, there would be an influx of emails with the associated indicators

  • Expected outcome is to be able to prove the hypotheses by locating the emails in your environment

Formulate

The hunter should formulate a plan to conduct the hunt, based on the scope

Identify data sources needed for the hunt, based on the hypothesis

  • You need email gateway logs to identify emails from the phishing campaign entering your environment and to determine if they were successfully delivered

  • You need proxy logs to identify URLs/domains visited based on user clicks and whether each request was allowed or blocked

  • Logs from email security solutions to identify if the email was detected as phishing

Determine analysis techniques needed to answer questions from the hypothesis

  • You need searching techniques to look for the artifacts

Understand the tools required to gather and analyze data

  • You need an email gateway that routes your inbound email

  • A proxy solution is needed to log the URL visits

  • Email security solution

Execute

After planning, the hunter should execute the hunt by collecting and analyzing relevant data to answer questions from the hypotheses

Gather data from all the sources identified in the previous stage:

  • Email gateway logs

  • Proxy logs

  • Email security solution logs

Utilize analysis techniques to prove or disprove hypotheses:

  • Search email gateway logs for the sender/subject/URL

  • Search proxy logs to identify URLs/domains visited by end users and if the site was successfully presented to the user

  • Search email security logs to determine if the email was flagged as suspicious and blocked before delivery or removed from end user mailboxes post-delivery
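As an added example (not part of the original hunt write-up), the Python below runs the gateway and proxy searches just described over constructed sample log lines: it matches on either the sender domain or the subject so that a rotated sender address is still caught, and it reports who was delivered the email and who reached the site through the proxy. The key=value log format, the field names and the evildomain.net placeholder are assumptions, not a real product's schema.

```python
import re
from urllib.parse import urlsplit
# Indicators from the Scope section; the domain is a constructed placeholder.
INDICATORS = {"subject": "password expiration reminder", "domain": "evildomain.net"}
# Constructed sample logs (not real data), one key=value record per line.
GATEWAY_LOG = """\
ts=2024-01-10T08:01:12Z from=admin@evildomain.net to=alice@corp.example subject="Password expiration reminder" action=delivered
ts=2024-01-10T08:01:15Z from=admin@evildomain.net to=bob@corp.example subject="Password expiration reminder" action=quarantined
ts=2024-01-10T08:02:00Z from=hr@corp.example to=alice@corp.example subject="Benefits update" action=delivered
ts=2024-01-10T08:03:40Z from=helpdesk@evildomain.net to=carol@corp.example subject="Urgent: password expiration reminder" action=delivered
"""
PROXY_LOG = """\
ts=2024-01-10T08:05:03Z user=alice url=http://login.evildomain.net/reset status=allowed
ts=2024-01-10T08:06:10Z user=carol url=http://login.evildomain.net/reset status=blocked
ts=2024-01-10T08:07:00Z user=alice url=https://intranet.corp.example/ status=allowed
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted

def parse_line(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def in_domain(host, domain):
    """True if host is the indicator domain or one of its subdomains (xxx.evildomain.net)."""
    return host == domain or host.endswith("." + domain)

def hunt_gateway(log, ind=INDICATORS):
    """Emails whose sender domain OR subject matches an indicator; matching on
    either one still catches a campaign that changed its sender address."""
    hits = []
    for rec in map(parse_line, log.splitlines()):
        sender_domain = rec["from"].rsplit("@", 1)[-1].lower()
        if in_domain(sender_domain, ind["domain"]) or ind["subject"] in rec["subject"].lower():
            hits.append(rec)
    return hits

def hunt_proxy(log, ind=INDICATORS):
    """Proxy requests to the indicator domain, keeping the allowed/blocked status."""
    recs = map(parse_line, log.splitlines())
    return [r for r in recs if in_domain((urlsplit(r["url"]).hostname or "").lower(), ind["domain"])]

def summarize(gateway_log=GATEWAY_LOG, proxy_log=PROXY_LOG):
    """Answer the analytic question: did the campaign reach us, and did anyone reach the site?"""
    emails, clicks = hunt_gateway(gateway_log), hunt_proxy(proxy_log)
    return {
        "emails_matched": len(emails),
        "delivered_to": sorted(e["to"] for e in emails if e["action"] == "delivered"),
        "blocked_pre_delivery": sum(e["action"] != "delivered" for e in emails),
        "reached_site": sorted(c["user"] for c in clicks if c["status"] == "allowed"),
        "blocked_by_proxy": sorted(c["user"] for c in clicks if c["status"] == "blocked"),
    }
```

On the constructed sample, `summarize()` reports three matching emails (two delivered, one quarantined), one user who reached the phishing site and one whose request the proxy blocked.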

Employ additional tools/techniques/data sets as needed

  • Identify if any additional data is required for analysis or if any other tools are required to capture additional data

  • For example, the attacker may have changed the sender address or the URL when targeting your organization

  • You may have different proxy solutions that you need to gather data from for complete coverage

Capture results as you proceed with the hunt

  • As you finish reviewing each indicator, document the results

  • If there are any challenges, identify and document them

Develop a threat hunt report that captures all essential details of the hunt along with any additional observations

  • Summarize findings for each analytic question from the hypotheses

  • Outline results from each data set analyzed

  • Document any gaps identified that limited your ability to gather or analyze data

Feedback

Identify lessons from each stage of the hunt to use in the feedback stage to improve the hunting process

Involve all parties from the hunt and seek their feedback for the different stages

  • How valuable was the crowd-sourced data that was used as a trigger for the hunt?

  • Were there any additional data elements that could have been gathered?

  • What could we improve for each stage of the hunt?

  • Did we select the right indicators to focus on in the scope stage?

  • Did we consider all data sources for analysis?

  • Were there any deviations in logging?

  • Were there any tools that we were missing to collect and analyze data?
