Situation-driven hunt scenario

Purpose

Sensitive data such as PII is of utmost importance to your organization; it is one of its crown jewels

PII is stored in encrypted locations at rest, transmitted over encrypted channels in motion, and protected in use

Your internal risk assessment indicates that data exfiltration via password-protected attachments is a concern

The purpose of this situation-driven threat hunt is to identify whether data exfiltration via password-protected attachments is happening in your environment

Scope

Review the mechanisms used to password-protect files to determine the scope

Here are some of the ways that files can be archived/password-protected:

  • The most common method is zip files

  • Another method is via password-protected rar archives

  • 7zip can also be used to archive and encrypt

  • Some threat actors use .cab files

Determine what techniques and tools you would focus on

Identify data that is needed for the hunt, based on the techniques and tools in use

Hypothesis development

  • Based on information gathered, you should identify the tool needed for your hunt

  • The analytic question: if your organization is targeted by this campaign, there would be outbound emails with password-protected attachments

  • The expected outcome is to prove the hypothesis by locating these outbound emails in your environment

Formulate

The hunter should formulate a plan to conduct the hunt, based on the scope

Identify data sources needed for the hunt, based on the hypothesis:

  • Email gateway logs to identify outbound emails with password-protected attachments

  • DLP logs to determine if these outbound emails are allowed/blocked

  • Endpoint logs to identify the processes or command-line arguments used to compress/encrypt data

  • Endpoint logs to identify file creation with the respective extension/headers

Determine analysis techniques needed to answer questions from the hypothesis

  • Searching techniques to look for the respective artifacts

  • Grouping techniques to group by archival type if needed

Understand the tools required to gather and analyze data

  • Email gateway that routes your outbound email

  • DLP solution to log outbound emails with password-protected files

  • Endpoint logs for process creation, file creation and command execution

Execute

After planning, execute the hunt by collecting and analyzing relevant data to answer questions from the hypotheses

Gather data from all the sources identified in the previous stage

  • Email gateway logs

  • DLP logs

  • Endpoint logs

Utilize analysis techniques to prove or disprove hypotheses

  • Search DLP logs to identify this activity and determine the result

  • Search email gateway logs for the password-protected .zip, .7z, .rar, .cab files

  • Search endpoint logs for newly created .zip, .7z, .rar or .cab files, based on output from the DLP logs

  • Also look for file access events to identify the files that are part of the archive
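As an added example (not part of the original scenario), the Python below applies the search and grouping techniques above to constructed outbound-mail records: it identifies the attachment container by magic bytes, reads the ZIP general-purpose encryption flag to separate password-protected ZIPs from plain ones, and groups hits by archive type. The addresses, messages and the build_zip helper are constructed for illustration only.

```python
import io
import struct
import zipfile
import zlib
from collections import Counter

# Magic bytes of the archive formats named in the hunt scope.
MAGIC = {b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z",
         b"Rar!\x1a\x07": "rar", b"MSCF": "cab"}

def classify_attachment(data: bytes) -> dict:
    """Identify the container by magic; for ZIP, count entries whose general-purpose
    flag bit 0 (set by ZipCrypto and by AES/method 99) marks them as encrypted.
    7z/RAR/CAB encryption state sits deeper in their headers and is not parsed here."""
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    info = {"type": kind, "entries": 0, "encrypted_entries": 0}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                info["entries"] += 1
                info["encrypted_entries"] += zi.flag_bits & 0x1
    return info

def hunt_outbound(messages: list) -> tuple:
    """Return hits (sender, recipient, filename, type, encrypted?) plus a Counter by type."""
    hits = []
    for msg in messages:
        for fname, blob in msg["attachments"]:
            info = classify_attachment(blob)
            if info["type"]:
                hits.append((msg["sender"], msg["recipient"], fname,
                             info["type"], info["encrypted_entries"] > 0))
    return hits, Counter(h[3] for h in hits)

def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: one-entry stored ZIP, optionally flagged encrypted (no real crypto)."""
    flags, crc, fname = (0x1 if encrypted else 0), zlib.crc32(payload), name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, crc,
                        len(payload), len(payload), len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(payload), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

# Constructed outbound messages (not real gateway data); only "export.zip" is encrypted.
SAMPLE_MESSAGES = [
    {"sender": "alice@corp.example", "recipient": "ext@partner.example",
     "attachments": [("export.zip", build_zip("pii.csv", b"ssn,name\n", True))]},
    {"sender": "bob@corp.example", "recipient": "friend@mail.example",
     "attachments": [("photos.zip", build_zip("readme.txt", b"hi", False)),
                     ("data.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26),
                     ("notes.txt", b"plain text, not an archive")]},
]
```

In a real hunt the message records would come from the email gateway or DLP export, and the per-type Counter is the grouping step that tells you which archive formats dominate before you pivot to endpoint file-creation logs.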

Employ additional tools/techniques/data sets as needed

  • Identify if any additional data is needed for analysis, like capturing command line arguments from endpoints

  • For example, additional password-protected file types may need to be considered for the hunt

  • You may have different DLP solutions that you need to gather data from for complete coverage

Capture results as you proceed with the hunt

  • As you finish reviewing each file type and data type, document the results

  • If there are any challenges with data required for analysis, identify and document them

Develop threat hunt reports that capture all essential details of the hunt along with any additional observations

  • Summarize findings for each analytic question from the hypothesis

  • Outline results from each data set analyzed

  • Document any gaps identified that limited your ability to gather or analyze data

Feedback

Identify lessons from each stage of the hunt to use in the feedback stage to improve the hunting process

Involve all parties from the hunt and seek their feedback for the different stages

  • How valuable was the internal risk assessment data that was used as a trigger for the hunt?

  • Were there any additional data elements that could have been gathered?

  • Did we select the right data points to focus on in the Scope stage?

  • Did we consider all data sources for analysis?

  • Were there any deviations in logging?

  • Were there any tools that we were missing to collect and analyze data?
