Structured hunt scenario

Purpose

CostaRicto was a suspected cyber-espionage campaign that targeted multiple industries worldwide, a large number of them financial institutions

Your senior management is concerned that this is a potential threat to your organization, and your threat hunting team was summoned to hunt for this campaign and to report back

The purpose of your threat hunt is to determine whether there is any indication that your organization is being targeted or is already a victim

  • The goal is to uncover the presence of CostaRicto in your environments and determine where you have gaps in your protection/detection

  • The hunting ground is the locations of sensitive data that the threat actors are interested in exfiltrating

  • Identify any assumptions for your threat hunt in terms of the locations where data is and what normal usage is

  • Identify any limitations for the hunt like data or resource availability

  • The desired outcome is to successfully accomplish the goals set forth for the hunt

Scope

You review the tactics and techniques used by this campaign to understand how the campaign operates during each phase of the attack life cycle, and use that to determine the Scope

  • This is what differentiates structured hunts from other types of hunts

Here are some of the techniques used by the campaign:

  • Data from local system: Data and files collected from compromised networks

  • Develop capabilities: Custom malware PS1, CostaBricks and SombRAT used

  • External remote services: Remote tunneling using SSH tool to maintain access

  • Ingress tool transfer: Downloaded malware and tools onto a compromised host

  • Network service discovery: Employed nmap and pscan to scan target environments

  • Obtain capabilities: Obtained open-source tools to use in their operations

  • Proxy: Used a layer of proxies to manage C2 communications

  • Scheduled task/job: Scheduled tasks created to download backdoor tools

Here are some of the tools used by the campaign:

  • CostaBricks

  • PowerSploit

  • PS1

  • PsExec

  • SombRAT

  • Tor

Determine what techniques and tools you would focus on and identify the network/systems involved

Identify data that is needed for the hunt at a high level, based on the techniques/tools in scope

Hypothesis development

Based on intelligence gathered, you could select a specific tool for your hunt or focus on all phases of the attack life cycle and consider TTPs for each phase

  • There are several hash files, file names, domain names and IP addresses you could collect for SombRAT from your threat intelligence

  • The analytic question is: if SombRAT is used during the campaign, will the set of observables associated with SombRAT malware be present in your environment?

  • Expected outcome is to be able to prove the hypotheses by locating the artifacts in your environment

Formulate

The hunter should formulate a plan to conduct the hunt, based on the scope

Identify data sources needed for the hunt based on the hypothesis:

  • EDR/AV/IDS logs to see if there are any alerts for this specific malware

  • You need proxy logs to identify URLs/domains

  • Firewall logs to search for IP addresses

  • Endpoint logs are needed to determine execution of a specific file

Determine the analysis techniques needed to answer questions from the hypothesis:

  • You certainly need searching to look for the artifacts

Understand the tools required to gather and analyze data:

  • You need an EDR solution to scan for the hashes and file names on endpoints

  • A proxy solution is needed to log the URL visits

  • Firewall to log connections to IP addresses

Execute

After planning, the hunt needs to be executed by collecting and analyzing relevant data to answer questions from the hypotheses

Gather data from all the sources identified in the previous stage:

  • EDR/AV/IDS logs

  • Proxy logs

  • Firewall logs

  • Endpoint logs

Utilize analysis techniques to prove or disprove hypotheses:

  • Search EDR/AV/IDS logs to see if there are any alerts for this specific malware

  • Review proxy logs to identify URLs/domains

  • Search firewall logs for connections to the IP addresses

  • Review endpoint logs to determine execution of a specific file

Employ additional tools/techniques/data sets as needed:

  • Data from a packet capture solution may be utilized to determine what is occurring in the network communication

  • Identify if any additional data is required for analysis or if any other tools are required to capture additional data

Capture results as you proceed with the hunt:

  • As you are reviewing each element, document the results

  • If there are any challenges, identify and document them

Develop a threat hunt report that captures all essential details of the hunt along with any additional observations:

  • Summarize findings for each analytic question from the hypotheses

  • Outline results from each data set analyzed

  • Document any gaps identified that limited your ability to gather or analyze data
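As an added example (not part of the original scenario, and not real CostaRicto/SombRAT intelligence), the search step and the per-data-set reporting step above can be expressed as a small Python hunt runner: it checks each planned log source for the hypothesis's observable set and reports hits and gaps per source. Every indicator value and log line below is a constructed placeholder.

```python
import re

# Observable set from the hypothesis. All values are constructed placeholders
# (hash is 63 zeros + "1"; IP is from the TEST-NET-3 documentation range).
PLACEHOLDER_HASH = "0" * 63 + "1"
OBSERVABLES = {
    "hash": {PLACEHOLDER_HASH},
    "filename": {"placeholder-loader.exe"},
    "domain": {"placeholder-c2.example"},
    "ip": {"203.0.113.10"},
}

# Which observable types each data source in the hunt plan can answer.
SOURCE_TYPES = {
    "edr": ("hash", "filename"),
    "proxy": ("domain",),
    "firewall": ("ip",),
    "endpoint": ("filename",),
}

def search_logs(logs, observables=OBSERVABLES):
    """Return {source: {observable_type: [matching log lines]}} for every
    planned source, so a source with no data still appears as a gap."""
    hits = {src: {t: [] for t in types} for src, types in SOURCE_TYPES.items()}
    for src, types in SOURCE_TYPES.items():
        for line in logs.get(src, []):
            # Tokenise on anything that is not a word char, dot or hyphen, so
            # hashes, file names, domains and dotted IPs survive as whole tokens.
            tokens = set(re.findall(r"[\w.\-]+", line.lower()))
            for t in types:
                if tokens & {v.lower() for v in observables[t]}:
                    hits[src][t].append(line)
    return hits

def summarize(hits, logs):
    """Per data source: whether it supplied data at all, and hit counts per type."""
    return {src: {"available": bool(logs.get(src)),
                  "hits": {t: len(v) for t, v in per.items()}}
            for src, per in hits.items()}

# Constructed sample log lines; the firewall feed is deliberately missing.
SAMPLE_LOGS = {
    "edr": [f"2024-01-05T10:01:02Z host=WS01 file=C:\\Users\\a\\placeholder-loader.exe sha256={PLACEHOLDER_HASH}"],
    "proxy": ["2024-01-05T10:02:10Z src=10.0.0.5 url=http://placeholder-c2.example/gate.php status=200",
              "2024-01-05T10:02:11Z src=10.0.0.6 url=https://intranet.example/ status=200"],
    "endpoint": ["2024-01-05T10:01:05Z host=WS01 event=ProcessCreate image=C:\\Users\\a\\placeholder-loader.exe"],
}

if __name__ == "__main__":
    for src, row in summarize(search_logs(SAMPLE_LOGS), SAMPLE_LOGS).items():
        print(src, "data available" if row["available"] else "GAP: no data", row["hits"])
```

The summary feeds the report directly: a source marked unavailable is a logging gap to document, and a hit in any source is a finding against the analytic question.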

Feedback

Identify lessons from each stage of the hunt to use in the Feedback stage to improve the hunting process

Involve all parties from the hunt and seek their feedback for the different stages:

  • What went well during each stage of the hunt?

  • What could we improve for each stage of the hunt?

  • Did we select the right TTPs to focus on in the Scope stage?

  • Did we consider all data sources for analysis?

  • Were there any gaps in logging?

  • Were there any tools that we were missing to collect and analyze data?

  • Was there a knowledge gap?
