Unstructured hunt scenario

We looked at an example of IOC-based hunting in Module 4

We also discussed analyst intuition as another way to conduct unstructured threat hunting

It is defined as a method of finding malicious activity without knowing exactly what type of threat you are looking for

In short, unstructured hunting is investigative work where a cyber-threat hunter observes behavior and looks for anomalies

Purpose

DNS is a vital internet protocol that resolves domain names (such as the hostname in a URL) to the corresponding IP address

  • Used by web servers, web apps, email, even malware

DNS requests to unusual or suspicious domains may be generated by malware setting up command-and-control channels

  • DNS monitoring and blacklisting are an important component of threat hunting

A threat hunter with this intuition could make suspicious DNS requests the purpose of a threat hunt

Scope

Here are some examples of suspicious DNS requests:

  • Random domains: Malware and C2 servers will use domain generation algorithms (DGAs) to generate random domains (like dfdkkk.com) to evade blacklisting

    • These domains are often less than 24 hours old!

  • Embedded IP addresses: IP addresses embedded in domains should be a warning sign

  • Irregular top-level domains: Unusual or unexpected top-level domains

  • NXDOMAIN: Requests to non-existent domains could be a typo or an indication of malware on the system

  • Unusual hours: Most DNS traffic should occur during standard business hours as employees use the internet

  • Abnormal volume: An unusual volume of DNS requests from a certain computer or for a certain domain may indicate an attack

  • Blacklist hits: Requests to known malicious domains indicate that a system has been infected with malware
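The scope criteria above can be turned into a first-pass triage of DNS logs. The script below is an added example for this module, not code from the original page: it reads constructed sample log lines (timestamp, client IP, queried name, response code) and labels each request with the criteria it matches. The log format, the blacklist, the expected-TLD list, the business-hours window and every threshold are assumptions chosen for the demonstration, and the "random domain" check is a simple vowel-ratio/entropy heuristic rather than a real DGA classifier.

```python
"""Flag suspicious DNS requests in a batch of DNS log lines.

Added example for this module, not code from the original page.  The log
format (timestamp client qname rcode), the blacklist, the expected-TLD list,
the business-hours window and every threshold below are assumptions chosen
for the demonstration, not vendor or organizational defaults.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample DNS log: "<ISO timestamp> <client IP> <queried name> <rcode>"
SAMPLE_LOG = """\
2024-03-04T10:02:11Z 10.0.0.5 www.example.com NOERROR
2024-03-04T10:02:12Z 10.0.0.5 mail.example.com NOERROR
2024-03-04T02:13:55Z 10.0.0.9 dfdkkk.com NOERROR
2024-03-04T02:14:01Z 10.0.0.9 qzxvbnmp.top NXDOMAIN
2024-03-04T11:30:00Z 10.0.0.7 10.1.2.3.evil-cdn.net NOERROR
2024-03-04T11:31:00Z 10.0.0.7 bad-domain.example NOERROR
2024-03-04T11:32:00Z 10.0.0.7 bad-domain.example NOERROR
"""

BLACKLIST = {"bad-domain.example"}                  # assumed threat-intel feed
EXPECTED_TLDS = {"com", "net", "org", "example"}    # assumed per-organization expectation
BUSINESS_HOURS = range(7, 19)                       # assumed 07:00-18:59 in the log's timezone
VOLUME_THRESHOLD = 2                                # assumed; unrealistically low for the tiny sample


def parse(line):
    """Split one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower().rstrip("."), rcode


def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_random(qname):
    """DGA-style heuristic: a long leftmost label with almost no vowels or very high entropy."""
    label = qname.split(".")[0]
    if len(label) < 6:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio < 0.2 or entropy(label) > 3.5


def has_embedded_ip(qname):
    """A dotted quad appearing as consecutive labels, e.g. 10.1.2.3.evil-cdn.net."""
    return re.search(r"(?:^|\.)(?:\d{1,3}\.){3}\d{1,3}(?:\.|$)", qname) is not None


def irregular_tld(qname):
    """Top-level domain outside the set the organization expects to see."""
    return qname.rsplit(".", 1)[-1] not in EXPECTED_TLDS


def flag_request(ts, qname, rcode):
    """Return the scope criteria from the module that this single request matches."""
    reasons = []
    if qname in BLACKLIST:
        reasons.append("blacklist")
    if looks_random(qname):
        reasons.append("random-domain")
    if has_embedded_ip(qname):
        reasons.append("embedded-ip")
    if irregular_tld(qname):
        reasons.append("irregular-tld")
    if rcode == "NXDOMAIN":
        reasons.append("nxdomain")
    if ts.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return reasons


def hunt(log_text):
    """Map (client, qname) -> matched criteria; (client, "*") carries the per-client volume flag."""
    per_client = Counter()
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse(line)
        per_client[client] += 1
        for reason in flag_request(ts, qname, rcode):
            if reason not in findings[(client, qname)]:
                findings[(client, qname)].append(reason)
    # Abnormal volume is a property of the whole batch, so it is checked after the pass
    for client, count in per_client.items():
        if count > VOLUME_THRESHOLD:
            findings[(client, "*")].append("abnormal-volume")
    return dict(findings)


if __name__ == "__main__":
    for (client, qname), reasons in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{client:<10} {qname:<24} {', '.join(reasons)}")
```

A request that matches several criteria at once (a random-looking name under an unexpected TLD that returns NXDOMAIN at 02:14) is a much stronger lead than any single hit, which is why the function keeps the full list of reasons rather than a single verdict.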

Hypothesis development

  • Based on intelligence gathered for blacklists or the specific criteria you selected to focus on, determine the best tools to use

  • If hits to blacklisted domains are part of your scope, you can obtain a list of blacklisted domains by leveraging threat intelligence

  • The analytic question is whether there are any hits to the blacklisted domains; if there are, that is evidence of malware present in your environment

  • The expected outcome is to prove the hypothesis by identifying hosts attempting the DNS requests in your environment

Formulate

The hunter should formulate a plan to conduct the hunt based on the scope

  • Identify data sources needed for the hunt based on the hypothesis

    • DNS logs to identify DNS domain resolution activity, including domain-to-IP address mappings and identification of internal clients making resolution requests

    • Proxy logs to identify URL/domain connection attempts

  • Determine analysis techniques needed to answer questions from the hypothesis

    • Searching to look for the artifacts

    • Stack counting for determining the number of DNS requests for each domain

    • Grouping to group all endpoints connecting to each domain

  • Understand the tools required to gather and analyze data

    • A DNS solution is needed to log the DNS requests

    • Proxy to identify domain/URL requests

Execute

After planning, the hunt needs to be executed by collecting and analyzing relevant data to answer questions from the hypotheses

Gather data from all the sources identified in the previous stage

  • DNS logs

  • Proxy logs

Utilize analysis techniques to prove or disprove hypotheses

  • Search DNS logs to see if there are any requests for the blacklisted domains

  • Review DNS logs to identify endpoints making these requests

  • Search proxy logs to identify endpoints making connection attempts to the bad domains
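The three analysis techniques named in the Formulate stage (searching, stack counting, grouping) and the three Execute steps above can be run with a few lines of code once the logs are exported. The following is an added example for this module, not code from the original page: it works over constructed DNS log lines (timestamp, client IP, queried name, response code) and constructed proxy log lines (timestamp, client IP, URL, HTTP status), and the blacklist is an assumed threat-intelligence list.

```python
"""Execute stage of the DNS hunt: search, stack counting, grouping and proxy correlation.

Added example for this module, not code from the original page.  Both log
formats, the blacklist and the sample lines are constructed assumptions.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed DNS log: "<timestamp> <client IP> <queried name> <rcode>"
DNS_LOG = """\
2024-03-04T10:02:11Z 10.0.0.5 www.example.com NOERROR
2024-03-04T10:05:00Z 10.0.0.6 www.example.com NOERROR
2024-03-04T11:30:00Z 10.0.0.7 bad-domain.example NOERROR
2024-03-04T11:32:00Z 10.0.0.7 bad-domain.example NOERROR
2024-03-04T11:44:00Z 10.0.0.8 bad-domain.example NOERROR
2024-03-04T12:00:00Z 10.0.0.8 c2-beacon.example NXDOMAIN
"""

# Constructed proxy log: "<timestamp> <client IP> <URL> <HTTP status>"
PROXY_LOG = """\
2024-03-04T11:31:05Z 10.0.0.7 http://bad-domain.example/gate.php 200
2024-03-04T11:40:00Z 10.0.0.8 https://www.example.com/ 200
2024-03-04T11:45:00Z 10.0.0.8 http://bad-domain.example/gate.php 403
"""

BLACKLIST = {"bad-domain.example", "c2-beacon.example"}  # assumed threat-intel list


def dns_records(log_text):
    """Yield (timestamp, client, qname, rcode) for each non-empty DNS log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield ts, client, qname.lower().rstrip("."), rcode


def stack_count(log_text):
    """Stack counting: number of DNS requests per domain."""
    return Counter(qname for _, _, qname, _ in dns_records(log_text))


def group_by_domain(log_text):
    """Grouping: which internal endpoints resolved each domain."""
    groups = defaultdict(set)
    for _, client, qname, _ in dns_records(log_text):
        groups[qname].add(client)
    return {qname: sorted(clients) for qname, clients in groups.items()}


def blacklist_hits(log_text, blacklist):
    """Search: endpoints that requested a blacklisted domain, whether or not it resolved."""
    return {qname: clients for qname, clients in group_by_domain(log_text).items()
            if qname in blacklist}


def proxy_attempts(proxy_text, blacklist):
    """Endpoints whose proxy requests targeted a bad domain; a blocked (403) request is still an attempt."""
    attempts = defaultdict(set)
    for line in proxy_text.splitlines():
        if not line.strip():
            continue
        _, client, url, _status = line.split()
        host = (urlsplit(url).hostname or "").lower()
        if host in blacklist:
            attempts[host].add(client)
    return {host: sorted(clients) for host, clients in attempts.items()}


if __name__ == "__main__":
    print("Stack count:", stack_count(DNS_LOG).most_common())
    print("DNS hits:", blacklist_hits(DNS_LOG, BLACKLIST))
    print("Proxy attempts:", proxy_attempts(PROXY_LOG, BLACKLIST))
```

Comparing the DNS hits with the proxy attempts is what turns a resolution into evidence: the NXDOMAIN lookup for c2-beacon.example shows up in the DNS grouping but never reaches the proxy, while bad-domain.example is both resolved and contacted by the same two endpoints.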

Employ additional tools/techniques/data sets as needed

  • If there are no hits based on your initial criteria, consider other criteria, such as requests to NXDOMAINs, to iteratively conduct your hunt

  • Identify if any additional data is required for analysis or if any tools are required to capture additional data based on your iterative process

Capture results as you proceed with the hunt

  • As you are conducting your hunt, document the results for each iteration

  • If there are any challenges, identify and document them

Develop threat hunt reports that capture all essential details of the hunt along with any additional observations.

  • Summarize findings for each analytic question from the hypotheses

  • Outline results from each data set analyzed

  • Document any gaps identified that limited your ability to gather or analyze data

Identify lessons from each stage of the hunt to use in the feedback stage to improve the hunting process

Involve all parties from the hunt and seek their feedback for the different stages

  • What went well during each stage of the hunt?

  • What could we improve for each stage of the hunt?

  • Did we select the right criteria to focus on in the scope stage?

  • Are there additional criteria we could use?

  • Did we ask the right analytic questions for hypotheses development?

  • Were there any tools that we were missing to collect and analyze data like a feed of known dynamic DNS (DDNS) domains into your SIEM or log aggregator?
