A recent article discussed the keys to becoming a level 4 maturity threat hunting program. This article will bring these concepts into the real world by discussing examples of attacks that required that high level of threat hunting maturity to find them and defend against them.
The case studies we’ll discuss are:
For additional details on these case studies as described by CISO of FirstBank, CSO of Red Canary and Detection Engineers and Threat Researchers from Red Canary and Carbon Black, watch the webinar “Becoming a Leader - An Insider Look at a Level 4 Threat Hunting Program.”
If you are a company that plans to make an acquisition, this is a critical situation for threat hunting teams to be prepared for. There have been many public examples of this happening with large companies like Yahoo and others. The stakes are high as no one wants to buy their way into a breach.
Adversaries can easily get into a small company and sit there for months at a time. When an acquisition happens, security teams are typically given about 2 weeks to evaluate the network of the company they are acquiring. Often times there is no context and no historical visibility on the endpoints. There is a time crunch on connecting the networks and the adversaries often go unnoticed.
How do you connect these networks while keeping your network safe? Tony Lambert, Detection Engineer at Red Canary says “It is critical to work with experts that have industry context as to the behaviors of common solutions.” If you are acquiring a company in the finance sector, make sure you have a resource on your team familiar with the software used. This can go a long way to helping provide context into endpoint activity.
Brian Baskin, Sr. Threat Researcher at Carbon Black comments that “One of the biggest constraints you’ll be working against is a lack of historical visibility. When you find something in an M&A health check, you don’t have the kill chain, you’re just at the end.” To mitigate this, Lambert states that “Threat intelligence is what saves the hunt here. It helps incorporate context so you can figure out what is going on.”
Baskin says that “Solutions like the CB Predictive Security Cloud (PSC) are extremely valuable in these situations to provide the threat intelligence needed.” The PSC aggregates and correlates threat intelligence from the threat hunting community at large to understand what attacks are happening and reveal industry specific trends. This can fill in the blanks when evaluating a new acquisition where you are lacking the context and visibility needed.
Brenden Smith, CISO at FirstBank recommends a proactive approach. He advises “You need to have your tools sets and knowledge databases ready to go and flexible so that visibility can be consumed from multiple different tools. It is critical to ensure your threat hunting program is as adaptable and flexible as possible to be prepared for an acquisition.”
While this case study is specific to an ATM, the same defense concepts can be applied to any non-traditional endpoint. Attacks on ATMs are nothing new, but they are a challenge for threat hunters. This is something First Bank’s CISO, Brenden Smith, works hard to defend against.
Back to the basics, an adversary can physically drill a hole into the ATM shell about the size of a quarter. They will then plug in a USB to the machine that will execute something malicious. Often times threat hunting teams aren’t thinking about power tools as an access method versus phishing, so it is critical to expect the unexpected.
Any threat hunting team that has non-traditional endpoints like ATMs needs to have steps in place so they can catch events like this and quickly immunize other ATMs/endpoints in the area since the adversary may be moving around laterally to spread the attack.
Smith says that “Protecting against this starts with whitelisting. But it doesn’t stop there.” His threat hunting team at FirstBank takes the activity and pulls out all the various ways it could occur at each endpoint. Then they build indicators of compromise (IOCs) and automate the response process so that it scales with the size of their environment.
Lambert adds the advice, “Don’t have a process or a hunt that is so well defined that you can’t modify it. You will encounter non-traditional attack methods where you need to be flexible.”
Building on the advice from Lambert that you need to be flexible for when you encounter non-traditional attack methods, this is a great example of that. Attackers will find ways to mask their behavior so that any available telemetry appears benign.
Lambert describes a real example of this, “We had a company that had a widespread WannaMine infection where there was lateral movement, credential theft, as well as a mining payload that was also being used. We did the traditional hunt for credential theft, but we didn’t see any of that. We had to hunt for trusted processes that were exhibiting this behavior. What we found was the adversary was injecting xmrig for mining and Mimikatz into PowerShell so we didn’t see the behaviors being used.”
Lambert states the most important advice for threat hunters is to “allow for wiggle room in the middle of creating detection capabilities and creating things like hunt searches in order to take non-traditional techniques into account. “
Keith McCammon, CSO at Red Canary advises in situations like this to “eliminate as much of the attack surface as you possibly can.” He recommends using a framework like ATT&CK to allow you to have a structure to follow where the hunt leads. The most important step in this hunt was having the confidence to move from hunting the traditional methods to the non-traditional.
“In the new world of cyberattacks, adversaries are using ‘living off the land’ techniques,” states Lambert. Instead of using their own tools, attackers are increasingly leveraging software that are already on your endpoint. This means that threat hunting programs need to be developed with processes that are both flexible and prepared to hunt for these non-traditional approaches. “All of these case studies highlight the need for resiliency,” states McCammon. “Sometimes it’s doing what you need to do in order to get the hands-on static indicators relevant to your industry or threat model. Other times it’s about using a framework like ATT&CK to force resiliency. You have to go both ways.”
Time is a key factor to effectively hunt for non-traditional attacks like these. Smith advises organizations to “invest in the tools to handle all the generic attacks so that your team has the time to handle the more sophisticated ones that have the potential to be extremely damaging.” McCammon adds that organizations need to “ensure that your threat hunting process allows for time to be proactive.” The majority of threat hunting is reactive, but it is having the time to explore that really matures a threat hunting program.
For those threat hunting programs that are just getting started and may be overwhelmed by the sophistication of the attacks in these examples, Smith recommends to take small steps and “look at the threat intelligence that is out there for some quick wins.” That will help you begin to grow and mature your threat hunting program. Baskin adds that, “Having the right roles in place for threat hunting is also really important. Whether in-house, partners or contracts, get the resources in place. Especially in IR. Having a team in place to run down initial indicators and a team to put context to it of good, bad or really bad is essential.”
To see the live discussion on these case studies and on becoming a level 4 threat hunting program, check out the webinar referenced in this article from Red Canary, FirstBank and Carbon Black threat hunting leaders.
The post Real World Examples Demonstrating the Need for Mature Threat Hunting appeared first on Carbon Black.