
Vulnerabilities / Threats

3/27/2019 02:30 PM
David Mashburn
Commentary

Threat Hunting 101: Not Mission Impossible for the Resource-Challenged

How small and medium-sized businesses can leverage native features of the operating system and freely available, high-quality hunting resources to overcome financial limitations.

Threat hunting is considered to be an essential part of modern cybersecurity operations. There are numerous benefits to this type of activity, such as the proactive identification of threat actors in your environment, a potential reduction in the dwell time of adversaries in your network, and the identification and resolution of benign but significant issues, which can improve overall enterprise IT operations.

For resource-challenged organizations, threat hunting is often deemed mission impossible. This is not true. The benefits of threat hunting can be realized by deploying a methodical approach.

The first consideration prior to implementing threat hunting activities is the maturity of your security operations. While the thought of moving from a passive, detection-oriented posture to an active hunting posture is an exciting prospect for many teams of defenders, many organizations would likely be better off first improving their configuration management, patch management, and vulnerability management efforts, which are often challenging even for organizations with dedicated teams in those functional areas.

These important processes are typically less mature in smaller organizations. As a result, small or resource-constrained security teams would be well served to review their operational maturity against available information security guidance, such as the Center for Internet Security Critical Security Controls (CSC). The CSC helps organizations prioritize security control implementation, and while threat hunting is one of the items in the CSC, it is recommended only after organizations have achieved a specific level of security operations maturity.

Onward to Threat Hunting
After demonstrating effective asset management, patch management, and vulnerability management, an organization is better suited to spin up threat-hunting efforts. Looking at the IT systems for a typical small or medium-sized organization, we often find Windows desktops in an Active Directory domain. It is also likely that there is some sort of cloud presence, most likely in the software-as-a-service area. It's in this type of environment that we can explore how some native capabilities can be leveraged to support threat-hunting efforts.

The lifeblood of threat hunting is security data. This will typically be in the form of logs, whether it is network-related data such as firewall or web proxy logs, or endpoint data from the operating system or from the endpoint security suite. To effectively hunt, data from client endpoints must be collected centrally. Given the prevalence of client-side attacks such as phishing, and the observed pattern of attack behaviors that use compromised clients to persist and move around the environment, the critical data related to adversary activity will often only be in the endpoint logs.

While the collection of endpoint logs may conjure visions of expensive SIEM solutions or yet another agent to be deployed and managed, this data collection problem has a straightforward solution. A native feature in Windows, Windows Event Forwarding, can be leveraged to solve the problem of endpoint log collection, and it is at a cost that will make management happy: zero. Managed via Group Policy, endpoints can be configured to push data to a central server. For many small organizations, a single server or even an existing low-activity server would be suitable for this data collection role.

Once this data from endpoints is centrally collected, the hunting can begin. Ideally, this data would be further consolidated into an existing SIEM or log aggregation solution to facilitate searching and correlation. However, if that option does not exist, there are projects that provide PowerShell scripts to perform analysis of this forwarded log data. One example is the DeepBlueCLI project authored by Eric Conrad, freely available on his GitHub profile. This series of scripts provides a basic set of threat-hunting capabilities by looking for evidence of malicious behavior in the endpoint log data.

Log Data and Other Indicators
If the capability does exist to roll this data into some sort of log correlation tool, then the flexibility to hunt for different indicators expands greatly. A resource such as the MITRE ATT&CK framework can be used to look for specific elements from various stages of the attack life cycle, providing a wealth of indicators to use as the basis of the hunting process. From an endpoint perspective, this methodology provides a ready way to get started with endpoint hunting in Windows event logs. However, Windows event logs are not the only source of data that can support threat-hunting efforts.
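As an added illustration of the kind of hunting logic the two paragraphs above describe, the Python script below (example code written for this page, not part of DeepBlueCLI or any other project) runs three hunts over a handful of constructed Windows event records and tags each hit with the MITRE ATT&CK technique it looks for: an encoded PowerShell command line in a process-creation event (Event ID 4688, T1059.001), a burst of failed logons from one source against one account (4625, T1110), and a new service installed from outside the usual system directories (7045, T1543.003). The record layout, host names, addresses, and thresholds are assumptions; in practice the same fields would be read out of the SIEM or log aggregator that the forwarded events land in.

```python
"""Hunts over centrally collected Windows event records (constructed sample data).

Each dict mirrors the fields a log aggregator would expose after Windows Event
Forwarding delivered the event: EventID, Computer, plus the event-specific
fields flattened alongside. Field names follow the Windows event XML.
"""
import base64
import binascii
import re
from collections import Counter

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Benign payload, encoded the way PowerShell expects (-EncodedCommand = base64 of UTF-16LE).
SAMPLE_ENCODED = base64.b64encode("Write-Output 'hunt sample'".encode("utf-16-le")).decode("ascii")

EVENTS = [  # constructed records, not real forwarded events
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": PS_PATH,
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENCODED}"},
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    *[{"EventID": 4625, "Computer": "WS02", "IpAddress": "10.0.5.23", "TargetUserName": "administrator"}
      for _ in range(6)],
    {"EventID": 4625, "Computer": "WS02", "IpAddress": "10.0.5.40", "TargetUserName": "bob"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Updater", "ImagePath": r'"C:\Users\Public\svc.exe"'},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
FLAG_RE = re.compile(r"(?<!\S)-(e\w*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Directories a service image is normally expected to live in (assumed baseline).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent or malformed."""
    for flag, token in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # some other -e... switch, e.g. -ExecutionPolicy
        try:
            return base64.b64decode(token, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def hunt_encoded_powershell(events):
    """4688 events where powershell.exe was launched with an encoded command line."""
    findings = []
    for e in events:
        if e["EventID"] != 4688 or not e["NewProcessName"].lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded is not None:
            findings.append({"technique": "T1059.001", "where": e["Computer"], "detail": decoded})
    return findings


def hunt_logon_failures(events, threshold=5):
    """4625 events grouped by (source address, target account); flag counts at or above threshold."""
    counts = Counter((e["IpAddress"], e["TargetUserName"]) for e in events if e["EventID"] == 4625)
    return [{"technique": "T1110", "where": src, "detail": f"{n} failed logons for {user}"}
            for (src, user), n in counts.items() if n >= threshold]


def hunt_service_installs(events):
    """7045 events whose service binary sits outside the trusted directories."""
    findings = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        image = e["ImagePath"].strip('"').lower()
        if not image.startswith(TRUSTED_SERVICE_DIRS):
            findings.append({"technique": "T1543.003", "where": e["Computer"],
                             "detail": f"service {e['ServiceName']} from {image}"})
    return findings


def run_hunts(events, failure_threshold=5):
    """Run every hunt and return the combined list of findings."""
    return (hunt_encoded_powershell(events)
            + hunt_logon_failures(events, failure_threshold)
            + hunt_service_installs(events))


if __name__ == "__main__":
    for f in run_hunts(EVENTS):
        print(f"{f['technique']:10} {f['where']:12} {f['detail']}")
```

The 4688 hunt only works if the command line is actually in the event: the "Include command line in process creation events" policy under Audit Process Creation has to be enabled alongside process-creation auditing, otherwise CommandLine is empty in the forwarded record. The failed-logon threshold and the trusted service directories are starting points to tune against your own baseline.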

Network-based data is another essential data source that can be used to find indications of adversary activity in your environment. Data such as netflow, firewall logs, proxy logs, DNS logs, and DHCP logs can all play a role in threat hunting. Collection of these log types may be more difficult in some environments due to access issues, the performance overhead associated with log generation, and the difficulty of effectively analyzing the data source. These sources can provide a wealth of information that can show signs of threat actors, such as unusual user-agent strings, unusual data volumes or destination IP addresses, unusual client-to-client data flow for specific protocols such as SMB, odd hostnames or MAC addresses in DHCP leases, and indications of domain generation algorithms (DGAs) in certificate names and URLs. These are only a few of the indicators that can be used for threat hunting, but they can be highly effective components that will lead to successful hunt efforts.
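Three of the network-side indicators named above, worked as an added example (constructed records with assumed field names; not code from the article): rare user-agent strings in web proxy records, DGA-looking names in DNS queries (the same heuristic applies to certificate names and URLs), and client-to-client SMB flows in netflow-style records. The address plan, entropy threshold, and share cutoff are assumptions to tune against your own baseline.

```python
"""Network-data hunts over constructed proxy, DNS, and flow records.

Field names (src, dst, dport, host, ua, query) are assumptions; a real deployment
maps them from whatever the proxy, DNS server, or flow exporter actually emits.
"""
import ipaddress
import math
from collections import Counter, defaultdict

COMMON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/73.0 Safari/537.36"
PROXY = [  # constructed web proxy records
    *[{"src": f"10.0.5.{n}", "host": "www.example.com", "ua": COMMON_UA} for n in (11, 12, 13, 14, 15, 16)],
    {"src": "10.0.5.23", "host": "cdn.example.net", "ua": "Python-urllib/3.8"},
]
DNS = [  # constructed DNS query records
    {"src": "10.0.5.11", "query": "www.example.com"},
    {"src": "10.0.5.11", "query": "login.microsoftonline.com"},
    {"src": "10.0.5.23", "query": "xk3jq9wzv7ptlm2h.example"},
]
FLOWS = [  # constructed netflow-style records
    {"src": "10.0.5.23", "dst": "10.0.5.40", "dport": 445, "bytes": 52000},
    {"src": "10.0.5.11", "dst": "10.0.1.5", "dport": 445, "bytes": 1200000},
    {"src": "10.0.5.11", "dst": "93.184.216.34", "dport": 443, "bytes": 8000},
]
# Assumed address plan: workstations live in 10.0.5.0/24, servers elsewhere (e.g. 10.0.1.0/24).
WORKSTATION_NETS = (ipaddress.ip_network("10.0.5.0/24"),)


def rare_user_agents(records, max_share=0.2):
    """User-agent strings seen in at most max_share of records, with the hosts that sent them."""
    by_ua = defaultdict(set)
    for r in records:
        by_ua[r["ua"]].add(r["src"])
    counts = Counter(r["ua"] for r in records)
    total = len(records)
    return {ua: sorted(by_ua[ua]) for ua, n in counts.items() if n / total <= max_share}


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_like(query, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic: the label just left of the TLD is long, high-entropy, and vowel-poor.

    Takes labels[-2] as the registrable part; no public-suffix list is consulted,
    so names under multi-label suffixes (e.g. co.uk) would need extra handling.
    """
    labels = query.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def suspicious_dns(records):
    """(source, query) pairs whose queried name looks algorithmically generated."""
    return [(r["src"], r["query"]) for r in records if dga_like(r["query"])]


def client_to_client_smb(flows, nets=WORKSTATION_NETS):
    """SMB (tcp/445) flows where both endpoints are workstations; workstations rarely serve SMB to each other."""
    def is_workstation(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 445 and is_workstation(f["src"]) and is_workstation(f["dst"])]


def run_network_hunts():
    """Run the three hunts over the constructed records."""
    return {"rare_user_agents": rare_user_agents(PROXY),
            "dga_like_queries": suspicious_dns(DNS),
            "client_to_client_smb": client_to_client_smb(FLOWS)}


if __name__ == "__main__":
    for name, hits in run_network_hunts().items():
        print(f"{name}: {hits}")
```

Each hunt returns the host that produced the indicator, so the hits can be pivoted straight back into the endpoint logs for that machine. The workstation-to-file-server SMB flow is deliberately not flagged: the value of the client-to-client check comes from knowing which subnets hold servers, which is why the address plan has to come from your own asset inventory.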

Threat hunting can be effectively performed in smaller or resource-constrained environments. Leveraging native features of the operating system and using freely available, high-quality hunting resources can overcome financial limitations. Staffing constraints may be more difficult to address, but prioritization of security tasks based upon the highest value that they offer to the organization will drive the time that can be allocated to threat hunting.

If you wish to learn more about threat hunting, David Mashburn will be giving a talk on this subject "Hunting Highs and Lows: Misadventures in Threat Hunting" at SANS Pittsburgh in July, or you can research these concepts online.

David Mashburn is a SANS Certified instructor and an IT Security Manager for a global non-profit organization in the Washington, D.C. area. He has experience working as an IT security professional for several civilian federal agencies, and over 15 years of experience in IT.
Comments
DavidHamilton, User Rank: Apprentice, 4/16/2019 | 5:05:32 AM
Dig deeper
There are always a thousand and one ways to handle any given situation if we look far enough. We need to first take note of what the root of the problem is before drilling into possible solutions. We can never rectify the issue if we were to focus solely on the surface which is already chaotic enough.