Are you a "Hunter"?

Published: 2015-08-16. Last Updated: 2015-08-17 00:04:07 UTC
by Guy Bruneau (Version: 1)
22 comment(s)

It sound like an interesting question, isn't it? But what I'm referring to is us analyst that searches for unusual activity or you just wait for a trigger from an IDS/IPS or that a rule will trigger something from the SIEM.

I watched the opening keynote by Amit Yoran President of RSA at the RSA Singapore conference [1] and he was made reference to large organizations who have cutting edge security software/hardware and how bad they are still failing at catching bad actors still go undetected for a long time. He shared five points to go by to help catch bad actors in a network: Does it really Help (this shiny new device or software), Visibility, Identity, Intelligence and Prioritize. The fourth point Intelligence is where he talks about "CISO that gives their security team the time to hunt and learn their environment to understand what normal looks like are much more rapidly identifying unusual patterns (23:53m)"[1]

I do go "hunting" looking for unusual activity and pattern IDS/IPS or even the SIEM doesn't know about. There is a lot of threat intelligence out there that can be used to detect unusual pattern of activity. Maybe you have a security device that use some form of feeds to detect bad actors (i.e. some vendors use DShield feeds), reviewing what they trigger might yield interesting data. How about taking the time to review if the systems communicating with the HR server(s) are part of the allowed list? This example could be added to a SIEM to trigger for unusual activity.

If you are a “hunter”, what do you look for?

[1] http://www.rsaconference.com/media/the-game-has-changed?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

22 comment(s)

Comments

I'm most certainly a hunter. When I'm not doing other things I will usually login to random machines inspect process lists, look at web requests coming in. Usually if the IDS hasn't spotted something I usually do when I take a look around the network in what I call my "Combat Patrols".

Most of the time, when the IDS does report something, I'll investigate and find something else entirely, either because the rule has found some other kind of malicious behaviour, or it was a false positive, but something else unrelated catches my eye.
I also watched this, and was shocked to see the claim that SIEM misses over 99% of APT's! The claim itself was quoted from verizons 2015 DBIR. Part of the claim was that traditional perimeter defences are not enough and we are losing the arms race to the bad guys...and although there is undoubtedly a lot of truth in this, my question is, what can we do to make SIEM better?

I believe that part of making SIEM better is allowing the analysts time to fully understand the environment, to know its norms and nuances. Above and beyond that the SIEM itself must have an excellent asset and network model that is clearly defined and kept up to to date. Also as has already been said, samples must be regularly taken and tested to ensure that everything is as it should be. Processes muse be defined, tested, refined and improved.

Another issue is, if you have too many rules the analysts can be overwhelmed, ddos'ed if you like. The rules need to be well defined and noise and false positives must be eradicated, but above all the analysts must fully understand the environment and the traffic flowing over it.

A framework for reaching operational maturity must also be standardised and worked on openly by a group of experienced and engaged professionals.

Finally SIEM must become part of the standard curricular for Security course in universities and colleges.
I think that hunting is unique to human beings since the beginning ;)
I call this "active defense". As said Yinette, I'm also investigating a lot, keeping an eye on my logs and running honeypots... Paste sites are also a nice source of juicy content
Xme, what are "Paste sites"? Are you referring to sites like Pastebin?
Yes, love the challenge of hunt. I do have a question though and was going to start a new thread around it. How long do the readers/members of this forum keep their logs to chart to progression of "the hunt"?

Regards,
ICI2I
Yes, pastebin.com is the most known but they are plenty of others (and some much more obscure).
Examples:
pastie.org
codepad.org
nopaste.net
pasteguru.com
postits4tga4cqts.onion
Longer is better but it has a cost (in terms of storage)
IMHO, it's important to make a difference between events and incidents.
- An event is "an observable change to the normal behaviour of a system, environment, process, workflow or person".
- A security incident is "a series of events that adversely affects the information assets of an organization".
I'm keeping 3 months of events (to have time to investigate and rollback to them)
Incidents (read: alerts based on correlation rules / filters) are kept forever... (until I've enough storage)
Of course, when you drop oldest events, you also drop potential evidences or interesting stuff... Keep in mind that, for compliance reasons, you can be forced to keep them x months.
Hunter for sure! I like to log into the SIEM on a daily basis and start with a view of all logs for the last 5 mins. At this point I start removing the common events. Once I have it really narrowed down I start to expand the time frame and boom all sorts of new easter eggs start to show up... sometimes... ;) Sitting and waiting for an event to trigger or happen from any security tool can be a disastrous mistake. Being a Hunter requires a very active imagination, and a mindset of thinking outside the box.
@Xme:

Fortunately my SW emails me 2X daily in text, crushing them down is not an issue for size. I try to follow trends posted here and other sites and tag the ones that show up >5X in a week. So far all has been quiet. Fingers X!

Thanks
Combat Patrols - I love that and I'm gonna shamelessly steal it. :-)

I wholeheartedly agree - it's when things are suddenly quiet that we should be paying extra attention to what's going on. Is it quiet because you're being left alone for a change (unlikely) or because the bad actors are using new tools all those fancy defenses we have in place don't detect.

We recently went on a phish education campaign at my $DAYJOB$ and it's paying off. I'm often getting phish reports and can often use them to not only check if anyone fell for them (DNS query logs, snort/firewall logs, etc), but can proactively prevent them by updating DNS filters, updating firewalls, etc. Best yet, my employer lets me spend time digging further. For instance, given a piece of malware found in some phish, often a downloader, I'll obtain a copy of what it's trying to download and run and then run some malware analysis tools on THAT (I really like www.hybrid-analysis.com for instance). Then I'll see what THAT malware does - who it talks to, what DNS queries it makes, etc. That gives me a whole 'nother batch of indicators that I can make snort rules for. That way the next round of phish that uses some new file-dropper that fetches the same secondary malware, I've already got either blocked and/or being watched for.

And don't forget the logs! When I go to the trouble of blocking hostnames that resolve to a particular IP or network, I also have a job that tells me every morning what hostnames were blocked because of one of these filters. That has occasionally led to "interesting" (tm) - stuff that nobody is detecting yet.

Diary Archives