As the number of successful cyber-attacks continues to soar, it's time to take a proactive stance to detect them. You can't simply sit back and wait for an automated alert to tell you you've been breached. You need to actively seek out potentially malicious behaviour on your network, hunting down indicators of attack so you can detect and contain an incident as quickly as possible.
Before you start cyber threat hunting, it's important to understand the environment you'll be hunting in. Create a baseline of your network traffic and document what is authorised and expected. This helps you zero in on the anomalies that require further investigation.
As a threat hunter, you also have to know where to search for indicators that an attack is in progress. Let's take a look at a few of the places where you should be looking, and what you are hunting for.
Firewall Logs
Firewalls are a mandatory security control because they regulate the flow of traffic between your network and the outside world. If your firewall isn't properly configured, your network could be completely exposed to the Internet, with the potential for compromise within minutes, if not seconds. You should analyse your firewall logs to confirm that unauthorised inbound traffic is being denied.
But you should also look at what has been allowed. Unexpected outbound connections to an unknown external host or domain, especially small connections repeated at regular intervals, can signal beaconing to a command and control (C&C) server. A high volume of file transfers, even over an expected connection, can be a warning of malware staging data for exfiltration or of a user violating company policy.
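The checks above (a destination that is not in your baseline, a beacon-like connection pattern, and a bulk transfer over an otherwise expected path) can be run over exported firewall records. The following is an added example, not code from the original article: the log lines are constructed, the CSV layout, the baseline set and the thresholds are assumptions, and a real deployment would read the export of whichever firewall you run.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound firewall records (not real data).
# Assumed layout: timestamp, src, dst, dport, action, bytes_out
SAMPLE_LOG = """\
2024-03-01T09:00:00,10.0.0.15,203.0.113.7,443,ALLOW,512
2024-03-01T09:05:00,10.0.0.15,203.0.113.7,443,ALLOW,498
2024-03-01T09:10:00,10.0.0.15,203.0.113.7,443,ALLOW,530
2024-03-01T09:15:00,10.0.0.15,203.0.113.7,443,ALLOW,505
2024-03-01T09:20:00,10.0.0.15,203.0.113.7,443,ALLOW,511
2024-03-01T09:02:13,10.0.0.22,198.51.100.10,443,ALLOW,2048
2024-03-01T09:47:51,10.0.0.22,198.51.100.10,443,ALLOW,1800
2024-03-01T10:30:02,10.0.0.22,198.51.100.10,443,ALLOW,3100
2024-03-01T11:00:00,10.0.0.40,192.0.2.9,22,ALLOW,90000000
2024-03-01T11:20:00,10.0.0.40,192.0.2.9,22,ALLOW,85000000
2024-03-01T12:00:00,10.0.0.15,8.8.8.8,53,DENY,60
"""

# Hypothetical baseline: external destinations the organisation expects to see.
BASELINE_DESTINATIONS = {"198.51.100.10"}


def parse_firewall_log(log_text):
    """Turn the CSV export into a list of typed records."""
    rows = []
    for ts, src, dst, dport, action, nbytes in csv.reader(io.StringIO(log_text)):
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "dport": int(dport), "action": action, "bytes": int(nbytes)})
    return rows


def hunt_allowed(rows, baseline, min_hits=4, max_jitter=0.2, bulk_bytes=100_000_000):
    """Return findings about ALLOWed traffic only: new destinations, beacons, bulk transfers.

    A beacon is reported when a (src, dst, port) pair has at least min_hits
    connections whose inter-arrival times vary by no more than max_jitter
    (standard deviation divided by mean). Thresholds are illustrative.
    """
    by_pair = defaultdict(list)
    for r in rows:
        if r["action"] != "ALLOW":          # denied traffic is checked separately
            continue
        by_pair[(r["src"], r["dst"], r["dport"])].append(r)

    findings = []
    for (src, dst, dport), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        if dst not in baseline:
            findings.append(("new_destination", src, dst, dport))
        if len(recs) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                findings.append(("beacon", src, dst, dport, round(mean)))
        total = sum(r["bytes"] for r in recs)
        if total >= bulk_bytes:             # flagged even when dst is in the baseline
            findings.append(("bulk_transfer", src, dst, dport, total))
    return findings


if __name__ == "__main__":
    for finding in hunt_allowed(parse_firewall_log(SAMPLE_LOG), BASELINE_DESTINATIONS):
        print(finding)
```

Note that the bulk-transfer rule deliberately ignores the baseline: the text's point is that expected traffic can still be a warning sign, and a 175 MB push over SSH to a host nobody documented deserves a look even if SSH is permitted.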
Network Authentication Server Logs
Authentication server logs document account activity. Review administrative and user activity for anything out of the ordinary, including:
- Account lockouts / invalid account logons;
- Invalid passwords / password changes;
- User management changes including new accounts / changed accounts;
- Computer management events including when audit logs are cleared or computer account names are changed;
- Group management events such as the addition of users to high security groups;
- Server reboots; and
- Attempted user activity during restricted logon times.
Once an attacker gets into your network, their goal is to find your assets. To do this they move laterally to other systems, looking for opportunities to collect additional credentials, escalate privileges, or simply use the privileges they have already compromised to gain access. One account authenticating to many hosts within a short window, or a service account logging on interactively, are the kinds of patterns in your authentication and network logs that reveal this lateral movement.
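The list above maps directly onto Windows Security event IDs (4624 successful logon, 4625 failed logon, 4740 lockout, 4720 account created, 4728/4732/4756 member added to a group, 1102 audit log cleared), and the lateral-movement pattern is one account producing network logons (logon type 3) to several hosts in quick succession. The following is an added example that is not part of the original article: the events are constructed, reduced to the handful of fields the rules need, and the privileged-group list, working hours and thresholds are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed Windows Security events (not real telemetry), reduced to the fields
# the hunt needs, as a SIEM export or Get-WinEvent might present them.
EVENTS = [
    {"ts": "2024-03-04T09:01:00", "id": 4624, "user": "jsmith", "host": "WS-17", "logon_type": 2},
    {"ts": "2024-03-04T09:15:00", "id": 4625, "user": "svc-backup", "host": "DC01", "logon_type": 3},
    {"ts": "2024-03-04T09:15:05", "id": 4625, "user": "svc-backup", "host": "DC01", "logon_type": 3},
    {"ts": "2024-03-04T09:15:10", "id": 4625, "user": "svc-backup", "host": "DC01", "logon_type": 3},
    {"ts": "2024-03-04T09:15:15", "id": 4625, "user": "svc-backup", "host": "DC01", "logon_type": 3},
    {"ts": "2024-03-04T09:15:20", "id": 4740, "user": "svc-backup", "host": "DC01"},
    {"ts": "2024-03-04T22:40:00", "id": 4624, "user": "jsmith", "host": "WS-17", "logon_type": 2},
    {"ts": "2024-03-04T22:41:00", "id": 4624, "user": "jsmith", "host": "FS01", "logon_type": 3},
    {"ts": "2024-03-04T22:43:00", "id": 4624, "user": "jsmith", "host": "FS02", "logon_type": 3},
    {"ts": "2024-03-04T22:45:00", "id": 4624, "user": "jsmith", "host": "SQL01", "logon_type": 3},
    {"ts": "2024-03-04T22:50:00", "id": 4732, "user": "jsmith", "host": "DC01",
     "group": "Administrators", "member": "helpdesk2"},
    {"ts": "2024-03-04T22:52:00", "id": 1102, "user": "jsmith", "host": "DC01"},
]

# Assumed policy values; adjust to your own environment.
HIGH_PRIVILEGE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
WORK_HOURS = (time(7, 0), time(19, 0))
# Events that always merit a look, regardless of volume.
ALWAYS_FLAG = {1102: "audit_log_cleared", 4720: "account_created", 4740: "account_locked_out"}


def hunt_auth(events, fail_threshold=4, fail_window=timedelta(minutes=5),
              lateral_hosts=3, lateral_window=timedelta(minutes=10)):
    """Return (rule, user, detail) tuples for the anomalies listed in the text."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["ts"])
    findings = []
    failures = defaultdict(list)     # user -> recent 4625 timestamps
    net_logons = defaultdict(list)   # user -> recent (timestamp, host) network logons
    for e in evs:
        eid, user, ts = e["id"], e["user"], e["ts"]
        if eid in ALWAYS_FLAG:
            findings.append((ALWAYS_FLAG[eid], user, e["host"]))
        elif eid in (4728, 4732, 4756) and e.get("group") in HIGH_PRIVILEGE_GROUPS:
            findings.append(("added_to_privileged_group", user, f'{e["member"]} -> {e["group"]}'))
        elif eid == 4625:
            # Sliding window of failures; report once, when the threshold is first reached.
            failures[user] = [t for t in failures[user] if ts - t <= fail_window] + [ts]
            if len(failures[user]) == fail_threshold:
                findings.append(("repeated_logon_failures", user, e["host"]))
        elif eid == 4624:
            if not (WORK_HOURS[0] <= ts.time() <= WORK_HOURS[1]):
                findings.append(("logon_outside_hours", user, f'{e["host"]} {ts.time()}'))
            if e.get("logon_type") == 3:
                recent = [(t, h) for t, h in net_logons[user] if ts - t <= lateral_window]
                recent.append((ts, e["host"]))
                net_logons[user] = recent
                hosts = {h for _, h in recent}
                if len(hosts) == lateral_hosts:   # fires once, when the fan-out first appears
                    findings.append(("lateral_movement", user, ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for finding in hunt_auth(EVENTS):
        print(finding)
```

Run against the sample, the rules reconstruct the story in order: a service account is guessed at and locked out in the morning, then an ordinary user logs on late at night, fans out across three servers, adds a second account to the local Administrators group, and clears the audit log. Each finding alone is explainable; together they are what a hunter is looking for.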
Web Server Logs
Web server logs are another rich source of data for identifying and thwarting malicious activity. Here are a few examples of what to look for:
- Look for requests that result in errors: users requesting pages that don't exist (404 Not Found) or users trying to reach directories or files they aren't authorised to see (403 Forbidden). A burst of these from a single client is the signature of a scanner or of someone guessing at hidden paths.
- Monitor 500 Internal Server Error and 501 Not Implemented responses. Both can indicate malicious input that is breaking an application, but they can equally mean buggy server-side code or a malfunctioning application, so correlate them with the requests that produced them.
- Check the logs for requests with an empty Referer header to identify attackers scanning the website with automated tools that don't behave like a browser. Direct visits and bookmarked pages also arrive without a Referer, so treat this as corroborating evidence rather than a signal on its own.
- Monitor any access to the pages used to update website content (admin consoles, CMS logins) to ensure that only authorised users, from expected locations, are attempting to reach them.
Indicators of attack include:
- Traffic to your web servers (IIS or otherwise) that attempts to reach database information via SQL injection, typically visible as quote characters, OR 1=1 or UNION SELECT in query strings.
- Attempts to access folders or files on the server that aren't linked from the site's own pages, including path-traversal sequences such as ../ that try to escape the web root.
- Attempts to execute operating system commands through the application, for example shell metacharacters followed by command names in request parameters.
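Every item in the two lists above can be checked from an ordinary access log. The following is an added example, not code from the original article, that parses constructed Apache/nginx combined-format lines and applies the checks: error bursts per client, empty Referer as corroboration, SQL injection, path traversal and OS command patterns in the decoded request path, and access to content-management paths from clients outside an allow-list. The log lines, the admin paths, the allowed-editor IPs and the attack patterns are all assumptions; the patterns are illustrative, not a complete signature set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [05/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [05/Mar/2024:10:00:02 +0000] "GET /products?id=7 HTTP/1.1" 200 3100 "https://example.com/index.html" "Mozilla/5.0"
198.51.100.23 - - [05/Mar/2024:10:01:00 +0000] "GET /products?id=7%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"
198.51.100.23 - - [05/Mar/2024:10:01:01 +0000] "GET /backup/ HTTP/1.1" 403 221 "-" "sqlmap/1.7"
198.51.100.23 - - [05/Mar/2024:10:01:02 +0000] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 404 196 "-" "sqlmap/1.7"
198.51.100.23 - - [05/Mar/2024:10:01:03 +0000] "GET /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd HTTP/1.1" 404 196 "-" "sqlmap/1.7"
198.51.100.23 - - [05/Mar/2024:10:01:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "sqlmap/1.7"
192.0.2.77 - - [05/Mar/2024:10:05:00 +0000] "POST /admin/edit.php HTTP/1.1" 200 880 "https://example.com/admin/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Illustrative patterns, applied to the URL-decoded path (assumed, not exhaustive).
ATTACK_PATTERNS = {
    "sql_injection": re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select""", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "os_command": re.compile(r"[;|`&]\s*(cat|ls|id|whoami|wget|curl|nc|powershell|cmd)\b", re.I),
}
ADMIN_PATHS = ("/admin/", "/wp-admin/")   # hypothetical content-management paths
ADMIN_ALLOWED_IPS = {"192.0.2.77"}         # hypothetical baseline of authorised editors
ERROR_STATUSES = {403, 404, 500, 501}


def parse_access_log(log_text):
    """Yield one dict per well-formed line, with the path URL-decoded once."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["path"] = unquote(d["path"])
            yield d


def hunt_web(records, error_threshold=3):
    """Return (rule, client_ip, detail) tuples for the indicators described in the text."""
    findings = []
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r)
        for name, pattern in ATTACK_PATTERNS.items():
            if pattern.search(r["path"]):
                findings.append((name, r["ip"], r["path"]))
        if r["path"].startswith(ADMIN_PATHS) and r["ip"] not in ADMIN_ALLOWED_IPS:
            findings.append(("unauthorised_admin_access", r["ip"], r["path"]))
    for ip, reqs in per_ip.items():
        errors = [r for r in reqs if r["status"] in ERROR_STATUSES]
        if len(errors) >= error_threshold:
            findings.append(("error_burst", ip, len(errors)))
            # A missing Referer is weak on its own (direct visits lack one too), so it is
            # only reported as corroboration of a client that is already generating errors.
            if all(r["referer"] == "-" for r in errors):
                findings.append(("no_referer_scanner", ip, reqs[0]["ua"]))
    return findings


if __name__ == "__main__":
    for finding in hunt_web(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(finding)
```

Decoding the path before matching matters: the injection in the sample arrives as `%27%20OR%201%3D1` and the traversal as `..%2F..%2F`, and neither would match a pattern applied to the raw line. Decoding once is enough for the common case; double-encoded payloads would need a second pass.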
Endpoint Data
Most cyber-attacks start at an endpoint, and many breaches begin with a phishing email, so analysing endpoint data enables fast incident detection.
To be useful for long, malware must persist. Attackers need their malware to survive a reboot so they can stay in the system undetected for as long as possible and maximise their reward, whether it's personal information, credit card numbers or company secrets. Purely in-memory tooling is the exception, but it is gone at the next reboot, which is exactly why persistence is such a reliable choke point for a hunter. Investigating suspicious persistence mechanisms is therefore an effective threat hunting technique.
There are many different ways malware can persist on a Windows device. The most common are:
- Scheduled tasks,
- Installing as a service, and
- Using the Run and RunOnce registry keys.
But there are more than 50 different locations where malware can hide, including:
- Logon (Startup folder, Microsoft Active Setup),
- Explorer (context menu handlers, drag/drop handlers),
- Internet Explorer (browser helper objects, extensions),
- Drivers, codecs, Boot Execute, Image Hijacks (Image File Execution Options), AppInit DLLs, Winlogon, Winsock providers, print monitors, LSA providers, network providers, Sidebar gadgets, and more.
Using threat hunting techniques, analysts can enumerate every persistence location on a device (Sysinternals Autoruns covers the categories above), compare the entries against a known-good baseline, and examine anything unique or suspicious: unsigned binaries, executables launched from user-writable directories, system binary names running from the wrong path, or launch strings that invoke an encoded PowerShell command. Then, using context and the latest threat intelligence, they determine whether an attack was successfully deployed.
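A practical way to do that comparison is to export the persistence entries from a gold image and from the device under investigation and diff them, scoring each new entry with the red flags just listed. The following is an added example and not code from the original article or from Sysinternals: the two exports are constructed in the general shape of an Autoruns CSV, the column names are assumed, the entries are invented, and the user-writable directory list and suspicious-launch patterns are illustrative assumptions rather than a complete rule set.

```python
import csv
import io
import re

# Constructed export from a known-good gold image (assumed Autoruns-like columns; invented data).
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,c:\program files\microsoft onedrive\onedrive.exe,C:\Program Files\Microsoft OneDrive\OneDrive.exe /background
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Scheduled Tasks,Disk Defragmenter Module,(Verified) Microsoft Windows,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h -k -g -$
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,Print Spooler,(Verified) Microsoft Windows,c:\windows\system32\spoolsv.exe,%SystemRoot%\System32\spoolsv.exe
"""

# Constructed export from the device being hunted: the baseline plus two invented additions.
NEW_ROWS = r"""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WindowsUpdate,enabled,Logon,,(Not verified),c:\users\jsmith\appdata\roaming\update\svchost.exe,C:\Users\jsmith\AppData\Roaming\Update\svchost.exe
Task Scheduler,\Updater,enabled,Scheduled Tasks,,(Not verified),c:\windows\temp\upd.exe,powershell.exe -nop -w hidden -enc SQBFAFgA
"""
CURRENT_CSV = BASELINE_CSV + NEW_ROWS

# Assumed heuristics for scoring an entry.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata|public)\\", re.I)
SUSPICIOUS_LAUNCH = re.compile(
    r"powershell[^|]*(-enc|-encodedcommand|-w hidden|-nop|-noprofile)"
    r"|\b(mshta|rundll32|regsvr32|wscript|cscript)\b", re.I)


def load_autoruns(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def entry_key(row):
    """Identity of a persistence entry: where it lives, what it is called, what it runs."""
    return (row["Entry Location"], row["Entry"], row["Image Path"].lower())


def hunt_persistence(rows, baseline_keys):
    """Return {(location, entry): [reasons]} for entries that deserve an analyst's attention."""
    suspects = {}
    for r in rows:
        reasons = []
        image = r["Image Path"].lower()
        if entry_key(r) not in baseline_keys:
            reasons.append("not_in_baseline")
        if not r["Signer"].startswith("(Verified)"):
            reasons.append("unsigned_or_unverified")
        if USER_WRITABLE.search(image):
            reasons.append("user_writable_path")
        binary = image.rsplit("\\", 1)[-1]
        if binary in WINDOWS_BINARIES and not image.startswith(SYSTEM_DIRS):
            reasons.append("masquerades_as_system_binary")
        if SUSPICIOUS_LAUNCH.search(r["Launch String"]):
            reasons.append("suspicious_launch_string")
        if reasons:
            suspects[(r["Entry Location"], r["Entry"])] = reasons
    return suspects


if __name__ == "__main__":
    baseline = {entry_key(r) for r in load_autoruns(BASELINE_CSV)}
    for entry, reasons in hunt_persistence(load_autoruns(CURRENT_CSV), baseline).items():
        print(entry, reasons)
```

The baseline comparison is what keeps this manageable: on a real workstation the four signed Microsoft entries are a few among hundreds, and the hunter's time goes to the two that are new, unsigned, living in writable directories, and either borrowing a system binary's name or launching a hidden, encoded PowerShell command.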
This is not an exhaustive list of what you need to look at as a threat hunter. As threat hunter David Bianco stated in DarkReading, "A savvy hunter understands that the attackers can accomplish their goals in many ways and examines the data from several viewpoints to compensate. Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable."
Learn more about cyber threat hunting in our Guide to Cyber Threat Hunting.