A Network Threat Hunting Playbook for Advanced Attacks
The breaches of the last few weeks have taught us there is simply no silver bullet within security defenses that can prevent every single attack. A determined threat actor simply has too many avenues and too much time to make their way into any organization once they have picked a target. That however does not mean security teams should simply throw in the towel and resign themselves to the seemingly inevitable. Instead, the main lesson to take away is that while prevention is futile, organizations should embrace a threat hunting discipline, that is focused on detecting even the most sophisticated threats as early as possible so that impact can be minimized. While we do not know this for sure, it would appear this is essentially how FireEye detected their own breach through the trojanized SolarWinds Orion platform. As a follow up to our blog last week, we continue with the theme of detecting the “next” threat. In this post we present a network threat hunting playbook to uncover advanced threats. Using the SolarWinds / Sunburst / Solorigate campaign as an example, we explore ten key techniques to hunt down the adversary.
Before we dive into the details, a quick note on how this post is organized. As we documented our methodology, we realized this quickly turned into a very detailed post. In the interest of improved readability, we are splitting it into four posts that are linked below. In doing this, we also organized the techniques in our methodology into levels of complexity. Our intention in doing that was for the reader to read the posts in the order that made the most sense given their own skill levels.
- Summary: This is the post you are reading right now. It presents a quick introduction and is an index of sorts into the other posts.
- Part 1 – The Obvious: This post explains what you might think of as table stakes: hunting using available threat intelligence including leveraging publicly available threat signatures and indicators of compromise.
- Part 2 – The Ambitious: In many ways, this is really where we get into threat hunting. The goal here is to identify the attack surface (including third party systems like SolarWinds), while also understanding the known good—how and where do these systems communicate, both internally and to the Internet. Once you understand the “known good”, spotting, triaging and investigating the outliers is a lot more manageable.
- Part 3 – The BHAGs (Big Hairy Audacious Goals or in this context perhaps the “Bleeding edge of Hunts for the Adversary, Goals”): This is where we see the most sophisticated threat hunters operate. These experts are diving into SMB and other internal traffic to sniff out communications that are suspect. They are digging into threat attacker tactics, techniques and procedures (TTPs) and then building hunts for those TTPs.
If this stacking seems familiar, it is because we tried to align this to David Bianco’s Pyramid of Pain. The objective must be to always cause the most pain to the attacker’s operations. This is best done by understanding and then disrupting their TTPs. However, doing that is not easy.
That is why this threat hunting playbook begins with techniques that are lower in the pyramid. Yes, they may not detect or disrupt every attack, but they will certainly set you up for more success in detecting more threats than you are today and faster than you are today.
Using the SolarWinds campaign as an example, here is how we organize the rest of this Network Threat Hunting Playbook.
Part 1: Check for domains, IP addresses, file hashes associated with the campaign. You definitely should be doing this and frankly tens if not hundreds of security providers have documented the indicators of compromise associated with this threat. This part includes the first two of the threat hunting techniques.
- Technique #1 – Search for Known Indicators of Compromise (IoCs)
- Technique #2 – Hunt using Network Signatures
Part 2: In the realm of network threat hunting, many organizations will depend on tools such as Bro / Zeek. The goal here is to understand what devices, applications etc. exist within the environment and then using threat intelligence and perhaps some basic unsupervised machine learning to spot the outliers. For the Sunburst campaign, we include the next four techniques in our playbook.
- Technique #3 – Search for SolarWinds Applications
- Technique #4 – Detection based on Non-Application Layer Protocols
- Technique #5 – Audit External / North-South Traffic
- Technique #6 – Audit for Anomalous Geolocation or ASN traffic
Part 3: At this level, as you may imagine you are hunting for the specific attacker TTPs e.g., the way they perform lateral movement or their usage of domain generation algorithms (DGAs) for command and control / data exfiltration. These kinds of hunts are hard to execute with just metadata. Instead, they need deeper analysis of network communications but also a historical forensic perspective to convict based on context. Given the volume of data involved, analysis requires not only security experience but also an underlying data science platform. Our final four techniques required hunting at this level.
- Technique #7 – East-West / Lateral Movement Detection
- Technique #8 – SMB Traffic Analysis
- Technique #9 – Automated Domain Generation Algorithm (DGA) Detection & Analysis
- Technique #10 – Predictive Intelligence-based Detection
We hope the playbook we present in this series of posts is useful to your analysis not just for the currently in-the news breaches but also to protect your organization from those that are not yet known. Are there other techniques that you have seen work? We would love to hear from you and intend to keep these posts as a living document that is updated as our collective knowledge and experience grows.
If you liked what you just read, subscribe to hear about our threat research and security analysis.
VP, Threat Research
Dig Deeper with These Resources
Awake Security 2 Minute Explainer Video
What if security could think? What if it could sense danger, calculate risk, and react quickly based…
The Internet’s New Arms Dealers: Malicious Domain Registrars
This report dives into the results of a multi-month investigation that uncovered a massive global surveillance campaign…