Network Threat Hunting for Adversary Tactics, Techniques and Procedures
After working through the first two parts of our blog series, we are now at the bleeding edge of the threat hunting process. This is where we see the most sophisticated threat hunters operate. At this level, as you may imagine, you are hunting for specific attacker TTPs, e.g., the way they perform lateral movement or their use of domain generation algorithms (DGAs) for command and control or data exfiltration.
As you will see below, these kinds of hunts are hard to execute with just metadata such as Bro / Zeek logs or NetFlow. Instead, they need deeper analysis of network communications as well as a historical forensic perspective to convict based on context. Moreover, given the volume of data involved, these kinds of analyses require not only security experience but also an underlying data science platform. Our final four techniques require hunting at this level.
Lateral movement is a critical aspect to identify for any attack, as it directly identifies the scope of what has occurred in the environment. Some of the techniques observed in SolarWinds and other supply chain attacks are not unique to this campaign. In other words, detecting lateral movement, such as the exploitation of remote services or the use of valid accounts against remote services like SMB, is an effective way to detect even the most sophisticated threats.
While Awake has many models that automatically look for signs of lateral movement, the platform offers considerable opportunity to proactively hunt for new attacks. For instance, one of the TTPs observed in the SolarWinds attack was the use of many compromised but legitimate accounts. Awake automatically identifies when devices suddenly have many usernames associated with them. In fact, the platform will draw this information from a variety of protocols including Kerberos, NTLM, SMB, LDAP, etc. This is illustrated in Figure 1 where we see a device associated with multiple usernames and the threat hunter is easily able to pivot to those usernames to further the investigation.
Figure 1: Identifying Devices with Potentially Compromised User Accounts
Much like we did with IP addresses and ASNs in part 2 of this series, it is possible to identify the usage of uncommon usernames. This is significant since many threats, including ransomware, operate with this technique. MITRE provides a good breakdown of the variety of techniques used to steal or forge Kerberos tickets. Kerberoasting [MITRE], for instance, is one of the most common techniques in this category, along with Golden Ticket and Silver Ticket.
As we see in Figure 1, the platform highlights on the right the list of users that gained access to the device. This gives hunters the ability to catch adversaries that are slowly making their way through the network using compromised credentials. Awake also allows the hunter to quickly pivot from a username to a list of all devices that it successfully logged onto (Figure 2). A username that appears on an unexpected set of devices is often another indicator of a compromised account.
Figure 2: Pivoting off a Username to Identify Devices Where the User was Logged Onto
Figure 3 illustrates a hunt for a device with a considerable number of anomalous Kerberos logins. In this case we look for workstations and servers with multiple Kerberos login names.
Interestingly, in this case, Awake also noted that none of these accounts were flagged as the primary user of the device (Awake automatically highlights the primary user with the device name). This points to a scenario like that discovered in the SolarWinds campaign where the usernames used to connect to a device were not the same ones used to move laterally. It is also worth mentioning that this kind of adversarial model can easily be converted into an ongoing detection model within Awake. In fact, Awake lets the hunter convert any of their hunts during the process into a model at the click of a button. This is possible since both the hunting and detection use cases leverage the same adversarial modeling language. This has a key advantage: it feeds every hunt into the standard security operations workflow rather than leaving it as some sophisticated art form only accessible to the threat hunter.
Figure 3: Hunting for Anomalous Kerberos Logins and Other Credential Abuses
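The hunt described above (devices with many login names, none of them the primary user) and the username-to-devices pivot, as an added Python example that is not Awake's modeling language or platform code. The record layout, the `PRIMARY_USER` inventory, the threshold of four accounts and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (device, protocol, account as seen on the wire).
AUTH_EVENTS = [
    ("ws-017", "kerberos", "alice@CORP.EXAMPLE"),
    ("ws-017", "kerberos", "WS-017$@CORP.EXAMPLE"),   # machine account
    ("srv-app02", "kerberos", "svc_backup@CORP.EXAMPLE"),
    ("srv-app02", "kerberos", "jdoe@CORP.EXAMPLE"),
    ("srv-app02", "kerberos", "JDOE@corp.example"),   # same user, different case
    ("srv-app02", "ntlm", "CORP\\mlopez"),
    ("srv-app02", "kerberos", "helpdesk3@CORP.EXAMPLE"),
    ("srv-app02", "smb", "CORP\\t.nguyen"),
    ("ws-044", "kerberos", "bob@CORP.EXAMPLE"),
    ("ws-044", "kerberos", "jdoe@CORP.EXAMPLE"),
    ("ws-044", "ldap", "carol@CORP.EXAMPLE"),
    ("ws-044", "ntlm", "CORP\\dave"),
]
# Assumed asset inventory: device -> primary user.
PRIMARY_USER = {"ws-017": "alice", "srv-app02": "appadmin", "ws-044": "bob"}


def normalize(account):
    """Reduce user@REALM or DOMAIN\\user to a lowercase name; drop machine accounts."""
    name = account.split("@", 1)[0].split("\\")[-1].lower()
    return None if name.endswith("$") else name


def users_by_device(events):
    seen = defaultdict(set)
    for device, _protocol, account in events:
        name = normalize(account)
        if name:
            seen[device].add(name)
    return seen


def hunt_multi_user_devices(events, primary_user, min_users=4):
    """Devices with at least min_users distinct accounts, none the primary user."""
    return {
        device: sorted(names)
        for device, names in users_by_device(events).items()
        if len(names) >= min_users and primary_user.get(device) not in names
    }


def devices_for_user(events, username):
    """Pivot from one username to every device it was seen on."""
    return sorted(d for d, names in users_by_device(events).items()
                  if username.lower() in names)
```
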
Server Message Block (SMB) is the most commonly used protocol for lateral movement, remote command execution, and tool transfer. More specifically, PsExec is one of the most used tools to execute some of these commands. What makes it particularly interesting is that PsExec is not malware. It is a legitimate tool from Microsoft that can be used by IT and system administrators as well as by attackers. The challenge in hunting for the usage of this tool, and of SMB in general, is therefore distinguishing between legitimate usage and the attacker’s activity.
The FireEye SolarWinds breach blog mentioned an atypical SMB session pattern used by the adversary, where they accessed legitimate directories and followed a delete-create-execute-delete-create pattern in a short period of time. As Figure 4 shows, this pattern of behavior can be easily detected using an Awake adversarial model. In this case the model looks for a particular chain of SMB activities within a 5-minute period.
Figure 4: Hunting for Anomalous SMB Activity Observed in the Sunburst Campaign
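The same chain logic expressed over normalized SMB events, as an added Python example that is not Awake's adversarial model or the FireEye detection. The event tuple layout, the action labels, the addresses and the paths are assumptions constructed for illustration; the chain is matched in order per client/server pair, with unrelated events allowed in between.

```python
from collections import defaultdict

CHAIN = ("delete", "create", "execute", "delete", "create")
WINDOW_SECONDS = 300  # the 5-minute period used by the model in the text

# Constructed sample events: (epoch_seconds, client, server, action, path).
SMB_EVENTS = [
    (1000, "10.0.0.5", "10.0.0.20", "delete", "ADMIN$/app/lib.dll"),
    (1020, "10.0.0.5", "10.0.0.20", "create", "ADMIN$/app/lib.dll"),
    (1030, "10.0.0.5", "10.0.0.20", "read", "ADMIN$/app/readme.txt"),
    (1045, "10.0.0.5", "10.0.0.20", "execute", "ADMIN$/app/lib.dll"),
    (1090, "10.0.0.5", "10.0.0.20", "delete", "ADMIN$/app/lib.dll"),
    (1120, "10.0.0.5", "10.0.0.20", "create", "ADMIN$/app/lib.dll"),
    # Same actions from an admin host, spread over 20 minutes: not a hit.
    (2000, "10.0.0.9", "10.0.0.30", "delete", "deploy/agent.exe"),
    (2200, "10.0.0.9", "10.0.0.30", "create", "deploy/agent.exe"),
    (2500, "10.0.0.9", "10.0.0.30", "execute", "deploy/agent.exe"),
    (2900, "10.0.0.9", "10.0.0.30", "delete", "deploy/agent.exe"),
    (3200, "10.0.0.9", "10.0.0.30", "create", "deploy/agent.exe"),
]


def find_chains(events, chain=CHAIN, window=WINDOW_SECONDS):
    """Return (pair, first_ts, last_ts) for each in-order chain inside the window."""
    by_pair = defaultdict(list)
    for ts, client, server, action, _path in sorted(events):
        by_pair[(client, server)].append((ts, action))
    hits = []
    for pair, seq in by_pair.items():
        i = 0
        while i < len(seq):
            if seq[i][1] != chain[0]:
                i += 1
                continue
            matched = [i]  # indexes of the events matched so far
            j = i + 1
            while j < len(seq) and len(matched) < len(chain):
                if seq[j][0] - seq[i][0] > window:
                    break  # window measured from the first step has expired
                if seq[j][1] == chain[len(matched)]:
                    matched.append(j)
                j += 1
            if len(matched) == len(chain):
                hits.append((pair, seq[i][0], seq[matched[-1]][0]))
                i = matched[-1] + 1  # resume after the reported chain
            else:
                i += 1
    return hits
```
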
The Awake Security Platform also presents the security-relevant machine learning features to the analyst so that these can be easily composed into a hunt. The Feature Summaries view provides easily searchable and sortable access to the relevant attributes, allowing point-and-click model building without the need for data science expertise. For instance, as Figure 5 illustrates, the analyst can query any particular protocol (SMB in this case) and look at protocol-specific feature summaries (filenames in this case) with the objective of finding malicious or anomalous traffic patterns. In our example, the hunter used feature summaries to narrow down to Mimikatz files, commonly used by red teams and adversaries to steal credentials, being transferred over SMB. Understandably, the filename is a weak indicator that can be easily changed, so Awake provides many other SMB features, such as file size and hashes, to uncover the lateral movement of attack tools. In fact, the file name is just one of more than 65 different SMB-related features that can be used to focus the hunt.
Figure 5: Hunting based on SMB Filenames
Despite being a well-known tactic, DGA behavior is still regularly used by adversaries at all levels of sophistication. Adversaries use DGAs to dynamically generate domains (or subdomains) for command and control (C2) traffic rather than using static IP addresses or domains, which can easily be blocked through threat intelligence feeds and devices like firewalls and proxies. Constantly changing domains (e.g., a DGA) and IP addresses (e.g., fast-flux), on the other hand, make the traffic harder for administrators to detect and block.
As Figure 6 shows, Awake automatically detects DGA domains regardless of the underlying protocol and will bring these to your attention.
Figure 6: Automatic DGA Detection
Given Awake detections are built as reusable and composable adversarial models, this capability is also available to analysts to use as part of a network threat hunt, as Figure 7 illustrates.
Figure 7: Hunting for DGA Domains
Awake also supports the use of regular expressions to detect campaign-specific DGAs based on an understanding of the attacker TTPs. For instance, as Figure 8 shows, we are hunting for anomalous DGA behavior over HTTP and TLS. In the case of the Sunburst campaign, the TLD stays the same but a DGA is used to generate the subdomain name. Awake can detect this using the regular expression approach.
Figure 8: Hunting for DGA Domains with Regular Expressions
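A regular-expression hunt for generated subdomains under a fixed parent domain, as an added Python example that is not Awake's query syntax. The parent domain `updates-cdn.example`, the label length bounds, the entropy and count thresholds and every sample record are assumptions constructed for illustration, not the Sunburst DGA format.

```python
import math
import re
from collections import Counter, defaultdict

PARENT = "updates-cdn.example"  # hypothetical campaign parent domain
# Leftmost label: 12-40 lowercase alphanumerics, then optional fixed labels.
HOST_RE = re.compile(
    r"^(?P<label>[a-z0-9]{12,40})\.(?:[a-z0-9-]+\.)*" + re.escape(PARENT) + r"\.?$"
)

# Constructed sample: (client, protocol, HTTP Host header or TLS SNI value).
RECORDS = [
    ("10.1.4.23", "tls", "k3v9q2xm7tbz4h1p.region1.updates-cdn.example"),
    ("10.1.4.23", "tls", "w8r5n0cjd6yfa2ge.region1.updates-cdn.example"),
    ("10.1.4.23", "http", "P7ZQ1MX4B9TK2VH6.updates-cdn.example."),
    ("10.1.4.23", "tls", "www.updates-cdn.example"),
    ("10.1.7.80", "http", "downloadsdownloads.updates-cdn.example"),
    ("10.1.7.80", "tls", "k3v9q2xm7tbz4h1p.other.example"),
    ("10.1.9.12", "tls", "w8r5n0cjd6yfa2ge.updates-cdn.example"),
]


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def hunt_generated_subdomains(records, min_entropy=3.5, min_distinct=3):
    """Clients that contacted several distinct high-entropy labels under PARENT."""
    labels = defaultdict(set)
    for client, protocol, host in records:
        if protocol not in ("http", "tls"):
            continue
        match = HOST_RE.match(host.strip().lower())
        if match and shannon_entropy(match["label"]) >= min_entropy:
            labels[client].add(match["label"])
    return {c: sorted(found) for c, found in labels.items()
            if len(found) >= min_distinct}
```

The entropy filter drops long but readable labels that the regular expression alone would match, and the distinct-label count separates a rotating generator from a single odd hostname.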
Ultimately, with attacks like SolarWinds, there will not always be a priori knowledge of how to detect them. Security teams therefore need to adopt a zero-trust mindset, where anything outside the “known good” is considered suspect until proven innocent. Awake has worked on automating this analysis, which is normally performed by the most experienced threat hunters. Ava, Awake’s virtual security analyst, uses a variety of data sources, such as open-source intelligence (OSINT) and threat intelligence, and data science techniques, such as natural language processing (NLP) and topic modeling, to surface potential early warning signs of a breach.
For instance, prior to being publicly disclosed, the domain avsvmcloud[.]com had very little publicly available information, as you would expect. Ava therefore labels this as a potential unknown threat due to the low prevalence and usage of the domain across the internet. Ava looks for and flags activity to these kinds of suspect destinations, especially when it originates from critical assets or from devices that simply should not have this kind of communication, e.g., critical infrastructure devices such as Active Directory, database servers, industrial control systems, executive workstations, etc. As destinations like this become more popular, Ava’s analysis evolves to either proclaim innocence or convict the domain in question. For instance, as can be seen in Figure 9, the Ava API now flags avsvmcloud[.]com as a “known threat” in the category “advanced malware command and control”. This information is derived from NLP analysis of the news, information and articles on the internet after the public disclosure of the SolarWinds campaign.
Figure 9: Ava API Provides Context on the SolarWinds C2 Domain
In continuing our research and development with Ava, we recognize and acknowledge that it is simply impossible to develop a security platform that detects every threat. However, given enough time and data, top tier threat hunters and SOC analysts can uncover these threats. Ava therefore attempts to take some of the skills and expertise we find in these individuals and uses technology to automate the discovery of the early warnings. This ultimately enables customers to speed up response and mitigate impact.
VP, Threat Research