Network Threat Hunting for the Known Indicators of an Advanced Threat

When news of a threat breaks, organizations must hunt using the threat intelligence available to them, including publicly released signatures and indicators of compromise (IoCs). In practice this means searching for the domains, IP addresses and file hashes associated with the attack campaign. Let us examine some techniques for doing this.

Technique #1 – Search for Known Indicators of Compromise (IoCs)

This is clearly the easiest of the techniques we lay out in this series: it requires nothing more than network logs from a firewall or perhaps the switching infrastructure. Of course, as our discussion of the Pyramid of Pain in the original post would indicate, this ease comes at the cost of efficacy. The bottom line is that these hunts often provide low value: adversaries can and do change their domains and C2 infrastructure easily, and a campaign may use other domains that have not yet been made public. Similar searches can be done with IP addresses, but they provide even lower value, especially when the domain is hosted in a shared hosting environment or with one of the many cloud service providers. Both commonly rotate IP addresses, so an address by itself is a weak indicator: a match tells you that a device talked to an address the adversary once used, not that the adversary was on the other end.

The Awake Security Platform not only lets you hunt for indicators in real time, but also performs retrospective detection over 6 months or more of history. This matters because even if the attacker changes domains in the future, security teams can still determine whether the organization was compromised in the past and, if so, immediately kick off the incident response process. Any device that resolved or connected to these domains is likely infected and should be isolated, investigated and remediated as part of that response; patching the vulnerable software alone does not evict an attacker who is already inside. Figure 1 illustrates an Awake adversarial model that:

  1. Performs a regular expression-based search for the domain(s) known to be associated with the SolarWinds / Sunburst campaign.
  2. Analyzes the results to show the devices communicating with the attack infrastructure, the domains being used and the actual network activity that occurred (including full PCAPs). The orange dots indicate a match with an IoC list already imported into the platform.
  3. Pivots deeper into individual results to gather further information about network and domain activity, such as identifying other systems involved.

Figure 1: Awake Adversarial Model for SolarWinds / Sunburst IoCs – Domains

Awake can also integrate with your threat intelligence sources and ingest a list of IoCs (Figure 2). As discussed above, such a list can be matched against streaming traffic, with escalation in real time, and also used for retrospective threat hunting.

Figure 2: Sunburst Domain and IP Address Indicator of Compromise Imports
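As an added example (not code from the original post or from the Awake platform), the following Python script runs the Technique #1 hunt over constructed Zeek-style dns.log and conn.log records: it matches DNS queries against a domain indicator list with a label-boundary check so that look-alike names do not produce false hits, matches connection destinations against IP indicators, tags bare IP hits as low confidence for the reason given above, and groups hits by internal host as the pivot for incident response. The indicator values and log lines are constructed for illustration; only the Zeek field names (`ts`, `id.orig_h`, `id.resp_h`, `query`, `answers`) are the real ones.

```python
"""Retrospective IoC hunt over Zeek-style dns.log and conn.log records.

Added example, not code from the original post or from the Awake platform.
Indicator values and log lines are constructed; only the Zeek field names
(ts, id.orig_h, id.resp_h, query, answers) are the real ones.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed indicator list (hypothetical values, not real campaign IoCs).
IOC_DOMAINS = {"update-cdn.example.net", "api.telemetry-example.org"}
IOC_IPS = {"203.0.113.44", "198.51.100.7"}

# Constructed Zeek JSON log lines. Note the look-alike query on the last
# dns.log line, which must NOT match the indicator update-cdn.example.net.
SAMPLE_DNS_LOG = """\
{"ts": 1607900000.1, "id.orig_h": "10.0.5.21", "query": "k5mp6.update-cdn.example.net", "answers": ["203.0.113.44"]}
{"ts": 1607900005.4, "id.orig_h": "10.0.5.22", "query": "www.example.com", "answers": ["93.184.216.34"]}
{"ts": 1607903600.9, "id.orig_h": "10.0.7.3", "query": "API.Telemetry-Example.org.", "answers": ["198.51.100.7"]}
{"ts": 1607903601.0, "id.orig_h": "10.0.7.3", "query": "notupdate-cdn.example.net", "answers": ["192.0.2.9"]}
"""
SAMPLE_CONN_LOG = """\
{"ts": 1607900001.0, "id.orig_h": "10.0.5.21", "id.resp_h": "203.0.113.44", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1607950000.0, "id.orig_h": "10.0.9.15", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1607950002.0, "id.orig_h": "10.0.9.16", "id.resp_h": "192.0.2.9", "id.resp_p": 80, "proto": "tcp"}
"""


@dataclass(frozen=True)
class Match:
    ts: float
    host: str         # internal device that produced the activity
    indicator: str    # IoC that matched
    kind: str         # "domain" or "ip"
    confidence: str   # "high" for domain hits, "low" for bare IP hits


def domain_matches(query: str, ioc_domains: set[str]) -> str | None:
    """Return the indicator that `query` equals or is a subdomain of, else None.

    Comparison is case-insensitive, ignores a trailing dot, and checks a
    label boundary so 'notupdate-cdn.example.net' is not a hit.
    """
    q = query.lower().rstrip(".")
    for ioc in ioc_domains:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hunt(dns_log: str, conn_log: str, ioc_domains: set[str], ioc_ips: set[str]) -> list[Match]:
    """Scan stored log text for indicator hits, oldest first (a retrospective hunt)."""
    matches: list[Match] = []
    for line in dns_log.splitlines():
        rec = json.loads(line)
        hit = domain_matches(rec["query"], ioc_domains)
        if hit is not None:
            matches.append(Match(rec["ts"], rec["id.orig_h"], hit, "domain", "high"))
    ioc_addrs = {ipaddress.ip_address(a) for a in ioc_ips}
    for line in conn_log.splitlines():
        rec = json.loads(line)
        if ipaddress.ip_address(rec["id.resp_h"]) in ioc_addrs:
            # Bare IP hits are lower fidelity: shared hosting and cloud address
            # rotation mean the address alone is not proof of compromise.
            matches.append(Match(rec["ts"], rec["id.orig_h"], rec["id.resp_h"], "ip", "low"))
    return sorted(matches, key=lambda m: m.ts)


def affected_hosts(matches: list[Match]) -> dict[str, set[str]]:
    """Group matched indicators by internal host: the pivot point for incident response."""
    hosts: dict[str, set[str]] = {}
    for m in matches:
        hosts.setdefault(m.host, set()).add(m.indicator)
    return hosts


if __name__ == "__main__":
    found = hunt(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG, IOC_DOMAINS, IOC_IPS)
    for m in found:
        print(f"{m.ts:.1f} {m.host} -> {m.indicator} ({m.kind}, {m.confidence} confidence)")
    for host, iocs in affected_hosts(found).items():
        print(f"{host}: {sorted(iocs)}")
```

Against the sample data the script reports two domain hits and two IP hits; the look-alike `notupdate-cdn.example.net` and the unrelated `192.0.2.9` connection are correctly ignored. On real data the same loop would read `zeek-cut`-style or JSON logs from the retention window rather than an embedded string.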

Technique #2 – Hunt using Network Signatures

Along with basic IoCs, many network security vendors have provided, or support, network signatures for engines such as Snort, Suricata or Zeek. These signatures, while slightly more robust than a pure domain match (they can key on byte patterns in the payload, a URI path or a header rather than only on a name the attacker can rotate), suffer from many of the same shortcomings discussed in Technique #1: they encode what the adversary's tooling did in this campaign, and a small change to that tooling evades them.

Awake is unique in offering the Adversarial Modeling Language (AML), which allows Snort and other rules to be converted easily and additionally supports a much more robust filtering system that reduces false positives based on context, data science and threat intelligence. These capabilities are simply not available in traditional IDS systems. Figure 3 shows how multiple Snort signatures released to detect the SolarWinds threat are converted into a single, compact and explainable adversarial model.

Figure 3: Multiple Snort Rules Converted and Merged into a Single Adversarial Model
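The conversion and merging step, as an added example that is neither the Awake AML converter nor code from the original post: a small Python parser reads Snort-style rules (header, `msg`, `sid`, `content` with `|hex|` escapes, `nocase`, `pcre`), compiles each rule's contents into patterns that must all be present, and folds the rules into a single model object that reports every hit by sid and message. It also applies one contextual filter, a destination allowlist, as a minimal stand-in for the context-based false-positive reduction the paragraph describes. The rules, sids, payloads and allowlist are constructed for illustration and are not the published SolarWinds signatures.

```python
"""Convert Snort-style rules into one merged, explainable matching model.

Added example, not the Awake AML converter or code from the original post.
The rules, payloads and destination allowlist are constructed for
illustration and are not the published SolarWinds signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed rules in Snort syntax: hypothetical sids, messages and contents.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"HYPO beacon domain A"; content:"|2e|update-cdn.example.net"; nocase; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"HYPO beacon domain B"; content:"api.telemetry-example.org"; nocase; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPO beacon URI"; content:"GET "; pcre:"/\/swip\/upd\/[A-Za-z0-9]{8,}\.xml/"; sid:9000003; rev:2;)
'''

# Constructed flows: (destination host, payload bytes as seen on the wire).
PAYLOADS = [
    ("203.0.113.44", b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03k5mp6.UPDATE-CDN.example.net\x00"),
    ("198.51.100.7", b"GET /swip/upd/Ab12Cd34Ef.xml HTTP/1.1\r\nHost: api.telemetry-example.org\r\n"),
    ("203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("10.0.0.5", b"GET /swip/upd/Ab12Cd34Ef.xml HTTP/1.1\r\nHost: internal-mirror\r\n"),
]
TRUSTED_DST = frozenset({"10.0.0.5"})  # constructed allowlist: an internal update mirror

HEADER_RE = re.compile(r'^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # name[:value];
HEX_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\|')                        # |2e 2f| byte escapes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    patterns: tuple[re.Pattern[bytes], ...]  # all must hit: Snort ANDs a rule's contents


def content_to_regex(content: str) -> str:
    """Turn a Snort content string with |hex| escapes into an escaped regex body."""
    out, pos = [], 0
    for m in HEX_RE.finditer(content):
        out.append(re.escape(content[pos:m.start()]))
        out.append("".join(f"\\x{b:02x}" for b in bytes.fromhex(m.group(1))))
        pos = m.end()
    out.append(re.escape(content[pos:]))
    return "".join(out)


def parse_rule(line: str) -> Rule:
    """Parse one rule line; handles msg, sid, content, nocase and pcre only."""
    hdr = HEADER_RE.match(line.strip())
    if hdr is None:
        raise ValueError(f"unparsable rule: {line!r}")
    sid, msg, frags = 0, "", []
    for name, raw in OPT_RE.findall(hdr.group("opts")):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if name == "msg":
            msg = val
        elif name == "sid":
            sid = int(val)
        elif name == "content":
            frags.append(content_to_regex(val))
        elif name == "nocase" and frags:
            frags[-1] = f"(?i:{frags[-1]})"            # nocase modifies the preceding content
        elif name == "pcre":
            body, _, flags = val[1:].rpartition("/")  # "/regex/flags"; only the i flag is honoured
            frags.append(f"(?i:{body})" if "i" in flags else body)
    if not sid or not frags:
        raise ValueError(f"rule needs a sid and at least one content/pcre: {line!r}")
    return Rule(sid, msg, tuple(re.compile(f.encode()) for f in frags))


@dataclass(frozen=True)
class AdversarialModel:
    """Many rules merged into one object that explains each hit by sid and message."""
    rules: tuple[Rule, ...]
    trusted_dst: frozenset[str]  # context filter: destinations whose hits are suppressed

    @classmethod
    def from_snort(cls, text: str, trusted_dst: frozenset[str] = frozenset()) -> AdversarialModel:
        lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
        return cls(tuple(parse_rule(ln) for ln in lines), trusted_dst)

    def evaluate(self, payload: bytes, dst_host: str) -> list[tuple[int, str]]:
        """Return (sid, msg) for each rule whose patterns all occur in the payload.

        Hits to a trusted destination are dropped: a contextual check that a
        raw IDS signature on its own cannot express.
        """
        if dst_host in self.trusted_dst:
            return []
        return [(r.sid, r.msg) for r in self.rules if all(p.search(payload) for p in r.patterns)]


def run(model: AdversarialModel, flows: list[tuple[str, bytes]]) -> dict[str, list[int]]:
    """Evaluate the model over captured flows and report matched sids per destination."""
    return {dst: [sid for sid, _ in model.evaluate(payload, dst)] for dst, payload in flows}


if __name__ == "__main__":
    model = AdversarialModel.from_snort(SAMPLE_RULES, TRUSTED_DST)
    for dst, sids in run(model, PAYLOADS).items():
        print(dst, sids)
```

Two simplifications are deliberate: multiple `content` options in one rule are required to be present anywhere in the payload (Snort's relative modifiers such as `distance` and `within` are not modelled), and the context filter is a bare destination allowlist. The point is the shape of the result: three vendor rules become one object whose output says which signature fired and why, and whose hits can be suppressed by facts about the flow that the signature language itself does not carry.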

To wrap up Part 1: the techniques described here are primarily useful for determining whether you have been breached by a threat that is already known. That is useful, but the proverbial horse has already bolted; in other words, these techniques do not help detect threats that are not yet widely known in the community. Read on for Parts 2 and 3 of this series for more robust techniques to do that.


Param Singh

VP, Threat Research