Network Threat Hunting to Detect Covid-19 Cyber Attacks
While society comes to grips with the spread of the Coronavirus and its impact on people’s health and financial stability, a select group of adversaries is actively looking for ways to exploit the associated fear, panic, or simply the need for information. As security analysts are asked to use network threat hunting to uncover these actors, we are seeing some roadblocks our customers run into, and we will share how we eliminate them while hunting on behalf of our customers.
The trends created by this epidemic are significant and much more profound than the regional disasters we’ve seen in the past. The Google Search Trends chart below shows a major pickup in search terms like Corona, Covid, and Coronavirus. Interest started to pick up on January 20, 2020, and the growth seems to mimic the spread of the virus itself.
In parallel, we have seen attackers weaponizing domains and emails to leverage everyone’s interest in the topic. To date we know there are several thousand domains out there with terms like “corona” in the name, and many of them were registered during the month of March. Some of them are malicious, but they blend in with legitimate Coronavirus-related traffic, making it more difficult to find the adversary.
Security analysts are challenged with both a sudden, new remote workforce and with combating those taking advantage of the situation. At some point analysts will be, or may already have been, faced with the following questions from their executives.
- Are we getting hit by any of these Coronavirus or Covid-19 themed malware and phishing campaigns? I keep seeing vendors releasing all kinds of reports!
- How are we covering our recently transitioned remote workforce against these new threats?
- What are we doing to be proactive?
As a security team, you want to respond with more than “we haven’t seen any specific Coronavirus-based alerts” or “we have no way to cover our remote staff against these threats.”
Unfortunately, for most analysts answering these questions is a burdensome effort involving numerous tasks, since existing tools and processes for network threat hunting are not set up to address this adequately, especially given the challenges of the remote workforce.
Traditional Security Workflow
Most security teams are not fortunate enough to have full-time threat intelligence staff to sort through and operationalize newly received intelligence, so most typically operationalize the intelligence in one of the following ways.
- Perform searches within their Security Information and Event Management (SIEM) solution against multiple log sources; few of which use consistent field names and time normalization
- Login to multiple platforms and perform the search locally on a network appliance
- Write Snort-like IDS rules for detection
Too much threat intelligence coming in from every security technology and service company in existence can hinder the team because it can be time consuming to vet and operationalize the intelligence.
Mature security teams have various layers of automation for the above items, but they are still left ingesting multiple network log sources into their SIEM, and the transformation and correlation of that data still falls to engineering and analysts respectively.
Unfortunately, when something as large as the Covid-19 outbreak occurs, these traditional methods of operationalizing intel and searching your logs for indicators break down.
Network Threat Hunting: A Better Approach
Here at Awake Labs, we are network threat hunting every day across a myriad of customer environments to help protect them via Awake’s Managed Network Detection and Response (MNDR) offering. So how do we go about hunting for network IOCs?
Leveling Up – The Power of the Platform
To hunt using the public intelligence on the Covid cyber threat, we initially cast a rather wide net with some loose search terms and see what comes back. This helps us figure out how best to structure our network threat hunting searches going forward.
For example, in the search query shown below we compare our example search terms (“corona”, “virus”, “covid”, etc.), expressed as a single regular expression, against three domain-name fields within the Awake platform.
In the query, the platform knows to check all three fields because they are wrapped in a skill called recipes.destinations.domains.all_unstemmed_domains. More on skills below.
Skills can be thought of as “recipes of a security team’s knowledge”, written down to make repetitive tasks and elaborate searches much easier. Unless you are an advanced cook, cooking without a recipe is difficult and time consuming and often does not achieve the result you set out for; likewise, you don’t want to make sauces and spices from scratch every time.
Within the Awake platform the same applies: you can create skills for the rest of your team to use, or you can use the skills Awake provides to everyone. Much like recipe ingredients, skills can be used in multiple models or combined to create more complex skills. This approach wraps a lot of the complexity under the hood while delivering an elegant interface to even relatively junior analysts.
From 2020-03-01 to 2020-03-19, our wide-net search returns 498+ domains.
From the query results it is easy to see that this number is too large to triage manually, so we use Awake’s built-in capabilities to cut it down to a manageable set of domains.
Some of the areas we can use to filter include:
- Domains created after 2020-01-20
- If no domain creation date is identified, include it in the results
- Domains first seen in the network after 2020-01-20
- Domains that match suspect domain risk categories
- Domains that do not have any domain categories
- After the above is applied, we filter by domains that match our regular expression
Adding all the filters bulleted above to our search produces the 5 domain results associated with the following query:
Let’s break this down and quickly cover what each of the fields in the query means.
- domain.created: when the domain was registered. This can be a date, or it may be unknown; we therefore use || (OR) to include both a date bound and unknown.
- domain.first_seen: when the domain was first seen within the network being monitored.
- recipes.destinations.domains.potentialRiskCategories: the site categories assigned to domains, for example “Malicious Site,” “Hacking Site,” “Adult Content,” etc. We specify an OR condition here too, because we also want to return domains that have zero categories.
- recipes.destinations.domains.all_unstemmed_domains: searches the domain name across the following Awake fields: activity.tls.handshake.client.server_name, activity.quic.client.server_name, activity.http.request.host
- (\x -> x like r//): takes the domains from above and checks them against our list of search terms. The “like” and r// indicate that a regular expression is being passed; the regular expression itself goes between the slashes, r/<insert regex>/.
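To make the filter chain above concrete outside the Awake platform, here is an added Python reimplementation of the same logic (this is example code written for this article, not Awake’s AML or platform code). It models each observed domain with the three name fields the post lists, applies the created-date-or-unknown, first-seen, suspect-or-uncategorised and regex filters in the order given, and returns the surviving domain names. The sample records, the set of category names treated as “suspect”, and the .example domains are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Same loose terms as the wide-net regex in the article (a hypothetical hunting list).
CORONA_TERMS = re.compile(
    r"(corona|virus|covid|health|cdc|gov|flu|sick|well|pandem|chaos|clos)",
    re.IGNORECASE,
)

# Category names treated as suspect; these labels are assumptions, not Awake's list.
SUSPECT_CATEGORIES = {"Malicious Site", "Hacking Site", "Phishing", "Newly Registered"}

# Date used in the article for both domain.created and domain.first_seen bounds.
CUTOFF = date(2020, 1, 20)


@dataclass
class DomainRecord:
    """One domain as seen on the wire, with the three name fields the article lists."""
    tls_server_name: Optional[str] = None   # activity.tls.handshake.client.server_name
    quic_server_name: Optional[str] = None  # activity.quic.client.server_name
    http_host: Optional[str] = None         # activity.http.request.host
    created: Optional[date] = None          # domain.created; None means unknown
    first_seen: Optional[date] = None       # domain.first_seen
    categories: List[str] = field(default_factory=list)  # potentialRiskCategories

    def all_domains(self) -> List[str]:
        # Equivalent of all_unstemmed_domains: every non-empty name field.
        return [d for d in (self.tls_server_name, self.quic_server_name, self.http_host) if d]


def created_after_or_unknown(rec: DomainRecord, cutoff: date = CUTOFF) -> bool:
    # domain.created >= cutoff || domain.created == unknown
    return rec.created is None or rec.created >= cutoff


def first_seen_after(rec: DomainRecord, cutoff: date = CUTOFF) -> bool:
    # Unlike created, an unknown first_seen does not qualify: we need network evidence.
    return rec.first_seen is not None and rec.first_seen >= cutoff


def suspect_or_uncategorised(rec: DomainRecord) -> bool:
    # A suspect risk category OR no categories at all (uncategorised is interesting too).
    return not rec.categories or any(c in SUSPECT_CATEGORIES for c in rec.categories)


def matches_terms(rec: DomainRecord, pattern: "re.Pattern" = CORONA_TERMS) -> bool:
    # (\x -> x like r/.../) applied to every domain name field of the record.
    return any(pattern.search(d) for d in rec.all_domains())


def hunt(records, cutoff: date = CUTOFF, pattern: "re.Pattern" = CORONA_TERMS) -> List[str]:
    """Apply the four filters in the article's order and return matching domain names."""
    hits = set()
    for rec in records:
        if not created_after_or_unknown(rec, cutoff):
            continue
        if not first_seen_after(rec, cutoff):
            continue
        if not suspect_or_uncategorised(rec):
            continue
        if not matches_terms(rec, pattern):
            continue
        hits.update(rec.all_domains())
    return sorted(hits)


# Constructed sample observations exercising each filter branch.
SAMPLE_RECORDS = [
    # New, uncategorised, themed name: survives every filter.
    DomainRecord(http_host="covid19-relief-update.example",
                 created=date(2020, 3, 5), first_seen=date(2020, 3, 10)),
    # Themed, but registered years ago: dropped by domain.created.
    DomainRecord(http_host="coronavirus-news.example",
                 created=date(2012, 6, 1), first_seen=date(2020, 3, 2), categories=["News"]),
    # Unknown creation date, suspect category, seen via TLS SNI: survives.
    DomainRecord(tls_server_name="corona-tracker-login.example",
                 first_seen=date(2020, 3, 15), categories=["Phishing"]),
    # Benign category that is neither suspect nor empty: dropped by the category filter.
    DomainRecord(quic_server_name="flu-shot-clinic.example",
                 created=date(2020, 2, 1), first_seen=date(2020, 3, 1), categories=["Health"]),
    # Passes dates and categories but has no themed term: dropped by the regex.
    DomainRecord(http_host="updates.example",
                 created=date(2020, 3, 1), first_seen=date(2020, 3, 10)),
    # Themed and unknown creation, but first seen before the cutoff: dropped.
    DomainRecord(http_host="covid-stats.example", first_seen=date(2020, 1, 10)),
]

if __name__ == "__main__":
    for domain in hunt(SAMPLE_RECORDS):
        print(domain)
```

Running the script lists the two domains that survive all four filters. Note the asymmetry between the two date fields: an unknown registration date is kept (WHOIS data is often missing for exactly the domains you care about), whereas a domain with no first-seen timestamp has never actually been observed in the monitored network and so is not a hunting lead.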
With our list of filters in place, we can make the search cleaner and easier to scale and manage by turning it into a skill.
Let’s first clean up the regular expression. It is the part most likely to change, and it can be reused by other skills as well; for example, you could use those same terms to search for malicious URIs. So we make the regular expression itself a skill, pulling all the regex details together as shown in the figure below.
Now that we have created this regular expression skill, we can add it to our search.
Old: (\x -> x like r/(corona|virus|covid|health|cdc|gov|flu|sick|well|pandem|chaos|clos)/)
New: (\x -> x like recipes.regexes.corona_virus)
And here is how that skill makes it into a larger query.
Our last clean-up is to turn the entire search into its own skill. This is accomplished the same way as the regex skill above. We define the expression, give it a title, and set the optional reference identifier.
So now when we want to perform a search using our constructed search query, we only need to type the following.
Leveling-up a Bit More… Ok a Lot More
We can also elevate this query further by leveraging the full power of our built-in Adversarial Modeling Language (AML), a functional programming language for expressing our queries. We accomplish this by adding two variables, creation date (cDate) and first seen date (fsDate) as shown below.
Now our search is four words, an underscore, and two partial dates.
From a Skill to Model
You’re busy, so why keep searching each day? As explained above, the platform can perform autonomous network threat hunting for you. We do this by constructing a model.
Before doing this, though, we made a couple of changes to the expression. We changed the domain.created date to 2020-01-20 and added a new term called modifyTime.
The modifyTime function instructs the model to identify only domains that were first seen within 7 days of now.
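The difference between the parameterised skill (fixed cDate and fsDate) and the model (fixed creation cutoff plus a rolling 7-day first-seen window) is easiest to see by evaluating both at different points in time. The following Python is an added illustration written for this article, not Awake’s modifyTime implementation or AML; the observations, the .example domain names and the window arithmetic are constructed assumptions.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Fixed domain.created bound the article's model uses.
CREATED_CUTOFF = date(2020, 1, 20)

# Constructed observations: (domain, created-or-None-for-unknown, first_seen).
OBSERVATIONS: List[Tuple[str, Optional[date], date]] = [
    ("covid-alert-portal.example", date(2020, 3, 2), date(2020, 3, 18)),
    ("corona-map-update.example", None, date(2020, 3, 5)),
    ("virus-help-desk.example", date(2020, 3, 14), date(2020, 3, 14)),
]


def created_ok(created: Optional[date], cutoff: date) -> bool:
    # domain.created >= cutoff || unknown
    return created is None or created >= cutoff


def skill_run(observations, c_date: date, fs_date: date) -> List[str]:
    """The interactive skill: both bounds are absolute dates typed by the analyst."""
    return sorted(
        domain for domain, created, first_seen in observations
        if created_ok(created, c_date) and first_seen >= fs_date
    )


def within_window(first_seen: date, now: date, days: int = 7) -> bool:
    # Rolling equivalent of modifyTime: first_seen lies in [now - days, now].
    return now - timedelta(days=days) <= first_seen <= now


def model_run(observations, now: date, days: int = 7,
              created_cutoff: date = CREATED_CUTOFF) -> List[str]:
    """One background evaluation of the model at time `now`."""
    return sorted(
        domain for domain, created, first_seen in observations
        if created_ok(created, created_cutoff) and within_window(first_seen, now, days)
    )


if __name__ == "__main__":
    # The skill with a fixed first-seen date keeps returning everything ever seen.
    print("skill  :", skill_run(OBSERVATIONS, date(2020, 1, 20), date(2020, 3, 1)))
    # The model only surfaces what is new relative to each run.
    for run_day in (date(2020, 3, 10), date(2020, 3, 19), date(2020, 3, 23)):
        print("model @", run_day, ":", model_run(OBSERVATIONS, run_day))
```

With a fixed fsDate the result set only ever grows, so an analyst re-running the skill each morning re-triages yesterday’s domains; the model’s rolling window makes each notification contain only domains first seen in the last week, which is what you want from something that runs unattended.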
Now the model will run in the background and notify you when it matches our expression.
All of the above was accomplished within a single platform, with no SIEM. Prior to Awake, this process would have required, at a minimum, multiple log sources, a SIEM, some type of caching engine, multiple experienced security staff, and custom software to interface with multiple APIs; and even with all of that it still wouldn’t have been this streamlined or repeatable.
By Jason Bevis and Patrick Olsen (Awake Labs)