Proactive Hunting for Adversaries (A Hunting We Will Go)

Being in the IR space, I’ve essentially given up my end of year holidays for the past 5+ years. Adversaries don’t work 9-5 Monday through Friday, and they most definitely know that US companies tend to be minimally staffed during the holidays- let alone stuffed full of turkey loaded with tryptophan. Rather than let the calendar year end on a sour note, I suggest your organization be proactive this year and spend a minimum of one week hunting for adversaries rather than sitting back and hoping your threat feed, MSSP or other mechanisms will lead to you catching something. As the godfather of hunting once said, “Hope is not a course of action.”

Before we get going, if you think your company isn’t a target this holiday season, think again. I’ve seen the oddest cross section of companies being attacked by APT to include food, waste management, aluminum manufacturing, and non-profits to name a few outside of the normal defense, energy, critical infrastructure, and other well-known targeted verticals; nation state attackers are not discriminating in their targets. On the cyber criminal side of the house, the old thinking that small and medium sized businesses are targets still holds true- but as the industry has seen this past year, large corporations are under continual attack with Target, eBay, Home Depot, and Staples announcing breaches one after another.

Ground Rules

I’m unsure if there is an official definition of hunting for adversaries, but to me it is defined as looking for adversaries on your network outside of your normal day-to-day processes. Let’s first establish three ground rules:

Rule 1. Executive Buy-in is required: Hunting can be invasive and a bit noisy and will require the full attention of those involved- let alone assistance from outside of the hunting party (e.g. networking). Having Executive-level support to both put aside all day-to-day work for a week (don’t ignore your high fidelity alerts), let alone leverage relationships to get the needed assistance from other organizations is paramount to success. Additionally, if done properly, this is a great story to tell to the C-suite.

Rule 2. Failure is an Option: If you are simply taking your known bad domains, IP’s, etc… and running them through tools… that’s not hunting. Hunting should involve unique ideas and approaches that haven’t been operationalized and as such, these approaches may not net any findings at the end of the exercise. However, don’t consider this a loss- perhaps you’ll discover new detection methods or ways of approaching a problem differently; perhaps the team will gel more since they had a week of working on a blitz of a project; or perhaps an adversary simply isn’t in your network.

Rule 3. Keep it Fun: Last, but most importantly not least, the hunt should be a lot of fun for the team- leading to a more successful hunt and people wanting to do it again. I recall the first hunt I was part of and it happened around “Shark Week”… so we went with a Shark theme. We gave the hunt a cool name (e.g. Marketing), changed PowerPoints to have Shark logos, and I hunted at stores for Shark candies and paraphernalia to bring in. And yes, at the end, those Shark-infested slides went in front of our CIO; as long as its professionally done and well explained, it was a welcome break from the monotony of normal IT/business slides.

Logistics

Logistically, the hunting should be a simple exercise as you want to limit administrivia and maximize hunting. I recommend setting aside one entire week for the hunt (Mon-Fri) and [leveraging the Executive buy-in] ensure all meetings are cancelled or moved so the team can focus 100% on the hunt. As for team make-up, it should be a good mix of junior, mid-level and senior IR/Intel folks, as well as individuals from outside the organization (e.g. Red Team, Networking, etc…).

2 weeks prior: Pull the team together for a 1hr brainstorming session and as with any brainstorming session, any idea is valid and the crazier the better. This will also allow time for individuals to think through the ideas in more detail and generate some buzz ahead of the next step.

1 week prior: Bring the team back together and rack and stack the ideas. Once complete, begin assigning folks to ensure there is coverage. You may very well not have all ideas assigned out and that is fine- the focus is on quality, not quantity- and you can table those for your next hunt. At the end of this meeting, everyone should know what their focus will be for the hunt and it will allow them time to begin laying the foundation to execute.

Friday AM before the Hunt Week: One quick call to ensure everyone is set. There may also be roadblocks or issues that need to be dealt with and communicated up to the Executive level for assistance. Handling this the Friday before allows the team to hopefully hit the ground running on Monday. There should be no need for a kick-off meeting on Monday.

Every PM during Hunt: A 15 minute “stand-up” to bring the team together and focus on anything of concern from an adversary perspective, as well as any logistical/political concerns that need to be raised to the Executive champion.

Monday after the Hunt: A quick call to discuss what worked and what didn’t work. This is the time to also lay the foundation for your next hunt, as well as to identify items that the team may want to operationalize on an ongoing day-to-day basis.

Communications: Not to be forgotten, the Executive can both kick-off and close-out the event via e-mail, communicating to key stakeholders across the organization to bring visibility and excitement to the effort. After the event, I would recommend bringing the results and next steps up to the C-suite for awareness and input. Outside of this, there is really little need for other communications (less administrivia, more hunting), though everything should be documented along the way.

Where to Start

While there are a variety of avenues to take, I’ve provided a couple of ideas to get you started thinking about hunting:

  • Pull “proactive LR’s” (forensic evidence) of previously compromised machines.
  • Pull proactive LR’s of previously compromised machines in the same family. For example, if you have webserver01, pull webserver02 and webserver03 (ProTip: You should be doing this during any incident as well.)
  • Can you pull back a certain artifact (e.g. registry key, file, etc…) from all machines and perform frequency analysis on them to look for outliers?
  • Are there areas of your network you don’t have awareness of? Shadow IT is a huge problem in most organizations and identifying rouge infrastructure you have zero or limited visibility to can be useful.
  • Contact your local FBI field office (you have a relationship already, right?) and ask if there is anything they can share that you should be concerned about.
  • Look into IT or IT security projects that aren’t finished deploying yet, or were abandoned but still in production, and consider leveraging them for a unique view of your network.
  • Do you have something that you can easily deploy in the environment to perform some searching or scanning?
  • Does your organization have tools mainly used for something else, like DLP? Perhaps looking at the data would provide some interesting data points to explore.
  • Have you looked at the activity of previously compromised accounts recently?
  • Do you generally ignore certain types of data day-to-day? Begin looking through that for interesting patterns.
  • Last Words

    Finally, the Penetration Testing business is doing extremely well, but where I believe most companies should really be focusing their spend is on understanding if they have been breached- not the fact they can be penetrated (ProTip: The answer is Yes). Penetration Testing is fantastic if your organization is able to learn from the tests and adjust detection and response activities accordingly to up your capabilities, but most companies using pen testing services are still in the break-fix mode of using the tests- looking at a report and patching holes, nothing more. This said, if your organization can’t execute the hunting activity mentioned above due to lack of people or expertise- or frankly, simply wants an independent perspective- don’t hesitate to hire an outside services company to perform the hunting for you; just be sure that they don’t focus solely on using threat intel feeds or your existing day-to-day alerts to drive their hunt.

    This blog post is the longer version of my post at Resolution1 Security

    4 thoughts on “Proactive Hunting for Adversaries (A Hunting We Will Go)

    1. Hi Sean, Love this blog. Any chance you’d be interested in writing a guest blog around hunting for the AlienVault blog? I think our readership would appreciate it. If so, please let me know. I’m also the speaker coordinator for OWASP Austin, and we’re looking for speakers for 2015.

    2. Pingback: Defeat The Casual Attacker First!!

    3. Hi Sean. Just found this post! You really provide a great and thorough strategy for “hunting” weaknesses in the infrastructure and taking your cybersecurity to the next level. You really know what you’re talking about! Thanks!

    4. Pingback: threathunt

    Leave a Comment

    Your email address will not be published. Required fields are marked *