September 18, 2019
Threat hunting: Disrupting advanced adversaries
By: Jeff Beley and Ryan Leininger

In our previous blog post, we provided an overview of how organizations can leverage an intelligence-driven, hypothesis-based approach to threat hunting for improving overall cyber resilience. Now, we’ll dive deeper into Accenture’s approach, exploring the phases of our threat hunting cycle and sharing a recent case study from our Cyber Investigation and Forensics Response (CIFR) team.


The Hunting Cycle: A Closed-Loop
Accenture follows a phased and iterative threat hunting life cycle. Underpinned by threat intelligence and situational awareness, this closed-loop life cycle is intended to promote the proactive, analytical, and creative nature of threat hunting missions while simultaneously feeding hunt outputs back to inform and enrich an organization’s entire Cyber Defense Program.

Exhibit 1: Accenture’s Intelligence-Driven, Hypothesis-Based Hunting Cycle. Copyright © 2019 Accenture. All rights reserved.


Setting the Stage – Visibility and Situational Awareness

Leveraging a recent threat hunting mission executed by Accenture at a global Financial Institution (FI), we’ll illustrate how to apply our approach in practice. For this particular case, Accenture leveraged an Endpoint Detection and Response (EDR) solution for primary endpoint visibility, as well as network sensors for bespoke network metadata capture with visibility at the primary egress/ingress points and the core network. Additionally, our tooling ingested contextualized asset data and threat intelligence for further telemetry and enrichment across data sets.

Now, let’s go hunting.


Phase 1: Hypothesize

All hunt missions begin with a good hypothesis. Given a suspected attacker’s tactics, techniques, and procedures (TTPs), threat hunters draw on threat intelligence, environmental knowledge, and their own experience and creativity to construct a plausible path to detection. The goal is to determine what threat may be targeting a company, where or what may be targeted within the environment, and how a threat may take advantage of an existing user or process to bypass security controls and achieve a given objective while remaining well-hidden.

For example, if hunters know that malicious use of native tools, such as PowerShell or PsExec, and publicly available tools, such as Mimikatz and CobaltStrike, can be difficult to detect via passive monitoring, they may hypothesize that an attacker may be taking this approach to conduct internal reconnaissance, execute a payload or scheduled task, move laterally, or escalate privileges. At Accenture, our hypothesis-driven hunting methodology is aligned with the MITRE ATT&CK framework [i] and enriched with our team’s deep understanding of the adversary mindset: “If I were a bad guy, how would I do it?”

FI Case Study: Our hypothesis-driven approach, combined with situational awareness of the FI’s technology environment, strategic threat intelligence from iDefense, as well as tactical intelligence from various sources, drove Accenture to hunt for abnormal patterns in Domain Name System (DNS) traffic, specifically leveraging TTPs employed by a particular threat group observed in the wild.


Exhibit 2: MITRE TTPs Observed.


Phase 2: Research

Threat hunters research the feasibility of their hypotheses by applying threat intelligence, existing knowledge of the organization, and hunting use cases. On occasion, a use case may provide enough threat data to design a plan of attack. However, if no use case exists, hunters will research the threat to develop searchable indicators or patterns.

For example, a company’s current monitoring capabilities may not be able to detect a threat that employs identifiable DNS patterns for command and control (C2). Hunters can conduct technology and asset environment calibrations, as necessary and in an iterative fashion, to gain a baseline understanding of data sources, tools, and other contextual information that could help with the hunt mission.

FI Case Study: Accenture considered a few important fundamentals:

  1. What is DNS and how does it work?
    • At a very high level, DNS is the protocol that converts human-readable hostnames like www.accenture.com to an IP address such as 143.204.158.14.
  2. As hunters, why do we watch DNS so closely?
    • Because of the ubiquity of the DNS protocol, it is an ideal location and transport for threat actors to “hide in plain sight.” It also lets threat actors change their back-end infrastructure without having to update their tooling.

Our extensive experience working with global companies across multiple industries has shown that while DNS is prevalent in corporate environments, more often than not, it’s not well understood or controlled from a technology hygiene and infrastructure perspective. In other words, it’s the perfect place for attackers to “hide in plain sight” because it can be tough for organizations to secure something they don’t fully understand or have control of.


Phase 3: Investigate

Once hunters have refined a hypothesis into an actionable hunt plan, the investigation begins. The investigation draws on the sources and approach specified in the plan to yield analysis results that could indicate anomalous, suspicious, and/or malicious activity.

FI Case Study: Leveraging network and endpoint telemetry, Accenture observed an abnormal volume of DNS queries from a single machine. This was quickly identified as “weird,” but could it be considered a threat?

Continuing with iterative analysis, Accenture determined that the endpoint was utilized by an employee with access to sensitive financial data, which aligned with our threat intelligence — the “situational awareness factor.” Further examination of the requests showed DNS requests to several top-level domains (TLDs) that generally are purveyors of malware and spam.


Hunting Tips: In many cases, less experienced hunting teams are spending more time on the mechanics of security. It’s what we like to call “chasing shiny objects syndrome” and it can hinder the quick identification and differentiation between “weird” and “threat” or “risk.”

Want to hunt for similar TTPs in your organization? Consider the following as a starting point:

  • What visibility do you have into your organization’s DNS traffic from a logging and monitoring perspective?
  • Do you have a good understanding of your DNS infrastructure and authorized servers?
  • How are DNS queries from corporate workstations resolved?
  • Do you have a baseline established for peak and average DNS communication size for your organization (e.g., > 300 bytes)?
  • What are potential indicators of suspicious DNS traffic?
  • What datasets and tooling can you leverage for analysis of DNS traffic to identify said potential indicators of suspicious DNS traffic?
  • Do you have access to applicable threat intelligence, such as passive DNS records, that can help with hunting and investigations around DNS traffic and/or potential attacker C2 infrastructure?
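As an added illustration of the triage described in the case study and the questions above (not the post's or Accenture's tooling), the following Python script runs the same checks over constructed resolver log lines: per-host query volume against a baseline, the share of TXT lookups, query-name length, and a TLD watchlist. The log format, the watchlist and both thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample resolver log (not from the original post), one query per line:
# <timestamp> <client_ip> <record_type> <query_name>
SAMPLE_DNS_LOG = """
2019-09-10T09:00:01 10.1.4.22 A www.accenture.com
2019-09-10T09:00:05 10.1.4.22 A updates.example-bank.internal
2019-09-10T09:00:09 10.1.4.22 AAAA www.accenture.com
2019-09-10T09:01:00 10.1.7.88 TXT 4f8a0c1e9b2d7e6f5a4c3b2d1e0f9a8b.stage.c2-relay.top
2019-09-10T09:01:30 10.1.7.88 TXT 5a9b1d2f0c3e8f7a6b5d4c3e2f1a0b9c.stage.c2-relay.top
2019-09-10T09:02:00 10.1.7.88 TXT 6b0c2e3a1d4f9a8b7c6e5d4f3a2b1c0d.stage.c2-relay.top
2019-09-10T09:02:30 10.1.7.88 TXT 7c1d3f4b2e5a0b9c8d7f6e5a4b3c2d1e.stage.c2-relay.top
"""

# Hunt parameters (constructed assumptions). The post's baseline example is DNS message
# size (> 300 bytes); query-name length serves here as the proxy available in resolver logs.
SUSPECT_TLDS = {"top", "xyz", "gq", "tk"}  # assumed watchlist, not the post's list
MAX_QUERIES_PER_HOST = 3   # assumed typical workstation volume in the sampled window
MAX_NAME_LEN = 40          # assumed longest legitimate query name observed at baseline
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, rtype, qname), skipping blank or malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def hunt_dns(text, max_queries=MAX_QUERIES_PER_HOST, max_name_len=MAX_NAME_LEN):
    """Return {client_ip: [reasons]} for hosts whose DNS behaviour deviates from baseline."""
    per_host = defaultdict(list)
    for _ts, client, rtype, qname in parse_log(text):
        per_host[client].append((rtype, qname.lower().rstrip(".")))
    findings = {}
    for client, queries in per_host.items():
        reasons = []
        if len(queries) > max_queries:
            reasons.append(f"{len(queries)} queries exceed baseline of {max_queries}")
        txt = sum(1 for rtype, _ in queries if rtype == "TXT")
        if txt and txt / len(queries) >= 0.5:  # channel dominated by TXT lookups
            reasons.append(f"{txt}/{len(queries)} lookups are TXT records (DNSMessenger-style C2)")
        long_names = [q for _, q in queries if len(q) > max_name_len]
        if long_names:
            reasons.append(f"{len(long_names)} query names exceed {max_name_len} chars (encoded data?)")
        bad_tlds = {q.rsplit(".", 1)[-1] for _, q in queries} & SUSPECT_TLDS
        if bad_tlds:
            reasons.append("queries to watchlisted TLDs: " + ", ".join(sorted(bad_tlds)))
        if reasons:
            findings[client] = reasons
    return findings
```

Each reason is a separate lead to validate, as in the case study; a single hit is "weird", while a host tripping several checks at once is what justifies escalation.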

Phase 4: Detect and Analyze

Iterative analysis of available datasets does not always yield actionable results. Consequently, in this phase, the hunter interprets the results of various analysis techniques to determine if they indicate anomalous or malicious activity, which may drive hunters to pivot, or yield false positives. At times, the results may show that hunters need to alter the approach to improve effectiveness. If hunters identify malicious activity, they will also try to determine where it took place in the attack life cycle, which can greatly inform response and remediation activities; it’s an iterative problem-solving and validation exercise.

FI Case Study: After investigating and validating the abnormal DNS queries, Accenture confirmed that the observed DNS communication was evidence of DNSMessenger, a family of malware known to be used by the threat group FIN7.

Threat Actor Profile:

FIN7 is believed to be a financially motivated threat group that has targeted restaurant chains, hotels, retailers, and financial institutions since 2015. The group has demonstrated a preference to use script-based, first-stage malware, including HALFBAKED (a.k.a. GGLDR), Bateleur, and DNSMessenger. Based on Accenture iDefense research, including the frequency of attacks and tool innovation, the group is considered highly skilled and well-resourced.


Exhibit 3: Verticals and Countries Targeted by FIN7 | Source: Accenture iDefense. Copyright © 2019 Accenture. All rights reserved. [ii]


Exhibit 4: C2 Traffic Flow and Message Structure | Source: Cisco Talos Intelligence, The Tale of DNSMessenger. [iii]


Phase 5: Inform

During the inform phase, hunters escalate to appropriate stakeholders and coordinate across impacted teams. Often, the hunt team will find several items that indicate an immediate or potential risk to the technology environment and, in the event of an active cybersecurity incident, will immediately invoke Incident Response for support.

FI Case Study: At this point, Accenture had gathered and analyzed enough data to confirm that the observed DNS traffic, correlated with the behavior observed on the host, represented an urgent threat. The team immediately escalated the issue and coordinated tactical Incident Response for containment and eradication of the threat. The next steps included providing guidance and content on a forensically sound collection process (e.g., RFC 3227):

  1. Isolate the device from the network.
  2. Capture the memory.
  3. Capture the physical disk.
  4. Power the machine down.

Upon handoff to Incident Response, our investigation efforts validated that the attackers had C2 access to the device, but had not been able to progress any further in their attack chain. Because the team was able to detect the threat in a timely manner, the highly motivated adversary could not complete their objectives, which were believed to be primarily financial gain based on the specific user and systems targeted, as well as industry threat intelligence.


Phase 6: Report and Enrich

At the end of a threat hunt life cycle, hunters typically provide a report that summarizes the process, results, and implications of each hunt. The outcomes also serve to inform and enrich future hunts, help identify needs for additional technical controls and detection content, and uncover opportunities for automation.

FI Case Study: After determining that the threat actor had not progressed any further, Accenture engaged with the FI to enable enrichment activities and recommended additional monitoring and layered control enhancements to help prevent future attacks.

While intelligence-driven, hypothesis-based threat hunting successfully identified and interrupted the attack in this scenario, some organizations have been less fortunate. [iv]


Want to build your own, or improve an existing, threat hunting capability?

In our next blog, we’ll explore Accenture’s approach for building a sustainable and measurable threat hunting capability, including alternative strategies for closing the industry skill and resource gap for your organization.


[i] MITRE ATT&CK Framework

[ii] Accenture iDefense

[iii] Cisco Talos

[iv] FireEye Threat Research
