In our previous blog post, we provided an overview of how organizations can leverage an intelligence-driven, hypothesis-based approach to threat hunting for improving overall cyber resilience. Now, we’ll dive deeper into Accenture’s approach, exploring the phases of our threat hunting cycle and sharing a recent case study from our Cyber Investigation and Forensics Response (CIFR) team.
The hunting cycle: A closed-loop
Accenture follows a phased and iterative threat hunting life cycle. Underpinned by threat intelligence and situational awareness, this closed-loop life cycle is intended to promote the proactive, analytical, and creative nature of threat hunting missions while simultaneously feeding hunt outputs back to inform and enrich an organization’s entire Cyber Defense Program.
Setting the stage – Visibility and situational awareness
Leveraging a recent threat hunting mission executed by Accenture at a global Financial Institution (FI), we’ll illustrate how to apply our approach in practice. For this particular case, Accenture leveraged an Endpoint Detection and Response (EDR) solution for primary endpoint visibility, as well as network sensors for bespoke network metadata capture with visibility at the primary egress/ingress points and the core network. Additionally, our tooling ingested contextualized asset data and threat intelligence for further telemetry and enrichment across data sets.
Now, let’s go hunting.
Phase 1: Hypothesize
All hunt missions begin with a good hypothesis. Given a suspected attacker’s tactics, techniques, and procedures (TTPs), threat hunters draw on threat intelligence, environmental knowledge, and their own experience and creativity to construct a plausible path to detection. The goal is to determine what threat may be targeting a company, where or what may be targeted within the environment, and how a threat may take advantage of an existing user or process to bypass security controls and achieve a given objective while remaining well-hidden.
For example, if hunters know that malicious use of native tools, such as PowerShell or PsExec, and publicly available tools, such as Mimikatz and Cobalt Strike, can be difficult to detect via passive monitoring, they may hypothesize that an attacker is taking this approach to conduct internal reconnaissance, execute a payload or scheduled task, move laterally, or escalate privileges. At Accenture, our hypothesis-driven hunting methodology is aligned with the MITRE ATT&CK framework and enriched with our team’s deep understanding of the adversary mindset: “If I were a bad guy, how would I do it?”
FI Case Study: Our hypothesis-driven approach, combined with situational awareness of the FI’s technology environment, strategic threat intelligence from iDefense, as well as tactical intelligence from various sources, drove Accenture to hunt for abnormal patterns in Domain Name System (DNS) traffic, specifically leveraging TTPs employed by a particular threat group observed in the wild.
Exhibit 2: MITRE TTPs observed.
Phase 2: Research
Threat hunters research the feasibility of their hypotheses by applying threat intelligence, existing knowledge of the organization, and hunting use cases. On occasion, a use case may provide enough threat data to design a plan of attack. However, if no use case exists, hunters will research the threat to develop searchable indicators or patterns.
For example, a company’s current monitoring capabilities may not be able to detect a threat that employs identifiable DNS patterns for command and control (C2). Hunters can conduct technology and asset environment calibrations, as necessary and in an iterative fashion, to gain a baseline understanding of data sources, tools, and other contextual information that could help with the hunt mission.
FI Case Study: Accenture considered a few important fundamentals:
- What is DNS and how does it work?
- At a very high level, DNS is the protocol that translates human-readable hostnames like www.accenture.com into IP addresses such as 22.214.171.124 (and, through reverse lookups, back again).
- As hunters, why do we watch DNS so closely?
- Because DNS is ubiquitous and allowed outbound from almost every host, it is an ideal location and transport for threat actors to “hide in plain sight,” whether for command and control or for moving data. It also lets threat actors change their back-end infrastructure simply by updating records, without having to update their tooling.
Our extensive experience working with global companies across multiple industries has shown that while DNS is prevalent in corporate environments, more often than not, it’s not well understood or controlled from a technology hygiene and infrastructure perspective. In other words, it’s the perfect place for attackers to “hide in plain sight” because it can be tough for organizations to secure something they don’t fully understand or have control of.
Phase 3: Investigate
Once hunters have refined a hypothesis into an actionable hunt plan, the investigation begins. The investigation draws on the sources and approach specified in the plan to yield analysis results that could indicate anomalous, suspicious, and/or malicious activity.
FI Case Study: Leveraging network and endpoint telemetry, Accenture observed an abnormal volume of DNS queries from a single machine. That was quickly identified as “weird,” but could it be considered a threat?
Continuing with iterative analysis, Accenture determined that the endpoint was used by an employee with access to sensitive financial data, which aligned with our threat intelligence: the “situational awareness factor.” Further examination of the requests showed DNS queries to several top-level domains (TLDs) commonly associated with malware and spam distribution.
Less experienced hunting teams often spend most of their time on the mechanics of the tooling rather than on the analysis. We call this “chasing shiny objects syndrome,” and it slows the quick identification of, and differentiation between, what is merely “weird” and what is a “threat” or “risk.”
Want to hunt for similar TTPs in your organization? Consider the following as a starting point:
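As an added example (not part of the original post, and not Accenture’s hunt tooling), the script below runs three checks that follow from the hypothesis in the case study over a constructed DNS query log: per-host query volume far above the population baseline, queries to TLDs on a hunter-maintained watch-list, and TXT-record queries whose leading labels look like encoded data, the shape that DNS-based C2 such as DNSMessenger produces. The log lines, host names, the `stage-cdn.top` domain, the TLD watch-list and all thresholds are assumptions for illustration; in a real hunt the watch-list comes from threat intelligence and the thresholds are tuned against the environment’s own baseline. The final step keeps only hosts that trip more than one check, which is the “weird” versus “threat” distinction the text describes.

```python
"""Minimal DNS hunt over constructed query logs (added example, not the
original post's code). Every host, domain, threshold and watch-list entry
below is an assumption made for illustration."""
import math
import statistics
from collections import Counter

# Constructed sample log: "<timestamp> <client_host> <qtype> <qname>".
# FIN-LT-0099 is the constructed outlier; the others are constructed baseline hosts.
SAMPLE_LOG = """\
2020-03-02T09:00:01Z WKS-0142 A www.accenture.com
2020-03-02T09:00:03Z WKS-0142 A intranet.corp.example
2020-03-02T09:00:10Z WKS-0207 A www.accenture.com
2020-03-02T09:00:11Z WKS-0207 AAAA cdn.example.net
2020-03-02T09:00:12Z WKS-0311 A mail.corp.example
2020-03-02T09:00:13Z WKS-0311 TXT _dmarc.example.com
2020-03-02T09:01:00Z FIN-LT-0099 A www.accenture.com
2020-03-02T09:01:05Z FIN-LT-0099 TXT 4a6f1c2e9bd07f3a.ns1.stage-cdn.top
2020-03-02T09:01:06Z FIN-LT-0099 TXT 9e0b7d21c4f8a635.ns1.stage-cdn.top
2020-03-02T09:01:07Z FIN-LT-0099 TXT 1f3c5e7a9b2d4068.ns1.stage-cdn.top
2020-03-02T09:01:08Z FIN-LT-0099 TXT 0d2f4a6c8e1b3579.ns1.stage-cdn.top
2020-03-02T09:01:09Z FIN-LT-0099 TXT b7a9c1e3f5d20486.ns1.stage-cdn.top
2020-03-02T09:01:10Z FIN-LT-0099 A time.corp.example
2020-03-02T09:01:11Z FIN-LT-0099 A intranet.corp.example
"""

# Assumed watch-list; a real one is populated from threat intelligence.
TLD_WATCHLIST = {"top", "xyz"}


def parse_log(text):
    """Parse the constructed four-column format into dicts; qnames are normalised."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, qtype, qname = line.split()
        records.append({"ts": ts, "host": host, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def volume_outliers(records, ratio=3.0, min_queries=5):
    """Hosts whose query count is at least `ratio` times the population median.
    The median is used as the baseline so a single noisy host cannot drag it up."""
    counts = Counter(r["host"] for r in records)
    baseline = statistics.median(counts.values())
    return {h: c for h, c in counts.items()
            if c >= min_queries and c >= ratio * baseline}


def suspicious_tld_hits(records, watchlist):
    """(host, qname) pairs whose final label is on the watch-list."""
    return [(r["host"], r["qname"]) for r in records
            if r["qname"].rsplit(".", 1)[-1] in watchlist]


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def encoded_txt_queries(records, min_label_len=16, min_entropy=3.5):
    """TXT queries where a label below the registered domain is long or
    high-entropy, the signature of data carried in the query name.
    Dropping the last two labels approximates the registered domain + TLD."""
    hits = []
    for r in records:
        if r["qtype"] != "TXT":
            continue
        labels = r["qname"].split(".")[:-2]
        if any(len(lbl) >= min_label_len or shannon_entropy(lbl) >= min_entropy
               for lbl in labels):
            hits.append((r["host"], r["qname"]))
    return hits


def run_hunt(log_text, tld_watchlist=TLD_WATCHLIST):
    records = parse_log(log_text)
    return {
        "volume_outliers": volume_outliers(records),
        "suspicious_tld": suspicious_tld_hits(records, tld_watchlist),
        "encoded_txt": encoded_txt_queries(records),
    }


def hosts_with_multiple_signals(results, min_signals=2):
    """Hosts that appear in at least `min_signals` independent checks."""
    tally = Counter()
    for hits in results.values():
        hosts = set(hits) if isinstance(hits, dict) else {h for h, _ in hits}
        tally.update(hosts)
    return {h for h, n in tally.items() if n >= min_signals}


if __name__ == "__main__":
    results = run_hunt(SAMPLE_LOG)
    for check, hits in results.items():
        print(f"{check}: {hits}")
    print("hosts to investigate:", hosts_with_multiple_signals(results))
```

Each check on its own produces “weird” (a chatty host, an odd TLD, a long TXT label), and on a real network each will have benign hits, for example DMARC and SPF lookups are legitimate TXT traffic. The convergence of several checks on one host, combined with who uses that host, is what turns the observation into something worth escalating.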
Phase 4: Detect and analyze
Iterative analysis of available datasets does not always yield actionable results. Consequently, in this phase, the hunter interprets the results of various analysis techniques to determine if they indicate anomalous or malicious activity, which may drive hunters to pivot, or yield false positives. At times, the results may show that hunters need to alter the approach to improve effectiveness. If hunters identify malicious activity, they will also try to determine where it took place in the attack life cycle, which can greatly inform response and remediation activities; it’s an iterative problem-solving and validation exercise.
FI Case Study: After investigating and validating the abnormal DNS queries, Accenture confirmed that the observed DNS communication was evidence of DNSMessenger, a PowerShell-based malware family that uses DNS TXT-record queries and responses as its command-and-control channel and is known to be used by the threat group FIN7.
Threat Actor Profile:
FIN7 is believed to be a financially motivated threat group that has targeted restaurant chains, hotels, retailers, and financial institutions since 2015. The group has demonstrated a preference to use script-based, first-stage malware, including HALFBAKED (a.k.a. GGLDR), Bateleur, and DNSMessenger. Based on Accenture iDefense research, including the frequency of attacks and tool innovation, the group is considered highly skilled and well-resourced.
Phase 5: Inform
During the inform phase, hunters escalate to appropriate stakeholders and coordinate across impacted teams. Often, the hunt team will find several items that indicate an immediate or potential risk to the technology environment and, in the event of an active cybersecurity incident, will immediately invoke Incident Response for support.
FI Case Study: At this point, Accenture had gathered and analyzed enough data to confirm that the observed DNS traffic, correlated with the behavior observed on the host, represented an urgent threat. The team immediately escalated the issue and coordinated tactical Incident Response for containment and eradication. The next steps included providing guidance and content for a forensically sound collection process (e.g., following RFC 3227, Guidelines for Evidence Collection and Archiving):
- Isolate the device from the network.
- Capture the memory.
- Capture the physical disk.
- Power the machine down.
Upon handoff to Incident Response, our investigation efforts validated that the attackers had C2 access to the device, but had not been able to progress any further in their attack chain. Because the team was able to detect the threat in a timely manner, the highly motivated adversary could not complete their objectives, which were believed to be primarily financial gain based on the specific user and systems targeted, as well as industry threat intelligence.
Phase 6: Report and enrich
At the end of a threat hunt life cycle, hunters typically provide a report that summarizes the process, results, and implications of each hunt. The outcomes also serve to inform and enrich future hunts, help identify needs for additional technical controls and detection content, and uncover opportunities for automation.
FI Case Study: After determining that the threat actor had not progressed any further, Accenture engaged with the FI to enable enrichment activities and recommended additional monitoring and layered control enhancements to help prevent future attacks.
While intelligence-driven, hypothesis-based threat hunting successfully identified and interrupted the attack in this scenario, some organizations have been less fortunate.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks