So, You Want to Build a Hunt Team (Part 2)

Picking up where we left off in Part 1; preparing to hunt after justifying the buy in.  Our perspective is from a budget-conscious SOC or MSSP and needing to get started quickly.  There are many things to consider but here are the essentials.

Inputs (Threat Intel)

Determining intel ingestion is the key in identifying threats that affect your environment.  For example, if you are a healthcare organization, subscribing to ISAC’s Health Care feeds can provide indicators and reports specific to your industry.  Your threat intel feed and services are going to be an essential extension for your hunt team, SIEM and SOAR platform.  Additionally, subscribing to reports from agencies such as the US-CERT, DHS and vendor-specific companies provide details into vulnerabilities, APT activities along with indicators.  We strongly recommend identifying sources that will provide the best insights to threats your organization faces.

Outputs (reporting)

A critical factor for hunt activity is ensuring that there is an appetite for the information derived from hunting; this means understanding the inputs and outputs.  Being able to ingest data and repurpose it (retrospective searches, building content for detection, reports for your team or customers) into current processes is vital.

An effective hunt team should be able to (at a minimum) process known indicators to perform retrospective search, create logic for detection from threat intel, develop intel based on analyst’s own research/collections and create reports for internal teams to build awareness.  You'll want to focus on creating awareness for the internal IT team because this function can easily fall under a Fusion team’s responsibility.  However, most organizations may not have both a Fusion and Hunt team.  If this is true, the hunt team should create weekly (minimum bi-weekly) reports of threats and IOCs. This can be as simple as a “threat card” with actor/threat details to focus on.

Log Analysis

Deciding what logs to aggregate and monitor should be established from the start with the hunt team ready to build automated hunts and perform retrospective analysis.  However, if you are wondering where to get the best bang for your buck, you cannot beat firewall (FW) logs, window events and endpoint (EDR) logs.  Of the three, I would say endpoint and connections (FW logs) are going to provide the best insight for successful exploitation.  This is because the end-user is the weakest link and their network activity to external entities will be captured in network transactions.  Additionally, EDR telemetry data provides insight into registry and file changes, process injections, application behavior, local utilizations of resources, PowerShell commands and connection related transaction.  Windows Security logs related to authentication (success and failures) and audit related changes are also very useful. I would like to make an honorable mention to web and proxy logs.

Automating Hunts and Data Visualization:

Relying on manual hunts to identify past compromises and even current gaps is a futile effort.  This is because log events vs. analyst ratio is severely disproportionate; thus, automating and building reports is necessary.  A single analyst combing through logs on a hunch or even running known IOCs can be overwhelming and tedious.  Identifying activity of interest and building queries to grab data on an hourly, daily, or weekly bases for review to a dashboard/report can not only save time but build a visual picture for review.  Dashboards and automated reports provide the ability to quickly identify patterns that tool can miss and faster response.  

Specialized tools/capabilities the basics

Full packet capture(PCAP) can be a touchy subject and rightfully so, but the benefits are undeniable; especially when working latency issues, troubleshooting network problems and working a declared incident.  Working from a SIEM and logs exports alone can be limiting.

For example:

  1. Querying SIEM for related activity is timely, analyst must know how to properly query SIEM for desired result. Simply choosing the wrong display columns can limit result.
  2. Viewing logs in Excel is archaic and difficult to analyze properly. Excel Kung Fu must be strong.
  3. Lacks the ability to capture malware samples, identify network exploits and determining data exfiltration(rebuilding TCP Streams and artifacts)

 

Pros of having full packet capture:

  • End to end traffic visibility
  • Easily reassemble traffic to include files (great for ransomware when files are deleted), data exfil
  • Speeds up data analysis
  • Additional layer of defense

Cons

  • STORAGE!!!! (consider cloud storage)

There are multiple open source PCAP tools available for free. The solution is not as important as the ability to perform deep packet inspection, but there is an alternative.  Maintaining NetFlow is also useful and can be maintained for longer periods of time (require less storage).  Thus, network flow is a great alternative when full packet capture is not a viable option; however, it is not a replacement.  Network flows is what we like to refer as the meta data of network activity, specifically logging connection related activity.  Basic information collected include date, time, source/destination IP, ports, protocols, and bytes.  It retains the important attributes and is much smaller packets and thus easier to store long term. You won't get the benefits of PCAP but you gain a tremendous ability to reach back and identify previous activity.

Finally, give your hunt team access to a secure and segmented Linux server and non-attributable internet access.  Working with artifacts such as attachment or being able to perform tasks such as exploding VBA coding are just a few things they need to do in a contained environment.  Additionally, keeping web presence low without drawing attention to your organization will keep you safer in the long run. Happy Hunting!