17_Threat Hunt

BluSapphire_Threat Hunt_WhitePaper


Last updated 8 months ago

Background

Incident response strategy has evolved rapidly over the past decade. Cyber-attacks are now targeted and complex, executed by advanced adversaries who no longer compromise one or two systems in an enterprise but move laterally through the organization's network in stealth and may be present virtually everywhere. Obsolete incident response and management methodologies therefore fail to identify compromised systems, fail to contain the breach effectively, and ultimately fail to deliver fast response and remediation of an incident.

Purpose

Threat hunting combines a proactive methodology, innovative technology, highly skilled people, and in-depth threat intelligence to find and stop malicious activity. These attacks are hard to detect and are executed by stealthy attackers; existing preventive tools often miss them before they achieve their objectives. Threat hunting is the last line of defense for reducing attacker dwell time, so it is no surprise that it is seen as a consistently growing area of investment in organizations.

What is Threat Hunt?

Threat hunting is a proactive process for uncovering hidden adversaries, with the presumption that an attacker may already be present inside the organization's network for days, weeks or even months, preparing and executing attacks such as zero-days, Advanced Persistent Threats and unknown threats. Threat hunting aims to uncover these malicious activities by seeking out indicators of compromise (IOCs), either driven by Threat Intelligence (TI) or by a hypothesis. Sources of tactical and strategic TI can be industry- or company-specific reports and/or information from previous incidents.

What is NOT Threat Hunting?

There is a lot of confusion about threat hunting, so while defining threat hunting it is also important to note what threat hunting is not:

  • It does NOT replace existing security monitoring.

  • It is NOT a form of penetration test or vulnerability assessment.

  • It is NOT security monitoring.

  • It is NOT incident response, though it often triggers an incident response when it uncovers something malicious.

  • It is NOT a process with a guaranteed result.

  • It is NOT a process to check whether the security analysts in the monitoring team are doing their job well.

  • It is NOT for the faint-hearted. If security monitoring is too challenging, then you have miles to go before you are mature enough for threat hunting.

Why Threat Hunt? Benefits.

  • Better ability to uncover hidden and established threats.

  • The ability to detect threats before the attacker causes damage, hence reducing incident losses.

  • A threat response process that effectively delivers "negative time" lag, and improvements beyond fast response.

  • Improved knowledge of the IT environment, with a focus on the hiding places frequented by advanced threat actors.

  • A reduced attack surface resulting from discovered and removed vulnerabilities.

  • Improved security incident response process.

  • Identification of gaps in visibility necessary to detect and respond to attackers and their TTPs.

  • Uncovering new threats and TTPs that can feed data back to Threat Intelligence.

  • The ability to ensure system hygiene before a critical mission or business transaction, M&A activity, etc.

  • A way to validate that the controls, both preventative and detective, are in proper shape and that no threat actors have established a foothold within the environment.

Data Sources for Threat Hunting

Threat Hunting is a highly data-driven process and requires detailed logs, which can be divided into network data and endpoint data. For a good threat hunt you also need Threat Intelligence data and knowledge of the environment you operate in. Typically, it is easier to get access to network data than to endpoint data. The higher the quality of the data, the higher the likelihood that a threat hunt succeeds.

Threat Intelligence

Good, actionable Threat Intelligence is very useful for the Threat Hunting process. In most cases of Threat Hunt:

  • Threat Intelligence is used as a starting point for hunting

  • Threat Intelligence is also used for contextualizing and driving the hunt process

  • Threat Hunt by itself results in generating new Threat Intelligence to be fed back into the Threat Intelligence cycle.

Data Enrichment

You can optionally (and it is highly recommended) enrich the data with fields such as IP reputation, GeoIP and Autonomous System Numbers (ASNs) to find evidence of potentially unwanted activity.

Advanced Data Analytics

Tools allow you to perform various data transformations and manipulations for proper analysis. Visualizations and statistics that display how the values of specific fields change over time, such as frequency or entropy, are vital for investigations. Clustering, stacking, aggregating, grouping and frequency-distribution techniques are most often used to look for outliers and detect anomalies.
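As an added example, not taken from the whitepaper or from BluSapphire's own code, the following Python runs three of the techniques named above (stacking, least/most frequency of occurrence, and entropy) over a constructed DNS query log. The log lines, client addresses, domain names and the entropy threshold are made up for illustration; the DDNS-style domain and the random-looking label are what the techniques are meant to surface.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (made up for this example, not real traffic):
# "<timestamp> <client-ip> query <name>". One client repeatedly resolves a
# random-looking host under a dynamic-DNS style domain.
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 query www.example.com
2024-01-10T09:00:02Z 10.0.0.6 query www.example.com
2024-01-10T09:00:03Z 10.0.0.7 query mail.example.com
2024-01-10T09:00:04Z 10.0.0.5 query update.example.org
2024-01-10T09:00:05Z 10.0.0.8 query www.example.com
2024-01-10T09:00:06Z 10.0.0.5 query x7k2q9zp4wdl.example-ddns.net
2024-01-10T09:00:07Z 10.0.0.9 query mail.example.com
2024-01-10T09:00:08Z 10.0.0.5 query x7k2q9zp4wdl.example-ddns.net
2024-01-10T09:00:09Z 10.0.0.6 query www.example.com
2024-01-10T09:00:10Z 10.0.0.5 query x7k2q9zp4wdl.example-ddns.net
2024-01-10T09:00:11Z 10.0.0.7 query login.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, name) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def shannon_entropy(s):
    """Shannon entropy in bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def stack_by_name(records):
    """Stacking: number of distinct clients that requested each name."""
    clients = defaultdict(set)
    for _, client, name in records:
        clients[name].add(client)
    return {name: len(c) for name, c in clients.items()}


def rare_names(records, max_clients=1):
    """Least frequency of occurrence: names requested by at most max_clients hosts."""
    return sorted(name for name, n in stack_by_name(records).items() if n <= max_clients)


def high_entropy_names(records, min_len=8, threshold=3.2):
    """Names whose leftmost label is long and high-entropy (DGA / random-subdomain heuristic).
    The threshold is an assumption for this sample; tune it against your own baseline."""
    flagged = {}
    for name in {name for _, _, name in records}:
        label = name.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent > threshold:
            flagged[name] = round(ent, 2)
    return flagged


def client_bursts(records, min_count=3):
    """Most frequency of occurrence: (client, name) pairs seen at least min_count times."""
    counts = Counter((client, name) for _, client, name in records)
    return sorted(pair for pair, n in counts.items() if n >= min_count)


def hunt(text=SAMPLE_DNS_LOG):
    """Run all three techniques and return the outliers worth an analyst's time."""
    records = parse_dns_log(text)
    return {
        "rare": rare_names(records),
        "high_entropy": high_entropy_names(records),
        "bursts": client_bursts(records),
    }


if __name__ == "__main__":
    for technique, hits in hunt().items():
        print(technique, hits)
```

Each technique on its own produces noise (a rare name may just be a new SaaS host); the hunt lead is the name that is rare, high-entropy and requested in a burst by a single client, which is why the three results are returned together rather than merged into one score.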

MITRE ATT&CK Framework (MAF)

The MITRE ATT&CK Framework can be used as input for potential attack vectors and techniques. MAF provides a wealth of technique information for hunters and guides the hunt process with detection techniques. Though MAF is primarily used for security monitoring, it often serves as a great guide for threat hunters too.

Automation

Automation should be applied wherever possible to make the life of a threat hunter easier and the team more productive. While it is not possible to automate all tasks completely, automation reduces the time to hunt and aids in scheduling and repeatability of hunts.

Tools, their role in Threat Hunt, and example scenarios

Tool: Endpoint Detection and Response (EDR)
Role in Threat Hunt: Collect endpoint data and search endpoints for evidence of attacker activity
Example Scenario: Find all machines where svchost.exe is running but its path is not in the Windows system directory

Tool: User and Entity Behavior Analytics (UEBA)
Role in Threat Hunt: Analyze user activity data and find anomalies that may indicate suspicious activity
Example Scenario: Display the list of users that behave unusually with regard to authentication activity

Tool: Network Traffic Analysis (NTA)
Role in Threat Hunt: Analyze and capture log data based on network traffic in real time
Example Scenario: Large file downloads/uploads taking place from a specific IP

Tool: Network Behavior Anomaly Detection (NBAD)
Role in Threat Hunt: Build a hypothesis based on the outcome of analysis of flow data via behavioral techniques, such as machine learning, for detecting anomalies
Example Scenario: C2/botnet communications

Tool: Threat Intelligence (TI)
Role in Threat Hunt: Deliver a list of threat indicators and threat actor TTPs for use as an initial hunting clue
Example Scenario: Gather all common persistence mechanisms reported to be used by threat groups looking for specific corporate data

Tool: Security Information and Event Management (SIEM)
Role in Threat Hunt: Collect logs, enrich them and enable the analysts to search them in context
Example Scenario: Review rare events, rare event sequences and other log-related anomalies

Tool: Threat Hunting Tool
Role in Threat Hunt: Deliver a list of threat indicators and threat actor TTPs for use as an initial hunting clue
Example Scenario: Gather all common persistence mechanisms reported to be used by threat groups looking for specific corporate data

BluSapphire Complete Visibility & Capability

BluSapphire has dramatically reduced the dependency on people in performing a threat hunt within the environment by introducing 'Threat Hunt via Agentless Framework'. In most hunting exercises network data is usually easy to obtain, while endpoint data is the most difficult to acquire.

BluSapphire's agentless hunting capability addresses this problem, allowing live, on-demand threat hunts rather than relying on insufficient data or long deployment cycles.

Our Agentless Framework allows organizations and their security analysts to hunt, find, analyze, respond and remediate all in one tool. This drastically reduces dwell time and dramatically improves the analyst's capabilities.

The framework supports consumption of indicators via Threat Intelligence feeds (STIX 2.0), adapting indicators from identified threats or from MITRE tactics.

IOCs identified during a hunt can be exported on demand as STIX 2.0 and shared with Threat Intelligence collection processes or external Threat Intelligence agencies.
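An added example of the indicator round-trip described above, written for this page and not BluSapphire's own code: it consumes a constructed STIX 2.0 bundle as a feed might deliver it, pulls the atomic IOCs out of the indicator patterns so they can be hunted for, and exports hunt findings back as a STIX 2.0 bundle. The IOC values, object IDs and the mapping from STIX object paths to IOC types are assumptions for illustration; the pattern parser handles only equality comparisons, which is what atomic indicator feeds typically carry.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX object path -> IOC type used by the hunt (assumed mapping for this example;
# extend it for the object types your hunts can search on).
PATH_TO_IOC = {
    "file:hashes.SHA-256": "sha256",
    "file:hashes.MD5": "md5",
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "url:value": "url",
}
IOC_TO_PATH = {
    "sha256": "file:hashes.'SHA-256'",
    "md5": "file:hashes.'MD5'",
    "domain": "domain-name:value",
    "ipv4": "ipv4-addr:value",
    "url": "url:value",
}

# One equality comparison inside a pattern: <object-path> = '<literal>'. This covers
# atomic indicators; it does not handle MATCHES/LIKE or escaped quotes in literals.
COMPARISON_RE = re.compile(r"([a-z0-9\-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']+)'")

# Constructed STIX 2.0 bundle standing in for a feed (IDs and IOC values are made up).
CONSUMED_FEED = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "created": "2024-01-10T09:00:00.000Z",
            "modified": "2024-01-10T09:00:00.000Z",
            "labels": ["malicious-activity"],
            "pattern": "[file:hashes.'SHA-256' = '" + "4d2c8f0a" * 8 + "' OR "
                       "domain-name:value = 'x7k2q9zp4wdl.example-ddns.net']",
            "valid_from": "2024-01-10T09:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "created": "2024-01-10T09:00:00.000Z",
            "modified": "2024-01-10T09:00:00.000Z",
            "labels": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "valid_from": "2024-01-10T09:00:00Z",
        },
    ],
})


def extract_iocs(bundle_json):
    """Consume a STIX 2.0 bundle and return [(ioc_type, value), ...] from its indicators."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for path, value in COMPARISON_RE.findall(obj["pattern"]):
            ioc_type = PATH_TO_IOC.get(path.replace("'", ""))
            if ioc_type:  # unknown object paths are skipped, not guessed
                iocs.append((ioc_type, value))
    return iocs


def summarize_bundle(bundle_json):
    """Spec version and indicator count, for a quick sanity check before hunting."""
    bundle = json.loads(bundle_json)
    return {"spec_version": bundle.get("spec_version"),
            "indicators": sum(1 for o in bundle.get("objects", []) if o.get("type") == "indicator")}


def stix_timestamp(dt):
    """STIX 2.0 created/modified are RFC 3339 UTC with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_bundle(iocs, now=None):
    """Export hunt-discovered IOCs as a STIX 2.0 bundle, one indicator per IOC."""
    stamp = stix_timestamp(now or datetime.now(timezone.utc))
    objects = []
    for ioc_type, value in iocs:
        literal = value.replace("\\", "\\\\").replace("'", "\\'")  # STIX string escaping
        objects.append({
            "type": "indicator",
            "id": f"indicator--{uuid.uuid4()}",
            "created": stamp,
            "modified": stamp,
            "labels": ["malicious-activity"],
            "pattern": f"[{IOC_TO_PATH[ioc_type]} = '{literal}']",
            "valid_from": stamp,
        })
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "spec_version": "2.0", "objects": objects}, indent=2)


if __name__ == "__main__":
    found = extract_iocs(CONSUMED_FEED)
    print("hunting for:", found)
    print(build_bundle(found))
```

Two things worth keeping in mind when wiring this into a real feed: an indicator's `valid_from`/`valid_until` window should gate whether an IOC is still worth hunting, and a pattern that uses operators beyond `=` (for example `MATCHES` on a URL) will be silently skipped here, so count what you extracted against the indicator count before trusting the hunt's coverage.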

BluSapphire consumes Threat Intelligence from over 70 sources, along with support for commercial feeds. The intelligence obtained is normalised, and the normalised intelligence is used both in detection and in Threat Hunts.

Today, BluSapphire can hunt extensively based on the artifacts collected for a specific Tactic ID of the MITRE ATT&CK matrix. Please read our MITRE whitepaper for further details on our detection capability mapped against the MITRE ATT&CK Framework.

BluSapphire Hunt Capabilities

Observation: Presence of a malicious executable/document
Reason: An attacker may deliver a malicious executable or document, for example to escalate privileges
Data Potentially Needed: Endpoint file search (EDR)
Hunt Coverage of BluSapphire: File search by name/hash

Observation: Known filenames with non-standard file paths
Reason: May indicate the attacker running processes masquerading as Windows system processes
Data Potentially Needed: Endpoint process search (EDR)

Observation: Interactive logons with service accounts
Reason: Likely indication of abuse, or at least a violation of policy
Data Potentially Needed: System log search (SIEM, log management with system logs)
Hunt Coverage of BluSapphire: Event ID, OS event log, etc.

Observation: Traffic to sites in dynamic DNS (DDNS)
Reason: A large amount of traffic to a DDNS site may indicate exfiltration or C&C (C2) activity
Data Potentially Needed: Detailed DNS logs, outbound connection logs or traffic capture (SIEM or NTA, NBAD)
Hunt Coverage of BluSapphire: Indicators via traffic analysis, least/most occurrence of DNS requests

Observation: Processes in Windows AutoRun registry keys
Reason: Uncommon entries that set processes to AutoRun on Windows may indicate intruder tampering with the system
Data Potentially Needed: Endpoint registry search (EDR)
Hunt Coverage of BluSapphire: Registry inputs

Observation: Activity by an account previously compromised by attackers
Reason: Attackers may try to return to accounts they used in the past, thus revealing more about their activities
Data Potentially Needed: Authentication and other system logs (SIEM or UEBA)
Hunt Coverage of BluSapphire: Connections with non-standard ports; hunt by services, scheduled tasks and processes

Observation: Unusual child processes
Reason: When a process is exploited, it may be used to spawn processes useful for the attacker (like cmd.exe) that are not common in regular system use, especially if those processes initiate network activity
Data Potentially Needed: Advanced endpoint process search (EDR)
Hunt Coverage of BluSapphire: Hunt by processes

Observation: Processes executing out of temporary directories
Reason: An attacker may only have write access to some directories, so may run code from them
Data Potentially Needed: Endpoint process search (EDR or other tools)
Hunt Coverage of BluSapphire: Hunt by services, scheduled tasks and processes

Observation: Processes that normally do not initiate or receive network activity
Reason: If a process with a familiar name starts connecting to a site in a remote country, it may indicate that it has been corrupted by the attacker
Data Potentially Needed: Advanced endpoint process search (EDR)
Hunt Coverage of BluSapphire: Hunt by services, scheduled tasks and processes
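As an added example, not part of the whitepaper or of BluSapphire's tooling, the following Python implements several rows of the table above as hunt checks over a constructed process inventory (the shape of data an agentless collector would return) and a few constructed Windows 4624 logon events. Hosts, PIDs, paths and account names are made up; the baselines (which image names count as system binaries, which applications should never spawn a shell, which processes never talk to the network, what a service-account name looks like) are assumptions a real hunt would tune to its own environment.

```python
import re

# Constructed process inventory (made-up hosts and PIDs):
# (host, pid, ppid, image name, full path, has an open network connection)
PROCESSES = [
    ("WS01", 800, 4, "svchost.exe", r"C:\Windows\System32\svchost.exe", True),
    ("WS01", 1200, 800, "explorer.exe", r"C:\Windows\explorer.exe", False),
    ("WS01", 2300, 1200, "winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", False),
    ("WS01", 2350, 2300, "cmd.exe", r"C:\Windows\System32\cmd.exe", False),
    ("WS01", 2360, 2350, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True),
    ("WS02", 900, 4, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", True),
    ("WS02", 950, 900, "notepad.exe", r"C:\Windows\System32\notepad.exe", True),
    ("WS03", 700, 4, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", False),
    ("WS03", 1500, 700, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", False),
]

# Constructed Windows 4624 logon events: (host, logon type, account name)
LOGONS = [
    ("WS01", 2, "alice"),
    ("DB01", 5, "svc_sql"),       # type 5 = Service: expected for a service account
    ("WS02", 10, "svc_backup"),   # type 10 = RemoteInteractive (RDP): not expected
    ("WS03", 3, "svc_backup"),    # type 3 = Network: expected
    ("WS03", 2, "svc_deploy"),    # type 2 = Interactive (console): not expected
]

# Environment baselines (assumptions for this example).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NO_NETWORK_BASELINE = {"notepad.exe", "calc.exe", "mspaint.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
SERVICE_ACCOUNT_RE = re.compile(r"^svc[_-]", re.IGNORECASE)
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def masquerading_system_binaries(procs):
    """Known system image names running from outside the Windows system directories."""
    return [(h, pid, path) for h, pid, _, name, path, _ in procs
            if name.lower() in SYSTEM_BINARIES and _dirname(path) not in SYSTEM_DIRS]


def unusual_child_processes(procs):
    """Office applications spawning command shells or script hosts (parent resolved per host)."""
    by_key = {(h, pid): name.lower() for h, pid, _, name, _, _ in procs}
    return [(h, pid, by_key[(h, ppid)], name) for h, pid, ppid, name, _, _ in procs
            if by_key.get((h, ppid)) in OFFICE_APPS and name.lower() in SCRIPT_HOSTS]


def processes_in_temp_dirs(procs):
    """Code running from user or system temp directories, which low-privilege users can write to."""
    return [(h, pid, path) for h, pid, _, _, path, _ in procs if TEMP_DIR_RE.search(path)]


def unexpected_network_activity(procs):
    """Processes that normally never talk to the network but currently hold a connection."""
    return [(h, pid, name) for h, pid, _, name, _, net in procs
            if net and name.lower() in NO_NETWORK_BASELINE]


def interactive_service_account_logons(logons):
    """Service accounts used for console or RDP logons: policy violation at best, abuse at worst."""
    return [(h, t, acct) for h, t, acct in logons
            if t in INTERACTIVE_LOGON_TYPES and SERVICE_ACCOUNT_RE.match(acct)]


def run_hunts(procs=PROCESSES, logons=LOGONS):
    return {
        "masquerading": masquerading_system_binaries(procs),
        "unusual_children": unusual_child_processes(procs),
        "temp_dirs": processes_in_temp_dirs(procs),
        "unexpected_network": unexpected_network_activity(procs),
        "service_logons": interactive_service_account_logons(logons),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunts().items():
        print(hunt, hits)
```

Note how the constructed data makes the checks corroborate each other: the svchost.exe on WS02 is flagged both for its non-standard path and for running from a temp directory, and its child notepad.exe is holding a network connection it never should. Stacking these hits per host is what turns individual observations from the table into a hunt lead.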

Conclusion

BluSapphire offers a Unified Platform that provides coverage for many of the TTPs in the MITRE ATT&CK Framework, covering the bulk of each attack category. Several capabilities, including full-stream reassembly of L7 transactions at scale, real-time endpoint inquiry and context retrieval, agentless on-demand live threat hunting, and guided investigations featuring direct links to the relevant MITRE TTP listings for some detections, make it unique in the cyber security advanced defense space.

These capabilities enable BluSapphire to detect more MITRE ATT&CK TTPs with fewer false positives and to support faster, more confident investigations, with fast agentless response and remediation at your fingertips for each detection.

BluSapphire has been recognized by Gartner as a Cool Vendor in the cyber security space, and an independent Gartner paper on innovative companies in IT names BluSapphire as the only vendor in the cyber security space.

Looking to step up your game? Look no further than BluSapphire.

Glossary

Threat Intelligence

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

BluSapphire consumes Threat Intelligence from more than 60 sources. The intelligence obtained is normalized, and the normalized intelligence is used both in detection and in hunt sequences.

EDR

Endpoint Detection & Response capability is important for detecting suspicious behaviors in the endpoint computing stack. This usually entails monitoring and logging all activity at both the system and user level, looking for potentially malicious activity that usually goes unnoticed by signature-based systems. The Achilles heel of EDR-based systems is that an agent needs to be installed on every single endpoint on the network.

There is zero visibility into an endpoint that does not have EDR installed. In most enterprises this is a constant challenge because of the dynamic nature of the infrastructure, the sensitivity of operational systems, Industrial Control Systems, thin clients and varying operational requirements.

BluSapphire employs an agentless model for response and remediation that does NOT need to be installed on every endpoint in your organization.

NTA, NBAD

Network Traffic Analysis (NTA) and Network Behaviour Anomaly Detection (NBAD). To detect suspicious traffic, organizations and security leaders are looking at behaviour-based traffic analysis tools. These complement, and in many cases can replace, traditional signature-based network solutions. NTA and NBAD also help enterprises detect suspicious traffic that other security tools are missing. Most of these tools require a SPAN port to monitor traffic and use behavioural techniques to detect suspicious traffic. Most solutions also depend heavily on SSL/TLS decryption to work, and this becomes their Achilles heel, as it impacts both the scalability and the efficacy of detection.

BluSapphire does not rely on SSL/TLS decryption and is hence easier to deploy and scale, while offering higher detection and response capabilities. While relying on network behaviour-based techniques, BluSapphire also employs signal intelligence techniques to understand and detect malicious traffic. In most cases, SSL/TLS decryption is only good for compliance monitoring and NOT effective for threat detection: threat actors almost always use their own encryption for data exfiltration and command and control.