You've probably heard it mentioned that one of the first steps in cybersecurity is asset inventory. I can tell you firsthand this is so true. How can you protect things if you don't know what you have? Sadly, everywhere I've worked, and I think this is a struggle everywhere, it's been a challenge just knowing what you have. I'm not just speaking about workstation, server, or user names. Other examples would be software titles, publishers, and executable names.
I wanted to share with you something I've been doing as a "Threat Hunter". You may think it's interesting to take a list of IOCs (indicators of compromise) like malicious IPs, file hashes, file names, URLs, or domains and hunt for them on your network. If the IOCs are targeted and relevant, that's not a bad idea, but the odds of you getting a hit are low. Threat actors are very skilled nowadays and have simple ways to generate brand new IPs, domains, URLs, file names, and file hashes per target, per victim, and even per user.
Another more advanced and potentially good threat hunt would be to look for a tactic/technique that a threat actor may use, like certain parameters being passed to an executable, certain port and protocol traffic on your network, certain file extensions in emails, etc. This is cool and could be worthwhile, but it is also like finding a needle in a haystack. The MITRE ATT&CK matrix has hundreds of techniques, and there are so many variations of each technique that the threat actor has the advantage. If they tweak their method ever so slightly, your search may find nothing.
So, what's an even better method? Here I go back to asset inventory: knowing what you have in your environment. At my current work I have massive lists, built over the years, of various things ...
- All executable names I've ever seen in the environment
- All software publishers I've ever seen in the environment
- All file names I've ever seen in the Windows folder
- All domains I've ever seen our IoT network connect to
- All domains I've ever seen Windows applications (excluding browsers) reach out to
- All Scheduled Tasks that have ever been created
- All Windows Services that have ever been installed
- more random ideas :-)
Hopefully you get the picture. Massive lists of things I've done at least some level of vetting on, even if it's 30 seconds with a Google search, to have some comfort level that it's probably normal or expected. I have experience doing this for perhaps 15,000 or more systems, and yet I'm able to build these lists, and believe me, it wasn't as hard as I expected. Now of course, if you work at a larger organization than that, this could get significantly more challenging. But if you're at a smaller business, I can honestly say I think it's doable.
So, why do I have all these lists? I think in many ways this is the best approach I've found so far for threat hunting, and my best chance of finding malicious activity. Instead of looking for malicious IOCs that have a short life and become useless quickly, and instead of searching for odd tactics and techniques that may or may not have been used by my threat actors, I look for stuff that I've never seen before in our environment.
Imagine the following:
- An executable just started running that has never been seen at my work before. That's a good threat hunt find to dig into.
- A program runs from a software publisher that has never before been seen at work. That's a good threat hunt find to dig into.
- A program reaches out to a domain that has never been connected to at work before. That's a good threat hunt find to dig into.
- A scheduled task just got added to a PC that has never been seen before on any PC. That's a good threat hunt find to dig into.
It's my belief that this is a great way to find anomalies and potentially malicious activity.
A threat actor can change their IOCs, and a threat actor can change their technique, but in the overall big picture it's going to be hard for a threat actor to generate ONLY program names, URLs, domains, IPs, scheduled tasks, or Windows services that have already been seen.
The odds are that the threat actor will generate a few program names, URLs, domains, IPs, scheduled tasks, or Windows services that have never been seen before at my work ... and hopefully those show up on my hunt because they don't exist in my list yet ... and hopefully I can identify that they are malicious before the threat actor does anything detrimental.
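To make the hunt concrete, here is a small baseline-diff hunt, added as an example (it is not the author's tooling): the lists described above become one set per category, a constructed Sysmon-style JSON-lines feed is parsed, and anything absent from its list is reported together with the hosts it appeared on. It assumes the field names Image, Company and QueryName as Sysmon uses them, a hypothetical "task" event carrying TaskName for scheduled-task creation, and constructed hostnames, paths, publishers and domains. It also keeps the full executable path alongside the bare name, which goes slightly beyond the lists above, because a known name dropped into an unusual folder is a cheap way for an attacker to stay inside the "already seen" set.

```python
"""Baseline-diff threat hunt over a Windows telemetry feed.

Added example, not the post author's own tooling. It assumes a JSON-lines feed with
Sysmon-style field names (Image, Company, QueryName) plus a hypothetical "task"
event carrying TaskName, and one set of previously seen values per category, i.e.
the "massive lists" the post describes. Everything below is constructed sample data.
"""
import json
import ntpath
from collections import defaultdict

# Constructed sample events, one JSON object per line (hosts, paths, domains invented).
SAMPLE_EVENTS = r"""
{"host":"WS0421","kind":"process","Image":"C:\\Windows\\System32\\svchost.exe","Company":"Microsoft Corporation"}
{"host":"WS0421","kind":"process","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe","Company":"Microsoft Corporation"}
{"host":"WS0077","kind":"process","Image":"C:\\Program Files\\7-Zip\\7z.exe","Company":"Igor Pavlov"}
{"host":"WS0077","kind":"process","Image":"C:\\Users\\jdoe\\Downloads\\update_helper.exe","Company":"Contoso Softworks LLC"}
{"host":"WS0421","kind":"dns","Image":"C:\\Windows\\System32\\svchost.exe","QueryName":"ctldl.windowsupdate.com"}
{"host":"WS0421","kind":"dns","Image":"C:\\Users\\jdoe\\Downloads\\update_helper.exe","QueryName":"cdn-sync.example.net"}
{"host":"WS0099","kind":"task","TaskName":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
{"host":"WS0099","kind":"task","TaskName":"\\OneDriveSync"}
"""

# Constructed baselines: values already seen and vetted, one set per category.
# In practice each is a text file with one entry per line, loaded at hunt time.
BASELINE = {
    "exe":       {"svchost.exe", "7z.exe", "explorer.exe", "chrome.exe"},
    "exe_path":  {r"c:\windows\system32\svchost.exe",
                  r"c:\program files\7-zip\7z.exe",
                  r"c:\windows\explorer.exe"},
    "publisher": {"microsoft corporation", "igor pavlov", "google llc"},
    "domain":    {"ctldl.windowsupdate.com", "update.googleapis.com"},
    "task":      {r"\microsoft\windows\defrag\scheduleddefrag"},
}


def norm(value: str) -> str:
    """Case-fold and trim so 'SVCHOST.EXE' and 'svchost.exe' are the same entry."""
    return value.strip().lower()


def extract(event: dict):
    """Yield (category, normalized value) pairs for every list an event feeds."""
    image = event.get("Image")
    if image:
        # The bare executable name is the post's list; the full path is tracked too so a
        # known name dropped into an unusual directory (masquerading) still shows as new.
        yield "exe", norm(ntpath.basename(image))
        yield "exe_path", norm(image)
    kind = event.get("kind")
    if kind == "process" and event.get("Company"):
        yield "publisher", norm(event["Company"])
    if kind == "dns" and event.get("QueryName"):
        yield "domain", norm(event["QueryName"])
    if kind == "task" and event.get("TaskName"):
        yield "task", norm(event["TaskName"])


def hunt(event_lines: str, baseline: dict) -> dict:
    """Return {category: {value: [hosts]}} for every value absent from its baseline."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for category, value in extract(event):
            if value not in baseline.get(category, set()):
                findings[category][value].add(event.get("host", "?"))
    return {cat: {val: sorted(hosts) for val, hosts in vals.items()}
            for cat, vals in findings.items()}


def promote(baseline: dict, category: str, value: str) -> dict:
    """Return a copy of the baseline with one vetted value added, so it stops alerting."""
    updated = {cat: set(vals) for cat, vals in baseline.items()}
    updated.setdefault(category, set()).add(norm(value))
    return updated


if __name__ == "__main__":
    for category, values in hunt(SAMPLE_EVENTS, BASELINE).items():
        for value, hosts in values.items():
            print(f"NEW {category:<9} {value}  (hosts: {', '.join(hosts)})")
```

Running it prints every never-seen item in the sample feed: the unknown executable and publisher, the domain only that executable talks to, the new scheduled task, and a svchost.exe that carries a known name but lives in a Temp folder. Vetting a finding and passing it through promote() is the "30 seconds with a Google search" step; once every finding is promoted, re-running the hunt on the same feed reports nothing.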