
Threat Hunting: Detecting Adversaries

Introduction

Threat hunting requires that the hunter understand the mind of the adversary and seek to take out attacks before the hunters themselves can be detected. So how exactly is that done, and how can hunting methods be improved to allow hunters to execute skillfully without being detected?

In this article, we shall see that detecting the adversary is not an entirely straightforward thing. We will, however, focus on the methods a hunter can use to minimize their own exposure, and thus see how these methods help a hunter avoid detection.

Taking Time to Understand the Adversary Mindset

It has been said that it takes a thief to catch a thief, and this is not any different when hunting for threats in a system. The adversary will often make small mistakes that lead to the discovery of their malicious actions. Such abnormal activities serve as red flags and we need to understand them. Understanding said abnormal behavior (such as the ones discussed below) allows the hunter to target specific areas of high risk, effectively enabling the hunter to take out the adversary before detection.

The following are some common abnormal behaviors to look out for:

Misbehaving PowerShell

Many organizations make use of PowerShell daily to manage their IT infrastructure. Attackers will leverage this to execute malware within the network. Hosts producing unusual PowerShell errors, failed script executions or unexpected program launches should serve as a warning that something is amiss. Look out for these, determine their origin and take out the attackers.

HTTP User Agents

When hunting, be on the lookout for suspicious user agents. This is because attackers will often hurriedly attempt to download extra tools and scripts to use during an active attack. Default user agents used by tools such as PowerShell and Python are often an indication that something (Read more...)
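The user-agent hunt described above, as an added example that is not part of the original post: a small Python script that parses constructed proxy-log lines and flags requests whose User-Agent is the default string emitted by PowerShell's Invoke-WebRequest or Python's requests/urllib libraries. The log format, the host addresses and the URLs are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Default User-Agent fragments of the tooling the article names.
# The list is this example's assumption; extend it to your own baseline.
TOOLING_UA_PATTERNS = [
    ("powershell-invoke-webrequest", re.compile(r"WindowsPowerShell/\d", re.I)),
    ("python-requests", re.compile(r"^python-requests/", re.I)),
    ("python-urllib", re.compile(r"^Python-urllib/", re.I)),
]

# Constructed proxy-log line shape: timestamp, client, method, url, status, "User-Agent".
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: two ordinary browser requests and two tooling downloads.
SAMPLE_PROXY_LOG = """\
2024-01-15T10:02:11Z 10.0.4.21 GET http://intranet.example/portal 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
2024-01-15T10:02:13Z 10.0.4.21 GET http://203.0.113.7/tools/tool.ps1 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2024-01-15T10:02:40Z 10.0.4.35 GET http://203.0.113.7/tools/helper.py 200 "python-requests/2.31.0"
2024-01-15T10:03:02Z 10.0.4.50 GET http://updates.example/patch.msi 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"
"""


def classify_user_agent(ua: str) -> Optional[str]:
    """Return the tooling label for a default tool User-Agent, else None."""
    for label, pattern in TOOLING_UA_PATTERNS:
        if pattern.search(ua):
            return label
    return None


def find_tooling_downloads(lines) -> List[Tuple[str, str, str]]:
    """Yield (client, tooling label, url) for every request made by scripted tooling.

    Legitimate automation hosts also produce these hits, so the caller should
    compare the client address against a known-automation allowlist before escalating.
    """
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; a real hunt would count these too
        label = classify_user_agent(match["ua"])
        if label:
            hits.append((match["src"], label, match["url"]))
    return hits


if __name__ == "__main__":
    for src, label, url in find_tooling_downloads(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{src} fetched {url} using {label}")
```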

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/0UalradgTc4/