Silicon Shecky

Infosec Practitioner


Tuning up the intel

April 27, 2018 By Michael Kavka

A lot of thoughts surround Threat Intelligence feeds. They have a place, which in my mind is right around AV. Note that I am talking about feeds. Think about it: one of the big reasons for the claim that AV is dead is that it is signature based, not good at finding unknowns. Threat intel feeds are just the same.

Now you can dispute my comparison, but the truth is a bitter pill to swallow. I do not think that the feeds are useless, but I also do not think that AV is dead and useless either; both have their place. The feeds though, especially when tied in with a product, can cause more work than they should, especially if they are not kept current, and by that I do not just mean putting the newest threats and IOCs into them. You have to remove the garbage.

Garbage, what do I mean by garbage? Here is a scenario I deal with. Carbon Black Response uses intel feeds as part of the way it finds potential threats, be they malicious software or actors on a machine. If you use it to keep an eye on your DNS machine, there are a lot of alerts generated from DNS, a majority of them being marked as TOR exit nodes. Of course with TOR those exit nodes can shift easily. The problem is that when I start looking into these IPs, as should be done with any alert, the feed itself has IPs that were put in there years ago. I’ve found some that are 10 years old. Now a TOR feed should be updated regularly, and that should include making sure the intel is current, and marking it as such. Without that, you get too much extra work on the analyst's end, time that could be spent on something other than false positives. Up to date has to include removal of old, now unconfirmed data for all feeds.

The idea behind threat intel feeds is to help us find the known issues out there, but without proper upkeep, they are nothing more than a time sink of false positives.
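As an added illustration, not from the post and not Carbon Black's own logic, here is how a feed consumer could age out indicators the provider has not re-confirmed before they reach an analyst. The feed entries, the DNS alert records and the seven-day confirmation window for TOR exit nodes are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample feed (not a real TOR exit list). Each indicator carries the
# date it was added and the date the provider last re-confirmed it as live.
FEED = [
    {"indicator": "198.51.100.7",   "source": "tor_exit", "added": "2018-04-20", "last_confirmed": "2018-04-26"},
    {"indicator": "203.0.113.45",   "source": "tor_exit", "added": "2017-11-02", "last_confirmed": "2018-04-25"},
    {"indicator": "192.0.2.99",     "source": "tor_exit", "added": "2008-03-14", "last_confirmed": "2008-03-14"},
    {"indicator": "198.51.100.200", "source": "tor_exit", "added": "2016-06-01", "last_confirmed": "2016-06-01"},
]

# Constructed feed hits raised by a sensor watching the DNS servers.
ALERTS = [
    {"host": "dns01", "ip": "198.51.100.7"},
    {"host": "dns01", "ip": "192.0.2.99"},
    {"host": "dns02", "ip": "198.51.100.200"},
    {"host": "dns02", "ip": "203.0.113.45"},
]

# Assumed policy: TOR exit nodes shift quickly, so an exit-node indicator that has
# not been re-confirmed within a week is treated as unconfirmed. Other feed types
# get a longer default window.
MAX_AGE = {"tor_exit": timedelta(days=7)}
DEFAULT_MAX_AGE = timedelta(days=90)
TODAY = date(2018, 4, 27)  # fixed "now" so the run is reproducible


def split_feed(feed, today):
    """Return (current, stale) indicator sets based on how long since last_confirmed."""
    current, stale = set(), set()
    for entry in feed:
        age = today - date.fromisoformat(entry["last_confirmed"])
        limit = MAX_AGE.get(entry["source"], DEFAULT_MAX_AGE)
        (current if age <= limit else stale).add(entry["indicator"])
    return current, stale


def triage(alerts, current, stale):
    """Keep alerts backed by current intel; park hits on unconfirmed intel for feed review."""
    actionable = [a for a in alerts if a["ip"] in current]
    needs_refresh = [a for a in alerts if a["ip"] in stale]
    return actionable, needs_refresh


if __name__ == "__main__":
    current, stale = split_feed(FEED, TODAY)
    actionable, needs_refresh = triage(ALERTS, current, stale)
    print("current indicators:", sorted(current))
    print("stale indicators to age out of the feed:", sorted(stale))
    print("alerts worth an analyst's time:", [a["ip"] for a in actionable])
    print("hits on unconfirmed intel:", [a["ip"] for a in needs_refresh])
```

The point is the split: the decade-old entry never reaches the analyst queue as a live hit, but it is not silently dropped either, so whoever maintains the feed can confirm or remove it.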

Filed Under: Rants, Security Tagged With: Threat Feeds, Threat Hunting

What is Threat Hunting?

March 15, 2018 By Michael Kavka

Threat Hunting, yes, another set of buzzwords. The world of Information Security is a smorgasbord of buzzwords. Still, threat hunting. It sounds glamorous, worthwhile, fun and interesting. The question is, just what is it?

I admit it, I am taken in by the idea of Threat Hunting. It feels like something important (which it is) and cool (depends on your point of view). I want to be a good threat hunter, and so do many people, blue and red teamers alike. The problem is that Threat Hunting is a huge umbrella area. It is non-specific. Earlier this week the question of what threat hunting is was raised by Dr. Anton Chuvakin on Twitter.

What are the most abysmally fake examples of totally NOT threat hunting that vendor(s) called “threat hunting”? #question

— Dr. Anton Chuvakin (@anton_chuvakin) March 10, 2018


The thread is a good look at how people view threat hunting, and what it is or is not. Dr. Chuvakin responded with this:

Well, this is how I am planning to phase it 🙂 pic.twitter.com/sH6QTijT8V

— Dr. Anton Chuvakin (@anton_chuvakin) March 13, 2018


There are some flaws with this thinking, and it all comes down to how you define threat hunting. Let us move away from information security for a second, remove the word threat and look at what the key word is: Hunting.

You want to get some fresh venison, and a set of antlers on your wall. Deer hunting season is here. So how does one go about hunting a deer? First you have to get to the woods with some sort of weapon (gun, bow, spear for those really wanting a challenge). Next you have to find the deer. Track it. How do you do that? Find footprints, use some sort of sound or smell, anything to track down the deer. You become a detective, and use deception. Finally you have to actually take the shot and hope it is good for the kill. Three main phases of hunting: Location, Deception/Detection, Kill shot. Is it not hunting if you have a dog that helps automate the detective/deception phase? That dog just makes it easier to find the deer.

Now let us look at how that relates to Threat Hunting in the world of infosec. Phase 1: Location. You can threat hunt in your own network (which most of us do, knowingly or unknowingly), out on the Internet, on the Dark Web. You can hunt for the vulnerabilities, the compromises, zero day attacks. You can hunt for the actors, malware, lateral movement. What is the location, the area you are hunting in? Phase 2 is where you do your detective work. This can include honeypots, honeynets, deception technology, going through logs manually or using automation. To say that only going through large amounts of data by hand counts, or to impose anything else that limits how you can find the threat(s), is limiting your success. In fact, Threat Detection (Incident Detection) is the first two phases of threat hunting. It is a subset of threat hunting. The kill shot is the only difference. That kill shot in our world can be plugging the hole, removing the malware, blocking a C2 IP address, anything that kills (mitigates) the immediate threat that you have found.

This is true threat hunting. It is not about the tools; any tool can be used. It is about the result. Did you find the threat and remove or mitigate it? Threat hunting is a process, and one that many things can fall under. It can only be defined in the broadest terms and then whittled down to specific areas. Trying to shrink those broadest terms and limit what can be used does nothing but hurt the hunt and puts us at a bigger disadvantage against the black hats we are after.

Filed Under: Rants, Security Tagged With: Deception Technology, Threat Hunting
