10 things threat hunters watch for


Dogged pursuit

Pursuing cyber threats is much like conventional hunting in that it requires patience, persistence and a keen eye, and when done correctly, it can be both exhilarating and rewarding. Threat actors do everything in their power to blend in and attempt to become a ghost in your network, so it is the job of the security professional to be the ghostbuster, says Tim Bandos, director of cybersecurity at Digital Guardian. In order to track and acquire an elusive target, a threat hunter needs to be well equipped with the right skills and tools. Start by loading up on cyber threat knowledge and centralizing critical logging data. He sets out the common indicators that say a threat is underway.

Low and slow connections

Proxy logs are a great place to start the hunt, and there are a number of telltale signs that can clue you in that something is amiss. Is traffic being sent out on port 22 through proxy servers or even firewalls? Of course it’s good practice to source-restrict this clear-text protocol, but if it isn’t locked down, look for any exfiltration patterns in the data.

Same number of bytes in and out

Do any network connections exhibit the same pattern of bytes in and bytes out each day? This was more prevalent several years ago, but malware today still beacons out to its controller in this way to signal that it has implanted successfully. Monitor for the same number of bytes up and bytes down recurring on a frequent basis, as this could be a sign of suspicious activity.
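
The check described above, as an added example that is not code from the article or from Digital Guardian: it groups constructed proxy log lines by source, destination and exact bytes-out/bytes-in pair and flags pairs that recur on several distinct days. The log layout and hostnames are assumptions; legitimate update checks produce the same signature, so the output is a review list, not a verdict.

```python
"""Flag beacon-like proxy connections: the same (bytes out, bytes in)
pair recurring day after day between one endpoint and one destination."""
from collections import defaultdict

# Constructed sample proxy log (not real traffic):
# date time source-IP destination-host bytes-out bytes-in
PROXY_LOG = """\
2017-05-01 08:01:12 10.1.2.30 update.example-cdn.test 412 3081
2017-05-01 09:15:44 10.1.2.30 cdn.example-news.test 1290 58211
2017-05-01 08:02:03 10.1.2.77 status.example-dyn.test 188 512
2017-05-02 08:01:15 10.1.2.30 update.example-cdn.test 412 3081
2017-05-02 08:02:09 10.1.2.77 status.example-dyn.test 188 512
2017-05-02 10:22:31 10.1.2.30 cdn.example-news.test 1302 61007
2017-05-03 08:01:09 10.1.2.30 update.example-cdn.test 412 3081
2017-05-03 08:02:14 10.1.2.77 status.example-dyn.test 188 512
2017-05-03 11:40:02 10.1.2.77 cdn.example-news.test 1290 58211
"""


def parse(log):
    """Yield (date, src, dst, bytes_out, bytes_in) for each log line."""
    for line in log.splitlines():
        date, _time, src, dst, out_b, in_b = line.split()
        yield date, src, dst, int(out_b), int(in_b)


def find_beacons(log, min_days=3):
    """Return {(src, dst, bytes_out, bytes_in): [days]} for every
    connection whose exact byte signature was seen on at least
    `min_days` distinct days. A pair seen once, or with varying
    sizes (normal browsing), never qualifies."""
    days_seen = defaultdict(set)
    for date, src, dst, out_b, in_b in parse(log):
        days_seen[(src, dst, out_b, in_b)].add(date)
    return {key: sorted(days) for key, days in days_seen.items()
            if len(days) >= min_days}


if __name__ == "__main__":
    for (src, dst, out_b, in_b), days in find_beacons(PROXY_LOG).items():
        # Both hits below are candidates; the analyst whitelists the
        # known updater and investigates the rest.
        print(f"{src} -> {dst} {out_b}/{in_b} bytes on {len(days)} days")
```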

Suspicious sites

Identify a listing of all dynamic DNS sites that are visited by endpoints and look specifically at the outliers across your organization. If only three machines out of 20,000 visit one specific site, command and control infrastructure may be at fault. While there could be other explanations, it is definitely something worth examining further.

Failed logon attempts

It might sound obvious, but successive failed access attempts across multiple accounts could indicate a brute-force attack. A single failed attempt per account, repeated across many accounts, may signify a threat actor trying passwords they previously dumped from the environment in the hope that one still works.

Explicit credentials

Profile your “A logon was attempted using explicit credentials” event logs and whitelist out normal activity. This event is generated when a user connects to a system or runs a program locally using alternate credentials. Did someone say ‘lateral movement’? Threat actors love to move laterally!

Privilege changes

Escalation of privileges will often occur once a foothold has been achieved within an environment, and privilege-change audit logs may assist in identifying such activity. It’s good to profile your IT administrators’ legitimate activities as well, since they’ll more often than not generate a bit of noise themselves.

Signs of password dumping programs

Research what your antivirus provider flags as a password dumping program and go searching. For example, one of McAfee’s password dumping detection tools is called HTool-GSECDump. There are countless examples of threat actors running a password dumper, antivirus detecting and removing it, and the attacker then successfully executing another dumper that wasn’t detected. So although they’ve achieved their initial objective, they’ve left behind a clue of evidentiary value.

Common backdoors

Know your adversary so that you can begin to profile their tactics, techniques, and procedures. You’ll know the tools they most commonly use and the types of backdoors they may leverage. Some common advanced threat backdoors include PlugX, 9002 RAT, Nettraveler, Derusbi, Winnti and Pirpi. If you come across names like these within your antivirus logs, you’ll know something untoward is taking place.

Dropper programs

Identify any detections with ‘dropper’ in the name. A dropper program is intended to download or install a backdoor or virus, only initiating the download when the ‘coast is clear’. If a dropper has been detected, it’s possible there is still something lurking in the depths of the OS it was detected on.

Custom detections

Some antivirus solutions can create custom detections for highly effective threat hunting. Creating an alert that logs executions of binaries from a user’s APPDATA directory, for example, will generate a log and send it to your console any time a program launches from that directory. Drilling down into those binaries to identify certain traits is a great starting point for finding evil.