Published on November 30, 2018

Proactive Threat Hunting with A.I.

Proactive Threat Hunting helps in the early detection of new threats and in the discovery of weak spots that an attacker can leverage to gain or maintain access to an infrastructure. Traditional IOCs, combined with MITRE ATT&CK TTPs and Artificial Intelligence for the discovery of new behaviors, raise the bar for attackers and help responders identify breaches at a very early stage, so they can contain and mitigate attacks quickly and effectively.

Adding Artificial Intelligence to this process provides an effective boost to the assessment operations by:

  • Signalling to the analysts the presence of potential weak spots
  • Raising soft-alerts on behavioral anomalies
  • Discovering new behavioral patterns

Traditionally, the job of a Threat Hunter has been to sift through logs, either directly or aided by a SIEM, in search of anomalies to investigate, and to correlate them with Threat Intelligence data coming from other sources: third parties or different teams in the organization. This process is as effective as it is tedious, and automation plays a fundamental role in making it more efficient, saving brain-power for when it’s needed most: when the anomaly has been isolated and identified as malicious.

Proactive Threat Hunting Breakdown

Proactive Threat Hunting approaches fall broadly into three main categories:

  • IOC (Indicators of Compromise) hunting: easy to automate, detects only known threats
  • TTP (Tactics, Techniques and Procedures) hunting: harder to automate, early detection of attacks given a modus operandi
  • Behavioral hunting: should be completely automated, early detection of new and still unknown threats

Each category has its advantages and addresses a different scope, but they all work in concert to raise the bar for attackers.

IOC (Indicators of Compromise) Hunting

IOCs (hashes, IP addresses, domains, etc.) are obtained from teams internal to the organization or, more often, from third-party providers of intelligence data. This kind of search is hardly proactive, but it brings value to the hunting process: if the attackers reuse their infrastructure or their malware, it becomes easy to spot the malicious activity right from the beginning. This is especially true for widespread campaigns, while it’s seldom the case with Advanced Persistent Threats and targeted attacks.

This is the baseline for an organization that wishes to implement a proper proactive threat hunting pipeline (IOCs are in fact brittle indicators, especially after receiving public coverage), and the quality of the output depends strictly on the type and reliability of the intelligence data provided by the IOC feeds. If the organization is equipped with proper endpoint visibility, this process becomes extremely easy to automate.

TTP (Tactics, Techniques and Procedures) Hunting

TTPs are again part of a threat intelligence feed, and they describe the way attackers operate instead of relying on crude indicators that are easy to modify. Proactive threat hunting requires the analysis of TTPs related to various actors, and since such data reflects the way a threat actor operates, it is also flexible enough to offer predictive value on new types of attacks coming from the same threat actor. A sophisticated attacker will seldom reuse its infrastructure or tools on different high-level targets, but the way it operates can be similar: for instance, the type of malware adopted or the techniques used to perform lateral movement and to harvest credentials can be the same.
TTPs follow a hierarchical structure that becomes more and more specific toward the practical aspects of the attack.
MITRE ATT&CK offers a summary of all the documented tactics; each encompasses a variety of techniques, and each technique is executed through a procedure. The figure below shows tactics used by attackers, starting from the initial access:

[Figure: List of tactics from MITRE ATT&CK]

A set of techniques describes the modus operandi of an attacker. In this case we are looking at the techniques adopted by MuddyWater, a threat actor ReaQta covered extensively in the past:

[Figure: Techniques used by MuddyWater, an Iranian threat group]

A real-life example is reported below. In this case we observe an attacker copying and renaming a system binary to a different folder to evade path/filename based rules:

[Figure: CMD used to copy and rename a system binary]

The anomaly is detected by ReaQta-Hive and marked in red, showing that the system binary has been copied elsewhere:

[Figure: Certutil is copied in a temporary folder and renamed as control1.cpl]

Copying a system binary has no direct impact on security and can hardly be classified as a security breach, but a single operation doesn’t tell the whole story: the attacker later used this binary to download malicious content from a remote server. Visibility over the entire process ensures early detection and, to some extent, it can help in the identification of the threat actor involved.

[Figure: certutil.exe used as a tool to download a remote malicious PowerShell script]
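
The correlation described above, as an added example (not ReaQta-Hive code): it flags a watched system binary running under a different name or folder, then escalates when that same process opens a network connection. The event schema, the `original_name` field (the PE OriginalFilename as a sensor would report it), host names and addresses are assumptions constructed for the example.

```python
import ntpath

# Assumption: system binaries we track by PE OriginalFilename, and their usual folders.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WATCHED = {"certutil.exe", "svchost.exe", "powershell.exe"}

# Constructed sample telemetry in time order (hypothetical schema).
EVENTS = [
    {"type": "process", "host": "ws-12", "pid": 4120,
     "image": r"C:\Windows\System32\certutil.exe", "original_name": "CertUtil.exe"},
    {"type": "process", "host": "ws-07", "pid": 3388,
     "image": r"C:\Users\bob\AppData\Local\Temp\control1.cpl",
     "original_name": "CertUtil.exe"},
    {"type": "network", "host": "ws-07", "pid": 3388, "dest": "203.0.113.10:80"},
    {"type": "process", "host": "ws-07", "pid": 920,
     "image": r"C:\Windows\System32\svchost.exe", "original_name": "svchost.exe"},
]

def is_relocated(ev):
    """True when a watched system binary runs under another name or folder."""
    orig = ev["original_name"].lower()
    if orig not in WATCHED:
        return False
    folder, name = ntpath.split(ev["image"].lower())
    return name != orig or folder not in SYSTEM_DIRS

def hunt(events):
    """Return one finding per relocated binary; a later network connection
    from the same host/pid raises it from soft-alert to alert."""
    findings = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process" and is_relocated(ev):
            findings[key] = {"host": ev["host"], "image": ev["image"],
                             "original_name": ev["original_name"],
                             "severity": "soft-alert", "destinations": []}
        elif ev["type"] == "network" and key in findings:
            findings[key]["severity"] = "alert"
            findings[key]["destinations"].append(ev["dest"])
    return list(findings.values())

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Matching on the embedded original filename rather than the on-disk name is what keeps the rule effective after the rename; the copy alone stays a soft-alert, consistent with the point that a single operation doesn’t tell the whole story.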

Manual hunting can still be valuable to identify sets of behaviors that we deem interesting. In the case below, an attacker renamed a malicious binary to mimic a system component; this technique is defined as T1036 (Defense Evasion), and the binary was used to exfiltrate screenshots, defined as technique T1113 (Collection).
The hunting platform is used to extract all binaries with a certain name (svchost.exe in this case) that are not signed by Microsoft and that perform any of the following activities: dropping executable binaries, acquiring screenshots, acquiring keystrokes or harvesting credentials. Once we have all these techniques grouped together, we can start looking for signs of malicious activity.

[Figure: Hunting for a specific set of techniques]
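
The same hunt expressed as code, as an added example rather than the platform's own query language: select processes named svchost.exe whose signer is not a trusted Microsoft publisher, keep only the hunted behaviors, and group them per host and binary for triage. Field names, behavior labels, signer strings and all sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Behaviors named in the hunt above; the labels are this example's own.
HUNTED = {"drop_executable", "screenshot", "keylogging", "credential_harvest"}
# Assumption: signer names the sensor reports after validating the signature.
TRUSTED_SIGNERS = {"microsoft windows", "microsoft windows publisher",
                   "microsoft corporation"}

# Constructed sample telemetry (hypothetical schema).
EVENTS = [
    {"host": "srv-01", "image": r"C:\Windows\System32\svchost.exe",
     "signer": "Microsoft Windows Publisher", "behavior": "screenshot"},
    {"host": "ws-03", "image": r"C:\ProgramData\svchost.exe",
     "signer": None, "behavior": "screenshot"},
    {"host": "ws-03", "image": r"C:\ProgramData\svchost.exe",
     "signer": None, "behavior": "drop_executable"},
    {"host": "ws-05", "image": r"C:\Users\Public\svchost.exe",
     "signer": "Microsoft Corp Updates", "behavior": "keylogging"},
    {"host": "ws-09", "image": r"C:\Tools\svchost.exe",
     "signer": "Example Software Ltd", "behavior": "file_read"},
]

def hunt_by_name(events, name="svchost.exe"):
    """Group hunted behaviors per (host, image) for binaries called `name`
    that are not signed by a trusted publisher; most behaviors first."""
    hits = defaultdict(set)
    for ev in events:
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        signer = (ev["signer"] or "").strip().lower()
        # Exact match on the signer: a lookalike publisher name must not pass.
        if basename != name or signer in TRUSTED_SIGNERS:
            continue
        if ev["behavior"] in HUNTED:
            hits[(ev["host"], ev["image"])].add(ev["behavior"])
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, image, sorted(found)) for (host, image), found in ranked]

if __name__ == "__main__":
    for row in hunt_by_name(EVENTS):
        print(row)
```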

Automating TTP hunting is a more complex task that requires a platform capable of encoding TTP information and hunting for it. It’s still possible to run the process manually with no loss of precision, at the price of more time invested in the hunting stage. On the other hand, it’s very difficult to maintain real-time monitoring over TTPs without proper automation, and that might lead to delayed detection of a breach.

Behavioral (A.I. aided) Hunting

The third category of the Proactive Threat Hunting process requires behavioral monitoring capabilities, through a platform capable of extracting and analysing behavioral information at the endpoint level. There are no guidelines or starting points (i.e. a defined set of TTPs) to help the initial research; most of the work is usually led by a field expert, sifting through logs and identifying unusual patterns.
This concept can be extended and simplified via Artificial Intelligence. Looking for traces of the latest LOLbins can be fruitful, but it won’t provide value against attacks that are still unpublished. Algorithms are getting better and better at detecting anomalies in the cybersecurity domain, and we can leverage these new techniques to proactively identify new types of threats without prior knowledge, as in the example below:

[Figure: Behavioral anomaly detected via Artificial Intelligence]

An A.I. model creates usage profiles of each and every application found inside the organization, detecting anomalies and raising flags or soft-alerts when they occur. This process helps the analyst identify novel techniques without tedious manual work, leaving that time to be invested in studying new behaviors. Often the chain of events leading to a certain action is long and noisy; extracting such information manually is a daunting task, and automated data mining helps find correlations that are hidden to the human eye.
Behavioral data is produced in high volumes by the endpoints and is hard to process manually, but there’s value in using Artificial Intelligence, as new discoveries can often signal the presence of a new attack in progress and reduce the dwell time.
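
To make the idea of per-application usage profiles concrete, here is an added example that uses a simple frequency model as a stand-in (it is not ReaQta's A.I. model): each application's baseline behavior counts give a Laplace-smoothed probability, and a behavior whose surprise exceeds a threshold raises a soft-alert. Application names, behavior labels, counts and thresholds are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

class UsageProfiles:
    """Per-application behavior frequencies learned from baseline telemetry."""

    def __init__(self, min_obs=20, threshold_bits=5.0):
        self.counts = defaultdict(Counter)
        self.vocab = set()
        self.min_obs = min_obs            # baseline events needed before judging an app
        self.threshold = threshold_bits   # 5 bits: probability of at most 1 in 32

    def learn(self, app, behavior):
        self.counts[app][behavior] += 1
        self.vocab.add(behavior)

    def surprise(self, app, behavior):
        """-log2 of the Laplace-smoothed probability that app shows behavior."""
        seen = self.counts.get(app, Counter())
        total = sum(seen.values())
        # The extra +1 reserves probability mass for behaviors never seen anywhere.
        p = (seen[behavior] + 1) / (total + len(self.vocab) + 1)
        return -math.log2(p)

    def assess(self, app, behavior):
        if sum(self.counts.get(app, Counter()).values()) < self.min_obs:
            return "unprofiled"           # too little history to call it an anomaly
        score = self.surprise(app, behavior)
        return "soft-alert" if score >= self.threshold else "normal"

# Constructed baseline: (application, behavior, observations). Not real telemetry.
BASELINE = [
    ("winword.exe", "open_document", 70), ("winword.exe", "write_document", 25),
    ("winword.exe", "network_connect", 5),
    ("powershell.exe", "spawn_process", 30), ("powershell.exe", "network_connect", 20),
]

def build_profiles():
    profiles = UsageProfiles()
    for app, behavior, n in BASELINE:
        for _ in range(n):
            profiles.learn(app, behavior)
    return profiles

if __name__ == "__main__":
    p = build_profiles()
    for app, behavior in [("winword.exe", "open_document"),
                          ("winword.exe", "spawn_process"),
                          ("newtool.exe", "open_document")]:
        print(app, behavior, p.assess(app, behavior), round(p.surprise(app, behavior), 2))
```

The `unprofiled` outcome keeps applications with too little history from flooding analysts with alerts; those are better reviewed as new software than scored as anomalies.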

Managed Proactive Threat Hunting

ReaQta provides a Managed Proactive Threat Hunting service through our MSS partners. If your organization is looking to get better hunting capabilities, our partners will be able to help by running this process transparently and alerting your teams when anything suspicious is detected. As endpoint monitoring becomes more widespread, new possibilities open up as a richer type of data becomes available to the analysts, offering hunting capabilities that were unimaginable just a few years back.
As we have just seen, a thorough IOC search must be combined with an automated search for known TTPs. The last step of the chain is represented by data mining and anomaly detection, which help secure the infrastructure against emerging threats where no public information is yet available. Combining all these techniques helps the organization remain alert, detect attacks early and reduce the dwell time in the event of a breach.
Get in touch with us for a demonstration showing how proactive threat hunting can help you obtain better visibility over new kinds of threats.