Top 3 Attack Vectors & Delivery Channels for Hackers
Threat Hunting: How to Detect the Top Attack Vectors
As attackers continue to step up their game, SOC analysts must constantly adopt new threat hunting methods to keep pace with a changing landscape. Some general tenets remain constant: the introduction of malware, social engineering, and the exploitation of poorly engineered code. However, as attackers become more advanced, these tried and true techniques become harder to detect. This article addresses new ways to detect the top traditional attack techniques.
The first technique is the phishing attack. Although it is a classic, several industry studies have attributed roughly 90 percent of successful attacks to it. Gone are the days of the obvious Nigerian prince. Now users are left wondering, "Do I really owe the IRS money?" or "Is this really my electric bill?", and it becomes harder and harder to distinguish fraud from reality. To get after this attack vector, a new class of indicator of compromise (IOC) has emerged: phishing intelligence, which packages the URLs, domains, sender addresses and attachment hashes seen in live phishing campaigns. Just like a traditional IOC feed, this intelligence can be ingested into your SIEM product of choice and matched against proxy, DNS and mail-gateway logs. Several feeds exist, both open source and commercial, including the LogRhythm PIE framework and the PhishMe Intelligence App. A list of open source threat intelligence feeds is available at https://github.com/hslatman/awesome-threat-intelligence. When investigating a phishing attack, capture the following items: threat type and threat actor, domain WHOIS information, timestamps, and the items associated with the indicator such as URLs and files. Then plot every host that touched the indicator on an infections map showing how many times the event occurred on each one; repeat hits from the same host usually mean the user kept interacting with the lure, not that the feed is noisy.
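The matching step described above, as an added example that is not code from the original article, from LogRhythm, PhishMe or any feed: a constructed phishing-intelligence feed with the fields the article lists (threat type, actor, WHOIS, timestamp, indicator) is matched against constructed proxy and mail-gateway log lines, and the hits are rolled up into a per-host count, the "infections map". The feed format, the `host=... url=...` log layout, the host names and the hash value are all assumptions made for the example.

```python
"""Match phishing-intelligence indicators against proxy and mail-gateway log
lines and build a per-host count of matching events (the 'infections map').
Added example for this article, not code from LogRhythm, PhishMe or any feed.
The feed entries, log lines, host names and hash value are all constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed feed entries carrying the fields the article says to capture:
# threat type, actor, WHOIS data, timestamp and the indicator itself.
PHISH_FEED = [
    {"indicator": "http://invoice-portal.example/pay.php", "type": "url",
     "threat_type": "credential_phish", "actor": "constructed-actor-1",
     "first_seen": "2024-01-05T09:12:00Z",
     "whois": {"registrar": "example-registrar", "created": "2024-01-02"}},
    {"indicator": "irs-refund.example", "type": "domain",
     "threat_type": "credential_phish", "actor": "constructed-actor-1",
     "first_seen": "2024-01-04T10:00:00Z",
     "whois": {"registrar": "example-registrar", "created": "2024-01-03"}},
    {"indicator": "b5d4045c3f466fa91fe2cc6abe79232a1a57cdf104f7a26e716e0a1e2789df78",
     "type": "sha256", "threat_type": "malware_delivery",
     "actor": "constructed-actor-2", "first_seen": "2024-01-06T15:30:00Z",
     "whois": None},
]

# Constructed proxy and mail-gateway log lines (key=value layout is assumed).
SAMPLE_LOGS = [
    "2024-01-08T11:02:33Z host=ws-017 user=alice url=http://invoice-portal.example/pay.php status=302",
    "2024-01-08T11:02:40Z host=ws-017 user=alice url=https://intranet.corp.example/home status=200",
    "2024-01-08T11:03:05Z host=ws-042 user=bob url=https://login.irs-refund.example/verify status=200",
    "2024-01-08T11:05:10Z host=ws-042 user=bob attachment=sha256:b5d4045c3f466fa91fe2cc6abe79232a1a57cdf104f7a26e716e0a1e2789df78",
    "2024-01-08T11:07:51Z host=ws-017 user=alice url=http://invoice-portal.example/pay.php status=302",
    "2024-01-08T11:09:00Z host=ws-099 user=carol url=https://news.example/article/42 status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def build_index(feed):
    """Index feed entries by indicator type so each log field is checked
    against the right set: exact URL, domain (including subdomains), hash."""
    index = {"url": {}, "domain": {}, "sha256": {}}
    for entry in feed:
        index[entry["type"]][entry["indicator"].lower()] = entry
    return index


def domain_hit(hostname, domain_index):
    """Return the entry whose domain equals hostname or is a parent of it.
    Only label-boundary matches count, so 'irs-refund.example.com' does not
    match the indicator 'irs-refund.example'."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domain_index:
            return domain_index[candidate]
    return None


def match_line(line, index):
    """Return (fields, feed_entry) if any field on the line matches an
    indicator, otherwise None."""
    fields = dict(KV_RE.findall(line))
    url = fields.get("url")
    if url:
        entry = index["url"].get(url.lower())
        if entry is None:
            entry = domain_hit(urlsplit(url).hostname or "", index["domain"])
        if entry:
            return fields, entry
    attachment = fields.get("attachment", "")
    if attachment.startswith("sha256:"):
        entry = index["sha256"].get(attachment[len("sha256:"):].lower())
        if entry:
            return fields, entry
    return None


def infection_map(lines, feed):
    """Count matching events per host and record, for each hit, the
    investigation fields the article lists."""
    index = build_index(feed)
    counts, hits = Counter(), []
    for line in lines:
        matched = match_line(line, index)
        if matched is None:
            continue
        fields, entry = matched
        counts[fields["host"]] += 1
        hits.append({"timestamp": line.split(" ", 1)[0], "host": fields["host"],
                     "threat_type": entry["threat_type"], "actor": entry["actor"],
                     "indicator": entry["indicator"], "whois": entry["whois"]})
    return counts, hits


if __name__ == "__main__":
    counts, hits = infection_map(SAMPLE_LOGS, PHISH_FEED)
    for host, n in counts.most_common():
        print(f"{host}: {n} phishing-related event(s)")
    for hit in hits:
        print(hit)
```

In a real deployment the feed would be refreshed from the SIEM's threat-intelligence connector and the log lines would be the SIEM's normalized events; the matching order (exact URL, then parent domain, then attachment hash) is the part worth keeping.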
Another classic, malware, still infects networks on a regular basis. Luckily, detection and defensive techniques have advanced as well. Although traditional signature-based antivirus still exists, it has morphed into the more effective cloud reputation model, and almost every vendor now offers reputation-based threat intelligence to identify the latest malware and assist the tenacious threat hunter in his or her quest. But intelligence alone is not enough. For disk-based attacks, one of the best defenses is hash-based application whitelisting: a binary runs only if the hash of its contents is on the approved list, so renaming a file buys the attacker nothing and a single patched byte produces a block. But what about fileless attacks that never write a binary to disk? New hooks into the operating system such as the Windows 10 Antimalware Scan Interface (AMSI) let third-party vendors inspect scripts as they are executed, after any obfuscation has been unwrapped. Tools such as Microsoft EMET protect applications by detecting attempts to bypass memory protections such as ASLR and DEP; EMET itself has since been retired, with its mitigations carried forward as Exploit Protection in Windows 10 and later.
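The hash-based whitelisting check described above, as an added example rather than code from the original article, EMET, AMSI or any whitelisting product. The "binaries" are constructed byte strings written to a temporary directory, not real executables, and the allowlist labels are assumptions; the point shown is that the verdict depends on file contents only, so a renamed copy is still allowed and a copy with one byte changed is blocked.

```python
"""Hash-based application allowlisting: a file may run only if the SHA-256 of
its contents is on the allowlist. Added example for this article, not code
from any whitelisting product, EMET or AMSI. The 'binaries' written to a
temporary directory are constructed byte strings, not real executables."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class HashAllowlist:
    """Maps allowed SHA-256 digests to a human-readable label."""

    def __init__(self, entries=None):
        self.entries = {d.lower(): label for d, label in (entries or {}).items()}

    def add_trusted_file(self, path, label):
        """Enrol a known-good file by hashing it at enrolment time."""
        self.entries[sha256_file(path)] = label

    def check(self, path):
        """Return (allowed, digest, label). The verdict depends only on the
        bytes of the file: its name and location are ignored."""
        digest = sha256_file(path)
        label = self.entries.get(digest)
        return label is not None, digest, label


def demo():
    """Show the two properties that matter: renaming does not change the
    verdict, and a single modified byte does."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "tool.exe")
        with open(original, "wb") as f:
            # Constructed stand-in for a vendor binary, not a real PE file.
            f.write(b"MZ" + b"\x00" * 62 + b"constructed vendor tool v1.0")

        allowlist = HashAllowlist()
        allowlist.add_trusted_file(original, "vendor tool 1.0")  # label assumed

        # Same bytes under a different name and directory.
        renamed = os.path.join(workdir, "updates", "svchost.exe")
        os.makedirs(os.path.dirname(renamed))
        shutil.copyfile(original, renamed)

        # Same name as the trusted file, but with its last byte patched.
        patched = os.path.join(workdir, "updates", "tool.exe")
        with open(original, "rb") as f:
            data = bytearray(f.read())
        data[-1] ^= 0x01
        with open(patched, "wb") as f:
            f.write(bytes(data))

        return {
            "original": allowlist.check(original)[0],
            "renamed": allowlist.check(renamed)[0],
            "patched": allowlist.check(patched)[0],
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'BLOCK'}")
```

The enrolment step is where the operational cost lives: every legitimate update changes the hash, so the allowlist has to be refreshed from a trusted source (vendor catalogs, a golden image) rather than by re-hashing whatever is currently on the endpoint.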
Distributed Denial of Service (DDoS) attacks continue to overwhelm sites, servers, and networks, and with each passing year the botnets and zombie computers behind them grow. As the volume of Internet traffic increases, current DDoS detection technologies need to be augmented to process the huge amount of traffic within an allocated response time. Big data analytics attempts to meet this challenge, for example with HTTP GET flood detection algorithms that run on Hadoop and count requests per source over a time window. Certain logs may also tip the analyst off that a server is under attack, such as a spike in IIS 503 "Service Unavailable" responses. Within an operating system, simply monitoring netstat may be an easy indicator: a large number of established connections concentrated on a small set of remote addresses suggests a connection flood, while a pile-up of half-open connections in SYN_RECV (which never reach the established count) suggests a SYN flood. A legitimate traffic spike looks similar at first glance, so compare against the server's normal baseline before declaring an attack.
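The log-side and host-side checks described above, as an added example that is not the Hadoop algorithm, any product's detection logic, or code from the original article: a per-source sliding-window GET counter over constructed IIS W3C-format log lines, a count of 503 responses, and a summary of constructed netstat output by connection state and remote address. The log layout follows the IIS W3C `#Fields:` convention, but every line, address and threshold is an assumption made for the example.

```python
"""Rate-based HTTP GET flood detection over IIS W3C-style log lines, 503
counting, and a netstat state summary. Added example for this article, not
the Hadoop algorithm or any product; all log and netstat lines are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def constructed_iis_log():
    """Build a small W3C-format log: normal traffic from three clients, then
    a burst of 60 GETs in 3 seconds from one source and the resulting 503s."""
    fields = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
              "sc-win32-status time-taken")
    lines = [fields]
    t0 = datetime(2024, 1, 8, 11, 0, 0)
    clients = ["198.51.100.20", "198.51.100.21", "192.0.2.9"]
    for i in range(30):  # one normal request every 2 s, rotating clients
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /index.html - 80 - "
                     f"{clients[i % 3]} Mozilla/5.0 - 200 0 0 12")
    for i in range(60):  # flood: 60 GETs in 3 s from one address, last 20 get 503
        ts = t0 + timedelta(seconds=20, milliseconds=50 * i)
        status = 200 if i < 40 else 503
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /search.aspx q=x 80 - "
                     f"203.0.113.7 curl/8.0 - {status} 0 0 3000")
    return lines


def parse_iis(lines):
    """Parse W3C lines into dicts keyed by the names on the #Fields: header."""
    events, names = [], None
    for line in lines:
        if line.startswith("#Fields:"):
            names = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(names, line.split()))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        events.append(rec)
    return events


def get_flood_sources(events, window=timedelta(seconds=10), threshold=30):
    """Peak number of GETs per client inside any sliding window; return the
    clients whose peak exceeds the threshold (both values are assumptions)."""
    windows, peak = defaultdict(deque), Counter()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["cs-method"] != "GET":
            continue
        q = windows[e["c-ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        peak[e["c-ip"]] = max(peak[e["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def status_503_count(events):
    """Number of 'Service Unavailable' responses, the IIS symptom in the text."""
    return sum(1 for e in events if e["sc-status"] == 503)


# Constructed Linux-style `netstat -ant` output.
NETSTAT_SAMPLE = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40001     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55012         ESTABLISHED
"""


def netstat_summary(text):
    """Count TCP sockets by state and by remote address. Many SYN_RECV entries
    point at a SYN flood that an ESTABLISHED-only count would miss."""
    by_state, by_remote = Counter(), Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        by_state[parts[5]] += 1
        by_remote[parts[4].rsplit(":", 1)[0]] += 1
    return by_state, by_remote


if __name__ == "__main__":
    events = parse_iis(constructed_iis_log())
    print("GET flood sources:", get_flood_sources(events))
    print("503 responses:", status_503_count(events))
    by_state, by_remote = netstat_summary(NETSTAT_SAMPLE)
    print("by state:", dict(by_state), "top remote:", by_remote.most_common(3))
```

On a real server, feed `parse_iis` the live log and `netstat_summary` the output of `netstat -ant` (or `ss -tan` with the same column handling), and set the window and threshold from the server's observed baseline rather than the numbers assumed here.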
The Modern Hacker Attacks
"The more things change, the more they stay the same." This statement is no less true in the world of cyber-crime, as evidenced by the enduring attack vectors. While threat hunting, analysts should keep their arsenal of tools handy, because most new attack variants are re-inventions of these traditional methods.