Augmenting Threat Hunting Using Threat Intelligence

By Lindsay Kaye

April 18, 2023

Lindsay Kaye will be speaking more about Threat Hunting at HammerCon 2023 on Thursday, May 18, 2023 - get your tickets today!

Introduction

Almost any organization can benefit from threat hunting - whether as part of a full-fledged adversary emulation exercise to determine how implemented security controls hold up against actor-specific TTPs or simply in order to ensure organizational systems are configured as expected. This becomes even more critical for entities that are frequently targeted by both ransomware and state-sponsored threat actors including government organizations, public utilities, hospitals, and schools. As seen in Figure 1, ransomware attacks against these entities may be slowing somewhat, but are very likely to continue. Threat hunting does not require a large team of experts to be effective, and can be augmented by effectively applying threat intelligence.

Figure 1: Ransomware attacks on state and local governments over the past 2 years (Source: Recorded Future)

Since adversaries are consistently evolving their technical capabilities and how they employ them, a comprehensive threat hunting strategy needs to take into account both tried-and-true and novel techniques. In order to frame this discussion, we will look at how threat intelligence can be incorporated at each level of an attack as an adversary moves from identification of a target of interest to gaining initial access, escalating the attack with post-exploitation tools, potentially identifying and exfiltrating data of interest, and finally to dropping any end-stage tools.

Figure 2: Lifecycle of a cyber attack from opportunity assessment to dropping of end-stage tools

Opportunity Assessment

In order to identify infrastructure that is vulnerable, many threat actors will use openly available tools like Shodan or Censys to identify open ports or specific software installed on the system. This may be done to look for potential targets or for opportunities to access a particular target. A threat actor likely wants to know what an organization’s attack surface looks like - such as what versions of software are on internet-facing systems, or what types of infrastructure they use - and whether any could present a potential point of initial access. Recently, the ESXiArgs ransomware attacks demonstrated the potential for damage caused by misconfigurations and unpatched vulnerabilities [1] in internet-facing devices. However, trying to detect malicious scanning and differentiate it from benign activity is not an effective defensive approach.

Attack surface intelligence provides a view of what an adversary sees from outside the network and gives defenders perspective on which assets could be at risk. Using attack surface intelligence as part of a defensive strategy makes it possible to identify and inventory infrastructure, prioritize remediation efforts like vulnerability patching, and ultimately automate the identification of any high-risk internet-accessible assets in the organization. Knowing which vulnerabilities have been exploited in the wild, how they affect the organization’s infrastructure in particular, and to what degree, is critical to prioritizing where resources are focused. Recorded Future provides recommended mitigations and detections along with this contextualized data, allowing organizations to take action to remediate the exposures it identifies.

Prescriptive guidance on existing high-risk vulnerabilities in infrastructure and how to remediate them is also accompanied by intelligence on emerging vulnerabilities that could allow a threat actor to compromise the organization’s assets. Rather than needing to monitor every newly disclosed vulnerability affecting the organization’s infrastructure, resources can focus on the specific ones that present a high-potential threat. From the threat hunting perspective, employing threat intelligence in this way creates a more realistic scenario of how your infrastructure is most likely to be attacked, again allowing for better prioritization of resources.
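The prioritization described in the two paragraphs above, as an added example (not code from the original article or from Recorded Future): a constructed asset inventory is joined against constructed vulnerability intelligence records, and each finding is ranked so that evidence of in-the-wild exploitation and internet exposure outweigh raw severity. The asset names, product names, `VULN-EXAMPLE-*` identifiers and the scoring weights are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Asset:
    name: str
    internet_facing: bool
    software: List[Tuple[str, str]]  # (product, version) pairs


@dataclass
class VulnIntel:
    vuln_id: str            # placeholder id, not a real CVE number
    product: str
    affected_versions: Set[str]
    cvss: float
    exploited_in_wild: bool  # the signal the text says matters most
    ransomware_linked: bool
    mitigation: str


# Constructed inventory: a small mix of internet-facing and internal systems.
ASSETS = [
    Asset("vpn-edge-01", True, [("ExampleVPN", "9.1")]),
    Asset("hypervisor-03", True, [("ExampleHypervisor", "6.7")]),
    Asset("intranet-wiki", False, [("ExampleWiki", "2.4")]),
    Asset("build-server", False, [("ExampleCI", "1.0")]),
]

# Constructed intelligence records (hypothetical products and ids).
INTEL = [
    VulnIntel("VULN-EXAMPLE-1", "ExampleVPN", {"9.0", "9.1"}, 9.8, True, True, "Upgrade to 9.2"),
    VulnIntel("VULN-EXAMPLE-2", "ExampleHypervisor", {"6.5", "6.7"}, 8.8, True, True, "Apply vendor patch"),
    VulnIntel("VULN-EXAMPLE-3", "ExampleWiki", {"2.4"}, 7.5, False, False, "Patch in next window"),
    VulnIntel("VULN-EXAMPLE-4", "ExampleCI", {"1.0"}, 9.1, False, False, "Patch in next window"),
]

# Assumed weights: exploitation evidence dominates, exposure and ransomware
# linkage add to it, and CVSS only breaks ties between otherwise equal findings.
W_EXPLOITED = 10.0
W_RANSOMWARE = 5.0
W_INTERNET_FACING = 5.0


def score(asset: Asset, vuln: VulnIntel) -> float:
    """Priority score for one (asset, vulnerability) pair."""
    s = vuln.cvss
    if vuln.exploited_in_wild:
        s += W_EXPLOITED
    if vuln.ransomware_linked:
        s += W_RANSOMWARE
    if asset.internet_facing:
        s += W_INTERNET_FACING
    return s


def prioritize(assets: List[Asset], intel: List[VulnIntel]):
    """Return findings as (score, asset, vuln_id, mitigation), highest priority first."""
    findings = []
    for asset in assets:
        for product, version in asset.software:
            for vuln in intel:
                if vuln.product == product and version in vuln.affected_versions:
                    findings.append((score(asset, vuln), asset.name, vuln.vuln_id, vuln.mitigation))
    # Deterministic ordering: score descending, then asset and id for stable output.
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for s, asset, vuln_id, mitigation in prioritize(ASSETS, INTEL):
        print(f"{s:5.1f}  {asset:<15} {vuln_id:<16} {mitigation}")
```

Note that the internal build server's 9.1 CVSS finding ranks below both exploited findings on internet-facing hosts; that is the effect the text is describing, where exploitation evidence rather than severity alone drives the remediation order.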

Gaining and Escalating Access

Initial access is often gained by targeting vulnerabilities in externally-facing infrastructure, but can also be done through phishing emails or links, or purchases of credential access from Initial Access Brokers on the dark web. However, gaining access through supply chain compromise of third-party software or libraries, as was the case with the SolarWinds and 3CXDesktop compromises or the exploitation of the Log4Shell vulnerability, remains successful, especially for APT actors. Ultimately, these tools are part of an organization’s attack surface and the same threat intelligence perspective can also be applied to them. This permits not only identifying vulnerabilities affecting third-party tools in the organization’s supply chain, but also determining which of them, existing and newly emerging, are being exploited in the wild, accompanied by prescriptive guidance for remediation.

Similarly, credential access and use of third-party tools can be used to escalate access or move laterally through the organization. Once inside the network, threat actors may identify credentials for services such as SSH, RDP or VNC in private key files, bash history, internal software code, system administrator notes or through the use of input capture tools like keyloggers. Third-party tools used by the organization such as administration software or Managed Service Providers (MSPs) can also provide a way to spread malware or gain access to other devices. These tools often have high privileges, and detecting malicious versus benign use is challenging. As a result, using threat intelligence in combination with threat hunting is important. Used in tandem, the two make it possible both to identify the tools that present the greatest risk and to assess gaps in detecting and securing against their malicious use.

Post-Exploitation Activity

Recorded Future has observed a variety of TTPs - both emerging and well-known - associated with post-exploitation activity. Both cybercriminal and state-sponsored [2] threat actors make use of openly available, commodity [3] tools. As part of the “2022 Adversary Infrastructure Trends” report [4], Recorded Future looked at the top trends associated with command and control servers and other malicious infrastructure, including tools and hosting provider data. 

Figure 3: Excerpt from “2022 Adversary Infrastructure Trends” report (Source: Recorded Future).

Aggregating post-exploitation tool usage metrics makes it possible to create a data-driven strategy around what TTPs are most commonly used and confirm or refute assumptions on threat actor behavior. As seen in Figure 3, well-known tools remain popular with threat actors - Cobalt Strike, PlugX, commodity RATs and other openly available tools. As a result, for smaller teams looking to pursue threat hunting within their organizations, threat intelligence helps prioritize hunting for the tools threat actors use most and for those most relevant to the organization. For mature teams looking to emulate a particular adversary, using finished intelligence reporting in conjunction with tools like C2 lists, Sigma rules and YARA rules provides a more complete picture of the specific TTPs employed by the threat actor as well as MITRE ATT&CK-aligned detections that can be used to hunt for them.

Threat intelligence combines contextual data and insight into specific TTP usage both historically and at present to help organizations approach threat hunting from an iterative perspective. While existing tools remain popular, threat actors make use of emerging tools such as C2 frameworks, red team tools and commodity malware published in open source or openly available on the dark web; using these tools rather than custom tooling lowers the risk of attribution to a particular threat actor. However, it is not possible to incorporate every new tool into a detection or threat hunting strategy; using threat intelligence surfaces the tools most likely to affect your organization now and in the future. The “2022 Adversary Infrastructure Trends” report concluded that while Cobalt Strike is popular now, it’s likely that its use will be cannibalized by newer, niche tools such as Brute Ratel C4, Sliver, and DeimosC2 [5] based on quantitative data around the number of C2s observed and qualitative trends in threat actor behavior. Finally, as organizations seek to mature their threat hunting strategy and identify detection and hunting gaps, using threat intelligence makes it possible to close these gaps using the additional context provided, including finished intelligence reporting and MITRE ATT&CK tags.

Data Exfiltration and End-Stage Malware

Finally, often the last step of a cyberattack is exfiltrating victim data and dropping an end-stage malware payload. This stage often uses actor-specific tooling that can be detected by the use of YARA, Sigma and Snort rules specifically targeting these TTPs in conjunction with technical links between IOCs. As an example, after identifying a suspicious or malicious hash associated with a particular malware family, using technical links makes it possible to pivot to and hunt for related IOCs such as IPs, other malicious files or other TTPs that are associated with that malware. Threat intelligence provides this context around suspicious and malicious IOCs both to provide more insight into a particular threat as well as to help identify detection and hunting gaps. As threat actors evolve their tooling, the same principles of using threat intelligence to incorporate new TTPs apply here as well and can be employed to track particular threat actors of interest over time.
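The pivot described above (a known-bad hash, its technical links, and the related IOCs they lead to) together with the C2-list hunting mentioned in the post-exploitation section, as an added example that is not code from the original article or from Recorded Future. The link graph, the `type:value` IOC notation, the hashes, addresses and domains, and the proxy log lines are all constructed for the illustration; the addresses and domains use reserved documentation ranges and the `.invalid` TLD so nothing here points at a real host.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed technical-link graph: (ioc_a, relation, ioc_b). IOCs are written as
# "type:value" so a hunt can pick the network-observable ones out of the result.
LINKS = [
    ("sha256:EXAMPLE_A", "communicates_with", "ip:198.51.100.23"),
    ("ip:198.51.100.23", "resolved_from", "domain:update.example.invalid"),
    ("sha256:EXAMPLE_A", "member_of", "family:ExampleRAT"),
    ("family:ExampleRAT", "has_sample", "sha256:EXAMPLE_B"),
    ("sha256:EXAMPLE_B", "communicates_with", "ip:203.0.113.77"),
    ("family:ExampleRAT", "uses_technique", "technique:T1071.001"),
]

# Constructed proxy log lines to hunt over (hostnames and addresses are fictional).
PROXY_LOGS = [
    "2023-04-01T10:00:01Z host=ws-17 dst=198.51.100.23:443 method=CONNECT",
    "2023-04-01T10:00:05Z host=ws-17 dst=update.example.invalid:443 method=GET",
    "2023-04-01T10:01:00Z host=ws-22 dst=192.0.2.10:443 method=GET",
]

NETWORK_TYPES = {"ip", "domain"}


def build_adjacency(links) -> Dict[str, List[Tuple[str, str]]]:
    """Index links in both directions so a pivot can walk from either end."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for a, rel, b in links:
        adj.setdefault(a, []).append((rel, b))
        adj.setdefault(b, []).append(("inverse:" + rel, a))
    return adj


def pivot(seed: str, links, max_depth: int = 2) -> Dict[str, Tuple[int, List[str]]]:
    """Breadth-first walk from `seed`; returns related IOC -> (hops, path).

    `max_depth` bounds how far the pivot goes, since every extra hop adds
    indicators with weaker ties to the original sample.
    """
    adj = build_adjacency(links)
    depth = {seed: 0}
    path = {seed: [seed]}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue
        for rel, nxt in adj.get(node, []):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                path[nxt] = path[node] + [f"-{rel}->", nxt]
                queue.append(nxt)
    return {ioc: (d, path[ioc]) for ioc, d in depth.items() if ioc != seed}


def ioc_type(ioc: str) -> str:
    return ioc.split(":", 1)[0]


def ioc_value(ioc: str) -> str:
    return ioc.split(":", 1)[1]


def hunt(seed: str, links, logs: List[str], max_depth: int = 2):
    """Expand the seed into related network IOCs and report which appear in the logs."""
    related = pivot(seed, links, max_depth)
    hits = []
    for ioc, (d, p) in sorted(related.items(), key=lambda kv: kv[1][0]):
        if ioc_type(ioc) not in NETWORK_TYPES:
            continue
        for line in logs:
            if ioc_value(ioc) in line:
                hits.append((ioc, d, line))
    return hits


if __name__ == "__main__":
    for ioc, (d, p) in pivot("sha256:EXAMPLE_A", LINKS).items():
        print(d, " ".join(p))
    for ioc, d, line in hunt("sha256:EXAMPLE_A", LINKS, PROXY_LOGS):
        print(f"HIT depth={d} {ioc}: {line}")
```

The depth bound is the practical control here: at one hop the hunt only matches the C2 address tied directly to the seed sample, at two hops it also matches the domain that address resolved from, and a third hop would pull in the sibling sample's C2, which is worth checking but carries a weaker link to the original hash.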

Threat actor-specific tooling can also offer opportunities for correlation across versions, especially if anomalies or other tool hallmarks are carried over between versions. For example, Insikt Group’s research [6] on SOLARDEFLECTION identified unusual features in the threat actor infrastructure that can provide tracking opportunities, including consistent use of specifically customized SSL certificates and a mismatch between the SSL certificate Subject CN (Common Name) and the 302 redirection location. On the cybercriminal side, BlackMatter’s reuse [7] of the same unusual combination of cryptographic routines as DarkSide, or commonalities in ransom note language, are hallmarks that Insikt Group has used to surface new versions of a group’s ransomware.
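The certificate-versus-redirect hallmark from the SOLARDEFLECTION research, turned into a hunting check, as an added example that is not code from the original article or from Insikt Group: each constructed observation pairs a server's certificate Subject CN with the HTTP status and `Location` header it returned, and servers whose 302 target host is not covered by their own certificate are flagged and then grouped by CN so a shared certificate across several addresses stands out. The observation format, the addresses and the hostnames are assumptions made for the illustration; wildcard CNs are honoured for exactly one label, which is how browsers treat them.

```python
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed observations from an assumed scan of the organization's own
# perimeter (documentation-range addresses and example.* hostnames).
OBSERVATIONS = [
    {"ip": "203.0.113.5",  "cert_cn": "login.example.com",  "status": 302, "location": "https://login.example.com/auth"},
    {"ip": "203.0.113.6",  "cert_cn": "*.example.com",      "status": 302, "location": "https://cdn.example.com/"},
    {"ip": "198.51.100.9", "cert_cn": "portal.example.com", "status": 302, "location": "https://198.51.100.9/"},
    {"ip": "198.51.100.10", "cert_cn": "www.example.org",   "status": 302, "location": "http://example.net/"},
    {"ip": "198.51.100.11", "cert_cn": "app.example.com",   "status": 200, "location": None},
    {"ip": "198.51.100.12", "cert_cn": "*.example.com",     "status": 302, "location": "https://a.b.example.com/"},
    {"ip": "198.51.100.13", "cert_cn": "www.example.org",   "status": 302, "location": "/login"},
    {"ip": "198.51.100.14", "cert_cn": "www.example.org",   "status": 302, "location": "http://example.net/"},
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def cn_matches(cn: str, host: str) -> bool:
    """True if the certificate CN covers `host` (single-label wildcard only)."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        # "*.example.com" covers "a.example.com" but not "a.b.example.com".
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host


def redirect_host(location: Optional[str]) -> Optional[str]:
    """Host named by a Location header, or None for a relative redirect."""
    if not location:
        return None
    return urlsplit(location).hostname


def find_mismatches(observations: List[dict]) -> List[dict]:
    """Servers whose redirect target host is not covered by their certificate CN."""
    flagged = []
    for obs in observations:
        if obs["status"] not in REDIRECT_STATUSES:
            continue
        host = redirect_host(obs["location"])
        if host is None:
            continue  # relative redirect stays on the same host: nothing to compare
        if not cn_matches(obs["cert_cn"], host):
            flagged.append({**obs, "redirect_host": host})
    return flagged


def cluster_by_cert(flagged: List[dict]) -> Dict[str, List[str]]:
    """Group flagged servers by certificate CN to expose reused infrastructure."""
    groups = defaultdict(list)
    for obs in flagged:
        groups[obs["cert_cn"]].append(obs["ip"])
    return dict(groups)


if __name__ == "__main__":
    hits = find_mismatches(OBSERVATIONS)
    for h in hits:
        print(f"{h['ip']}: cert CN {h['cert_cn']} but 302 -> {h['redirect_host']}")
    for cn, ips in cluster_by_cert(hits).items():
        print(f"certificate {cn} seen on {len(ips)} flagged host(s): {', '.join(ips)}")
```

The check is deliberately narrow. A CN that does not cover the redirect target is unusual for legitimately operated sites, but it is not proof of anything on its own; the value, as the text notes, is that the hallmark stays consistent across an actor's infrastructure, so the grouping step is what turns a single odd server into a tracking opportunity.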

Summary

Threat intelligence data allows organizations to make more effective use of their resources, especially with regard to the execution of threat hunting at every level. Using a data-driven approach to identifying risks to the organization’s attack surface, the threat actors and TTPs most likely to target the organization, and the mitigations to implement allows resources to move away from monitoring and a reactive defensive strategy. Instead, these resources can be focused on looking to the future, both in how the organization can implement new threat hunting practices and in using threat intelligence to better understand how threat actors will evolve their TTPs and how this can and will affect the organization.

References

[1] “ESXiArgs Ransomware Virtual Machine Recovery Guidance.” 2023. CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a.

[2] Insikt Group, Recorded Future. 2022. “SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse.” Recorded Future. https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse.

[3] Insikt Group, Recorded Future. 2022. “Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine.” Recorded Future. https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine.

[4] Insikt Group, Recorded Future. 2022. “2022 Adversary Infrastructure Report.” Recorded Future. https://www.recordedfuture.com/2022-adversary-infrastructure-report.

[5] Ibid.

[6] Insikt Group, Recorded Future. 2022. “SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse.” Recorded Future. https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse.

[7] Emsisoft. 2021. “Ransomware Profile: BlackMatter.” Emsisoft. https://www.emsisoft.com/en/blog/39121/ransomware-profile-blackmatter/.

About the Author

Lindsay Kaye is the Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance (ARMOR) for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.