Traditional detection methods are failing. Breach after breach, incident after incident, it is becoming clearer that attackers have a firm understanding of the industry-standard detection methods, such as AV and IDS, deployed by many organizations. Because attackers know, or at least can guess, which strategies these traditional technologies use, it is well worth their time and money to build bypasses for mainstream security defenses, and they routinely do.
Black Hills Information Security believes that it is in the best interest of organizations to assume that they have already suffered a compromise. Under that assumption, it becomes necessary to hunt for attackers who have successfully flown under the radar. With HTOC, Black Hills Information Security experts take this activity off the shoulders of your company's staff and monitor your traffic for you.
As a pentesting firm, we are in tune with the cutting-edge bypass techniques that attackers use today. This makes us uniquely positioned to detect those techniques in your environment.
For example, the chart below is from the Verizon Data Breach Investigations Report:
The main point to understand from this graph is that log review and HIDS were each responsible for detecting ~1% of breaches. This result means that there is a strong need to employ different tactics for detecting advanced attackers.
Hunt Teaming is an activity where we search for attackers who successfully use evasion techniques to bypass traditional detection methods.
Continual Hunt Team Operations Center (HTOC)
For our HTOC service, customers send us their pre-NAT (pre-network address translation) egress network logs for regular analysis and alerting on beaconing and other possibly malicious activity. Pre-NAT logs matter because they preserve the internal source address, so a finding can be traced back to a specific host rather than to the shared egress IP. This can be done in a number of different ways to accommodate almost any environment: either customers send properly formatted NetFlow v9/IPFIX records directly to BHIS cloud services, or BHIS builds a Bro/Zeek sensor, delivered onsite, that sends network traffic metadata to the BHIS HTOC.
Because of today's compliance- and privacy-driven environments, only network metadata is sent to the HTOC for analysis by the BHIS HTOC team. The data we collect includes TCP/IP/UDP header information, HTTP(S) session information, DNS queries, and other network traffic statistics. Collecting only header and statistical information matters under regulations like GDPR and HIPAA, because personally identifiable information carried in payloads stays private. We do not need nor want full content data.
Below are just a few examples of what the BHIS HTOC can monitor for your organization.
- Beaconing: We search for persistent, recurring outbound connections in order to identify attacker command and control (C2) sessions. When a system is compromised and a backdoor is installed, it is very common for the backdoor to check in on a fixed or routinely scheduled cadence, a "beacon", at regular intervals, or to show other patterns from which we can find beaconing activity. Beaconing of this kind is in stark contrast to how normal systems and users generate traffic. For example, if a user accesses a site or a server downloads a patch, it will be a short-lived connection; normal user activity is not associated with a steady, persistent or routine connection to the same destination over a 24-hour period. Some legitimate software (update checks, monitoring agents) does check in on a schedule, so beaconing candidates are treated as leads to investigate rather than as verdicts.
- Duration: We do a statistical analysis of the duration of sessions made with your systems, looking for sessions of unusual length.
- Threat Intelligence: Some IP addresses and domains have been reported as malicious because they send spam, host malware, or act as an entry point for attackers. Lists of these are what many refer to as threat intelligence feeds. Often, when a machine is compromised, it will either attempt to connect to a blacklisted address or will have become infected by communicating with such a location.
- User-agent Strings: With a sufficient quantity of logs, we count the HTTP user-agents by frequency, and possibly by source address. We can then sort by frequency and look at the least frequent requests, which are likely to carry highly unusual user-agent strings. Assuming that we retain the internal source address that the request was transmitted from, the unusual, infrequent requests can be traced back to specific devices for further analysis.
- DNS Analysis: We run DNS queries through a statistical analysis. We look at where each query was sent, how many different machines queried that name, and the total number of times it was queried. We also look at the attributes of the queries themselves: the response packet may be unusually large, uncommon DNS record types may be used, or the number of NXDOMAIN responses might be abnormally high.
- Cross Referencing Modules: At the end, each module is cross-referenced with the others to find the hosts with the highest likelihood of intrusion. The goal of the cross-analysis phase is to find machines exhibiting multiple indicators of a potential compromise. Looking at an individual module, it might not be clear that anything out of the ordinary is happening. Taken as a whole, however, a pattern associated with compromise might emerge, and, more importantly, it might show where in your organization the intruder resides.
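To make the modules above concrete, here is an added Python example (not BHIS's HTOC code) that runs simplified versions of the beaconing, duration, user-agent and cross-referencing modules over one constructed day of connection metadata. The record field names, the thresholds, the sample hosts and the constructed traffic are all assumptions for illustration; only header-level fields are used, in keeping with the metadata-only collection described above.

```python
"""Hunt-style analysis over network metadata (added example; not BHIS HTOC code).

Records are constructed inline so the script runs offline. Field names (ts, src,
dst, dport, duration, ua) are assumptions loosely modelled on Zeek conn/http logs;
no payload is needed, matching the metadata-only collection described above."""
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev

DAY = 24 * 3600
MIN_CONNECTIONS = 20      # fewer connections than this: not a beacon candidate
MAX_INTERVAL_CV = 0.20    # pstdev/mean of inter-arrival gaps; low means regular cadence
LONG_SESSION_SECS = 6 * 3600
RARE_UA_MAX_COUNT = 2     # user-agents seen this often or less count as "rare"

COMMON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"


def build_sample(seed=1):
    """Constructed 24 h of metadata: one beaconing host, one ordinary browser, one odd host."""
    rng = random.Random(seed)
    recs = []
    # 10.0.0.5 connects to 203.0.113.10:443 every 60 s with +/-3 s jitter, all day.
    t = 0.0
    while t < DAY:
        recs.append(dict(ts=t, src="10.0.0.5", dst="203.0.113.10", dport=443,
                         duration=0.4, ua=COMMON_UA))
        t += 60 + rng.uniform(-3, 3)
    # 10.0.0.7 visits 198.51.100.20:443 forty times at random moments (irregular gaps).
    for ts in sorted(rng.uniform(0, DAY) for _ in range(40)):
        recs.append(dict(ts=ts, src="10.0.0.7", dst="198.51.100.20", dport=443,
                         duration=rng.uniform(0.1, 30), ua=COMMON_UA))
    # 10.0.0.9 makes two requests with a scripting UA, one of them a 9-hour session.
    recs.append(dict(ts=3600.0, src="10.0.0.9", dst="192.0.2.40", dport=8443,
                     duration=9 * 3600, ua="python-requests/2.31.0"))
    recs.append(dict(ts=40000.0, src="10.0.0.9", dst="192.0.2.40", dport=8443,
                     duration=1.5, ua="python-requests/2.31.0"))
    return recs


def find_beacons(recs):
    """Beaconing module: flag (src, dst, port) pairs whose inter-arrival times are regular.

    The coefficient of variation tolerates small jitter; heavy jitter needs a more
    robust dispersion measure (e.g. median absolute deviation)."""
    by_pair = defaultdict(list)
    for r in recs:
        by_pair[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = mean(gaps)
        if mean_gap == 0:          # all timestamps identical: nothing to measure
            continue
        cv = pstdev(gaps) / mean_gap
        if cv <= MAX_INTERVAL_CV:
            hits[pair] = dict(connections=len(stamps), interval=round(mean_gap, 1),
                              cv=round(cv, 3),
                              hour_coverage=len({int(ts // 3600) for ts in stamps}) / 24)
    return hits


def find_long_sessions(recs):
    """Duration module: sessions far longer than an ordinary web request."""
    return {(r["src"], r["dst"], r["dport"]): r["duration"]
            for r in recs if r["duration"] >= LONG_SESSION_SECS}


def find_rare_user_agents(recs):
    """User-agent module: least frequent UA strings, traced back to their source hosts."""
    counts = Counter(r["ua"] for r in recs)
    rare = defaultdict(set)
    for r in recs:
        if counts[r["ua"]] <= RARE_UA_MAX_COUNT:
            rare[r["ua"]].add(r["src"])
    return {ua: sorted(hosts) for ua, hosts in rare.items()}


def cross_reference(recs):
    """Cross-referencing: per internal host, the modules that flagged it."""
    flagged = defaultdict(set)
    for (src, _, _) in find_beacons(recs):
        flagged[src].add("beacon")
    for (src, _, _) in find_long_sessions(recs):
        flagged[src].add("long_session")
    for hosts in find_rare_user_agents(recs).values():
        for src in hosts:
            flagged[src].add("rare_ua")
    return {src: sorted(mods) for src, mods in flagged.items()}


if __name__ == "__main__":
    sample = build_sample()
    for pair, info in find_beacons(sample).items():
        print("beacon candidate", pair, info)
    for src, mods in sorted(cross_reference(sample).items(), key=lambda kv: -len(kv[1])):
        print(src, "indicators:", ", ".join(mods))
```

Run as a script, it prints the beaconing candidate and a per-host indicator ranking: the host with the regular 60-second cadence is flagged by the beacon module, and the host with both a nine-hour session and a rarely seen user-agent collects two indicators, which is exactly what the cross-referencing step is meant to surface. The coefficient-of-variation test is deliberately simple; beacons with heavy jitter inflate the standard deviation, so a production implementation would use a robust dispersion measure such as median absolute deviation and would also weight persistence across the day (the hour_coverage value) when ranking candidates.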
BHIS Background with Hunt Teaming
Black Hills Information Security testers routinely bypass detection and prevention technologies during our assessments using cutting-edge techniques gleaned from security conferences as well as our own internal training. Using that knowledge, we employ detection techniques and custom log analysis to recognize these intrusions for our customers. Below are some additional presentations on the research BHIS has performed in this area:
With every purchase of our HTOC services, all customers get 5 complimentary licenses to our Cyber Range and our Expert Support Team services.