By Vicente Diaz, Security Specialist, VirusTotal
Monday, August 2nd, 2021
During a recent podcast I was asked “is threat hunting useful anymore?” which is a legitimate question, followed by “should we care about APT activity at all?”. This made me think that it would be interesting to provide some insights into the role of threat hunting today.
Threat hunting is traditionally related to APT (Advanced Persistent Threat) activity. I'm not going to discuss its origins here, only to say that researchers became familiar with this discipline and started obtaining brilliant results around 10 years ago. This helped to uncover advanced cyberespionage operations that had flown under the radar for many years. The APT term might now be outdated, with cybercriminal groups adopting the same techniques APT groups had previously shown to be effective, and many state-sponsored actors either adopting publicly available malware or hiring private companies to obtain the tooling they need.
I believe that this relationship between threat hunting and APT attacks (which are no longer a top priority for defenders, in most cases) might have hurt threat hunting’s reputation as a useful resource for defenders. But here is where I disagree. Threat hunting can be leveraged to become a tactical advantage.
The short answer to that question is: to get as much visibility as possible into known malicious activity. Maybe we have a number of indicators of compromise from a third-party publication, or an alert in our SIEM we want to explore, or perhaps we are involved in a forensic/IR investigation. In all cases we want to know as much as possible. We want all the artefacts and infrastructure related to the activity in order to have a complete picture that, ultimately, will provide us with context.
Now, threat hunting can be used in a proactive way to monitor any suspicious activity as it evolves so we can implement the proper protection strategy. Obviously, we should do this in a smart way to prioritize monitoring relevant activity for our organization.
For example, let’s say a company is highly concerned about a crimeware group specialized in targeting the same business sector they are in, and they find a number of related indicators of compromise submitted by a reputable company a few months earlier. After deploying these IOCs into perimeter defenses many security teams would stop. What about doing some hunting around them, getting fresh new indicators and monitoring any further activity from this group? Let’s be proactive.
Finding new undetected threats is both a discipline and an art, but technology is moving fast and incorporating tools to make our life easier.
Where to start? A first step could be dropping all the indicators into a VTGraph and putting on the table all the infrastructure and artefacts to see how everything is related. Visual investigations are very useful to get a first idea of what these indicators are and how they group together. A typical step at this stage would be to expand all infrastructure-related information we can get to find any other artefacts communicating with the same malicious C&Cs or downloaded from the same ITW URLs. At this stage we can also find distribution methods used by attackers, for instance through a parent relationship showing malware was dropped from some attachment.
We can also hope for a best-case scenario where we find external references for the additional elements we found, for instance from OSINT publications, crowdsourced YARA rules, or comments from the community.
Let’s assume this is not the case. Here we want to analyze the artefacts we have to find something unique we can use to find more potentially related samples. We can start with some string-based searches, the trick being identifying a relevant one. PDB paths are a traditional good example, but also encryption keys, unique commands, etc. These strings can be used to create YARA rules that we can check against a historical malware repository and keep running against fresh new samples we ingest in the future (live hunting).
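As an added example (not part of the original post, and not VirusTotal's own tooling), the following Python pulls the PDB path out of a sample's CodeView "RSDS" debug record and turns it into a YARA rule of the kind described above; the sample bytes, GUID and rule name are constructed for illustration.

```python
import re
import struct
import uuid

# Constructed stand-in for a PE file carrying a CodeView RSDS debug record:
# "RSDS" signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60                       # fake DOS header padding
    + b"RSDS"                                          # CodeView signature
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)                             # PDB "age" field
    + b"C:\\Users\\dev\\projects\\loader\\Release\\loader.pdb\x00"
    + b"\x00" * 32
)

# A raw scan for the RSDS layout; a production tool would walk the debug
# directory (e.g. with pefile) instead of pattern-matching the whole file.
CV_RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every NUL-terminated PDB path that follows an RSDS header."""
    return [m.group(3).decode("latin-1") for m in CV_RSDS.finditer(data)]


def yara_rule_from_pdb(name: str, pdb_path: str, ref: str) -> str:
    """Emit a YARA rule pivoting on the PDB path, escaped for a YARA text string."""
    escaped = pdb_path.replace("\\", "\\\\").replace('"', '\\"')
    return "\n".join([
        f"rule {name}",
        "{",
        "    meta:",
        f'        reference = "{ref}"',
        "    strings:",
        f'        $pdb = "{escaped}" ascii',
        "    condition:",
        "        uint16(0) == 0x5A4D and $pdb",   # MZ header plus the PDB string
        "}",
    ])


if __name__ == "__main__":
    for path in extract_pdb_paths(SAMPLE):
        print(yara_rule_from_pdb("hunt_loader_pdb", path, "constructed sample"))
```

In practice an analyst would usually trim the path to its distinctive project fragment so the rule survives minor rebuilds, and would first check the string is not shared by benign software.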
This string-based approach is not always valid, especially when attackers create unique artefacts per victim. It is still unlikely that attackers created something totally from scratch for every target. And here is where similarity can help to find related samples.
Similarity is quite self-explanatory: it finds similar samples. This can lead to finding clusters and families the malware belongs to, allowing for further context and pivoting to find more artefacts from the current or past campaigns.
We have many different methods and algorithms to calculate similarity. An interesting one is Visual Similarity, which allows us to find similarities between different Office documents, PDFs and Icons used for Windows Executables. This method works surprisingly well for finding slightly different malicious documents sent as attachments in a mass campaign, for example.
This is just a brief overview of part of the process of threat hunting and some tools that can help analysts to save valuable time and improve their results. What is important is to get familiar with all the different tools and resources we can leverage for threat hunting to speed up obtaining relevant results. This will not only allow us to understand what we are facing, but also to prevent being hit in the first place. The very same techniques we use for response, we can use for prevention by extending our knowledge of ongoing malicious activity and monitoring how it develops. Modern tooling allows us to do this in a semi-automatic and efficient manner.
Vicente Diaz, Security Specialist, VirusTotal
Vicente holds a degree in Computer Science and an MSc in Artificial Intelligence. He was e-crime manager in S21sec for 5 years and deputy director for EU in Kaspersky's Global Research and Analysis team for almost 10 years, where he was co-creator and responsible for the APT Intelligence Reporting service. Since joining VirusTotal, Vicente helps businesses achieve more with threat intelligence.