Advanced Threat Hunting with Chris Brenton

An Antisyphon Class

Active Countermeasures is a group of like-minded geeks that are passionate about giving back to the security community. We do this through free training, thought leadership, and both open-source and affordable commercial tools.

Questions from a beginner threat hunter

Answered By Chris Brenton

What is the primary difference between threat detection and threat hunting?

Threat detection is the act of detecting malicious activity on the network. This may occur through a number of different means, like an alert being triggered or during a forensic analysis. Threat detection is a very generic term and the process can be passive or active.

Threat hunting is specific to actively searching through network and host data, looking for indicators of compromise. This activity is performed regardless of whether any alerts have been triggered.

What’s required to start threat hunting?

Process-wise: The first step is to identify what checks you wish to perform and what data is needed to perform that check. For example, if you want to hunt for C2 communications, you need a way to analyze all traffic passing between the internal network and the internet. This is usually accomplished by capturing traffic at the internal interface of the firewall. This may be done with a network tap or by leveraging a switch SPAN port. Once the data is collected, you need tools and processes to distinguish between C2 communications and normal traffic patterns. C2 can be pretty stealthy, so you may need the ability to analyze the traffic in 12-hour(+) “chunks” of time in order to be able to distinguish it from normal patterns.

Knowledge-wise: For network threat hunting, it’s extremely helpful to have a good knowledge of networking and protocol communications. For example, HTTPS communications typically use the SSL/TLS protocols over TCP port 443. Many C2 tools pass their traffic over TCP/443, but simply obfuscate it (they don’t use SSL/TLS). So if you are network savvy and see traffic using TCP/443 that does not include the SSL/TLS handshake, you know that’s something that needs to be investigated further.

If you plan to do your hunts on the endpoints, you need to have a strong knowledge of every operating system and the applications they are using. For example, PowerShell is a powerful scripting language built into the Windows operating system. It is rare that anyone outside of the IT or security teams would have a legitimate reason for using it. So as a threat hunter, you would need to know that Nancy-in-accounting running PowerShell is extremely suspicious behavior.

What does C2 over DNS mean?

C2 over DNS is the practice of an attacker embedding the C2 traffic inside legitimate DNS queries. This causes your DNS forwarders to happily send the C2 traffic out to the internet. The attackers will then register a remote domain and set up their C2 servers as the authoritative DNS servers for the domain. This means that your DNS servers will send the C2 traffic to the remote C2 server. What makes this C2 activity so stealthy is that the compromised system does not generate any new traffic headed to the internet. Instead, you simply see an increase in the number of DNS queries.

There are so many tools out there… How do I know which to use for what?

Try them out! See which works best in your environment and matches your workflow. Also, don’t expect one tool to always be a perfect fit for every need. For example, if I’m analyzing overall traffic flow, I’ll use a tool like Zeek. If I’m looking for specific patterns, I’ll use Suricata. For specific traffic flows, I’ll use TShark. For a deep analysis on a single session, I’ll turn to Wireshark. My best advice: pick one tool and stick with it. When it doesn’t help with a specific challenge, check out other tools.

I suspect a system has been compromised. What is the best/easiest way to detect lateral movement?

Identify the command and control (C2) server being used and see if any other internal systems are communicating with that server. Be patient, as it’s not uncommon for secondary systems to only call home every 4-8 hours. A packet capture running for 24 hours should be sufficient in most cases.
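Two of the checks above (the TCP/443-without-a-TLS-handshake hunt from the networking answer, and the "which other internal hosts talk to the C2 server" check from this answer) turned into code, as an added example that is not part of the original post. The Zeek conn.log lines, the trimmed field layout, and the use of RFC 1918 ranges to mean "internal" are constructed assumptions.

```python
# Added example, not from the original post: two small hunts over Zeek conn.log
# records. Sample lines are constructed and use an assumed, trimmed field layout.
from ipaddress import ip_address, ip_network

SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\tC1\t10.0.0.5\t51000\t198.51.100.10\t443\ttcp\tssl
1700000010.4\tC2\t10.0.0.7\t51001\t203.0.113.9\t443\ttcp\t-
1700000020.0\tC3\t10.0.0.7\t51002\t203.0.113.9\t443\ttcp\t-
1700014420.0\tC4\t10.0.0.9\t51003\t203.0.113.9\t443\ttcp\t-
1700028830.0\tC5\t10.0.0.7\t51004\t203.0.113.9\t443\ttcp\t-
1700000030.0\tC6\t10.0.0.5\t53001\t10.0.0.2\t53\tudp\tdns
"""
# RFC 1918 ranges stand in for "the internal network" here (assumption).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn_log(text):
    """Turn Zeek's TSV (with its #fields header) into dicts; '-' means unset."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = ["" if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records


def port443_without_tls(records):
    """TCP/443 flows where Zeek's SSL analyzer saw no handshake (service lacks 'ssl')."""
    hits = {(r["id.orig_h"], r["id.resp_h"]) for r in records
            if r["proto"] == "tcp" and r["id.resp_p"] == "443"
            and "ssl" not in r["service"].split(",")}
    return sorted(hits)


def internal_hosts_contacting(records, c2_ip):
    """Map each internal host talking to c2_ip to its (first, last) contact time, so a
    4-8 hour call-home interval shows up across a 24-hour capture."""
    seen = {}
    for r in records:
        src = r["id.orig_h"]
        if r["id.resp_h"] == c2_ip and any(ip_address(src) in n for n in INTERNAL):
            ts = float(r["ts"])
            first, last = seen.get(src, (ts, ts))
            seen[src] = (min(first, ts), max(last, ts))
    return seen
```

On the sample data, 10.0.0.7 and 10.0.0.9 both show TCP/443 traffic with no TLS handshake to 203.0.113.9, and 10.0.0.7's first and last contacts are roughly eight hours apart, which is why a short capture would have missed the second host.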

Acronyms To Remember?

C2 – Command and Control

DNS – Domain Name System

FQDN – Fully Qualified Domain Name

SIEM – Security Information and Event Management
