Hunting in the Age of Cyber Warfare
Adversary-based Threat Hunting

Disclaimer: The sole purpose of this article is to share my own thoughts about cybersecurity detection approaches with my LinkedIn cyber community. There is no political or business motivation behind it whatsoever.

These past few days we have witnessed unprecedented statements from world leaders about how cyber attacks are being strategically used in military campaigns. Now more than ever, the world is in the grip of a new age of conflict: cyber warfare. In order to gain superiority, nations are using cyber attacks to target the critical infrastructure, financial markets, and governmental systems of their rivals, all with potential digital and physical impact. And we cannot dismiss the fact that, while a conflict might directly involve specific nations (e.g. Russia - Ukraine), organizations in other countries should also be prepared for cyber collateral damage, provoked via proxies/diplomacy or even accidentally due to the ubiquitous nature of internet connectivity.

Since nation-sponsored threats are highly sophisticated and prevention is not always "achievable", preparation should rely heavily on advanced detection and threat hunting mechanisms.

The Mindset of a Threat Hunter

Practically speaking, threat hunting usually involves generating hypotheses and leveraging specific security datasets (e.g. endpoint telemetry) within a network in order to find related evidence.

SANS defines threat hunting as "a process using new information on previously collected data to find signs of compromise evading detection".

The Threat Hunter takes a more proactive approach to detection, one based on adversary techniques rather than signatures. This convinces me that it is a suitable role within an organization's Cyber Operating Model for positively contributing to its own nation's cyber warfare maturity.

While threat hunting professionals are passionately driven by understanding and detecting specific techniques/details (WHAT, WHEN) related to cyber threats, which is fantastic, my personal experience tells me that sometimes they tend to “lose the forest for the trees” when it comes to WHY the attacks are happening and which adversaries / threat groups (WHO) are behind them. Organizations employing an adversary-driven threat detection approach and coordinating those activities with national CIRT/CERTs (e.g. sharing the intel using a common taxonomy) can really make a positive difference for their nation in the age of cyber warfare.

Sometimes Threat Hunters tend to “lose the forest for the trees”

Adversary-Driven Threat Detection Approach

Thankfully, with all the incredible R&D that cyber professionals have been doing for the past few years, the community has access to remarkable frameworks that can help in applying that approach, my favorite being MITRE ATT&CK. How?

After a quick research about the Russia-Ukraine conflict, I easily found out that sophisticated tactics, techniques and procedures (TTPs) have been used, such as data-wiper malware (aka "HermeticWiper"), web shells, or even actors using the dark web for reconnaissance / data sharing. I also found out that apparently some known state-sponsored threat groups are involved in these activities, such as Wizard Spider and Sandworm Team. This information by itself is enough to start building adversary-driven hunting hypotheses and increase the chances of staying "ahead of the game", the reason being that MITRE ATT&CK already contains actionable information about the TTPs that these threat groups typically use.

To be more specific, that information will enable you to start answering important questions while generating the hunting hypotheses:

[Q1]. What industry / geolocation does my organization belong to? This will help you narrow down and focus on threats specifically targeted at your industry or geolocation (not necessarily at your org).

[Q2]. What threat groups are targeting my organization and/or the industry and/or geolocation we belong to? MITRE ATT&CK helps you answer that, together with other sources of information in your constituency such as a national CIRT.

[Q3]. What kind of TTPs does the threat group usually leverage? Prioritize the MITRE TTPs and select a specific technique, considering what you actually believe might be harmful to your operations. Organizational context and critical thinking are paramount to being successful in this stage!

[Q4]. Based on the selected technique, what digital assets are desirable from an attacker's perspective? Here is where you really need to understand your network and your assets, and put yourself in the attackers' shoes to define the specific asset that might be vulnerable to the selected technique. This will be your vantage point for detection.

[Q5]. Last but not least, considering the specific technique and digital asset combination, what telemetry source(s) will help you collect evidence of potentially malicious activity? This is where it gets granular and interesting, since it opens the door to many more planning questions such as "where should I centralize and correlate all my telemetry? What kind of events should I be looking for? How do I operationalize my hypothesis (e.g. alerting logic, dashboarding)?"

Let's look at the example below, which represents one of the threat groups involved in the Russia-Ukraine conflict. If we apply the above-mentioned methodology at the "Organization Level", our hypothesis could be something like:


[A1]. Industry: Government, Geolocation: Ukraine

[A2]. According to MITRE ATT&CK, one of the well-known Threat Groups that apparently targeted Ukrainian governmental institutions is the Russian "Sandworm Team"

[A3]. The "Sandworm Team" threat group is known for using Web Shells as one of its techniques to maintain access to a victim's network (Tactic: Persistence)

[A4]. For the Web Shell technique, the digital assets of concern could be Web Servers. The reason being that Web Shells are used to allow adversaries to backdoor Web Servers. Since I am in the realm of imagination, I will assume that the well-known Microsoft IIS is our vantage point

[A5]. Employing Microsoft IIS behavior-based detection could provide us with insights into scenarios where attackers are running commands via Web Shells. Once attackers gain access to a web server, one of their initial goals is to understand the privileges and the environment they have access to, using built-in reconnaissance commands that web apps do not usually run. For example, an IIS instance (w3wp.exe) running commands like ‘net’, ‘whoami’, ‘dir’, ‘cmd.exe’, or ‘query’, to name a few, is usually a compelling indicator of web shell activity. Using Microsoft Sysmon Event ID 1 we can capture the full command line of both the current and the parent process, which in turn gives us the chance to find the suspicious behavior. (I am planning to do a Part 2 of this article where I explain in deep technical / practical detail how you could operationalize similar hunts, e.g. leveraging a SIEM platform like Splunk. Stay tuned)
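To make hypothesis A5 concrete, here is an added example (not code from the original article) that runs the w3wp.exe parent/child check over a few constructed Sysmon Event ID 1 records; the `basename`, `parse_event`, `is_webshell_recon`, `hunt` and `sysmon_event` names are my own, and the sample events are made up, not real telemetry.

```python
"""Apply hypothesis A5 to Sysmon Event ID 1 records: flag the IIS worker process
(w3wp.exe) spawning reconnaissance commands. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET

WEB_WORKER = "w3wp"
# The article's indicator list without ".exe", so a child Image and a bare
# command-line token ("whoami", or the cmd.exe built-in "dir") compare alike.
RECON = {"net", "net1", "whoami", "cmd", "query", "dir"}

def basename(token: str) -> str:
    """Lower-cased final path component of a Windows path/token, minus ".exe"."""
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_event(xml_text: str) -> dict:
    """Flatten <Data Name=...> fields into a dict; tolerates the Sysmon namespace."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter()
            if d.tag.rsplit("}", 1)[-1] == "Data"}

def is_webshell_recon(event: dict) -> bool:
    """True when w3wp.exe is the parent and the child image, or any token of its
    command line, is a reconnaissance command web apps do not normally run."""
    if basename(event.get("ParentImage", "")) != WEB_WORKER:
        return False
    child = basename(event.get("Image", ""))
    tokens = {basename(t) for t in event.get("CommandLine", "").split()}
    return child in RECON or bool(RECON & tokens)

def hunt(raw_events) -> list:
    # Command lines of the events that match the hypothesis (the hunt's findings)
    return [e.get("CommandLine", "") for e in map(parse_event, raw_events)
            if is_webshell_recon(e)]

def sysmon_event(image: str, cmdline: str, parent: str) -> str:
    """Minimal Event ID 1 record; real Sysmon events carry many more fields."""
    return ("<Event><System><EventID>1</EventID></System><EventData>"
            f'<Data Name="Image">{image}</Data><Data Name="CommandLine">{cmdline}</Data>'
            f'<Data Name="ParentImage">{parent}</Data></EventData></Event>')

IIS = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed, not captured from a real host
    # benign: ASP.NET dynamic compilation legitimately spawns csc.exe from w3wp.exe
    sysmon_event(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig", IIS),
    # suspicious: shell spawned by the IIS worker to run whoami
    sysmon_event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", IIS),
    # suspicious: net.exe enumerating local users directly from w3wp.exe
    sysmon_event(r"C:\Windows\System32\net.exe", "net user", IIS),
    # same command, but the parent is an interactive session, so no match
    sysmon_event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the two IIS-spawned command lines; the csc.exe event shows why the parent alone is not enough and the child image must be checked too.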

Last but not least, in case you find something suspicious, make sure you share your hunting results / feeds with your Incident Response team (for containment & eradication) and, consequently, with your national CIRT, thereby contributing to an increased national cyber defense maturity.

Some Final Remarks...

  • Russia-Ukraine Conflict - Related IOCs: During my quick research about the Russia-Ukraine conflict, I realized there are various publicly available Indicators of Compromise (IOCs) related to the conflict. I suggest that those are imported into your SOC technologies (e.g. SIEM, TIP) for threat intelligence correlation & detection quick wins. Some useful sources: Cyclops Blink, Data Wiper
  • Hunting Stealthiness during war times: During an open cyber war, adversaries might be more obvious and direct in their approaches. Since threat hunting usually focuses on finding the less obvious (and more sophisticated) techniques, one might claim that it is not that relevant during war times. I do agree, to a certain degree, with that statement. Nevertheless, I do believe that, during a cyber war, adversaries will employ a mix of obvious techniques (e.g. DDoS, web defacement) together with more sophisticated techniques for particular objectives (for example using stealth techniques to do some form of espionage with the final objective of getting war intelligence). Thus, in my humble opinion, hunting is relevant ALL the time
  • ICS/OT Cybersecurity: Considering that critical infrastructure is a desirable target during cyber warfare campaigns, it is important to also consider hypotheses for the Industrial Control Systems / Operational Technology (ICS/OT) domain. MITRE released a specific ICS/OT framework that can be leveraged for hunting purposes in this domain
  • Critical thinking and intuition are paramount to any effective threat hunting methodology
  • Red-team / Blue-team exercises will help simulate attackers' behavior and understand your visibility gaps (e.g. what telemetry is missing and why?)
  • Special thanks to my wonderful (ex) colleagues @Denver Spitz & @Bernardo Rodrigues for their review & collaboration

The time when organizations invested in cybersecurity people, processes and technology just for compliance is gone! Not only do organizations have to protect their own business with advanced detection mechanisms, but they also have a very important role to play in cyber warfare. Individual responsibility is key these days!

Thanks for reading and please share your thoughts via DM :)

Tiago Novais

Internal Control Manager at Euronext | MSc in Cybersecurity

3 years

Very clear and insightful article Luís! Hope to see more in the future

João Carlos Ferreira

Strategic Account Manager at Pamafe IT

3 years

Proud proud proud … the only word I can say! The goat

Daniel Mota Pinto

@centroinovacaomedica

3 years

Congrats Luis on this amazing piece. Thank you for making it available. As someone outside the cybersecurity industry, like me, it is very clear to get a “grip” on the current and future outlook.

Amir Jamil

Director, Presales and Solution Architecture (Cyber & AI Security)

3 years

It’s a superb piece of writing from the experience and knowledge of an enthusiast.

Haim Chibotero

Sales Manager | Senior Solutions Engineer | Trusted Advisor

3 years

Well Luis, I couldn't resist and I had to read it before the weekend. Great work and I loved when you tied the theory into the practice with the examples. As a last part I am adding this very useful link that can help all the people dealing with TH to find more information, tools and take it one step further, challenging their teams and keeping track with Splunk. https://github.com/0x4D31/awesome-threat-detection
