NotPetya, WannaCry: Specific Instances of Unknown Threats
Pernicious and persistent threats are affecting millions of people worldwide. Small treasures will be spent to restore data from the clutches of cyber-terrorists – if restored at all.
One month ago (today is June 29, 2017), we were just learning about something called WannaCry. Today, NotPetya is snatching headlines; in three weeks, it will be something else. These are only specific instances of what security faces every day – the unknown. We’ve been sitting around waiting for the alarms to trigger and fine-tuning models for the known variables that disturb sleep. However, it is what we do not know that hurts the most.
The evolving tactics, techniques and procedures (TTPs) of advanced attacks will continue to flank us unless we turn security around, from defense to offense.
Threat hunting is the answer: the iterative process of proactively seeking and discovering the tactics, techniques and procedures (TTPs) of sophisticated attacks. These changing tactics require a human to engage with data to uncover adversaries traversing our networks. Hidden within all that data is behavior, behavior that can be assessed using the threat hunting method.
The method is a 4-part process: Assembling Data, Clustering Data, Applying Threat Intelligence, and Open-ended Search.
Assemble Data
Though this may seem obvious, it is the leading impediment to world-class hunting – not because of a lack of data, but the data’s assembly. Often, hunters are awash with data with little guidance on how to assemble it all in meaningful ways. Good hunting begins with assembling data so that it can be adequately interrogated.
Assembling data is like learning a language. It is a discrete and combinatorial exercise where open-ended results can be achieved. If you understand, “This is the cat that ate the mouse” there is nothing preventing you from understanding, “This is the mouse that ate the cheese”. By following a grammar – a code for assembly – the combinations are endless.
Once we have assembled the data, we can move to seeing its connections.
Clustering Data
This is a simple statistical technique of taking the assembled data and applying attributive details to each data element – data enrichment. This gives raw data the opportunity to cluster to other data elements consisting of similar attributes. For example, an IP address as a standalone data element does not reveal much. However, once the data is enriched with greater attributes, it can have “n” number of combinatorial connections. It is through clustering that seemingly benign events become indications of compromise (IOC).
Often, organizations use machine learning to handle the rapid enrichment needed for large datasets. We can allow computers to do the work of assembling and attributing our data, freeing up the time for hunters to, well…hunt.
Applying Threat Intelligence
Hunting teams must cross-reference what is presently happening internally (as revealed by the assembled data) with what is known externally. Using external sources such as Palo Alto AutoFocus, VirusTotal and Symantec DeepSight, hunters can take their unknowns and discover what is known about their own IOCs.
As an example, a hunter may notice a sign of persistence with a given attack associated with a URL (now that everything has been clustered). The hunter can then look up the URL to determine what else is known about it, then pivot back to their own environment to locate the user, machine or service presently connected to the compromised site.
Open-ended Search
Methodologically speaking, hunters can find much more when investigating data with open-ended questions instead of base queries. Why is that?
Consider how anyone searches the Internet for information on training their new puppy. What if a user began by opening a browser and writing if/then statements filled with filters to find the pages of greatest relevance to dog-training? That would require a full understanding of the structure of each potential page, its content, and countless other variables. In short, the search would be infeasible. Even if the user did find something, she could be missing critical information that didn’t match the query.
Now, consider what would happen if our intrepid user searched using Google. She simply types away a few phrases and Google uncannily delivers the pages with the greatest relevance. This is open-ended search. Our user does not need to know what the destination will be in advance, its content or structure. Google uses a tokenizing technique to cluster what’s most relevant (even when only the gist is similar) to give the user boundless results, ranked by likelihood.
Let’s apply this same method to security. Hunters need the opportunity to have an open-ended dialogue with data – assembled, clustered, and externally informed data. Once we have this in place, we are on our way to hunting excellence.
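To make the first three steps of the method concrete (assemble, cluster through enrichment, apply threat intelligence and pivot back to the hosts involved), here is an added example that is not part of the original post. The log lines, the IP attribute table and the threat-intelligence feed are all constructed stand-ins for a real proxy log, an asset/ASN lookup and an external intelligence service.

```python
"""Assemble -> enrich/cluster -> apply threat intel -> pivot, on constructed sample data."""
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic); fields: ts src_host user dst_ip url
RAW_LOGS = """\
2017-06-28T09:01:02 ws-012 alice 203.0.113.5 http://updates.example-cdn.test/patch.bin
2017-06-28T09:03:10 ws-019 bob 203.0.113.5 http://updates.example-cdn.test/patch.bin
2017-06-28T09:05:44 ws-012 alice 198.51.100.7 http://mail.example.test/inbox
2017-06-28T09:07:01 srv-db1 svc-backup 203.0.113.5 http://updates.example-cdn.test/patch.bin
2017-06-28T09:09:15 ws-031 carol 192.0.2.44 http://intranet.example.test/wiki
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed enrichment table (assumption: stands in for an internal asset/ASN lookup)
IP_ATTRS = {
    "203.0.113.5": {"asn": "AS64500", "org": "bullet-proof-host", "first_seen_days": 1},
    "198.51.100.7": {"asn": "AS64496", "org": "mail-provider", "first_seen_days": 400},
    "192.0.2.44": {"asn": "internal", "org": "corp", "first_seen_days": 900},
}
# Constructed threat-intel feed (assumption: stands in for an external lookup service)
TI_FEED = {"updates.example-cdn.test": "ransomware staging (constructed label)"}

def assemble(raw):
    """Step 1: parse free text into uniform records so the data can be interrogated."""
    recs = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, host, user, ip, url = m.groups()
            recs.append({"ts": ts, "host": host, "user": user, "dst_ip": ip, "url": url,
                         "domain": re.sub(r"^\w+://([^/]+).*$", r"\1", url)})
    return recs

def enrich(recs):
    """Step 2: attach attributes so events sharing attributes can cluster together."""
    for r in recs:
        r.update(IP_ATTRS.get(r["dst_ip"], {"asn": "?", "org": "?", "first_seen_days": 0}))
        r["new_dest"] = r["first_seen_days"] <= 7   # destination first seen this week
    return recs

def cluster(recs, keys=("org", "new_dest")):
    """Group enriched records by a tuple of attributes; large or odd groups are leads."""
    groups = defaultdict(list)
    for r in recs:
        groups[tuple(r[k] for k in keys)].append(r)
    return groups

def apply_ti(recs):
    """Step 3: cross-reference domains against the feed, then pivot back to host/user."""
    hits = {}
    for r in recs:
        if r["domain"] in TI_FEED:
            hits.setdefault(r["domain"], set()).add((r["host"], r["user"]))
    return hits
```

Three hosts, including a server with a service account, cluster on the same newly seen destination and come back from the intelligence lookup as the set to hand to the IR process.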
Threat Hunting for Everyone
Threat hunting is scientific – in the broad sense of SEEKING EXPLANATIONS OF WHY THINGS HAPPEN. Now, we have two distinct pathways: known and unknown.
With our “knowns” we tend to have a set of indications of compromise and use case libraries. We model and monitor these known variables – blacklisting/whitelisting, ACLs, threat indicators, etc.
With “unknowns” we deploy our threat hunting method – a method anyone can perform (see the image below). It begins with theorizing about what an adversary may do, then assembling data to see whether those tactics, techniques and procedures are present in our environment.
This is precisely what the 4-part data assembly process strives to do – to allow organizations to be data-driven. Again, the method is scientific in the broad sense of seeking explanations for why things happen. In the hunting paradigm, data reigns supreme. What the data says should change our beliefs, biases and best guesses.
Once assembled, we analyze with the adversary in mind. When we find something, we kick off our standard IR process, we debrief to document what we’ve learned, and add that new learning to our library. Often, hunting programs and the hunting platform feed the SIEM with new material.
That’s it. Anyone can hunt, because anyone can follow the method. Cyber-terrorism is far from its peak. We have to think differently. We have to start hunting.
#FireMon #threathunting #NotPetya #WannaCry #ransomware