Our head of Threat Intelligence, Paul Laudanski, takes us through a typical threat hunting exercise and takes up the story…
Threat hunting is the act of looking for the unknown; for an attack vector we don’t know anything about, for a new campaign, or changes to tactics, techniques and procedures. And there are always new types of attacks to contend with. When I find one type of threat, oftentimes that can snowball into finding other types of threats, so I keep hunting and pivoting and enriching the information that I find. Here’s a recent example…
At Tessian, we’re interested in attacks delivered via email and so I started off with a query looking for URL duplicates that have been sent in emails at least five times during September. I’m specifically targeting the “low and slow” type of attack, where the offenders do not want to alarm security tools and teams. They might be targeting a certain type of function or role for instance.
Breaking this SQL query down, I search for URLs and the email subjects they are associated with, and how many times they were seen. I don’t want to see singletons but my gut tells me I don’t want to see anything less than 3 hits. Will I search for those as well? Yes, that is another type of search I run in another stream. But for now, my interest is in 5 or more hits.
This approach revealed some interesting recurring URL path and filename values. This match, k7OIMyJhEU/page1.php after the domain, was seen hundreds of times across many domains and their subdomains. Very much a low type of attack because it was spread across different domains. Tools don’t normally pick up on this type of occurrence, and it takes an intel analyst to find such behavior
There were several full URLs with that exact pattern, and as I sampled some, Chrome was telling me they were bad. But I couldn’t get the ones I was sampling to actually load anything.
So I updated my query to this:
This query now focuses on giving me all the URLs that match that directory pattern, because I want to see what this actually is. Here is a sample, with a subject containing Visa or Mastercard in it. We know from Chrome that some of these that I sampled are malicious.
The subject is detected by Google Translate as Japanese. Taking a sample subject from the above, I’m advised it translates to: “Visa card information on estimated payment amount”. Now I continue to pivot, and take a domain for further analysis: anl7ya[.]icu.
An open source investigation into said domain showed it is heavily involved in phishing and malware activity. Researching Passive DNS data for that domain, there are 191 records. Many of the subdomains were first seen on the 14th of September. None of this is good based on the threat signals around the domain and its activity.
The IP address associated with the domain, searching spam deny listed services reveals UCEPROTECT and Barracuda have it listed as being involved in spam campaigns.
So I started off with JST with an open mind and a theory, hunting and pivoting, trying to see what I could find. I found something for sure, and then started to enrich and dive deeper and go broader. Doing so gave me a lot more information we can use to build our own threat intel. This is called derivative data, and it helps to spot the attacks on a broader scale, otherwise we might miss additional attack vectors
Ultimately, in my open source queries I found a snapshot reported by a Twitter user:
As a threat intelligence team, we work hard to ensure customers are protected against this and other types of behavior by leaning in and being engaged with the intelligence. We want to focus on what is called the Pyramid of Pain.
Here we have indicators we can use to detect and protect against, and we can also move up the pyramid and look at the patterns, in this case, it doesn’t matter what the domain is, so long as we see “k7OIMyJhEU/page1.php”, we can detect it and look to protect against it. Hence our coverage is broad, and we add another query into our playbook that we can automate and spot any changes or new patterns of threats.
This is fun and exciting work, I enjoy working with the unknown and making actionable sense of intelligence. If you’d like to join me, check out our open roles here.