Open Source Threat Hunting

Imagine: You are the new CISO of a company. You have been given a multi-million-dollar dream budget and invested in the latest firewalls, intrusion prevention systems, and other security countermeasures. You have a fully staffed 24/7 security operations center (SOC) that monitors your network and reacts to the alerts identified by your security information and event management (SIEM) system. You sit back in your chair, interlace your hands behind your head, breathe deeply, and congratulate yourself on a job well done, content in the knowledge that you’re as protected as possible from any cybersecurity threats.
Unfortunately, this is a pipe dream that in no way aligns with reality. While some of these technologies do a fantastic job of protecting against known threats, security appliances are always playing catch-up. If your SOC isn’t actively hunting for attackers and the latest attack vectors, then you will always lag woefully behind.
FINDING THE LATEST ATTACKS
There are several free sites online that are great for finding the latest attack methods. The first one we will look at is VirusTotal Intelligence. After creating an account, you can search with a wide variety of parameters, including keywords, file type, and first/last submission date.
As always, when you’re working with malware, take extra care. It’s a good idea to do this from a virtual machine not connected to the corporate network.
Another great site, especially for finding the latest phishing campaigns, is My Online Security.
This site publishes details of phishing emails, including sender, subject, and full email headers. My Online Security also provides a breakdown of the malware included in phishing messages. It gives links to various online sandboxes showing how the payload operates and the detection ratios for many antivirus products.
The blog by Dynamoo is another great resource for discovering the latest phishing emails.
Dynamoo’s blog provides the sender, subject, and dates of emails along with analysis of the malicious attachments. Their breakdown includes domains that the malware contacted and links to the VirusTotal scores for the malicious files.
THE HUNT
Now that we have a few sites to gather intelligence from, we can start hunting for new attack vectors. In our example, we begin with the VirusTotal Intelligence site and search for any new Word documents with the keyword “invoice.”
After we entered our parameters, the search returned several interesting files that matched our criteria. We’ll proceed by downloading a sample of this malware to analyze it further.
In our example, I submitted the file to the online sandbox site malwr.com. Malwr runs on the open-source Cuckoo sandbox and will run the file on its server in an enclosed, safe environment.
After analysis is complete, Malwr will show you what processes the file created and any network communications that took place. In our example, we can see that the original .doc file called out to the internet and downloaded an executable named st3(1).exe.
Next, we can copy the MD5 hash value and use VirusTotal to search for the hash. Our results show that it is a known malicious binary with a detection ratio of 7/56.
Now that we know the file st3.exe is malicious, we can submit the executable to a sandbox to perform dynamic analysis. In this example, we used the analysis tool from Payload Security. This site is similar to malwr.com: you can submit a file and have it dynamically analyzed in a safe environment.
With just a short amount of hunting, we discovered a relatively new Word document that contains a malicious payload that makes several network callouts. These findings make great indicators for the next phase of our threat hunting—developing an indicator of compromise (IOC).
Simply stated, an IOC is any forensic data that you can use to identify potentially malicious activity in your organization. From our example, we can develop an IOC from the first-stage .doc file and the second-stage .exe file. We also discovered that the st3.exe file makes an additional callout to the eyesoffaith domain and downloads another executable called inst.exe. Next, we can manually pull down inst.exe from a sandboxed machine using the wget command and then submit the new executable to VirusTotal and malwr.com or hybrid-analysis.com for analysis.
We can see that this third executable, inst.exe, is a known malicious file and should be added to our indicators of compromise.
Example IOC
Filename: invoice_66308124.doc
MD5: f14ae4263db319bc090d478a83408568
Filename: st3.exe
MD5: 81288dbbba1a2dcb3c3b2dbbbfbb3bb7
URLs: hxxp://hg-metals.net/wp-admin/includes/st3.exe
hxxp://dokkan.fi/wp-content/themes/mydokkan/st3.exe
hxxp://adrently.com/wp-content/themes/twentytwelve/st3.exe
hxxp://gasdetektor.com/wp-content/themes/twentyfourteen/st3.exe
Domains: eyesoffaith.com
nastygirl.com
csimag.hu
IP: 91.217.90.134
217.173.42.41
74.114.249.10
Filename: inst.exe
MD5: 87b533d4c59b3fa540c9a2b580f14eff
With these file names, MD5 hashes, and network indicators, we can start searching our enterprise for any related network traffic as well as taking the preventive step of blocking the known malicious IP addresses and domains in our firewall.
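One way to run the search described above, as an added example that is not code from the original post: it checks MD5 values from an endpoint inventory and proxy records against the indicators in the Example IOC. The five-field log layout, the function names, and the sample records are constructed assumptions.

```python
from urllib.parse import urlsplit
# Indicators copied from the Example IOC above; URLs stay defanged as published.
MD5_HASHES = {
    "f14ae4263db319bc090d478a83408568": "invoice_66308124.doc",
    "81288dbbba1a2dcb3c3b2dbbbfbb3bb7": "st3.exe",
    "87b533d4c59b3fa540c9a2b580f14eff": "inst.exe",
}
DEFANGED_URLS = [
    "hxxp://hg-metals.net/wp-admin/includes/st3.exe",
    "hxxp://dokkan.fi/wp-content/themes/mydokkan/st3.exe",
    "hxxp://adrently.com/wp-content/themes/twentytwelve/st3.exe",
    "hxxp://gasdetektor.com/wp-content/themes/twentyfourteen/st3.exe",
]
DOMAINS = {"eyesoffaith.com", "nastygirl.com", "csimag.hu"}
IPS = {"91.217.90.134", "217.173.42.41", "74.114.249.10"}
# Compare on (host, path) so the defanged scheme never has to be rewritten.
URL_KEYS = {(urlsplit(u).hostname, urlsplit(u).path) for u in DEFANGED_URLS}

def match_md5(digest):
    """Return the IOC filename for a hex MD5 from an endpoint inventory, or None."""
    return MD5_HASHES.get(digest.strip().lower())

def match_log_line(line):
    """Return the indicators hit by one 'time client dest_ip host path' record."""
    fields = line.split()
    if len(fields) != 5:  # skip malformed records instead of guessing
        return []
    _time, _client, dest_ip, host, path = fields
    host = host.lower().rstrip(".")
    hits = []
    if dest_ip in IPS:
        hits.append("ip:" + dest_ip)
    # Exact or subdomain match only; a substring test would flag lookalikes.
    if any(host == d or host.endswith("." + d) for d in DOMAINS):
        hits.append("domain:" + host)
    if (host, path) in URL_KEYS:
        hits.append("url:" + host + path)
    return hits

# Constructed sample records in a hypothetical proxy log layout.
SAMPLE_LOG = [
    "2017-02-06T09:15:40Z 10.0.4.23 203.0.113.9 dokkan.fi /wp-content/themes/mydokkan/st3.exe",
    "2017-02-06T09:15:44Z 10.0.4.23 74.114.249.10 - /",
    "2017-02-06T09:15:51Z 10.0.4.23 203.0.113.20 www.eyesoffaith.com /",
    "2017-02-06T09:16:10Z 10.0.4.31 198.51.100.8 noteyesoffaith.com /index.html",
]

def hunt(lines):
    """Return (client, hits) for every record that matches an indicator."""
    return [(l.split()[1], h) for l in lines if (h := match_log_line(l))]
```

Calling hunt(SAMPLE_LOG) flags the three records from client 10.0.4.23 and skips the lookalike host, which a plain substring search on the domain would have reported.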
Threat hunting is an excellent way for your security staff to find new attacks and threats that face your organization. With these sites and the threat hunting methodology, you will be on your way to a more secure organization.
If you’re interested in this topic and applying it to your enterprise, or if you have other questions about Nuix’s Security & Intelligence expertise, be sure to come find us at RSA 2017 in San Francisco next week. We’ll have booths in both exhibit halls staffed with our experienced cybersecurity practitioners to answer your questions.