Attack Beasts and How to Find Them

In a popular movie,”’Fantastic Beasts and Where to Find Them”, a character named Newt Scalamander said, “Worrying means you suffer twice.” Newt may have been an IT security guru in another life; there’s no point lying awake worrying, guessing what the next cyberattack is going to be. All you can be certain of is that it will come, and you want to be ready for it.

We are used to blaming failures and incidents on insufficient patching or not staying up to date with software and libraries, and then there’s “that guy in sales that clicked on a malicious website.” Some have monetized the great fear of zero-days and exploits for sale on the dark web (a romantic name for non-indexed websites). Honestly, the vast majority of current attacks are based on existing public vulnerabilities and publicly posted exploit codes rather than secret zero-days sold on some evil villain’s .Onion or Tor site. This doesn’t make them any less deadly, but for the beast hunter — I mean security guru — knowledge, preparation, and having the right tools in your proverbial satchel can help you stop the beasts in their tracks. 

In this article:

• Using frameworks to cage the beasts
• Stalking and detecting the beasts in action
• Finding the footprints of the beasts

Using frameworks to cage the beasts

Knowledge starts with an understanding of attack frameworks. Hacker beasts all employ similar methods described by multiple threat modeling frameworks — my favorite way of discussing their attack patterns is from the MITRE ATT&CK framework. These are the very top-level descriptions, with multiple “how” it happens beneath. Beasts tend to follow these patterns:

• Stalking their prey (reconnaissance)
• Insinuation into the new lair (resource development/initial compromise)
• That first attack (execution)
• Laying eggs or spawning (persistence)
• All the cunning moves (privilege escalation, defense evasion)
• Faking it phasmids (credential access, discovery)
• Spinning webs (lateral movement)
• Collection (collection)
• Hive queen mentality (command and control)
• Stealing the goods (exfiltration)
• Destruction (impact)

For illustration, let’s look at MITRE’s summary of Mimikatz, which is frequently part of ransomware attacks but starts with the Windows Security Identifier (SID). There are tons of instructions on the web for how to add SID filtering to inter-forest trusts on the domain, but until you’ve had the hack and been forced to read the summary pages, your domain administrators may not know how to take the steps. 

The truth of it is that many very capable network and system administrators have never been trained or educated on how to secure every single process, entity, or feature effectively — basic security is always covered in new SysAdmin education sure, but really advanced workarounds are often learned as beasts attack, episode by episode. (And honestly, when SysAdmins become experts in all forms of network, entity, and domain attacks, they hunger for new careers and challenges and tend to move on to development or other roles.) 

The answer lies within the security stack — having the right protections at the right levels of the OSI stack — and then applying security frameworks and cross-tool visibility with an emphasis on anomaly detection combined with the ability to do historic log data searches.

Stalking and detecting the beasts in action

Beastly behavior is known — even if the size, shape, and wrappers of the beasts is not. Even doppelgangers (polymorphic attacks) have consistent methodologies that adhere to the MITRE frameworks and patterns of reconnaissance, land and compromise, expand, and cause havoc. This means that a clever beast hunter can be prepared both with knowledge of the beastly behavior and the tools of detection to follow their tracks and find where they’re attempting to nest — especially when they come in from the wild to the business district.

Standard investigative tools:

Identity provider and identity store (e.g., Active Directory) logs

• Credential behavior changes in over 80% of all attacks, according to the 2020 Verizon DBIR.
• Strange authentication behavior — machine to machine or network to cloud (or vice versa) — can mean beasts are taking flight. 
• Escalation of privileges — an attack step that gives a beast new permissions
• New activity in identity stores or SSO and other identity provider services — from new ports used or new accounts created — are always interesting to a beast hunter as well as detecting exfiltration and command and control behavior.

Network logs and IDS

• Intrusion detection systems and firewall logs represent some of the first monitoring and discovery of beastly activities. Back when SOCs were first forming, they were often the sole logs looked at to determine if a beast was sniffing around or attempting to break into a network environment. 
• Network firewall and other such logs remain useful for historic search purposes; though they can miss many non-signature-based attacks, they remain a body of evidence a beast hunter may use to determine proliferation and recognize tracks left on previously unknown attacks.
• Network logs can help detect exfiltration of files, and clearly identify trojan and command, and control traffic.

Server and endpoint logs

• Host-based intrusion detection systems (HIDS) were some of the first mechanisms for seeing (and monitoring in a SOC) what happened inside the network to a server or database. 
• Antivirus started as a way to protect user systems, and then gradually melded with many functions of HIDS to create the Endpoint Detection and Response (EDR) that both dynamically scanned for malware and process or file system tampering. EDR also contained some of the first communications from the endpoint to monitoring systems or network permission objects.

Finding the footprints of the beasts

So let’s run a scenario for a beast hunter. Let’s say some VERY unkind beast hunter publicizes a new proof of concept (POC) for an exploit of a known vulnerability on a Friday afternoon. Immediately, the “powers that be” will expect their beast hunters to come up with key answers fast to questions like:

• Do we use this tool/program/thing that is announced as vulnerable in our environment? 
• Is there any evidence that we’re already compromised? 
• When did it happen? 
• What systems were affected? 
• Do we have a breach that may need public disclosure? 
• What’s the schedule for getting it patched?

This is where good beast hunters look to their XDR and SIEM capabilities, because spotting anomalies, particularly in user credential behavior, are some of the fastest ways of getting meaningful answers to those questions. Cyber analytics allow the beast hunter to compare normal profiles of entity (user or machine) behavior and quickly identify new activity. The first time a credential or entity does anything is interesting to a beast hunter. Without knowing normal, it is much harder to see anomalies and track beasts across the various steps of their MITRE-illustrated path. 

Credential attacks and lateral movement are present in at least 80% of breaches, and many of the same brute force, browser/man-in-the-middle, and authentication attacks are used as add-ons to the latest exploit codes. Seeing anomalies in behavior, from new accounts to new processes running, are key to spotting infiltrations fast. 

Running queries against your data lakes should be easy with the right tools. Querying for strings include packet captures, processes running or stopped, or even components in your data lakes should be facilitated by your security operations tools — SIEM or XDR. Changes in state, in process, in credentials — all of these are evidence of beastly attacks, and only by seeing and understanding normal can beast hunters of any seniority determine whether a beast is loose and attacking their territory. 

We’re starting to see attacks and Trojans like TrickBot and Emotet that disabled endpoint protections, the same way we used to see attacks that disabled antivirus. Sudden silence is just as telling in an attack as a lot of noise — and that goes for networks as well as movies!

Finally, threat intelligence services are magnificent ways of getting a full list of beastly source IPs and domains, and embedding that kind of security intelligence into your XDR or SIEM (if they don’t come standard with regularly-updated feeds) is an easy way to stay abreast of beast watchers in the wild. 

Conclusion

The denouement of any beast hunt is where you can proudly present your conclusions and trophies to your superiors, stakeholders, or (when necessary) customers. Having a full timeline of any attack, clear tracks and paths to know the scope of damage, and advice on how to proceed will win all the accolades and appreciation any beast hunter could desire. 

Exabeam Fusion SIEM is a solution on the cloud-delivered Exabeam Security Operations Platform combining enterprise-scale SIEM logging and search with an outcome-based entity and event analytics approach to threat detection and incident response (TDIR). It offers prescriptive workflows and timelines, embedded threat intelligence, advanced case management with response automation, and enriched threat intelligence context with pre-built integrations and thousands of correlation rules and behavioral analytics that combine weak signals and alerts to create the understanding of normal entity behavior and pinpoint anomalies.

Exabeam Fusion XDR is another option on the cloud-delivered Exabeam Security Operations Platform offering an outcome-based approach to threat detection and incident response (TDIR), again with embedded threat detection. For beast hunters with existing legacy SIEM solutions or data lakes, Fusion XDR offers a laser-like focus on anomaly detection and overlaid investigation simplicity to search events, build timelines, and report on your findings. 

Want to learn more? Read our white paper on Exabeam Smart Timelines.

Join the Webcast

For more insights on tracking down the beasts, please register for the webinar, Fantastic Attack Types and How to Find Them:

Americas – April 12th, 2022 | 10:00am (PST) / 1:00pm (EST)
EMEA – April 15th | 10am (BST) / 11am (CEST) / 1pm (GST)