Threat hunting and traffic anomaly investigation

29 October, 2022

Using a range of threat hunting techniques, the CyberOps team can find and analyse all unique or suspicious persistence mechanisms on a device or within a network environment. Then, using business operational context and the latest threat intelligence, we are able to determine whether an attack within your environment was successful.

Valuable information can typically be discovered in the following areas during a review of the operating environment:

Firewall Logs

Firewalls establish a mandatory security control between different security zones, such as the corporate network and the internet. As they regulate the flow of traffic between these networks, firewall and proxy logs provide a rich source of traffic and user activity information. If your firewall is reconfigured, sensitive traffic, confidential data and user activity may be exposed to the internet with the potential for compromise. You should analyse your firewall logs to ensure it is denying unauthorised inbound traffic.
          -        Identification of dubious URLs often signals communication with a command and control (C&C) server. A high number of file transfers, even if it is expected traffic, can be a warning of malware or of a user violating company policy.

Network and Application Authentication Server Logs
          -        Account lockouts and invalid account logons
          -        Invalid passwords and password changes
          -        User management changes, including new accounts and changed accounts
          -        Computer management events, including when audit logs are cleared or computer account names are changed
          -        Group management events, such as the addition of users to high security or administrator groups
          -        Unscheduled server reboots
          -        Attempted user activity during restricted or unusual logon times

Web Server Logs
          -        Web server logs are another rich source of data to identify malicious activity.
          -        Entries that result in errors: users requesting pages that don't exist (404 Page Not Found errors) or users trying to access directories or files for which they don't have authorisation (403 Forbidden errors).
          -        Internal Server Errors (500 errors) and Header Value errors (501 errors) can indicate malicious activity, bad HTML code or malfunctioning applications.
          -        Null referrers or bad requests often indicate that malicious individuals are scanning the website with automated tools.
          -        Monitor any access to pages that are used to update website content to ensure that only authorised users are attempting to log in.
          -        Indicators of attack include:
                   ·        Traffic to web servers that attempts to access database information via known attack methods such as SQL injection.
                   ·        Attempts to access folders on the server that are not linked to web pages on the website or server.
                   ·        Attempts to execute operating system commands.
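The indicators listed above can be checked mechanically. The following is an added example (not code from the original article or from CyberOps) that parses constructed Apache/NGINX combined-format log lines and tags each request with the indicators the article names: 403/404/500/501 errors, null referrers, requests for paths not linked from the site, access to the content-update area, and crude SQL injection or OS command patterns in the query string. The linked-path list, the admin prefix and the signature patterns are assumptions that would be replaced with knowledge of the real site.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Constructed sample lines in Apache/NGINX combined log format (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2022:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2022:10:01:02 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "python-requests/2.28"
203.0.113.5 - - [29/Oct/2022:10:01:03 +0000] "GET /backup/ HTTP/1.1" 403 221 "-" "python-requests/2.28"
203.0.113.5 - - [29/Oct/2022:10:01:04 +0000] "GET /old-page HTTP/1.1" 404 198 "-" "python-requests/2.28"
198.51.100.9 - - [29/Oct/2022:10:02:00 +0000] "POST /admin/login HTTP/1.1" 200 412 "https://example.test/admin" "Mozilla/5.0"
"""
LINE_RE = re.compile(  # ip ident user [time] "method target proto" status bytes "referrer" "agent"
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ERROR_CODES = {403, 404, 500, 501}  # the error classes the article calls out
PATTERNS = {  # crude query-string signatures (assumed); tune them for your own application
    "sqli_pattern": re.compile(r"('|\bunion\b|\bselect\b|\bor\b\s+\S+=\S+|--)", re.I),
    "os_command_pattern": re.compile(r"(;|\||`|\$\(|/bin/sh|cmd\.exe)", re.I),
}
# Assumed site-specific knowledge: paths actually linked from the site, and the content-update area.
LINKED_PATHS = {"/", "/index.html", "/products", "/admin/login"}
ADMIN_PREFIX = "/admin"

def classify(line):
    """Return (ip, path, status, indicators) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    decoded = unquote(query)  # match on the decoded query so %27 and ' are treated alike
    status = int(m["status"])
    flags = set()
    if status in ERROR_CODES:
        flags.add(f"http_{status}")
    if m["referrer"] == "-":
        flags.add("null_referrer")
    if path not in LINKED_PATHS:
        flags.add("unlinked_path")
    if path.startswith(ADMIN_PREFIX):
        flags.add("content_update_access")
    for name, rx in PATTERNS.items():
        if rx.search(decoded):
            flags.add(name)
    return m["ip"], path, status, flags

def hunt(log_text):
    """Classify every line; return the flagged rows and a per-client count so scanners stand out."""
    hits = [r for r in map(classify, log_text.splitlines()) if r and r[3]]
    return hits, dict(Counter(r[0] for r in hits))
```

Running `hunt(SAMPLE_LOG)` returns four flagged requests and shows that one client produced three of them, which is the kind of clustering that separates an automated scan from a single mistyped URL.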

Endpoint and Device Activity
          -        Many cyber-attacks are seen at the client endpoint as a result of an email phishing attack, infected files on USB sticks or malicious pages accessed via a browser from the internet. Analysing endpoint data enables fast incident detection. For a malware attack to be successful it must persist on a system while the computer remains logged on, or be executed based on a trigger event such as a system reboot. In many cases hackers require their malware to survive a reboot so that they can stay on the system undetected for as long as possible. Investigating suspicious persistence mechanisms or applications helps to identify issues.
          -        There are many different ways malware can persist on a Windows device. The most common are:
                   ·        Scheduling tasks,
                   ·        Installing malicious applications as a service, and
                   ·        Using run-on-startup functions.
          -        There are more than 50 different places that malware can hide, including: Logon (Startup Menu, Microsoft Active Setup), Explorer (Context Menu Handlers, Drag/Drop Handlers), Internet Explorer (Browser Helpers, Extensions), Drivers, Codecs, Boot Execute, Image Hijacks, AppInit DLLs, WinLogon, WinSock Providers, Print Monitors, LSA Providers, Network Providers, Sidebar Gadgets, and more.
          -        Using threat hunting techniques, CyberOps can detect and analyse unique or suspicious persistence mechanisms on a device. Then, using context and the latest threat intelligence, we determine whether an attack was successfully deployed and/or is active in your environment.