Chris McNab

Chris McNab is an author, computer hacker, and founder of AlphaSOC (https://www.alphasoc.com). McNab is best known for his Network Security Assessment books, which detail practical penetration testing tactics that can be adopted to evaluate the security of networks.

Through Network Behavior Analytics for Splunk and our native integrations for Demisto and Graylog, we instantly enrich network indicators (FQDNs, URLs, and IP addresses) to provide security teams with hunting material.

In this post, I describe some of the key classifiers within the AlphaSOC Analytics Engine, the public API we operate, and how teams consume our context data to uncover emerging threats that don’t have signatures.

Imposter Detection

Lookalike imposter domains are being increasingly registered on a campaign-by-campaign basis and used to target enterprises by both red teams and state-sponsored actors. Brian Krebs published a list of spear phishing domains used to target Wipro and other enterprises earlier this year, as listed below.

At AlphaSOC we maintain a database of common B2B brands and phishing targets, along with a list of domains used by our customers. If a permutation of a domain is seen (e.g. a Punycode homoglyph, transposition, omission, or a similar manipulation) or the respective domain is nested within a longer FQDN, the Analytics Engine will generate an imposter flag, as below.

We expose an API called Wisdom that can be programmatically consumed to retrieve flags for FQDNs and IPs on the fly. In the example below, we process the Punycode dropbơx.com domain to reveal that it is an imposter.

To drop any non-starters (e.g. user typos) the engine verifies that:

  • The domain exists via DNS / WHOIS lookup
  • The domain isn’t owned by the respective company (e.g. Dropbox)
  • The infrastructure isn’t operated by a phishing simulation provider

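As an added example (not AlphaSOC's code), the permutation checks described above in Python: Punycode labels are decoded, homoglyphs are collapsed to an ASCII skeleton, and the candidate is compared against a protected list for homoglyph, transposition, omission and nesting. PROTECTED_DOMAINS is a constructed stand-in for the brand database, and the DNS/WHOIS, ownership and phishing-simulation checks from the list above are left out.

```python
import unicodedata

# Constructed stand-in for AlphaSOC's brand/customer domain database (assumption).
PROTECTED_DOMAINS = ["dropbox.com", "paypal.com"]


def to_unicode(fqdn):
    """Decode Punycode (xn--) labels so homoglyph characters become visible."""
    try:
        return fqdn.rstrip(".").encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return fqdn.rstrip(".")  # already contains Unicode characters


def skeleton(label):
    """ASCII skeleton of a label: NFKD decomposition with combining marks dropped,
    so a homoglyph such as 'ơ' (o with horn) collapses to a plain 'o'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def is_transposition(a, b):
    """True if a and b differ only by one swapped adjacent pair (dorpbox vs dropbox)."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def is_omission(a, b):
    """True if a equals b with exactly one character removed (dropbx vs dropbox)."""
    return len(a) == len(b) - 1 and any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def classify(fqdn):
    """Return the imposter-style flags for an FQDN against PROTECTED_DOMAINS."""
    uni = to_unicode(fqdn).lower().split(".")
    asc = [skeleton(label) for label in uni]
    flags = set()
    for brand in PROTECTED_DOMAINS:
        bl = brand.split(".")
        n = len(bl)
        if asc[-n:] == bl:                      # skeleton matches the real brand
            if uni[-n:] != bl:                  # ...but only once homoglyphs are collapsed
                flags |= {"imposter", "homoglyph"}
            continue                            # genuine brand domain or subdomain: no flag
        if any(asc[i:i + n] == bl for i in range(len(asc) - n)):
            flags |= {"imposter", "nested"}     # brand buried inside a longer FQDN
        if len(asc) >= n and asc[-(n - 1):] == bl[1:]:   # same suffix, altered brand label
            if is_transposition(asc[-n], bl[0]):
                flags |= {"imposter", "transposition"}
            elif is_omission(asc[-n], bl[0]):
                flags |= {"imposter", "omission"}
    return flags
```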
Highlighting Unique and Young Domains

A second particularly useful flag is unique. We track destination FQDNs and IPs seen across hundreds of enterprise environments, and in turn highlight those which are unique to a given customer. By looking for combinations of these signals (e.g. an imposter domain that is unique or young), security teams can instantly uncover targeted campaigns within a large, noisy dataset.

Active Scoring and Fingerprinting

Through layered processing we also correlate telemetry with third party services (e.g. WHOIS, Google Safe Browsing, and sandboxing engines) and fingerprint destinations to provide additional context, as below.

In this example, the destination domain is a known phishing site that also triggers on Google Safe Browsing and sandboxing engines (e.g. VirusTotal). The opendir flag indicates that the web server has an open directory listing:

The analytics stack can also flag WordPress, Drupal, and other CMS instances. Actors are increasingly leveraging compromised content management systems to serve malware and operate C2 infrastructure.

In closing, by seeking particular combinations of flags (e.g. unique, imposter, young_domain, opendir, and wordpress) you can quickly identify unknown threats that don't have known indicators or signatures.

Uncovering Emerging Threats in Practice

A dropper domain serving a malicious HTA file was recently uncovered within a customer environment via the Analytics Engine, as below. Antivirus vendor coverage was low at 20/58 for the HTA file itself.