10 things threat hunters watch for

Dogged pursuit
Pursuing cyber threats is much like conventional hunting: it requires patience, persistence and a keen eye, and when done correctly it can be both exhilarating and rewarding. Threat actors do everything in their power to blend in and attempt to become a ghost in your network, so it is the job of the security professional to be the ghostbuster, says Tim Bandos, director of cybersecurity at Digital Guardian. To track and acquire an elusive target, a threat hunter needs to be well equipped with the right skills and tools. Start by loading up on cyber threat knowledge and centralizing critical logging data. He sets out the common indicators that a threat is underway.

Low and slow connections
Proxy logs are a great place to start the hunt, and there are a number of telltale signs that can clue you in that something is amiss. Is traffic being sent out over port 22 through proxy servers or even firewalls? Of course it’s good practice to source-restrict this clear-text protocol, but if it’s not locked down, look for exfiltration patterns in that data.

Same number of bytes in and out
Do any network connections exhibit the same pattern of bytes in and bytes out each day? This was more prevalent several years ago, but malware today still beacons out to its controller to signal that it has implanted successfully. Monitor for the same number of bytes up and bytes down recurring on a regular schedule, as this could be a sign of suspicious activity.

Suspicious sites
Build a list of all dynamic DNS sites visited by endpoints and look specifically at the outliers across your organization. If only three machines out of 20,000 visit one specific site, command-and-control infrastructure may be behind it. There could be other explanations, but it is definitely worth examining further.
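The three proxy-log hunts above (port-22 egress, fixed-size daily beacons, and dynamic DNS hosts that only a handful of endpoints visit) as one worked example. This is added code to illustrate the article, not a tool from the author or Digital Guardian; the log records, the `.dyn-example.com` suffix and the thresholds (three days of identical sizes, at most three visiting hosts) are constructed assumptions.

```python
"""Proxy-log hunts: port-22 egress, fixed-size beacons and rarely visited
dynamic DNS hosts. Example code added to illustrate the article; all log
records below are constructed, not real traffic."""
from collections import defaultdict

# Constructed proxy log: (day, source host, destination, dest port, bytes out, bytes in)
PROXY_LOG = [
    ("2024-05-01", "ws-0017", "cdn.example.net", 443, 1200, 88000),
    ("2024-05-02", "ws-0017", "cdn.example.net", 443, 1350, 91000),
    ("2024-05-01", "ws-0142", "updates.example.org", 443, 900, 45000),
    ("2024-05-02", "ws-0142", "updates.example.org", 443, 910, 46000),
    # identical byte counts in both directions, day after day: beacon-like
    ("2024-05-01", "ws-0420", "node7.dyn-example.com", 443, 312, 188),
    ("2024-05-02", "ws-0420", "node7.dyn-example.com", 443, 312, 188),
    ("2024-05-03", "ws-0420", "node7.dyn-example.com", 443, 312, 188),
    # outbound port 22 passing through the proxy, with a large upload
    ("2024-05-02", "ws-0420", "203.0.113.10", 22, 5_400_000, 2100),
    ("2024-05-03", "ws-0088", "node7.dyn-example.com", 443, 640, 12000),
]

# Dynamic DNS provider suffixes to watch (hypothetical; build your own list)
DYNDNS_SUFFIXES = (".dyn-example.com",)


def egress_on_port(records, port=22):
    """Return (source, destination, bytes out) for every connection on `port`."""
    return [(src, dst, out) for _day, src, dst, p, out, _in in records if p == port]


def beacon_candidates(records, min_days=3):
    """Flag (source, destination) pairs that move exactly the same number of
    bytes out and in on at least `min_days` distinct days."""
    sizes = defaultdict(set)   # (src, dst) -> set of (bytes out, bytes in) seen
    days = defaultdict(set)    # (src, dst) -> set of days seen
    for day, src, dst, _port, out, inb in records:
        sizes[(src, dst)].add((out, inb))
        days[(src, dst)].add(day)
    return sorted(
        (src, dst, len(days[(src, dst)]))
        for (src, dst), s in sizes.items()
        if len(s) == 1 and len(days[(src, dst)]) >= min_days
    )


def rare_dyndns_destinations(records, suffixes=DYNDNS_SUFFIXES, max_hosts=3):
    """Return dynamic DNS destinations visited by at most `max_hosts` distinct
    endpoints, together with those endpoints (the outliers to look at)."""
    visitors = defaultdict(set)
    for _day, src, dst, _port, _out, _in in records:
        if dst.endswith(suffixes):
            visitors[dst].add(src)
    return {dst: sorted(hosts) for dst, hosts in visitors.items() if len(hosts) <= max_hosts}


if __name__ == "__main__":
    print("port 22 egress:", egress_on_port(PROXY_LOG))
    print("beacon candidates:", beacon_candidates(PROXY_LOG))
    print("rare dyndns destinations:", rare_dyndns_destinations(PROXY_LOG))
```

On a real proxy export the per-day grouping and an allowance for small size jitter are the first things to tune; the exact-match rule here is deliberately strict so that the output stays small enough to review by hand.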

Failed logon attempts
It might sound obvious, but successive failed access attempts across multiple accounts could indicate a brute-force attack. A pattern of a single failed attempt per account may signify a threat actor trying passwords they’ve previously dumped from the environment, in the hope that one still works.

Explicit credentials
Profile your “A logon was attempted using explicit credentials” event logs and whitelist out normal activity. This event is generated when a user connects to a system or runs a program locally using alternate credentials. Did someone say ‘Lateral Movement’? Threat actors love to move laterally!

Privilege changes
Escalation of privileges will often occur once a foothold has been achieved within an environment, and privilege-change logs can help identify such activity. It’s good to profile your IT administrators’ legitimate activities as well, since they’ll more often than not generate a bit of noise themselves.
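The three Windows logon hunts above (one failure per account across many accounts, explicit-credential logons outside a whitelist, and privilege changes by accounts that are not profiled administrators) as one worked example over constructed Security-log events. This is added code, not the author's; the event IDs are the standard Windows ones (4625 failed logon, 4648 explicit credentials, 4672 special privileges, 4728 group member added) and are not named in the article, and the baselines, account names and five-account threshold are assumptions.

```python
"""Windows Security log hunts: password spray, explicit-credential logons and
privilege changes. Added example with constructed events; event IDs are the
standard Windows ones, thresholds and baselines are assumptions."""
from collections import Counter, defaultdict

FAILED_LOGON = 4625      # An account failed to log on
EXPLICIT_CREDS = 4648    # A logon was attempted using explicit credentials
SPECIAL_PRIVS = 4672     # Special privileges assigned to new logon
GROUP_MEMBER_ADD = 4728  # A member was added to a security-enabled global group

# Constructed events: host = where the event was logged, src = originating workstation
EVENTS = [
    {"id": 4625, "host": "dc-01", "src": "ws-0017", "account": "mjones"},
    {"id": 4625, "host": "dc-01", "src": "ws-0017", "account": "mjones"},
    {"id": 4625, "host": "dc-01", "src": "ws-0017", "account": "mjones"},
    # one failure per account from a single workstation: old passwords being tried
    *({"id": 4625, "host": "dc-01", "src": "ws-0420", "account": a}
      for a in ("alice", "bob", "carol", "dave", "erin")),
    {"id": 4648, "host": "fs-01", "src": "fs-01", "account": "svc-backup",
     "target_account": "svc-backup", "target_server": "fs-01"},
    {"id": 4648, "host": "ws-0420", "src": "ws-0420", "account": "jdoe",
     "target_account": "Administrator", "target_server": "dc-01"},
    {"id": 4672, "host": "dc-01", "src": "dc-01", "account": "it-admin1"},
    {"id": 4672, "host": "fs-01", "src": "ws-0420", "account": "jdoe"},
    {"id": 4728, "host": "dc-01", "src": "ws-0420", "account": "jdoe", "target_account": "jdoe"},
]

# Whitelisted explicit-credential use and profiled admin accounts (assumed baseline)
NORMAL_4648 = {("svc-backup", "svc-backup", "fs-01")}
ADMIN_ACCOUNTS = {"it-admin1"}


def spray_candidates(events, min_accounts=5):
    """Workstations whose failed logons hit at least `min_accounts` accounts
    exactly once each; a single account failing repeatedly is not counted."""
    per_src = defaultdict(Counter)
    for e in events:
        if e["id"] == FAILED_LOGON:
            per_src[e["src"]][e["account"]] += 1
    hits = []
    for src, counts in sorted(per_src.items()):
        single = sorted(a for a, n in counts.items() if n == 1)
        if len(single) >= min_accounts:
            hits.append((src, single))
    return hits


def explicit_credential_outliers(events, baseline=NORMAL_4648):
    """4648 events whose (subject, target account, target server) is not whitelisted."""
    seen = {(e["account"], e["target_account"], e["target_server"])
            for e in events if e["id"] == EXPLICIT_CREDS}
    return sorted(seen - baseline)


def privilege_change_outliers(events, admins=ADMIN_ACCOUNTS):
    """Privilege assignments and group-membership changes by accounts that are
    not profiled administrators, as (event id, account, host)."""
    return sorted((e["id"], e["account"], e["host"])
                  for e in events
                  if e["id"] in (SPECIAL_PRIVS, GROUP_MEMBER_ADD) and e["account"] not in admins)


if __name__ == "__main__":
    print("spray candidates:", spray_candidates(EVENTS))
    print("explicit-credential outliers:", explicit_credential_outliers(EVENTS))
    print("privilege-change outliers:", privilege_change_outliers(EVENTS))
```

The whitelist for 4648 is the part that needs the most care: service accounts and scheduled jobs produce these events constantly, so profile a few weeks of data before treating anything outside the baseline as an alert.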

Signs of password dumping programs
Research what your antivirus provider flags as a password dumping program and then go searching for those detection names. For example, one of McAfee’s password dumping detections is called HTool-GSECDump. There are countless examples of threat actors running a password dumper, antivirus detecting and removing it, and the attacker then successfully executing another dumper that wasn’t detected. So although they’ve achieved their initial objective, they’ve left behind a clue of evidentiary value.

Common backdoors
Know your adversary so that you can profile their tactics, techniques and procedures: the tools they most commonly use and the types of backdoor they may leverage. Some common advanced threat backdoors include PlugX, 9002 RAT, Nettraveler, Derusbi, Winnti and Pirpi. If you come across names like these in your antivirus logs, you’ll know something untoward is taking place.

Dropper programs
Identify any detections with ‘dropper’ in their name. A dropper program is intended to download or install a backdoor or virus, only initiating the download when the ‘coast is clear’. If a dropper has been detected, it’s possible there is still something lurking in the depths of the OS it was detected on.

Custom detections
Some antivirus solutions can create custom detections for ultra-effective threat hunting. Creating an alert to log executions of binaries from a user’s APPDATA directory, for example, will generate a log entry and send it to your console any time a program launches from that directory. Drilling down into those binaries to identify certain traits is a great starting point for finding evil.
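The antivirus-log hunts above (password dumper names, known backdoor families, anything with ‘dropper’ in it) and the custom APPDATA execution detection, as one worked example. This is added code, not the author's or any vendor's; the antivirus records and process-start records are constructed, the `pwdump` fragment is an illustrative addition to the article's HTool-GSECDump name, and the backdoor list is the one the article gives. A detection counts even when the antivirus reports it as removed, since the article's point is that the removal itself is the clue.

```python
"""Antivirus-log triage and a custom APPDATA execution detection. Added
example with constructed records; the detection-name lists are illustrative
and should be built from your own vendor's naming."""
import re

# Constructed antivirus detections: host, detection name, action taken
AV_LOG = [
    {"host": "ws-0420", "detection": "HTool-GSECDump", "action": "removed"},
    {"host": "ws-0420", "detection": "Trojan.Dropper.Generic", "action": "removed"},
    {"host": "ws-0088", "detection": "Backdoor.PlugX", "action": "quarantined"},
    {"host": "ws-0017", "detection": "Adware.Generic", "action": "removed"},
]

# Constructed process-creation records: host, user, image path
PROCESS_EVENTS = [
    {"host": "ws-0420", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Roaming\svc\update.exe"},
    {"host": "ws-0017", "user": "mjones", "image": r"C:\Program Files\Vendor\app.exe"},
    {"host": "ws-0088", "user": "alice", "image": "c:/users/alice/appdata/local/temp/7z.exe"},
]

# Lower-case name fragments per category. HTool-GSECDump is the McAfee name
# cited in the article; research what your own vendor calls these tools.
CATEGORIES = {
    "password_dumper": ("htool-gsecdump", "pwdump"),
    "known_backdoor": ("plugx", "9002", "nettraveler", "derusbi", "winnti", "pirpi"),
    "dropper": ("dropper",),
}


def categorize(detection):
    """Categories whose name fragments appear in the detection name (case-insensitive)."""
    name = detection.lower()
    return sorted(cat for cat, frags in CATEGORIES.items() if any(f in name for f in frags))


def triage_av_detections(av_log):
    """Hosts with at least one detection of interest, whatever action the AV
    took: a removed dumper or dropper still means something else may remain."""
    hits = {}
    for rec in av_log:
        cats = categorize(rec["detection"])
        if cats:
            hits.setdefault(rec["host"], set()).update(cats)
    return {host: sorted(cats) for host, cats in hits.items()}


# Matches <sep>Users<sep><name><sep>AppData<sep> with either slash direction
APPDATA_RE = re.compile(r"[\\/]users[\\/][^\\/]+[\\/]appdata[\\/]", re.IGNORECASE)


def appdata_executions(process_events):
    """Process starts whose image lives under a user's AppData tree, regardless
    of letter case or slash direction, as (host, image path)."""
    return sorted((e["host"], e["image"]) for e in process_events if APPDATA_RE.search(e["image"]))


if __name__ == "__main__":
    print("AV triage:", triage_av_detections(AV_LOG))
    print("APPDATA executions:", appdata_executions(PROCESS_EVENTS))
```

The APPDATA rule will fire on legitimate per-user installers and updaters too, which is why the article treats it as a starting point for drilling into the binaries rather than an alert in itself; hashing and signer checks on the flagged images are the natural next step.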