(Ed: title sounds like a bad movie, huh!? Anyhow…)
We have all heard the news at this point about WannaCry ransomware, how it continues to spread and how people are constantly surprised by it. However, as I mentioned in one of my last posts, skilled hackers are typically more interested in persistence than a mere smash ‘n grab action where some files get encrypted and they hope to squeeze a few hundred dollars out of each infected endpoint. As we are currently seeing, the EternalBlue SMB exploit (MS17-010) was originally used by WannaCry ransomware AND the Adylkuzz Bitcoin Miner. But now, in typical fashion, the exploit is being used for a more persistent game: exploit, pivot and persist.
Most recently, RATs (Remote Access Trojans) are being deployed in combination with the EternalBlue exploit. The danger of RATs, unlike the nuisance that is ransomware, is that they can stay inside the network undetected for months, stealthily creeping through systems and establishing beachheads that can be activated at any time using command and control techniques.
Ransomware CAN be stopped. Not only can you patch the EternalBlue SMB security flaw which allows the delivery to happen in the first place (see MS17-010 Patch Info), but you can usually stop ransomware in its tracks because it is heuristically detectable. In other words, when ransomware starts encrypting files, it has essentially come out of hiding and is behaving badly. At this point in the cyber kill chain, your security software can take action to terminate the behavior. There are a couple of very inexpensive solutions out there for both Mac (don’t think you are safe) and Windows.
For Windows users, check out FoolishIT’s CryptoPrevent Premium (Link to CryptoPrevent Premium). For an annual $15 fee, you can get a copy of the newly revamped (yet original in concept) Crypto-locker prevention tool.
For the Mac users, try out RansomWhere? by Objective-See (Link to RansomWhere?) which continuously monitors the file system for the creation of encrypted files by suspicious programs (which is what ransomware does). When it sees this, the software will halt the process and ask the user to Allow or Terminate the encryption events. This is a very effective and valid way to thwart an attack. Although free to download and use, consider donating.
Ok…so that covers some simple and inexpensive defenses for the smash ‘n grab style of ransomware (i.e. exploit, get in, do damage right away and leave). But that’s not the whole story. As mentioned above, the “skilled hacker” can use these very same exploits to establish a beachhead and sit quietly for months (on average 6 to 8 months), either continuing to infiltrate other systems, or biding time for an attack that could be data exfiltration, or a data integrity attack, or something else. The point is, if things are sitting quietly, then they do not get seen very easily by endpoint defenses that are looking for heuristic behaviors. This is the home of the hard to find Persistent RAT.
Enter Cyber Threat Hunting…
Depending on HOW you conduct cyber threat hunting activities, you have a few choices for methodologies to hunt for Persistent RATs:
- Event & Data-centric Log Collection
- Network Traffic Analytics
- Forensic State Analysis of the Endpoint
My preferred method is not to rely on Event & Data-centric Log Collection, as it is quite typical that there is insufficient data to analyze. This method requires a VERY mature level of centralized logging and retention for tons of devices and data sources (routers, firewalls, proxies, DNS, web servers, Active Directory, endpoint logs, etc.) for a minimum of 6 months. It is the fantasy of most SIEM deployments: collect everything and be smothered in too much data to make sense out of any of it. Typically, most SIEM installations are misconfigured and/or catch-alls for everything that logs an event. They keep event logs for compliance purposes and for “needle-in-mountain-sized-haystack” incident response searches. I am not saying that SIEMs are not a valid security and compliance technology, but rather that this is not an ideal technology for efficient CYBER THREAT HUNTING.
Network Traffic Analytics (NTA) can be a very useful cyber threat hunting tool if properly deployed (check out www.mantix4.com for an example of NTA done right). What I mean by this is that you are HUNTING for things that are not normal, so you cannot exclusively rely on alerts and alarms coming from your security tools. Proper network traffic analytics hunting is about the journey, not the destination. The journey lets you know your network and have full situational awareness at a glance, one where mountains of data can be picked through with speed to ensure that your IT Sec team does not NORMALIZE DEVIANCY. This is like a car alarm that goes off in a neighborhood and no one cares to investigate. The routine inspection of deviant behavior is an absolutely essential ingredient in the threat hunt. As an example, a recently discovered trojan from China used a simple callout to download instructions from http://down[.]mysking.info:8888/ok.txt as part of its command set delivery after the EternalBlue exploit was successful. Looking at the callout, NTA technologies can see this very easily using some simple rules (e.g. an HTTP connection over the non-standard port 8888). This sort of thing is deviant and requires investigation, but NTA can find it when it calls home.
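As an added example (not code from the original post or from any NTA product), here is the “HTTP over a non-standard port” rule from the paragraph above, run over a few constructed HTTP records. The record format, the set of expected HTTP ports and the sample lines are assumptions; the callout indicator is the one quoted in the text, kept defanged and re-fanged only for matching.

```python
from dataclasses import dataclass
from typing import Optional, List

# Ports on which plain HTTP is expected in this (assumed) environment.
# HTTP seen on any other port is "deviant" and becomes a lead to investigate.
STANDARD_HTTP_PORTS = {80, 8080}

# Indicator quoted in the post, stored defanged so it is never a live link.
DEFANGED_INDICATOR = "down[.]mysking.info:8888/ok.txt"


@dataclass(frozen=True)
class Finding:
    src: str
    dst_host: str
    dst_port: int
    uri: str
    reasons: tuple


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot for comparison."""
    return indicator.replace("[.]", ".")


def parse_record(line: str) -> dict:
    """Constructed record layout: src_ip dst_port host method uri (whitespace separated)."""
    src, port, host, method, uri = line.split()
    return {"src": src, "dst_port": int(port), "host": host, "method": method, "uri": uri}


def evaluate(record: dict) -> Optional[Finding]:
    """Apply the two hunting rules; return a Finding only when something is deviant."""
    reasons = []
    if record["dst_port"] not in STANDARD_HTTP_PORTS:
        reasons.append(f"http on non-standard port {record['dst_port']}")
    requested = f"{record['host']}:{record['dst_port']}{record['uri']}"
    if requested == refang(DEFANGED_INDICATOR):
        reasons.append("matches known callout indicator")
    if not reasons:
        return None
    return Finding(record["src"], record["host"], record["dst_port"], record["uri"], tuple(reasons))


def hunt(lines: List[str]) -> List[Finding]:
    """Run every non-empty record through evaluate() and keep the leads."""
    return [f for f in (evaluate(parse_record(l)) for l in lines if l.strip()) if f]


# Constructed sample: one normal request, the quoted callout, and HTTP on 8443.
SAMPLE_LOG = """\
10.0.0.5 80 www.example.com GET /index.html
10.0.0.7 8888 down.mysking.info GET /ok.txt
10.0.0.9 8443 intranet.example.net GET /status
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

The third record is flagged only for its port; as the text says, that is a lead that requires investigation, not a confirmed breach.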
Finally, on to Forensic State Analysis of the Endpoint (FSA). This technology has many benefits for RAT hunting. Primarily, if the RAT is lying dormant, then FSA is the ONLY technology that will see it, since there wouldn’t be any behavior to detect (EDR would miss it), nor would it be calling home on a regular basis (NTA would not see the command & control until it starts talking). Secondly, FSA has no time dependencies. It does not require 6 months of logs. It does not require a baseline understanding. It does not require a “gold image” to identify anomalies and deviancies. It is a very focused analysis of the endpoint’s state at the time it is executed.
Without going into too much detail in any one technology, our recommended approach to an efficient, effective and automated cyber threat hunt is actually a combination of these three methods, but used in the following specific way:
- Use Network Traffic Analytics to identify the deviance that requires investigation (e.g. SUSPECTED BREACH DUE TO OBSERVATION XYZ)
- Use Forensic State Analysis (not human DFIR) to validate that a breach has occurred (e.g. SYSTEM BREACH CONFIRMED)
- Use Event & Data-centric Log Collection to augment the data produced during the NTA + FSA hunt.
As with most security, a layered, defense-in-depth approach is usually the best way forward. For proper Cyber Threat Hunting, the quickest, most-efficient methods would be to use focused NTA combined with automated FSA. Happy Hunting!!!