A Human-Driven Approach to Threat Hunting

Startling statistics from CrowdStrike reveal that a staggering 68% of detections in the past three months were not malware-related.

This amounts to over 65,000 potential intrusions, equivalent to approximately one potential intrusion every eight minutes, every day of the year. 

In a concerning trend, adversaries take an average of just one hour and 32 minutes to move laterally from an initially compromised host to another host within the victim's environment. Furthermore, in 36% of these intrusions, the adversary manages to expand their reach to additional hosts in under 30 minutes. 

Today, most ransomware operators engaged in big game hunting (BGH) have added data leaks to their arsenal, combining data encryption with the threat of exposing stolen information to extract payments from victims. Some adversaries have even established dedicated leak sites (DLSs) to publicly disclose victim details and release pilfered data. However, INDRIK SPIDER deviates from this trend by not utilizing data extortion methods. 

Comparing attack attempts year over year, the telecommunications and retail industries witnessed attacks more than doubling in numbers. The professional services industry experienced an increase of over 90%, while both the government and academic sectors faced attacks rising by over 80%. 

Common initial access techniques employed against the telecommunications industry include spear phishing, vulnerability exploitation, use of legitimate credentials, and supply chain compromise. Once access is gained, adversaries often exploit services or leverage system-native tools like Windows Management Instrumentation (WMI) and various command and script interpreters to advance their operations. 

WICKED PANDA, a China-nexus adversary, uses an array of remote access tools such as Cobalt Strike alongside custom tooling like Winnti, ShadowPad, or RouterGod to carry out its intrusions. The LightBasin cluster employs a diverse toolset, including a utility known as sun4me, which is delivered as an encrypted payload whose key is derived from the victim's environment; the payload is decrypted by a tool called STEELCORGI. The versatile sun4me offers features such as: 

  • Network enumeration tools utilizing SNMP, UDP, and various traceroute mechanisms 
  • WHOIS and DNS query tools 
  • Exploits for Heartbleed, Java over Remote Method Invocation (RMI), Apache Struts, WebLogic, Veritas NetBackup, and others 
  • Administration interface for MikroTik routers 
  • Remote configuration extraction tools for Cisco routers 
  • Password decryption tools for Cisco configuration, vncpasswd, and cvspass files 
  • Activity monitoring tools on infected hosts 
  • Remote user enumeration and credential brute-forcing via SSH 
  • Utility tools including grep, hexdump, shred, compress and uncompress, and various versions of netcat

UltraViolet Cyber's Human-Driven Threat Hunting Methodology

Our threat hunting methodology involves adopting unique methods, standards, and practices to detect and neutralize even the most sophisticated threats. Through proactive threat hunting, anomaly detection, statistical and behavioral analysis, our expert threat hunters have consistently delivered secure environments for our clients. 

Here's a glimpse into our human-led threat hunting methodology, which systematically uncovers threats at scale: 

  1. Indicator of Compromise (IOC) Search: We proactively hunt for and validate potential threats and incidents by utilizing Indicators of Attack (IOAs) and tactics, techniques, and procedures (TTPs). Instead of waiting passively for threats to strike, we take proactive action.
  2. Hypothesis-Driven Investigation: Our cyber threat hunters gather events from millions of endpoints, formulate hypotheses aligned with MITRE, and validate them through active searches within the environment. This approach is based on an in-depth understanding of threat actors' behaviors.
  3. Remote Disruption, Containment, and Neutralization: We swiftly detect and respond to threats, round the clock, ensuring adaptive containment and remediation measures. By safeguarding clients against numerous vulnerability points and highly sophisticated attacks, we enhance their protection. 
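The hypothesis-driven step above can be made concrete with an added example (not UltraViolet Cyber's own tooling): a hunt built on the hypothesis that adversaries use WMI for remote execution, which the page lists among the system-native tools abused after initial access. The hypothesis is mapped to MITRE ATT&CK T1047 and validated against process-creation telemetry. The host names, users and events below are constructed sample data, and the set of interpreters is an assumption to be tuned to the environment's baseline.

```python
"""Hypothesis-driven hunt: "adversaries use WMI for remote execution"
(ATT&CK T1047), validated against constructed process-creation telemetry."""
from collections import Counter
from dataclasses import dataclass
import re

# Command and script interpreters that the WMI provider host should rarely
# spawn on a server (assumption: tune against your own baseline).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Captures the target of a wmic invocation aimed at another host.
REMOTE_NODE = re.compile(r"/node:\"?([\w.-]+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # file name of the new process
    parent_image: str   # file name of the parent process
    command_line: str


@dataclass
class Finding:
    host: str
    technique: str      # ATT&CK technique ID
    reason: str
    event: ProcessEvent


# Constructed sample telemetry; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", "powershell.exe", "explorer.exe",
                 "powershell.exe -NoProfile"),
    ProcessEvent("srv02", "CORP\\svc_backup", "cmd.exe", "WmiPrvSE.exe",
                 "cmd.exe /c whoami"),
    ProcessEvent("srv02", "CORP\\svc_backup", "powershell.exe", "WmiPrvSE.exe",
                 "powershell.exe -NonInteractive -Command Get-Process"),
    ProcessEvent("ws03", "CORP\\bob", "wmic.exe", "cmd.exe",
                 'wmic /node:srv02 process call create "cmd.exe /c whoami"'),
    ProcessEvent("srv02", "NT AUTHORITY\\SYSTEM", "WmiPrvSE.exe", "svchost.exe",
                 "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
    ProcessEvent("ws01", "CORP\\alice", "wmic.exe", "cmd.exe",
                 "wmic os get caption"),
]


def hunt_wmi_execution(events):
    """Search the telemetry for evidence that supports the hypothesis."""
    findings = []
    for ev in events:
        child, parent = ev.image.lower(), ev.parent_image.lower()
        if parent == "wmiprvse.exe" and child in INTERPRETERS:
            findings.append(Finding(ev.host, "T1047",
                                    f"{child} spawned by the WMI provider host", ev))
            continue
        match = REMOTE_NODE.search(ev.command_line) if child == "wmic.exe" else None
        if match:
            findings.append(Finding(ev.host, "T1047",
                                    f"wmic.exe invoked against remote node {match.group(1)}", ev))
    return findings


def involved_hosts(findings):
    """Hosts to prioritise for containment: both the source host of each
    finding and any remote node it targeted, with evidence counts."""
    counts = Counter()
    for f in findings:
        counts[f.host] += 1
        match = REMOTE_NODE.search(f.event.command_line)
        if match:
            counts[match.group(1).lower()] += 1
    return counts


def hypothesis_validated(findings):
    """The hypothesis holds for this environment if any evidence was found."""
    return len(findings) > 0


if __name__ == "__main__":
    found = hunt_wmi_execution(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.technique}] {f.host} {f.event.user}: {f.reason}")
    print("hosts to review:", dict(involved_hosts(found)))
```

The local `wmic os get caption` on ws01 and the provider host itself starting under svchost.exe are left alone; only interpreters spawned by WmiPrvSE.exe and wmic aimed at another node count as evidence, and the per-host tally feeds the containment decision in step 3.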

With each new threat we encounter, UltraViolet Cyber extracts valuable insights that drive continuous advancements in automated detections and human-led threat hunting. 

Security with Tangible Outcomes

Our experts specialize in identifying malicious screen capture activity, such as writing image files to disk, deploying file compression and archival utilities, and detecting anomalous traffic to unknown external hosts that may indicate potential data exfiltration. Proactive investigation of lateral movement activity, complemented by contextual system events, enriches our threat hunters' insights. 
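As an added example (not UltraViolet Cyber's own detection logic), the three activities named above can be hunted as one chain on a host: an image file written by a process that is not a known screen-capture or browser application, an archival utility invoked, and an outbound connection to an external address that is neither internal nor on a known-destination list, all within a time window. The events, hosts, paths and addresses are constructed sample data; the expected-writer list, archiver names and the known-external allowlist are assumptions to be tuned.

```python
"""Hunt for a screen-capture -> staging -> exfiltration chain on a host,
over constructed file, process and network telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif")
# Processes expected to write image files (assumption: tune to your baseline).
EXPECTED_IMAGE_WRITERS = {"snippingtool.exe", "screenclippinghost.exe",
                          "mspaint.exe", "chrome.exe", "msedge.exe", "photos.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe", "zip.exe"}
# Internal ranges (RFC 1918, loopback, link-local) and a constructed allowlist
# of known external destinations; 203.0.113.0/24 is a documentation range.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
KNOWN_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "file", "process" or "network"
    process: str   # file name of the acting process
    detail: str    # written path, command line, or "ip:port"


def stage_of(ev):
    """Map an event to a stage of the chain, or None if it is unremarkable."""
    proc = ev.process.lower()
    if ev.kind == "file":
        if ev.detail.lower().endswith(IMAGE_EXT) and proc not in EXPECTED_IMAGE_WRITERS:
            return "capture"
    elif ev.kind == "process":
        if proc in ARCHIVERS:
            return "staging"
    elif ev.kind == "network":
        ip = ipaddress.ip_address(ev.detail.rsplit(":", 1)[0])
        if not any(ip in net for net in INTERNAL_NETS + KNOWN_EXTERNAL):
            return "exfil"
    return None


def hunt_exfil_chains(events, window_minutes=60):
    """Return {host: sorted stages} for hosts where at least two distinct
    stages occur within the window; a single stage on its own is not reported."""
    window = timedelta(minutes=window_minutes)
    staged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = stage_of(ev)
        if stage:
            staged[ev.host].append((ev.ts, stage))
    hits = {}
    for host, items in staged.items():
        best = set()
        for i, (t0, _) in enumerate(items):   # slide the window from each stage
            in_window = {s for t, s in items[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= 2:
            hits[host] = sorted(best)
    return hits


def at(hhmm):
    """Helper to build timestamps for the constructed sample day."""
    return datetime(2024, 1, 15, *map(int, hhmm.split(":")))


# Constructed sample telemetry; hosts, paths and addresses are made up.
SAMPLE_EVENTS = [
    Event(at("10:00"), "ws07", "file", "updater.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\scr_001.png"),
    Event(at("10:05"), "ws07", "process", "7z.exe", "7z.exe a C:\\Users\\bob\\AppData\\Local\\Temp\\s.7z"),
    Event(at("10:20"), "ws07", "network", "updater.exe", "198.51.100.23:443"),
    Event(at("09:00"), "ws08", "file", "chrome.exe", "C:\\Users\\eve\\Downloads\\logo.png"),
    Event(at("09:10"), "ws08", "network", "chrome.exe", "203.0.113.5:443"),
    Event(at("02:00"), "srv04", "process", "tar.exe", "tar.exe -czf backup.tgz C:\\data"),
    Event(at("02:30"), "srv04", "network", "tar.exe", "10.0.0.5:445"),
    Event(at("08:00"), "ws09", "file", "updater.exe", "C:\\Temp\\a.png"),
    Event(at("11:30"), "ws09", "network", "updater.exe", "198.51.100.77:8443"),
]

if __name__ == "__main__":
    for host, stages in hunt_exfil_chains(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Only ws07 is reported with the default window: ws08's image write comes from a browser and its connection goes to an allowlisted destination, srv04's backup job archives data but only talks to an internal address, and ws09's capture and external connection are three and a half hours apart, so they are correlated only if the window is widened. Requiring two stages rather than one is what keeps the nightly backup job off the hunter's queue.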

Our mission is to expose advanced interactive threats and provide actionable contextual threat intelligence through our shared factory operations. UltraViolet Cyber collaborates with fully and co-managed security teams worldwide, delivering real-time alerts that enable security responders to swiftly and effectively combat live threats. However, finding a threat is only half the battle—defenders must rapidly contain and remediate the threat to minimize any potential damage. 

Striving for Seamless Security

Finding it challenging to detect threats, whether they come from known adversaries, insider sources, or external attackers? Our team diligently monitors the evolving threat landscape, continuously analyzing new attack types, critical vulnerabilities, and the behaviors of cybercriminals and adversaries. 

To achieve seamless security, organizations must prioritize robust patch management, implement strong user and password controls, enforce stringent privileged access management practices, and exercise caution with all externally accessible services. 

Vigilance and swift action are crucial, as adversaries persistently seek new avenues to breach organizations and can move laterally rapidly once inside. Defenders must maintain round-the-clock coverage, ready to respond within minutes when threats emerge. 

Additionally, remote access should be closely monitored. The use of legitimate, non-native remote access tools like TeamViewer, AnyDesk, or VNC (and its variants) by eCrime actors has become increasingly prevalent. Defenders should implement strict restrictions and conduct regular audits on the usage of such tools, even for authorized purposes. 

Frequently Asked Questions

Why is a human-led approach to threat hunting important?

A human-led approach to threat hunting is essential because skilled analysts can employ their expertise, intuition, and creativity to detect sophisticated and evolving threats that automated tools might miss. Human analysts can investigate anomalies, apply context, and adapt their strategies, leading to more effective threat detection and response.

What is the most important aspect of developing a threat hunting program?

When developing a threat hunting program, the most important aspect is defining clear objectives and goals. Understanding the organization's risk profile and identifying critical assets and potential threats helps in tailoring the program to address specific security challenges. Additionally, fostering a collaborative and proactive security culture and leveraging skilled analysts' expertise are crucial for a successful threat hunting initiative.

What are the most widely used threat hunting techniques?

The most widely used threat hunting techniques include anomaly detection, signature-based hunting, behavioral analysis, endpoint analysis, threat intelligence utilization, sandboxing and malware analysis, red team insights, network traffic analysis, data correlation, and IOC-based hunting.