Blumira Resources & Blog

Blumira’s Threat Hunting Playbook

Written by Nick Brigmon | May 5, 2020 2:14:45 PM

The Blumira security team was recently engaged by an existing Blumira customer to perform a general security integrity test on their newly acquired company. The Blumira platform automates the threat hunting process in order to save our clients from countless hours of security analysis.

The examples that follow discuss elements of our threat hunting playbook, crafted by our team to efficiently check all avenues of the network. We wanted to share some of these basic methodologies for threat hunting with our readers so they may take a look at their own networks!

Phase 1: Gathering Network Information (Easy to Hard)

Without knowing the network, it makes it difficult to run reconnaissance scans and know what to scan. When an attacker gets into a network or a penetration tester simulates adversary activity on a network, they have the capability of interacting with that network in order to find holes to attack. It is worth noting that our team does not carry out these types of tests, rather our goal is to find possible data exfiltration, abnormal logins, critically vulnerable servers, etc.

If you’re carrying out this threat hunting test, it is vital to have general asset management documentation at your disposal. We recommend using asset management software such as AssetPanda, Upkeep, or, if you want to go the free route, Microsoft Excel works just fine.

You want good documentation of assets to avoid missing a scan of a set of servers vulnerable to Eternal Blue (MS17-010), for example, which has shut down large corporate networks for weeks, resulting in millions of dollars lost in revenue – all due to missed Microsoft patches!

Phase 2: Network Scanning (Medium)

With the proper network documentation, you should be able to easily stand up a Nessus scanning server internally and scan your network. Nessus is a powerful scanning tool that can provide a report on vulnerable hosts on your network and how to patch those hosts. We highly recommend using Nessus or something similar as it can quickly call out critical vulnerabilities that may have been exploited already. Closing those security gaps are the most important tasks when executing a security assessment such as this.

When executing these scans, you must keep in mind that “loud” and “aggressive” scanning can impact a network’s performance. Once you have consent from your managers to do network scanning, we recommend starting with a basic scan which should not affect your network performance.

Nessus is a good choice here as they have crafted templates for basic networking scanning, as well as more specific scans such as host discovery, compliance and specific exploits you may be looking for.

Phase 3: Exploring Account Privileges (Medium)

Other than security vulnerabilities, misassigned account privileges are a very common threat we find on networks. When creating account policies, it’s best to ask questions such as “Why does an IT support person need access to the network share containing financial information?” The Blumira platform is adept at recognizing suspicious escalated privilege behavior at both the system and network level. Insider threats and external attackers alike routinely rely misconfigured account privileges to perform lateral movement.

An example we saw recently was that newly created accounts in the “Vendor” group could execute PowerShell commands and browse various internal documentation shares. These security gaps are very frequently associated with insider attacks. If you have domain administrative rights, the best way to run a test of your own is to create various users in various groups within your AD environment and click around! See what you can find!

As a general guideline for enforcing least privilege access, we recommend locking down Command Prompt, PowerShell, as many shares as possible from users who don’t require them for day to day work, and restricting local admin privileges as much as possible. With PowerShell access, attackers have full rein over a host.

Command Prompt is another powerful tool attackers can use to gain access to sensitive data. If a user in sales (no offense sales!) has access to PowerShell currently, it may be in your best interest to disable that access. Keep in mind that there is a chance of network functionality loss if these tools are disabled for the wrong people, but auditing that access need is quite easy!

Phase 4: Checking Suspicious Outbound Traffic (Medium to Hard)

Check security reports over the last 48 hours that include logins originating from abnormal locations such as out of typical countries/regions or the most visited outbound destinations. More sophisticated attackers aren’t generating a ton of data at one time; looking at the past two days of outbound data reports may allow you to easily find malicious actions. If you happen to see an internal host reaching out to a high-threat country destination thousands of times a day, you may be witnessing data exfiltration or command and control traffic.

Blumira makes this log analysis easy by first integrating with numerous next-generation firewalls and secondly, applying pre-defined threat detection criteria specifically designed to recognize this behavior as well as employing SOAR (security orchestration, automation and response) technologies to easily remediate it. We’ve seen examples in the past where we’re asked to check a server for vulnerabilities and we find very high amounts of Chinese traffic in the logs, meaning the server was owned before we could stop attacks with Blumira.

Lastly, check your geoblocking policy. Unrecognized foreign-bound traffic can be a sign of malicious activity. If your company has no business relations with a Chinese businesses or consumers for example, we recommend enacting a geoblocking policy for blocking inbound/outbound traffic from China and every other country that has no past business history with your organization. Geoblocking on the firewall is a huge defensive improvement that can stop attacks at the outer border of your network.

An example of threat source locations in Blumira’s Manager Dashboard

Takeaways

This overview is scratching the surface of everything you can do to look for potential threats on your network, but definitely a good start into your hunt! Creating a report in the style of your Nessus scan can be a good way to get started on the remediation of the security gaps you found. Please reach out to our team with any questions about strengthening your security posture with Blumira!