Detecting Compromises With AI-Hunter

Now that AI-Hunter analyzes your network continuously, just like an overly caffeinated threat hunter, we can provide new insight into identifying when your network has been compromised. In this blog entry I’m going to focus on the alerting system and show you how to identify when a system has been whacked. The best part is that the process is dead simple and can easily be done within your SIEM of choice or within Slack.

AI-Hunter Alerting – 101

AI-Hunter continuously hunts your network looking for indications of a system compromise. These clues are combined into an overall threat score for a system. You can then set a threat score threshold and receive alerts whenever a system exceeds this setting. Alert configuration is covered in the Installation Guide, but in short, you edit the “config.yaml” file in the “/etc/AI-Hunter/” directory of the system running AI-Hunter.

It’s All about Analyzing Huge Amounts of Data

Unlike other security tools, AI-Hunter is constantly hunting the previous 24 hours of packet data. We don’t do pattern matching, as that only works with well-known attacks. We scrutinize the data, just as an analyst would, in order to identify command and control (C&C) channels.

So let’s assume an attacker compromises a system and sets up a remote access Trojan (RAT) that beacons home once every 30 minutes. Up until the moment of compromise, the system has been acting normally. Then every half hour a heartbeat signal will be sent to a C&C server across the Internet. The more the system beacons, the more data points we have telling us the system has been back-doored.
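
To make the "more beacons, more data points" idea concrete, here is a toy beacon scorer added for this post. It is not AI-Hunter's algorithm, and the connection records, the 10% jitter tolerance and the scoring formula are all constructed for the example: the score grows with how regular the gaps between connections are and with how many of those connections fall inside the 24-hour analysis window, so a 30-minute beacon scores higher the longer it has been running.

```python
"""Toy beacon scorer (added example, not AI-Hunter's own code).

Idea illustrated: a RAT that phones home every 30 minutes leaves a series of
outbound connections with a very regular interval. The more of those
connections fall inside the 24-hour analysis window, the more evidence a
scorer has. All records and constants below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

START = datetime(2019, 1, 1, 0, 0, 0)   # constructed start of the capture


def beacon_times(n, period_min=30):
    """n connection timestamps spaced exactly period_min apart (constructed)."""
    return [START + timedelta(minutes=period_min * i) for i in range(n)]


def make_sample_records():
    """Constructed (timestamp, src, dst) records for two internal hosts:
    10.0.0.5 beacons to 203.0.113.10 every 30 min for 6 hours,
    10.0.0.7 makes irregular connections to 198.51.100.20."""
    recs = [(t, "10.0.0.5", "203.0.113.10") for t in beacon_times(12)]
    for m in (3, 4, 19, 95, 101, 240, 241, 300, 455, 470, 533):
        recs.append((START + timedelta(minutes=m), "10.0.0.7", "198.51.100.20"))
    return recs


def gaps_seconds(times):
    """Seconds between consecutive connections, in time order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def score_pair(times, window_hours=24):
    """Return a 0-100 score for one src->dst pair.

    Two factors, both simplifications chosen for this example:
    - regularity: fraction of gaps within 10% of the median gap
      (1.0 means a perfectly periodic heartbeat),
    - evidence: connections seen versus the number a beacon with this period
      would produce in a full window (capped at 1.0).
    """
    if len(times) < 3:
        return 0.0
    gaps = gaps_seconds(times)
    med = median(gaps)
    if med <= 0:
        return 0.0
    regular = sum(1 for g in gaps if abs(g - med) <= 0.1 * med) / len(gaps)
    expected = (window_hours * 3600) / med
    evidence = min(1.0, len(times) / expected)
    return round(100 * regular * evidence, 1)


def score_records(records, window_hours=24):
    """Group records by (src, dst) and score every pair."""
    pairs = defaultdict(list)
    for ts, src, dst in records:
        pairs[(src, dst)].append(ts)
    return {pair: score_pair(ts, window_hours) for pair, ts in pairs.items()}


if __name__ == "__main__":
    for pair, score in score_records(make_sample_records()).items():
        print(pair, score)
    # Same 30-minute beacon, observed for longer: the score climbs until a
    # full 24 hours of beacons (48 connections) is in the window, then caps.
    for n in (12, 24, 48, 60):
        print(n, "beacons ->", score_pair(beacon_times(n)))
```

Running this prints 25.0 for the beaconing pair after 6 hours, 50.0 after 12 hours and 100.0 once a full day of heartbeats is in the window, while the irregular browsing pair scores 0.0. The cap is deliberate: once the window is entirely filled with the beacon, more time adds no further evidence, which is the same levelling-off behaviour described for the threat score later in this post.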

Tagging Compromises in the Alerts

Have a look at the data shown in Figure 1. We’ve set a threat score threshold of 90 and have told AI-Hunter to send alerts to a Slack channel monitored by the SOC team.

Figure 1: Over time, the threat score of a compromised system increases

Note that in the first entry the system just barely crosses the threshold. Over time, however, the score continuously increases. As the beacon activity continues, AI-Hunter becomes more certain that what it is seeing is a compromised system. This is reflected in the threat score being reported. This will continue until the C&C has been in place for 24 hours. At that point the score will most likely level off. This is because AI-Hunter now has a full day of C&C activity to analyze, so each 24-hour block will always be filled with this C&C activity.

Lessons Learned

While the magnitude of the threat score is important, especially on an initial hunt, established environments should also pay attention to threat score changes over time. A dramatic increase in threat score within a 24-hour block of time could be a clear indicator that a system compromise has just taken place. The first stop should be the AI-Hunter interface to see what is causing the dramatic increase in score. The step after that may very well be to trigger your incident response process.
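
The post's two alerting rules, the absolute threshold of 90 and a dramatic rise within a 24-hour block, can be applied to the stream of per-system scores in a SIEM or a small chat-ops script. The example below is added here and is not AI-Hunter's own code; the JUMP value of 40, the host names and the score series are constructed for the example, and the rise rule is edge-triggered so it fires once when the rise first appears rather than on every later report.

```python
"""Added example: two alert rules over a stream of per-system threat scores.

- "threshold": score >= 90, the alert the post configures.
- "rise": score climbed by at least JUMP over the lowest score seen in the
  trailing 24 hours, fired once when the rise first appears.
Illustrative SIEM / chat-ops logic, not AI-Hunter's own code. JUMP and the
score series are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 90                 # threat score threshold used in the post
JUMP = 40                      # constructed: rise within 24h worth flagging
WINDOW = timedelta(hours=24)   # length of one analysis block


def evaluate(reports, threshold=THRESHOLD, jump=JUMP, window=WINDOW):
    """reports: iterable of (datetime, host, score).
    Returns a list of (timestamp, host, kind, detail) alerts in time order."""
    history = defaultdict(list)     # host -> [(ts, score)] in trailing window
    prev_delta = defaultdict(float)  # host -> rise seen at the previous report
    alerts = []
    for ts, host, score in sorted(reports):
        hist = history[host]
        hist.append((ts, score))
        # Keep only the reports that fall inside the trailing 24-hour window.
        while ts - hist[0][0] > window:
            hist.pop(0)
        if score >= threshold:
            alerts.append((ts, host, "threshold",
                           f"threat score {score} >= {threshold}"))
        # Rise over the lowest score in the window; alert only on the report
        # where that rise first reaches JUMP (edge-triggered, not repeated).
        low = min(s for _, s in hist)
        delta = score - low
        if delta >= jump and prev_delta[host] < jump:
            alerts.append((ts, host, "rise",
                           f"threat score rose {low} -> {score} within 24h"))
        prev_delta[host] = delta
    return alerts


def sample_reports():
    """Constructed score reports every 4 hours for two hosts. ws-12 starts
    beaconing around hour 12 and its score climbs; ws-30 stays quiet."""
    t0 = datetime(2019, 1, 1, 0, 0)
    compromised = [10, 12, 11, 55, 78, 91, 95, 96]
    quiet = [20, 25, 22, 30, 27, 24, 29, 26]
    reports = []
    for i, (a, b) in enumerate(zip(compromised, quiet)):
        ts = t0 + timedelta(hours=4 * i)
        reports.append((ts, "ws-12", a))
        reports.append((ts, "ws-30", b))
    return reports


def format_alert(alert):
    """One-line message suitable for a Slack webhook or a SIEM event."""
    ts, host, kind, detail = alert
    return f"[{ts:%Y-%m-%d %H:%M}] {host}: {kind} - {detail}"


if __name__ == "__main__":
    for a in evaluate(sample_reports()):
        print(format_alert(a))
```

On the constructed data the rise rule fires for ws-12 at hour 12, when its score goes from 10 to 55, a full eight hours before the absolute threshold of 90 is crossed; the three threshold alerts follow at hours 20, 24 and 28, and the quiet host produces nothing. That early rise alert is the signal this section recommends watching for in an established environment.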

Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
