Detecting Compromises With AI-Hunter
Now that AI-Hunter analyzes your network continuously, just like an overly caffeinated threat hunter, we can provide new insight into identifying when your network has been compromised. In this blog entry I'm going to focus on the alerting system and show you how to identify when a system has been whacked. The best part is that the process is dead simple and can easily be done within your SIEM of choice or within Slack.
AI-Hunter Alerting – 101
AI-Hunter continuously hunts your network looking for indications of a system compromise. These individual indicators are combined into an overall threat score for each system. You then set a threat score threshold and receive an alert whenever a system's score exceeds it. Alert configuration is covered in the Installation Guide, but in short you simply edit the "config.yaml" file in the "/etc/AI-Hunter/" directory on the system running AI-Hunter. Set the threshold too low and the SOC channel fills with noise; set it too high and a fresh compromise is not reported until its score has had time to climb, which is the point of the example below.
It’s All about Analyzing Huge Amounts of Data
Unlike signature-based security tools, AI-Hunter constantly re-analyzes the previous 24 hours of packet data. We don't do pattern matching, since that only catches well-known attacks. Instead we scrutinize the traffic the way an analyst would, in order to identify command and control (C&C) channels.
So let's assume an attacker compromises a system and installs a remote access Trojan (RAT) that beacons home once every 30 minutes. Up until the moment of compromise, the system has been behaving normally. From then on, every half hour a heartbeat is sent to a C&C server across the Internet. The longer the beaconing continues, the more data points we have telling us the system has been back-doored.
Tagging Compromises in the Alerts
Have a look at the data shown in Figure 1. We’ve set a threat score threshold of 90 and have told AI-Hunter to send alerts to a Slack channel monitored by the SOC team.
Figure 1: Over time, the threat score of a compromised system increases
Note that in the first entry the system just barely crosses the threshold. Over time, however, the score keeps climbing: as the beacon activity continues, AI-Hunter becomes more certain that it is looking at a compromised system, and the reported threat score reflects that growing confidence. The climb continues until the C&C channel has been in place for a full 24 hours, at which point the score will most likely level off. AI-Hunter now has a complete day of C&C activity to analyze, and every subsequent 24-hour block contains the same steady beaconing, so there is nothing new to push the score higher.
Lessons Learned
While the magnitude of the threat score matters, especially on an initial hunt, established environments should also watch how a system's threat score changes over time. A dramatic increase within a single 24-hour block is a strong indicator that a compromise has just taken place, and because the score climbs gradually as beacons accumulate, a rise-based rule can flag a fresh compromise hours before the absolute threshold does. The next stop should be the AI-Hunter interface to see which indicators are driving the increase, and the step after that may very well be to trigger your incident response process.
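The rise-then-plateau behaviour described under Figure 1 and the rate-of-change idea from Lessons Learned, as an added toy simulation. This is not AI-Hunter's code or its scoring algorithm; the scoring heuristic (gap regularity times window coverage), the 50-point rise rule and the sample timestamps are constructed assumptions for illustration. It takes only the numbers the post gives, a 24-hour window, a 30-minute beacon and a threshold of 90, and shows the score climbing for about a day, levelling off once a full day of beacons sits inside the window, and a change-over-24-hours rule firing hours before the absolute threshold does.

```python
"""Toy simulation of sliding-window beacon scoring and two alert rules.

Added illustration, not AI-Hunter's scoring algorithm.  It only models the
behaviour the post describes: a 24-hour analysis window, a RAT that beacons
every 30 minutes, an alert threshold of 90, and a score that climbs for a day
and then levels off.
"""
import statistics

WINDOW_SECONDS = 24 * 3600     # the 24-hour block that gets re-analyzed
BEACON_INTERVAL = 30 * 60      # the RAT heartbeat from the post
THRESHOLD = 90                 # the Slack alert threshold from Figure 1


def beacon_score(timestamps, window_end):
    """Score 0..100 for one host/destination pair over the 24 h window
    ending at window_end.  Toy heuristic (assumption, not AI-Hunter's):
    how regular the inter-connection gaps are, times how much of the
    window that cadence accounts for."""
    in_window = sorted(t for t in timestamps
                       if window_end - WINDOW_SECONDS < t <= window_end)
    if len(in_window) < 3:
        return 0
    gaps = [b - a for a, b in zip(in_window, in_window[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return 0
    # 1.0 when every gap is identical, falling toward 0 as jitter grows
    regularity = max(0.0, 1.0 - statistics.pstdev(gaps) / mean_gap)
    # fraction of the window this cadence fills; saturates once a full
    # day of beacons is inside the window (48 beacons at 30 minutes)
    coverage = min(1.0, len(in_window) * mean_gap / WINDOW_SECONDS)
    return round(100 * regularity * coverage)


def score_timeline(timestamps, start, end, step=3600):
    """Re-score the host every `step` seconds, like repeated hunts."""
    return [(t, beacon_score(timestamps, t)) for t in range(start, end + 1, step)]


def first_alerts(timeline, threshold=THRESHOLD, rise=50, step=3600):
    """When each rule first fires.  'threshold' is the post's configured
    rule; 'rapid_rise' is the Lessons Learned idea: the score climbed by
    at least `rise` points versus the window 24 h earlier (50 points is
    an assumed value for illustration)."""
    lookback = WINDOW_SECONDS // step
    fired = {}
    for i, (when, score) in enumerate(timeline):
        if "threshold" not in fired and score >= threshold:
            fired["threshold"] = when
        if ("rapid_rise" not in fired and i >= lookback
                and score - timeline[i - lookback][1] >= rise):
            fired["rapid_rise"] = when
    return fired


# Constructed sample data: the host is clean for two days, is compromised
# at T0 and then beacons to the C&C every 30 minutes for two more days.
T0 = 3 * WINDOW_SECONDS
BEACONS = [T0 + k * BEACON_INTERVAL
           for k in range(2 * WINDOW_SECONDS // BEACON_INTERVAL + 1)]

# Constructed irregular traffic (a user browsing one site) for contrast.
_BROWSING_GAPS = [300, 7200, 900, 3600, 60, 10800, 1500, 5400, 200, 4000]
BROWSING = [T0]
for _gap in _BROWSING_GAPS:
    BROWSING.append(BROWSING[-1] + _gap)

# Hourly re-scoring from one day before the compromise to two days after.
TIMELINE = score_timeline(BEACONS, T0 - WINDOW_SECONDS, T0 + 2 * WINDOW_SECONDS)

if __name__ == "__main__":
    for when, score in TIMELINE[::6]:
        print(f"{(when - T0) / 3600:+6.0f} h after compromise: score {score:3d}")
    print("first alerts:", first_alerts(TIMELINE))
    print("irregular browsing score:", beacon_score(BROWSING, BROWSING[-1]))
```

Running it prints the score every six hours: 0 before the compromise, roughly 4 points per hour afterwards, 100 from the 24-hour mark onward. With these constructed inputs the absolute rule fires 21 hours after the compromise, when the score first rounds to 90, while the rise-over-24-hours rule fires at hour 12; the irregular browsing series scores 0 because its gaps have no regularity, which is the difference between a heartbeat and a human.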
Chris has been a leader in the IT and security industry for over 20 years. He's a published author of multiple security books and the primary author of the Cloud Security Alliance's online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product-market fit.