Questions From a Beginner Threat Hunter
How Do I Read and Interpret Packet Captures?
Packet captures, frequently referred to as “pcaps” due to the file format that is commonly used, are a recording of traffic that has been seen on the network. Most modern network communications are digital, meaning they are all ones and zeros. A packet capture tool converts these ones and zeros to hex or ASCII so they are easier for people to read. It takes a lot of practice and skill building to be good at properly interpreting packet captures.
There Are So Many Tools Out There, How Do I Know Which to Use for What?
Try them out! Also, don’t expect one tool to always be a perfect fit for every need. For example, if I’m analyzing overall traffic flow, I’ll use a tool like Zeek. If I’m looking for specific patterns, I’ll use Suricata. For specific traffic flows, I’ll use tshark. For a deep analysis on a single session, I’ll turn to Wireshark. My best advice is to pick one tool and stick with it. When it doesn’t help with a specific challenge, check out other tools.
What Does Legitimate Network Traffic Look Like? (Especially Human Behavior)
“Normal” varies with the use case and the protocols being used. For example, Web traffic tends to be opportunistic. Think about how often you launch a new tab in a Web browser, or perform a search, and you’ll get the idea. Traffic is pretty bursty. However, if you have a tab open to a weather site or an email server, you can expect to see traffic patterns that are pretty repetitive. So you need to understand the protocol as well as the use case.
Really, it comes down to “Is there a legitimate business need for the traffic?”. For example, seeing TeamViewer or similar remote control traffic to a server that is managed by an outside consultant would probably be “legitimate” as there is a business need for the traffic. Seeing TeamViewer running on your domain controller when no remote access is expected probably indicates a pretty serious security problem. Note in both cases the protocol, application, and traffic patterns are identical. What makes one legitimate versus the other is “business need”.
Where Should One Start Looking When Facing an Overwhelming Amount of Data?
Start with what you understand and move that data out of the way. For example, all of your Windows systems are calling back to Microsoft’s management network. This is expected, so remove it from the data you are analyzing and focus on what’s left. Let’s say the next thing you identify is NTP traffic going to known NTP servers. Again, remove that from the data being analyzed and go through what’s left. Repeat as needed. Once you have removed everything you understand and can identify as having a legitimate business need, you can deep dive into whatever is left.
Once I Suspect a System Has Been Compromised, What Is the Best/Easiest Way to Detect Lateral Movement?
Identify the command and control (C2) server being used and see if any other internal systems are communicating with that server. Be patient, as it’s not uncommon for secondary systems to only call home every 4-8 hours. A packet capture running for 24 hours should be sufficient in most cases.
How Does C2 Over DNS Work? How Can I Verify That a Website or Service Is Who They Say They Are?
These are two completely different questions. 🙂 C2 over DNS works by embedding the C2 traffic inside legitimate DNS queries. This causes your DNS servers to happily forward the C2 traffic out towards the Internet. The attackers will then register a remote domain and set up their C2 server as the authoritative DNS server for the domain. So your DNS servers end up sending the embedded C2 traffic to the remote C2 server.
As far as verifying that a website or service is who they claim to be, it can be challenging to run down authoritative reputational data.
How Much Attention Should I Pay to SSL Certificates or Lack Thereof?
Most legitimate Web sites only use HTTPS with TLS for communications. So if there is no certificate installed on the server, that can be a cause for concern, especially if you are sending sensitive data. To be honest, certificates can be a real rabbit hole that takes more than a single paragraph to answer completely. For example, just because a certificate is in use does not mean the session is encrypted (both SSL and TLS support authentication without encryption). Many in the security industry consider wild card digital certificates to be less secure than a certificate issued to a single system (smaller attack surface). So it can take a lot of studying to really understand the security implications of digital certificates and the various ways they can be deployed.
How Can I Find Out Which Process Spawned a Task?
It depends on the operating system. On Linux and UNIX based platforms, you can usually run something like “pstree” or “ps -aef –forest”. On Windows you will need to use a tool like Process Monitor.
What Is an Average Session Time? How Can We Look at a Protocol and Determine if the Time-Length Is Suspicious?
Most sessions tend to be relatively short-lived, lasting only a few minutes or less. However, there are plenty of exceptions. For example, an SSH session will stay active as long as the user requires access to the remote system. Various chat and message bus programs may try and leave sessions open indefinitely. So as mentioned above, you really need to look at the business case of the traffic you are analyzing.
How to Detect Suspicious DNS Queries.
“Suspicious” is a very generic term. If you are looking for C2 over DNS, there are a couple of attributes that you can focus on. First, look for domains you don’t recognize that your servers have resolved 1,000+ host names (Fully Qualified Domain Names or FQDNs) as part of that domain. This may be an indication of C2 activity. Also, you can look at domain utilization. For example, if you have looked up hundreds or thousands of FQDNs within a domain, but none of your systems ever actually communicate with these systems, that could also indicate C2 activity.
Acronyms To Remember:
C2 – Command and Control
DNS – Domain Name System
FQDN – Fully Qualified Domain Name
SIEM – Security Information and Event Management
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.