Threat Hunting – Safelisting – Video Blog
Video – Threat Hunting – Safelisting
Hey folks, I’m Chris Brenton and in today’s threat hunting short, I’m gonna talk about the importance of safe listing. Safe listing is what we use to go through and remove entries we’ve hunted in the past. So imagine I have an internal system it’s in constant communication out on the internet. I go through, I hunt that. I figure out it’s checking for patches. It’s, you know, doing something that is a known and acceptable business related function that revolves around it. I’m gonna wanna safe list that connection out so that I don’t have to see it every day. Reun it every day and say, oh yeah, that’s okay. Okay. Yeah. That’s okay. Because by doing that, so that’s gonna dramatically reduce the amount of work on each hunt. Imagine the first time I go through and do a hunt, I find 20 things that, yep. That’s okay.
There’s a business need. Well, the next time I go through and do a hunt, if I can safe list those 20 entries, however long, it took me to do those 20 entries. I don’t have to repeat that again. Right? So my hunts are gonna come faster and faster. Also, this kind of creates a nice little documentation trail of what type of acceptable traffic takes place on the network. And, you know, most networks need this cuz they don’t have it. So there’s a number of different ways I can go through and I can create my safe list entries. One is I can use a firewall on the system that sniffing packets and I can just go in and create firewall rules that filters out certain traffic patterns. It’s easy to do. Most people are familiar with firewalling. So it, it seems relatively straightforward. What I don’t like about it is when you do that, the data’s gone.
In other words, let’s say a safe list, something, but I shouldn’t have it. Wasn’t what I thought it was. Well, all the data that got generated once that filter got put in place, didn’t include that pattern anymore. It’s gone. I can’t tell if it was happening or not. So you’re blindsided, further revision history becomes hard. You know, what will we filtering 30 days ago? Well, I don’t know. I can look at what the filter is today and maybe that’s the same as it was 30 days ago. Maybe not. I’m not gonna be able to tell the difference. A better option is to do your filtering directly through Zeek supports, BP type filters. One of the nice things about doing it there versus in the operating system, it keeps an audit trail. So it’ll tell you in the packet, underscore filter log file that was generated on that specific day.
What filters were in place when Zeek. So again, if I need to go back 30 days, figure out what was being filtered out. Reference that file. I’m good to go. The only downside of it is again, once the date is gone, it’s gone because you chose not to capture it at all. My preferred method is this last bullet item display filtering. And this is what I’m gonna show you today with display filtering. It gets it outta my way. So I don’t see it. But if I figure out I did something stupid and a safe list, it’s something I shouldn’t, it’s simply a matter of removing that display filter. And now I can go back through whatever data I need to and see what the impact would’ve been of not having that safe list entering in place. Now some of our tools are gonna have safe listing built in some aren’t. So for example, with AC hunter safe listing is
Built right in. I have this nice little filter icon, so I can go up here and I can say, I want a safe list. This target IP it’s whole subnet. You know, the ASN it’s a little rough <laugh> I don’t think I’d want to do ASNs but good. If you wanted to, I could do it based on the IP address pair or the, you know, the one subnet to another. If I want to do it that way I can go in and I can look at this from a full of qualified domain name perspective. So I could say, Hey, anytime somebody’s beaconing and it’s going to anything within, you know, Microsoft edge.net business need for that, don’t worry about it. And I can go and create my safe list anyway. So this has safe listing built right into the interface, which is really nice and makes it easy to use.
But what if you don’t have that? Well, let’s take a look at Rita because Rita doesn’t have a safe listing capability built into it, but if you kind tweak it and bang it with a hammer, you can actually come up with some purely decent, safe list capability. So I’m just running my Rita command. We’re gonna look at some long connections out of this data set and I’m just pumping it through the less command. And when I go through and I run it, when I look for long connections, the ones that are important to me from for me personally, I like to investigate anything that’s about five, five and a half hours or longer. So that’s gonna be 20,000 seconds or more. Well, if I look at this data output, ouch, <laugh>, there’s a lot of entries here, but at 20,000 seconds or more, right, how do we go through and kind of whittle these down, let’s go through and kind of talk about that.
So let’s just start right up at the top. So my first long connection is going to this IP address here. I don’t see the application layer because the connection probably started previous to today. So do I have anything else? That’s part of that same subnet well, actually I do. I get a couple entries here. I got one here and I got one here. That’s part of that same class C it may be depending upon who runs this network managed by the same organization. So I can go in and I can take a look for that. Now there’s two things I may want to take a look at to kind of identify what was going on. Why did this connection take place? The first is what was the user trying to get to? So I’m gonna go through, I’m gonna say, Hey, I want a cat DNS dot log.
I’m gonna pull out queries and answers. In other words, what was the user trying to get to? What was the answer that came back, sort it, and then I’m gonna go in and I’m gonna search for one of those IP addresses. When I go through and I do that, this comes back and tells me, oh, Hey look, the user was trying to get to a windows notification server when it returned that IP address. Cool. So now what I can do is I can go in and look at what was that IP address associated with the digital certificate that had that same name. So I’m gonna go into the SSL adult log file. I’m gonna cut out and say, show me the IP address of that system, the server name associated with it, basically everything, but validating the digital certificate. And if you’ve got a new, the latest version of Zeek, you can actually do that as a can fake file change you can make, and that’ll get you a new status field.
And if that did and ZQ will check every digital certificate for you. And if the certificate’s okay, it will tell you, okay, now I know it’s all right. So if I had that feature turned on and this version of Z, I’d go through and use that too. I’m not just kind of make sure things keep going quickly, but notice that IP address is using a digital certificate and it’s the same server name as what the user was trying to get to. Cool. So that tells me that whole subnet is run by Microsoft and it’s probably windows notification servers, cuz there’s a lot of ’em. So here’s what I’m gonna do. I’m gonna use the echo command to create a file named safe list text. And I’m gonna add this entry to it just like that. So now if I cap that safe list file, you can see the only thing in it is this entry here.
Now what I’m gonna do is I’m gonna go through and I’m gonna use the grip command to turn that text file into a safe list entries, a set of safe list entries I can use. So here I’m doing Rita show long connections T hunt lab, same as I did at the very beginning, but this time, instead of pumping it through the less command, I’m saying grab dash V, show me everything, but dash F whole matches. So it’s gonna match on everything in that order, in the entire line and everything is what it says it is. It’s not a special character and load up this file to do it. And when I run that notice that goes through and that pulls out those initial entries. So I don’t have to go into worry about those anymore. That’s pretty cool. Let’s take a look at the next one on our list.
Okay. Here’s our next one. And again, we don’t have any app data, but if I search down a little bit yep. That one doesn’t have any app data either. Let’s see. Maybe I need to see a little bit more data to find one that does. So I’m gonna say head 15 this time and when I do that, oh, Hey look, we got an entry here. So this has got my SSL data in it. So I can go in and I can look to see, does that have, what was the user trying to get to via DNS that returned that IP address? And do I see a digital certificate that matches that same entry and it does. So the user was trying to get to you guessed another windows notification server when it got back that IP and that IP has a digital certificate that’s associated with that same name.
Cool. So now I can go in and I can add that subnet to my safe list. So I’m just gonna use the echo command again. I’m gonna use the double greater then sign to append that file. Now, if I go in a look at that file, it’s got two line entries in it, one for reach. And now if I go back and I run my my read a command again, Hey, notice my list is getting a little bit shorter here. Right? That’s kind of cool. All right, what can we go go after next? We get some 40 addresses here, right? 40 77, 2 29, 82. Again, no app data here, but if I go down a little bit, I can find other systems on that same subnet that do have the application data associated with it. Cool. So let’s go in and let’s see again, what was the user trying to get to when they ended up at that IP address and what was the digital certificate associated with that?
And I can say, oh, you guessed it. Another windows notification server return that IP, that IP has a digital certificate associated with that name. Great. Guess what we do next? We go in and we add this to our safe lift. So if I go in here, I can say, add that entry in. Now let me go back to my Rita command again. Notice my list is getting shorter. Pretty cool. All right. Here’s my next one. That doesn’t have any app data associated with it, but this entry does. So I can go in and I can do a search on this one to see if I can’t figure out what’s going on now. Gee, what do you think we’re gonna find right. When we go in and we look at what was the user trying to get to when they can’t got back that IP and what was the system again? It’s another windows notification server. So again, I can simply go in, add that to my safe list entries, just like that. And now let’s go back to our Rita command. We were saying we wanted to look at 20, 20,000 seconds or higher. This is only 6,000 seconds. Let’s take a look at that safe list file.
So again, just by appending things in, and you know, I’ve been talking, I’ve been doing this for what, less than 10 minutes. So in less than 10 minutes, I was able to create a safe list entry that pulled out all those top hitting entries. So now tomorrow when I do my threat hunt, if nothing comes in above 20,000 seconds still, I’m good. If something new comes in above 20,000 seconds, oh, that’s something new. That’s something worth going in and paying attention to. I’ve just expedited. You know how long it’s gonna take my threat hunt for each threat hunt after this, if this stuff is fun to you, like it is to me and you wanna learn more we have a free six hour threat hunting class. You welcome to take part in it’s about half lecture, half hands on lap time. It takes place over one day. The next one’s coming up on October 4th, that link on the bottom. You can use that to go sign up for the class. We’ve had about 20,000 people actually, well, over 20,000 people go through this class at this point and see people seem pretty happy with it. We’re updating it all the time. So yeah, please feel free to jump in, join in and have fun at the party. So with that said hopefully you found this video useful. I will see you in the next one.
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.