At the end of 2009 I made the decision to stop being a provider and become a client. An opportunity with a very important organization in the financial sector in Colombia led me to become a CISO, with the purpose of demonstrating that my knowledge as a consultant really worked in real life.
I found myself with all kinds of tools implemented: solutions for network security, endpoint security, application security, Web protection, messaging, access and user control, SOC, among others.
The board of directors was reassured that every security requirement had been addressed and the necessary resources had been provided. But incidents kept occurring and the solution was usually to look for a new tool in order to mitigate the exposure.
I came from implementing several Security Operations Centers (SOC) at a time when the SIEM was just being defined. My decision: to focus the strategy on detection and response and reduce prevention a little.
The main objective was to detect new threats that the well-known controls such as IPS or Antivirus signatures could not detect.
We started with basic elements that I want to define in order to finish with the methodology we have been applying to hunt for attacks.
Our first objective: the generation of blacklists
We collected IP address data that would generate some kind of recognition or attack towards our attack surface, including information about the services we wanted to exploit (mail, web, etc.) and we enriched it with data such as geographic location using GeoIP.
Domain search
Subsequently we tried to search for domains, because we could not detect the information because we did not have such sources of information, we performed reverse domain name resolution to find if several old and new IP addresses were related to a domain. By including content filtering we began to identify domains and URLs, thus completing our blacklisting objective.
The attack methods at the network and at the host level
Later on, we focused on identifying artifacts and attack methods at the network and host level. Sandboxing tools were beginning to appear, and we were able to identify files, registry keys and processes that were compromising our computers, servers and ports that were guiding operations across the network.
Definition of applied cases
The last phase of the project was oriented to the definition of use cases, seeking to identify the ways and methods used to attack, the techniques used and artifacts. Again relying on Sandbox solutions, we were able to have a clarity of each of the activities performed by an attack, understanding the method of attack.
To summarize and present the methodology, our attack hunting strategy was oriented to:
- IP addresses
- Domains
- Network devices and equipment
- Tactics and attack methods
I recently came across what is called the pyramid of pain in a blog by David Bianco, which summarizes which indicators are most effective in detecting attacks. It states that IoCs (indicators of compromise) are the most ephemeral thing today, because every malicious file is constantly being modified; but techniques, tactics and procedures should be the priority because we understand how groups (of cybercriminals?) carry out their attacks, which we now call IoA (indicator of attack).