Click “HUNTS”, and you’ll be taken to a fairly stripped-down module page. From there you will be able to Add a Hunt.
The hunt you create here will be the central repository where all of the Alerts, Assets, Users, and other modules’ records that become associated with your hunting activity will be linked together.
Give the hunt a name and a time range, then Save. The MITRE ATT&CK™ hunt playbooks we’ve provided use this time range to bound the SIEM queries they run. A “Hunt Start” time is a required parameter; a “Hunt End” time is optional. We recommend a fairly narrow window during the initial stages of a hunt, so you can gauge how many results come back and tune out any obvious false positives before running a larger-scale hunt. Hunt Start and Hunt End can be modified at any time to expand or contract the hunting window.
Now within the context of your newly created Hunt, you can execute any playbook whose Manual Trigger conditions allow execution from a Hunt record. Out of the box, we’ve provided a selection of hunts inspired by the MITRE ATT&CK™ framework, some of which you can see below:
VERY IMPORTANT NOTE
We strongly recommend that you review and evaluate the contents of any MITRE ATT&CK™ Hunt playbook before you execute it. Running a playbook is very similar to running any other kind of code. You wouldn’t run unevaluated code in your environment, and playbooks should be treated no differently. We have developed each playbook very carefully to try to maintain compatibility with different types of configurations and environments, but it is impossible to anticipate every possibility.
The MITRE ATT&CK™ hunt playbooks generally follow a common pattern:
SIEM query for logs indicative of a specific type of suspicious or malicious behavior
Additional SIEM queries for data enrichment, if needed
Call the custom-made “Create and Link Alerts” playbook, which creates deduplicated Alerts containing the results of the preceding SIEM queries and links them to the Hunt record
Post-Create playbooks then run automatically and attempt to create and link related Assets, Indicators, or Users to each created Alert
The resultant Alerts will all be in the Alerts module, but will also be visible from within the hunt record in the Hunts module. A contextual comment is added to the Hunt record to indicate that an Alert has been created and/or linked to the Hunt.
Post-Create Playbooks.
We have also included some post-create playbooks with the Hunts package, in a collection called “MITRE ATT&CK™ Modulars”. The goal of this collection of playbooks is to facilitate the creation and linking of various other record types, such as Assets, Users, and Indicators, to the Alerts generated by each Hunt.
Create and Link Alerts from Asset (Host-based) - Creates Alerts and Comments, then links both to the Asset record. Also de-duplicates Alerts by checking to see if an identical Alert exists before creating a new one.
Create and Link Alerts from Hunt (Host-based) - Creates Alerts and Comments, then links both to the Hunt record. Also de-duplicates Alerts by checking to see if an identical Alert exists before creating a new one.
Create and Link Indicators from Alert - Creates and/or links indicators of types URL, Filehash-*, IP Address, and FileName to the Alert
Create User from Alert
Create and Link User - Creates and/or links a user to the Alert and Asset (requires the Alert to have data in the username field)
Create Alert from Network Sensor and Link to Hunt - Creates Alerts and Comments, then links both to the Hunt record. Also de-duplicates Alerts by checking to see if an identical Alert exists before creating a new one.
Create Asset from Alert - Creates and/or links an Asset to the Alert
Deduplicate Comments - Deduplicates Hunt record comments
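The pattern described above (a SIEM query bounded by the Hunt’s Start/End times, deduplicated Alert creation linked back to the Hunt record, and post-create linking of Indicators, an Asset and a User) is easy to lose sight of inside a playbook designer, so here it is as a small stand-alone Python program. This is an added illustration, not a CyberSponse/FortiSOAR playbook and not the product’s API: Hunt and Alert records are plain dicts, the “SIEM” is a constructed in-memory list of events, and the hunt itself (encoded PowerShell command lines, with a deliberately loose regex) is a stand-in for any of the shipped hunts. Hostnames, usernames, IPs, the URL and the hash are all made up.

```python
"""Hunt-playbook pattern: time-bounded query, deduplicated Alerts linked to the
Hunt, then post-create linking of Indicators/Asset/User. Added example only;
records are dicts and nothing here calls the FortiSOAR/CyberSponse API."""
import hashlib
import re
from datetime import datetime, timezone

# Loose match for PowerShell's -EncodedCommand and common abbreviations
# (-e, -ec, -en, -enc, -encodedcommand). Illustrative, not a complete detection.
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def ev(ts, host, user, cmd, **extra):
    """Build one constructed SIEM event (sample data, not real telemetry)."""
    return {"ts": ts, "host": host, "user": user, "cmd": cmd, **extra}


# Constructed sample events: two are identical on the dedup key, one is before
# Hunt Start, one is benign. The hash is the well-known SHA-256 of an empty file.
SIEM_EVENTS = [
    ev("2024-03-01T09:15:00Z", "ws-101", "jdoe", "powershell.exe -w hidden -enc SQBFAFgA",
       src_ip="10.0.0.5", url="http://198.51.100.7/stage.ps1", file="stage.ps1",
       sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ev("2024-03-01T09:16:30Z", "ws-101", "jdoe", "powershell.exe -w hidden -enc SQBFAFgA",
       src_ip="10.0.0.5", url="http://198.51.100.7/stage.ps1", file="stage.ps1",
       sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ev("2024-03-02T14:02:00Z", "srv-07", "svc_backup", "powershell.exe -enc VwBy", src_ip="10.0.2.9"),
    ev("2024-02-20T08:00:00Z", "ws-044", "asmith", "powershell.exe -enc QQBB", src_ip="10.0.0.44"),
    ev("2024-03-01T10:00:00Z", "ws-101", "jdoe", "powershell.exe Get-Date", src_ip="10.0.0.5"),
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def hunt_window(hunt):
    """Hunt Start is required; Hunt End is optional and defaults to 'now'."""
    start = parse_ts(hunt["start"])
    end = parse_ts(hunt["end"]) if hunt.get("end") else datetime.now(timezone.utc)
    if end <= start:
        raise ValueError("Hunt End must be after Hunt Start")
    return start, end


def query_encoded_powershell(events, hunt):
    """Step 1: the hunt's SIEM query, bounded by the Hunt record's time range."""
    start, end = hunt_window(hunt)
    return [e for e in events
            if start <= parse_ts(e["ts"]) <= end and ENCODED_PS.search(e["cmd"])]


def alert_key(event):
    """Dedup key: same host, user and command line means the same Alert."""
    raw = "|".join((event["host"], event["user"], event["cmd"]))
    return hashlib.sha256(raw.encode()).hexdigest()


def extract_indicators(event):
    """Indicator types mirror 'Create and Link Indicators from Alert'."""
    found = []
    if URL_RE.match(event.get("url", "")):
        found.append(("URL", event["url"]))
    if SHA256_RE.match(event.get("sha256", "")):
        found.append(("FileHash-SHA256", event["sha256"]))
    if IPV4_RE.match(event.get("src_ip", "")):
        found.append(("IP Address", event["src_ip"]))
    if event.get("file"):
        found.append(("FileName", event["file"]))
    return found


def post_create(alert):
    """Post-Create step: link Indicators, the Asset, and a User if a username exists."""
    e = alert["source"]
    alert["indicators"] = extract_indicators(e)
    alert["asset"] = e["host"]
    alert["user"] = e["user"] or None


def add_comment(hunt, text):
    """'Deduplicate Comments': never add the same contextual comment twice."""
    if text not in hunt["comments"]:
        hunt["comments"].append(text)


def create_and_link_alerts(hunt, events, alert_store):
    """Create deduplicated Alerts, link each to the Hunt, run post-create on new ones."""
    created = []
    for e in events:
        key = alert_key(e)
        alert = alert_store.get(key)
        if alert is None:                      # no identical Alert exists yet
            alert = {"id": key[:12], "name": f"Encoded PowerShell on {e['host']}",
                     "source": e, "indicators": [], "asset": None, "user": None}
            alert_store[key] = alert
            post_create(alert)
            created.append(alert)
        if alert["id"] not in hunt["alerts"]:  # link new or pre-existing Alert to this Hunt
            hunt["alerts"].append(alert["id"])
            add_comment(hunt, f"Alert {alert['id']} linked to hunt '{hunt['name']}'")
    return created


def run_hunt(hunt, events, alert_store):
    """Whole playbook: query, then create-and-link. Returns the newly created Alerts."""
    return create_and_link_alerts(hunt, query_encoded_powershell(events, hunt), alert_store)
```

Running `run_hunt` against the sample with a Hunt window of 1–3 March returns three query hits but only two new Alerts (the repeated command line on ws-101 collapses into one), both linked to the Hunt with one contextual comment each; running it a second time against the same alert store creates nothing and adds no duplicate comments, which is the behaviour the shipped “Create and Link Alerts” and “Deduplicate Comments” playbooks are there to provide.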
So I Executed a Hunt and Got Some Alerts. Now What?
Well, now you have some investigating to do! Depending on the type of Alert and your organization’s standard investigation and incident response procedures, you might want to:
Assign the Alerts to analysts for further investigation
Execute incident response playbooks to take actions such as:
Escalate from Alert to Incident
Quarantine a host
Reset a user’s password
Block an IP address, domain, or URL
Assign tasks to forensic or malware analysts for Tier 3/4 support
Email affected parties and their supervisors
Sandbox the file executing on the host
Perform additional tuning to reduce any false positives generated
Add additional steps to the playbook to further enrich the data
Any number of other things!
What Else Can I Do With the Hunts Module?
Whatever you want! Some ideas:
Build new hunt playbooks using the model and framework we have already developed
Improve or customize the existing hunt playbooks to better meet your needs or tune out false positives
Share your custom hunt playbooks with the community at https://help.cybersponse.com/support/discussions/forums/17000067184 (TODO)
Schedule a selection of the hunts to run daily/weekly/monthly
Verification
Acknowledgements.
Special thanks to the great people at MITRE who built the MITRE ATT&CK™ framework, which is a great resource for analysts, hunters, researchers, penetration testers, and security leadership. If you’re not familiar with the MITRE ATT&CK™ framework, do yourself a favor and visit https://attack.mitre.org/ to learn more.
Copyright 2025 Fortinet, Inc. All Rights Reserved.