Security operations center analysts confront a tough paradox almost daily. In a perfect world, every SOC would have the resources to 1) proactively hunt for the presence of adversaries in the network, and 2) have the analysts tasked with incident response profile the types of threats they encounter each day, determining the attack and compromise vectors that inform the containment and eradication strategy.
In this role, analysts identify the nature and source of malicious artifacts found on suspect systems, scope their potential impact, and contain and eradicate the threat accordingly. They would then add the lessons learned to their ongoing security knowledge base and processes to optimize security operations. This lifecycle is what I usually describe as “Smart Incident Response”.
In practice, of course, most enterprises don’t have the luxury of doing proactive threat hunting, nor the ability to use hunting techniques to scope reported incidents. Most SOC analysts are stuck in a never-ending cycle of reacting to a deluge of threats without ever understanding their context, their scope, or how to best eliminate them.
There are, however, tools and techniques readily available to the average overburdened SOC analyst that help them hunt for IOCs while an incident is still unfolding, faster and more effectively. Understanding the potential attack chains in your enterprise, where your crown jewels are kept, and the potential for data exfiltration, combined with triage and a little down-and-dirty forensics using open source or readily available tools, can accelerate your pathway through the detection and analysis cycle (see figure 1).
Case in point: One customer we worked with recently had more than 50,000 endpoints generating 700 events per second, or about 17 million each day. They had few forensic capabilities in place and would typically run multiple antivirus scans when they saw that something was infected. Often the scans would find nothing. If machines kept getting re-infected, they would simply re-image them without learning anything that would help them eliminate the threat once and for all.
Tools for automating threat identification and triage can be expensive and can be difficult to integrate into existing security regimes. Fortunately, for this customer we were able to prototype a quick-and-dirty threat hunting solution in just two days that provides basic triage, forensics, collection, and response capabilities.
We didn’t need to reinvent the wheel to build our solution. There are awesome tools available, including lots of Python snippets and libraries relating to computer security and forensics. Python is ideal for quick prototyping of applications or algorithms, and it supports the design of RESTful APIs for client/server services. You can use PyInstaller to freeze and package Python code into a standalone executable, which you can push to your endpoint devices or use in your Windows environment.
Along with Python, we used Yara, a tool that lets you create descriptions of malware families based on textual or binary patterns. There’s also a great repository of Yara rules that you may be able to use straightaway.
Our solution, called Rastrea2r, is open source code that lets you do Yara scans of files and objects on disk or processes running in memory, and report back the findings to your server. You can acquire endpoint memory dumps and analyze them later with different tools. And you can collect triage information, including host identifications and time scans, from hundreds of endpoints.
Rastrea2r can integrate with other tools so, for example, you can use an agent you already have to kick off a process or a binary. To scope an incident, once you have a sample you can go to Yaragen and generate a Yara rule to search for the malware across your full environment.
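The scan-and-report loop described above, as an added example that is not Rastrea2r’s own code: a constructed rule in a small subset of Yara’s syntax (plain text strings, hex byte strings, and the condition `any of them`), a matcher for that subset that stands in for yara-python so the example runs offline, and the triage record (host, scan time, path, SHA-256, matched rules and offsets) a client would POST to a collection server. The rule name, the sample bytes and the server URL are assumptions.

```python
import hashlib
import json
import re
import socket
import urllib.request
from datetime import datetime, timezone

# Constructed rule (not a real malware signature). Only "text" and { hex } strings
# and the condition "any of them" are understood by the stand-in matcher below.
RULE = r'''
rule demo_dropper {
    strings:
        $s1 = "Invoke-Expression"
        $h1 = { 4D 5A 90 00 }
    condition:
        any of them
}
'''

def parse_rule(text):
    """Return (rule_name, {identifier: pattern_bytes}) for the supported subset."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    strings = {}
    for ident, txt, hx in re.findall(r'\$(\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})', text):
        strings[ident] = txt.encode() if txt else bytes.fromhex(hx.replace(' ', ''))
    return name, strings

def scan_bytes(data, rule_text):
    """Stand-in for yara.Rules.match(): offsets of every string that occurs in data."""
    name, strings = parse_rule(rule_text)
    hits = {i: [m.start() for m in re.finditer(re.escape(p), data)] for i, p in strings.items()}
    hits = {i: offs for i, offs in hits.items() if offs}
    return {"rule": name, "matches": hits} if hits else None  # "any of them"

def triage_record(path, data, rule_text):
    """The per-object triage payload an endpoint would report back to the server."""
    return {
        "host": socket.gethostname(),
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "yara": scan_bytes(data, rule_text),
    }

def scan_file(path, rule_text):
    with open(path, "rb") as fh:
        return triage_record(path, fh.read(), rule_text)

def report(record, url="http://collector.example.invalid/api/v1/scan"):  # assumed endpoint
    body = json.dumps(record).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

The same record shape is what a hunt across hundreds of endpoints would aggregate server-side, keyed by host and SHA-256, so repeated hits on the same hash across machines stand out.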
Rastrea2r shows that SOC analysts can begin to shift their roles from reactive responders to proactive threat hunters. Making this shift will allow them to go beyond simply blocking identified threats to discovering, understanding, and eliminating new threats and infections. Our solution isn’t as cool or as fancy as some of the tools available, but it’s out there, and it’s open source, so anyone can use it.