I have been doing a lot of work on playbook design and automation recently, and stumbled upon some really great work by Demisto, a security automation platform. I haven’t been able to experiment with the product, so can’t say how good I feel it is. The playbook blog they run, though, is very helpful!
For example, their Command and Control Malware Detection lays out some great tips for a daily threat hunt using some simple actions. Below is the meat of the blog, laying out really great techniques for looking for some evil!
Methodology and Procedures
Query Splunk for finding traffic between our company and known C2 IPs
- Download the list of known C2 servers from http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
- Run the following command to extract the raw IP addresses (it skips the `#` comment lines, keeps the first comma-separated field, and de-duplicates):
  $ grep -v '^#' c2-ipmasterlist.txt | cut -d , -f1 | sort -u > c2ips_20150509.csv
- Upload the CSV file to Splunk
- Run the saved query with the new CSV file
- If any result is found, jump to the next section for validation
Validating the C2 traffic
- Go to https://otx.alienvault.com
- Enter remote IP address on the top search input field
- If remote IP can be tied to malware activity, create a ticket and move to the next section. Otherwise, proceed with the next IP.
Taking the compromised host offline
- Call Helpdesk on #12345
- Tell them to collect the compromised asset from the owner
- Ask Helpdesk to rotate the user’s AD credentials
- Ask them to prioritise this request as ‘P1’
- Add the ticket number from Helpdesk to our ticket
- Move on to the next section to search for other affected devices
Pivot on the IP
- Still on https://otx.alienvault.com, open the pulse related to the C2 IP
- Scroll down to “Indicators of Compromise”
- Enter “ipv4” in the Search field
- Copy and paste all IP addresses into a new CSV file
- Upload the CSV file to the ticket
- Upload the CSV file to Splunk
- Run an ad-hoc query again to search for the listed IPs
- If any result is found, repeat the process, following the “Validating the C2 traffic” and “Taking the compromised host offline” sections. There is no need to pivot again on these IPs.
- Once finished with processing all IPs, go to the next section to find the initial compromise
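The first section (matching proxy or firewall logs against the C2 feed) and this pivot section (matching the same logs against the IPs copied from the OTX pulse) are the same check with a different indicator list. The script below is an added example, not the playbook's or Demisto's own code. It reproduces the grep/cut/sort pipeline in Python, accepts either the comma-separated feed format or a plain one-IP-per-line list, and reports which internal hosts talked to a listed IP. The feed rows, the log line format and all IP addresses are constructed (documentation ranges), and the key=value log shape is an assumption; real Splunk field names vary by data source.

```python
"""Match connection logs against a C2 indicator list (added example).

Feed format assumed: '#' comment lines, then comma-separated rows whose
first field is the IP (the shape the playbook's grep/cut/sort one-liner
implies). A plain list with one IP per line is accepted too, which is
what you get after copying the "ipv4" indicators out of an OTX pulse.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the feed's shape. These are documentation-range
# addresses, not real C2 servers.
SAMPLE_FEED = """\
# C2 master feed (constructed sample; header lines begin with '#')
# ip,description,date,reference
198.51.100.23,IP used by example malware C&C,2015-05-09 10:00,http://example.invalid/ref
203.0.113.77,IP used by example malware C&C,2015-05-09 10:00,http://example.invalid/ref
198.51.100.23,IP used by example malware C&C (duplicate row),2015-05-09 11:00,http://example.invalid/ref
"""

# Constructed sample log lines; the key=value layout is an assumption.
SAMPLE_LOGS = [
    'ts="2015-05-09T09:12:01Z" src_ip=10.0.0.15 dest_ip=93.184.216.34 dest_port=443 action=allowed',
    'ts="2015-05-09T09:13:44Z" src_ip=10.0.0.15 dest_ip=198.51.100.23 dest_port=8080 action=allowed',
    'ts="2015-05-09T09:14:10Z" src_ip=10.0.0.42 dest_ip=203.0.113.77 dest_port=443 action=blocked',
    'ts="2015-05-09T09:15:00Z" src_ip=10.0.0.42 dest_ip=198.51.100.23 dest_port=8080 action=allowed',
    'this line is malformed and must be skipped',
]


def parse_c2_feed(text: str) -> Set[str]:
    """Equivalent of `grep -v '^#' | cut -d , -f1 | sort -u`, plus IP validation.

    Rows whose first field is not a valid IP address are dropped rather than
    uploaded as junk indicators.
    """
    ips: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(",", 1)[0].strip()
        try:
            ips.add(str(ipaddress.ip_address(first)))
        except ValueError:
            continue
    return ips


LOG_RE = re.compile(r"src_ip=(?P<src>\S+)\s+dest_ip=(?P<dst>\S+)")


def find_c2_hits(logs: Iterable[str], indicator_ips: Set[str]) -> Dict[str, List[str]]:
    """Return {internal_host: sorted list of listed IPs it connected to}.

    A blocked connection still counts: the host attempted to reach the C2
    address, which is what the validation step needs to see.
    """
    hits: Dict[str, Set[str]] = {}
    for line in logs:
        match = LOG_RE.search(line)
        if not match:
            continue  # malformed or unrelated line
        src, dst = match.group("src"), match.group("dst")
        if dst in indicator_ips:
            hits.setdefault(src, set()).add(dst)
    return {host: sorted(ips) for host, ips in sorted(hits.items())}


if __name__ == "__main__":
    c2_ips = parse_c2_feed(SAMPLE_FEED)
    for host, ips in find_c2_hits(SAMPLE_LOGS, c2_ips).items():
        print(f"{host} -> {', '.join(ips)}  (validate each on OTX before ticketing)")
```

For the pivot pass, feed the pasted OTX indicator list to `parse_c2_feed` as-is and run `find_c2_hits` again with the result; hosts that appear in that second output go through the validation and offline steps but, as the playbook says, are not pivoted on again.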
Finding the initial compromise
- Go to the mailboxes of the users of the compromised assets
- Scan through the emails from the past three (3) days
- Look for emails with attachments and web links
- If you find an email with a suspicious file or link in it, validate that on VirusTotal
- If you find a dodgy email, which could have caused the compromise, export the full email and upload it to the ticket
- Engage a colleague of yours to run the Phishing playbook on the email
- If you managed to pivot on all IPs and did not find any further compromised devices, resolve the incident
- Update the shift log with a brief summary of the actions taken
- If anything unusual happened during the incident, bring it up to the weekly post-mortem meeting
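The mailbox review in this section is done by hand in the playbook. The script below is an added example, not the playbook's or Demisto's own tooling, showing the mechanical part of that step: keep only messages from the past three days, and for each one list the web links in the body and the attachments with their SHA-256 (the hash you would search on VirusTotal rather than uploading the file). The messages, senders and attachment bytes are constructed inline with the standard library's email package; a real run would parse the user's mailbox export instead, and the analyst still decides which of the listed items is dodgy.

```python
"""Triage recent mail for the 'Finding the initial compromise' step (added example).

Returns, for each message inside the look-back window that carries links or
attachments, what the analyst should go and validate. Everything here is
constructed sample data; swap build_sample_mailbox() for a real mailbox reader.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Reference "now" for the three-day window (constructed, matches the feed date above).
REFERENCE_NOW = datetime(2015, 5, 9, 12, 0, tzinfo=timezone.utc)

# Placeholder attachment content (constructed); its SHA-256 is the well-known hash of b"abc".
SAMPLE_ATTACHMENT = b"abc"


def sha256_hex(data: bytes) -> str:
    """Hash an attachment so it can be looked up on VirusTotal without uploading it."""
    return hashlib.sha256(data).hexdigest()


def build_sample_mailbox(now: datetime) -> List[EmailMessage]:
    """Three constructed messages: a link lure, an attachment lure, and an old one outside the window."""

    def make(subject, sender, age_days, body, attachment=None):
        msg = EmailMessage()
        msg["Subject"] = subject
        msg["From"] = sender
        msg["To"] = "user@example.invalid"
        msg["Date"] = format_datetime(now - timedelta(days=age_days))
        msg.set_content(body)
        if attachment:
            name, data = attachment
            msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
        return msg

    return [
        make("Invoice overdue", "billing@example.invalid", 1,
             "Please review http://example.invalid/invoice.php?id=42 before Friday."),
        make("Scanned document", "scanner@example.invalid", 2,
             "See attached.", ("invoice.zip", SAMPLE_ATTACHMENT)),
        make("Team lunch", "colleague@example.invalid", 10,
             "Menu at http://example.invalid/lunch"),
    ]


def triage_recent_mail(messages: List[EmailMessage], now: datetime, days: int = 3) -> List[Dict]:
    """Keep messages sent within `days` of `now` and list their links and attachment hashes."""
    window = timedelta(days=days)
    findings: List[Dict] = []
    for msg in messages:
        sent = parsedate_to_datetime(msg["Date"])
        if now - sent > window:
            continue  # older than the playbook's three-day look-back
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body is not None else ""
        links = sorted(set(URL_RE.findall(text)))
        attachments = [
            {"name": part.get_filename(), "sha256": sha256_hex(part.get_content())}
            for part in msg.iter_attachments()
        ]
        if links or attachments:
            findings.append({"subject": msg["Subject"], "from": msg["From"],
                             "links": links, "attachments": attachments})
    return findings


def run_sample() -> List[Dict]:
    """Triage the constructed mailbox against the constructed reference time."""
    return triage_recent_mail(build_sample_mailbox(REFERENCE_NOW), REFERENCE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['subject']!r} from {finding['from']}")
        for link in finding["links"]:
            print(f"  link: {link}")
        for att in finding["attachments"]:
            print(f"  attachment: {att['name']}  sha256={att['sha256']}")
```

Hash lookups are preferred over uploading the suspicious attachment because an upload can leak internal documents to a third party; if the hash is unknown to VirusTotal, that is itself a reason to hand the email to the Phishing playbook rather than a reason to upload it.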
Of course, if the tools don’t fit your tool belt, adapt! If you don’t have Splunk, your SIEM or other log aggregator will probably do the job, or an open source network tap would be beneficial.