Threat Hunting Workshop: Can you find the threat?

Here is a list of questions that will help you in your investigations:

Ask the right questions during your investigation

  • What is the data telling you?

Domains – Ask the right questions

  • When was the domain registered?
  • When was the last time it was seen actively resolving?
  • What IP address does it currently resolve to?
  • Is it Dynamic DNS?
  • Are there additional subdomains associated with the higher-level domain?
  • Is this domain compromised?
  • Does the domain connect to malware?

IP Addresses – Ask the right questions

  • Is the address routable?
  • What subnet is it part of?
    • Is it a larger allocation?
    • Is there an owner associated with the subnet?
  • What AS is it part of?
  • Is this a sinkhole?
  • What geolocation is there?
  • Does this IP address have malware associated with it?
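As an added illustration of the IP questions above (this is not part of the original workshop material), the following Python helper answers the routability, subnet, larger-allocation, owner, AS and sinkhole questions for an indicator against a local lookup table. The allocation table, ASNs and sinkhole range are constructed placeholders drawn from private and documentation address space; geolocation and malware association are not covered, and a real hunt would consult WHOIS/BGP data and a maintained sinkhole list instead.

```python
import ipaddress

# Constructed allocation table: (prefix, owner, ASN). Placeholder values only.
ALLOCATIONS = [
    ("10.0.0.0/8", "corp-wan (constructed)", "AS64512"),
    ("10.20.0.0/16", "corp-branch (constructed)", "AS64512"),
    ("192.0.2.0/24", "research-sinkhole (constructed)", "AS64513"),
]
# Constructed sinkhole list; TEST-NET-1 stands in for a real sinkhole range.
SINKHOLES = ["192.0.2.0/24"]


def is_routable(ip):
    """Is the address routable on the public internet? Rejects private,
    loopback, link-local, multicast, reserved and unspecified space.
    This is an address-class check only; it does not consult BGP."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def longest_prefix_match(ip, table):
    """Return the most specific (network, owner, asn) containing ip, or None.
    The /8 above a matching /16 is the 'larger allocation' the checklist asks about."""
    best = None
    for prefix, owner, asn in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner, asn)
    return best


def triage_ip(indicator):
    """Answer the checklist's IP questions for one indicator from local data."""
    ip = ipaddress.ip_address(indicator)
    match = longest_prefix_match(ip, ALLOCATIONS)
    parents = []
    if match:
        for prefix, _, _ in ALLOCATIONS:
            net = ipaddress.ip_network(prefix)
            if net != match[0] and net.supernet_of(match[0]):
                parents.append(prefix)
    return {
        "ip": str(ip),
        "routable": is_routable(ip),
        "subnet": str(match[0]) if match else None,
        "owner": match[1] if match else None,
        "asn": match[2] if match else None,
        "larger_allocations": parents,
        "sinkhole": any(ip in ipaddress.ip_network(s) for s in SINKHOLES),
    }
```

Run `triage_ip("10.20.3.4")` to see the branch /16 selected over the parent /8, and `triage_ip("192.0.2.44")` to see the sinkhole flag set.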

WHOIS – Ask the right questions

  • How old is the domain?
  • Is the information privacy protected?
  • Does any of the data appear to be unique?
  • What name servers are used?
  • Is there any history?

SSL Certificates – Ask the right questions

  • Is there any unique data in the certificate?
  • Is it self-signed?
  • Is the certificate shared across many hosts?
  • Has the certificate been revoked?

Host Pairs – Ask the right questions

  • Have any of the connected artifacts been blacklisted?
  • What is the source of the malware on this domain?
  • Is this domain redirecting users to malicious content?
  • Are resources pulling in CSS or images to set up infringement attacks?
  • Where are users being redirected from/to?
  • What type of redirection is taking place?

Trackers – Ask the right questions

  • Are there other resources using the same analytics IDs?
  • Are these resources associated with the organization, or are they attempting to conduct an infringement attack?
  • Is there any overlap between trackers, i.e. are they shared with other websites?
  • What types of trackers are found within the web page?
  • Over what length of time have the trackers been observed?
  • How frequently do tracker values change: do they come, go, or remain?

Hashes – Ask the right questions

  • Are the hashes collected associated with malware?
  • How recently was this suspicious activity observed?
  • Which vendors/sources have observed malicious binaries?

DNS – Ask the right questions

  • What other pieces of infrastructure are directly related to the indicator I am querying?
  • Is any of this infrastructure associated with suspicious or malicious behavior?

OSINT (Open Source Intelligence)

  • What information is available about this artifact?
  • Is there any additional IOC I should be investigating?
  • Are any of the IP addresses sinkhole addresses?
  • Any new TTPs?
  • Who is this threat actor?
  • How old is the OSINT: was it published days, weeks, or years ago?

Projects – Public & Private

  • Are there any public projects associated with the searched artifact?
  • Do the public projects have any other Indicators of Compromise (IOCs)?
  • How did the public project investigation progress over time?
  • Who are the people working on the public project investigation?

Web Components

  • What vulnerable infrastructure are you using?
  • What unique web components is the threat actor using that can track them to other domains?
  • Are any components marked as malicious?
  • What is the number of web components identified?
  • Are there any unique or unusual technologies not often seen?
  • Are there any fake versions of specific technologies?
  • How frequently do the web components change: often or rarely?
  • Are there any suspicious libraries known to be abused?
  • Are there any technologies with vulnerabilities associated with them?

Cookies

  • What other websites are issuing the same cookies?
  • What other websites are tracking the same cookies?
  • Does the cookie domain match your query?
  • What is the number of cookies associated with the artifact?
  • Are there unique cookie names or domains?
  • What time periods are associated with the cookies?
  • What is the frequency of new cookies or change in cookies?