Threat Hunting Workshop: Can you find the threat?

Ask the right question during your investigation

• What is the data telling you?

Domains – Ask the right questions

• When was the domain registered?
• When was the last time it was seen actively resolving?
• What IP address does it currently resolve to?
• Is it Dynamic DNS?
• Are there additional subdomains associated with the higher-level domain?
• Is this domain compromised?
• Does the domain connect to malware?

IP Addresses – Ask the right questions

• Is the address routable?
• What subnet is it part of?
  • Is it a larger allocation?
  • Is there an owner associated with the subnet?
• What AS is it part of?
• Is this a sinkhole?
• What geolocation is there?
• Does this IP address have malware associated with it?

WHOIS – Ask the right questions

• How old is the domain?
• Is the information privacy protected?
• Does any of the data appear to be unique?
• What name servers are used?
• Is there any history?

SSL Certificates – Ask the right questions

• Is there any unique data in the certificate?
• Is it self-signed?
• Is the certificate shared across many hosts?
• Has the certificate been revoked?

Host Pairs – Ask the right questions

• Have any of the connected artifacts been blacklisted?
• What is the source of the malware on this domain?
• Is this domain redirecting users to malicious content?
• Are resources pulling in CSS or images to set up infringement attacks?
• Where are users being redirected from/to?
• What type of redirection is taking place?

Trackers – Ask the right questions

• Are there other resources using the same analytics IDs?
• Are these resources associated with the organization, or are they attempting to conduct an infringement attack?
• Is there any overlap between trackers–are they shared with other websites?
• What are the types of trackers found within the web page
• What is the length of time for trackers
• What is the frequency of change for tracker values– do they come, go or remain?

Hashes – Ask the right questions

• Are the hashes collected associated with malware?
• How recently was this suspicious activity observed?
• Which vendors/ sources have observed malicious binaries?

DNS – Ask the right questions?

• What other pieces of infrastructure are directly related to the indicator I am querying?
• Is any of this infrastructure associated with suspicious or malicious behavior?

OSINT (Open Source Intelligence)?

• What information is available about this artifact?
• Is there any additional IOC I should be investigating?
• Are any of the IP addresses sinkhole addresses?
• Any new TTPs?
• Who is this threat actor?
• What is the age of the OSINT–published days, weeks, years ago?

Projects – Public & Private

• Are there any public projects associated with the searched artifact?
• Do the public projects have any other Indicators of Compromise (IOC).
• How did the public project investigation progress over time?
• Who are the people working on the public project investigation?

Web Components

• What vulnerable infrastructure are you using?
• What unique web components is the threat actor using that can track them to other domains?
• Are any components marked as malicious?
• What is the number of web components identified?
• Are there any unique or strange technology not often seen?
• Are there any fake versions of specific technologies?
• What is the frequency of changes in web components–often or rarely done?
• Are there any suspicious libraries known to be abused?
• Are there any technologies with vulnerabilities associated with them?

Cookies

• What other websites are issuing the same cookies?
• What other websites are tracking the same cookies?
• Does the cookie domain match your query?
• What is the number of cookies associated with the artifact?
• Are there unique cookie names or domains?
• What is the time periods associated with cookies?
• What is the frequency of new cookies or change in cookies?