Threat Hunting and Pyramid of Pain

The buzzword first appeared in 2014, and the people who were actually doing the work, hunting for adversaries within a network, agreed with it on all aspects. During threat hunting, intelligence gathering or incident response we mostly concentrate on identifying indicators of compromise, and normally follow these steps:

  1. Collect Indicators of Compromise – from a basic or advanced threat intelligence platform. Yes, I have collected indicators of compromise from all over the world; then what?
  2. Compare the IOCs with internal logs – in the SIEM – to understand the extent of the infection, the lateral movement as we call it. One can also use specific tools for this: Carbon Black, Palantir, Darktrace, etc.
  3. Detect and mitigate – most of the time by running anti-virus and/or restoring the system from backup or re-installing a fresh copy.

Most organisations perform the points above believing that this is their incident response plan and threat hunting procedure, but they have actually only performed two or three stages: identification, recovery and follow-up/lessons learned.

This is what I call the reactive approach: as the name suggests, incident response means responding to an incident. However, there is another approach, the proactive approach, where a team of experienced incident responders looks through the network and identifies anomalies and/or unwanted entities within it. That is what Threat Hunting is. The days of external organisations notifying you of an infection or data exfiltration, or of your own data showing up on Pastebin, are increasing, and organisations must have Threat Hunting and IR capabilities well invested in and well implemented. Proper process and procedure are important as well in understanding how to perform these duties. Consider the following:

Following is the Pyramid of Pain:

[Image: Pyramid of Pain]

The diagram is a scale showing the relationship between the kinds of indicator of compromise a threat hunter or incident responder can find and how much pain it causes the adversary when those indicators are used to detect them.
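As an added example (not code from the original post), here is a small Python hunt that does step 2 above, comparing an IOC feed against log lines, and scores each hit by its level on the Pyramid of Pain so you can see how durable a detection is. The indicator values, host names and log lines are constructed for illustration and are not real IOCs.

```python
import re

# Pyramid of Pain, bottom to top: the higher the level an indicator sits at,
# the more it costs the adversary to change it once we detect on it.
PAIN_LEVEL = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

# Constructed indicator feed (assumed values, not real IOCs). Lower levels are
# literal values; the upper levels describe behaviour rather than a string.
IOCS = [
    ("hash", re.compile(r"\b0badf00d" + "0" * 24 + r"\b")),
    ("ip", re.compile(r"\b198\.51\.100\.23\b")),
    ("domain", re.compile(r"\bmacro-update\.example\b", re.I)),
    ("artifact", re.compile(r"\\AppData\\Local\\Temp\\[a-z0-9]{4}\.tmp\.exe\b", re.I)),
    ("tool", re.compile(r"\bmimikatz\b", re.I)),
    ("ttp", re.compile(r"WINWORD\.EXE .*spawned (powershell|cmd)\.exe", re.I)),
]
HOST_RE = re.compile(r"\bhost=(\S+)")

def hunt(lines, iocs=IOCS):
    """Step 2 of the post: compare IOCs with internal logs.
    Returns (level, host, line) for every indicator hit."""
    found = []
    for line in lines:
        host = HOST_RE.search(line)
        for level, pat in iocs:
            if pat.search(line):
                found.append((level, host.group(1) if host else "?", line))
    return found

def triage(matches):
    """Extent of infection (hosts touched) plus the highest pyramid level hit,
    which tells you how durable the detection is against the adversary."""
    hosts = sorted({host for _, host, _ in matches})
    top = max((lvl for lvl, _, _ in matches), key=PAIN_LEVEL.get, default=None)
    return {"hosts": hosts, "top_level": top, "count": len(matches)}

LOGS = [  # constructed sample log lines, not from a real incident
    "t=10:01:12 host=WS01 proc=WINWORD.EXE spawned powershell.exe",
    "t=10:01:13 host=WS01 file=C:\\Users\\a\\AppData\\Local\\Temp\\ab12.tmp.exe md5=0badf00d000000000000000000000000",
    "t=10:01:15 host=WS01 dns=macro-update.example",
    "t=10:01:16 host=WS01 conn dst=198.51.100.23:443",
    "t=10:02:00 host=WS07 proc=chrome.exe conn dst=203.0.113.5:443",
    "t=10:03:41 host=DC01 conn src=WS01 proc=mimikatz.exe",
]

if __name__ == "__main__":
    for level, host, line in hunt(LOGS):
        print(f"pain={PAIN_LEVEL[level]} {level:8} {host:5} {line}")
    print(triage(hunt(LOGS)))
```

A hash or IP hit alone tells you the host is worth a look; the TTP hit (Word spawning a shell) is the one the adversary cannot cheaply change, so that is the pattern worth feeding back into the analytics platform in phase 4.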

Threat hunting and incident response go beyond just deploying a product within the network and responding to whatever it alerts on. They go beyond normal rule- and/or signature-based mechanisms, to detect threats that cannot be detected with plug-and-play devices alone. Both require a human factor to perform these actions. Deep diving into the network and looking for adversaries (active defence and/or proactive investigation) is a must-have within the organisation, and incident responders and the IT team must work hand in hand. And don't forget to involve forensics. Yes, we need forensics to gather evidence properly.

Threat Hunting phases:

  1. Create and/or define Hypotheses
  2. Investigate via tools and techniques
  3. Identify new patterns and TTPs (tools, techniques and procedures)
  4. Inform and update the analytics platform and/or database
  5. Start again at 1

It's my pleasure to announce that I was recently honoured to co-author a book with Don Murdoch. The book will serve as a field guide and/or playbook for threat hunters during threat hunting.

Happy Hunting !!!!

Phishing SMS – A failed attempt

Just about an hour ago I received a text from one of my mentors. Excited, I read it, but I know him very well and knew it wasn't him.

The phishing text:

It's possible to do 10 k in 10 day.

I texted him directly in a new message rather than replying to the message, and verified that it was indeed phishing.

1. The message had no phone number associated with it.

2. Looking at the details of the name – the sender – they were empty. Normally, if a contact in your address book sends a message you can see their details stored on your phone.

Possible motives:

1. By sending a text, an attacker can verify whether the number exists via a delivery notification.

2. If someone responds – a response in this case is not feasible as there is no return number – then the attacker can continue with a social engineering attack.

3. Likely I was targeted and the attacker was trying to deceive me into clicking the link and getting some results back to him/her.

I will be analysing the link to understand whether it has any embedded and/or crafted scripts targeting mobile phones. This may be an attempt to exploit the QuadRooter set of vulnerabilities on Android.

YARA rule for Dridex

I have been learning YARA for a few days, and below is my first YARA rule, for IOCs collected while analysing a Word document. The analysis concluded with the presence of Dridex malware.

rule dridex : dridex
{
    meta:
        description = "Dridex Malware Indicators"
        author = "Kunal Makwana"
        date = "2016/04/03"
        threat_level = 4
        in_the_wild = true

    strings:
        // The indicator values were left blank in the original post. YARA rejects
        // empty strings, so these are labelled placeholders: replace them with the
        // real domain, IP address and e-mail address collected during analysis.
        $domain = "PLACEHOLDER_DOMAIN" nocase
        $ip = "PLACEHOLDER_IP" wide ascii
        $mail = "PLACEHOLDER_EMAIL" wide ascii

    condition:
        $domain or $ip or $mail
}

I will be writing more as the days go by.

Happy Malware Analysis!!!!!