Pyramid Of Pain: A Slippery Path In Threat Intelligence/Hunting
Introduction
The Pyramid of Pain (David Bianco's model) is a visual representation of the different artifacts that can be collected during threat hunting or intelligence work, arranged as a hierarchy: the higher you go, the harder the artifacts are to collect, and the more pain it causes an adversary when you detect and deny them, because a hash or an IP address is trivial for an attacker to change while their tools and TTPs are not. This post is a continuation of the Introduction to threat intelligence post. It is a pyramid because the higher you go, the harder it is to climb. Let's go treasure hunting!
MD5 Hashes
A hash is a fixed-length value used to check the integrity of a file, whether an executable, an archive or a document. It is the output of a mathematical function that maps input of any length to a digest of fixed length; it is not encryption, since there is no key and the original input cannot be recovered from the digest. The digest is not constant over a file's life: any modification to the file, even a single byte, produces a completely different hash, which is exactly what makes hashing useful for detecting that a file's integrity has been breached. Anti-virus products use hashing to decide whether a file is known-bad: they scan the system, compute a hash for each executable on the user's PC and compare it to a database of malicious hashes. The popular hashing algorithms are MD5 (Message Digest 5), SHA-1 and the SHA-2 family (Secure Hash Algorithm, of which SHA-256 is the one you will most often see published next to an MD5); NTLM, which is often listed alongside them, is the hash Windows uses for passwords rather than a general-purpose file hash. Keep in mind that MD5 and SHA-1 are broken for collision resistance, so prefer SHA-256 where you have a choice, even though MD5 values are still widely published as indicators.
Where?
Hashes can be found on the AlienVault Open Threat Exchange (OTX) platform, which every threat hunter out there should visit. It is easy to use (here is a story on how to use it). You can check different pulses for different artifacts such as MD5 hashes.
How to use it?
The hash serves as an indicator of compromise (IOC) that can be loaded into FireEye's free tool, Mandiant IOCe (IOC Editor), and afterwards used to run a scan across your systems to detect whether the threat is present or not. Bear in mind that an MD5 hash on its own is not an effective IOC: it sits at the bottom of the pyramid because the adversary only has to recompile or append a byte to the file to produce a new hash. (A Mandiant IOCe tutorial will come up soon.)
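To make the Mandiant IOCe step concrete, here is an added example of what a minimal OpenIOC 1.0 file, the XML format IOCe edits, looks like for one MD5 indicator paired with a beacon hostname. It is not taken from the original post or from Mandiant's documentation and reflects the format as I understand it; the UUIDs in the id attributes, the hash value, the hostname and the descriptions are placeholders chosen for illustration, not real indicators.

```xml
<?xml version="1.0" encoding="us-ascii"?>
<!-- Illustrative OpenIOC 1.0 indicator (added example). The id attributes are
     placeholder UUIDs; the MD5 value and hostname are constructed, not real IOCs. -->
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001"
     last-modified="2024-01-01T00:00:00">
  <short_description>Example dropper hash and beacon host</short_description>
  <description>Placeholder indicator: one MD5, one DNS name.</description>
  <authored_by>blog example</authored_by>
  <definition>
    <!-- operator="OR": a host matches if either item below matches -->
    <Indicator operator="OR" id="00000000-0000-4000-8000-000000000002">
      <IndicatorItem id="00000000-0000-4000-8000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">5eb63bbbe01eeed093cb22bb8f5acdc3</Content>
      </IndicatorItem>
      <IndicatorItem id="00000000-0000-4000-8000-000000000004" condition="contains">
        <Context document="Network" search="Network/DNS" type="network"/>
        <Content type="string">bad-update.example</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
```

The OR operator is what lets one IOC file describe a threat at more than one pyramid level: even if the attacker rebuilds the dropper and the MD5 no longer matches, the DNS item still fires, which is the whole reason to combine indicators rather than scanning for a lone hash.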
IP Addresses
The next one is IP addresses, another rich source of treasure in threat intelligence. They sit one step above hashes on the pyramid: blocking one costs the attacker little more than the time it takes to move to another address.
Where?
They can be fetched from various platforms such as AlienVault Open Threat Exchange, VirusTotal and ThreatSTOP.
How to use it?
Detected malicious IP addresses can be blocked at the firewall (blocklisted) and can also be used to run an IOC scan via Mandiant IOCe and Mandiant Redline. Check whether an address belongs to shared infrastructure (a CDN, a cloud provider or a hosting range) before blocking it, or you will cut off legitimate traffic along with the attacker's.
Domain Names
Where?
You can get malicious domain names from AlienVault OTX as well.
How to use it?
Detected malicious domain names can be blocked at the firewall or the DNS resolver and run together with MD5 hashes and IP addresses against your network environment. Match subdomains as well as the exact name, since attackers rotate hostnames under a domain they already control.
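The three lower levels discussed so far (hashes, IP addresses, domain names) are all matched the same way: compare what you see on a host or in a log against a set of indicators. The following is an added example, not code from the original post or from any of the platforms it names, that does exactly that in Python. The IOC values are constructed: the two hashes are those of the bytes `hello world`, which the demo writes to a temporary file, the IP is from the TEST-NET-1 documentation range, the domain uses the reserved `.example` TLD, and the proxy log lines and their `ts src -> dst host=...` format are made up for the demo.

```python
"""Match hash, IP and domain IOCs (the lower pyramid levels) against
constructed host and network data. Added example; all indicators are placeholders."""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed IOC set. The hashes are those of b"hello world"; the IP is a
# TEST-NET-1 address and the domain uses the reserved .example TLD.
IOC_HASHES = {
    "md5": {"5eb63bbbe01eeed093cb22bb8f5acdc3"},
    "sha256": {"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
}
IOC_IPS = {ipaddress.ip_address("192.0.2.44")}
IOC_DOMAINS = {"bad-update.example"}


def file_hashes(path: Path, chunk_size: int = 1 << 16) -> dict:
    """Compute MD5 and SHA-256 of a file in chunks, so large binaries never
    have to fit in memory. Both are computed in one pass over the file."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def match_file(path: Path) -> list:
    """Return the names of the algorithms whose IOC set contains this file's digest."""
    hashes = file_hashes(path)
    return [algo for algo, value in hashes.items() if value in IOC_HASHES[algo]]


def domain_matches(host: str) -> bool:
    """True for an exact IOC domain or any subdomain of one (c2.bad-update.example
    counts; notbad-update.example does not, because the check includes the dot)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed proxy log format: "<timestamp> <src> -> <dst> host=<hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) host=(?P<host>\S+)$")


def match_logs(lines) -> list:
    """Scan log lines and return (ioc_type, value, line) for each IP or domain hit.
    Lines that do not fit the format, or carry an unparsable address, are skipped."""
    hits = []
    for raw in lines:
        line = raw.strip()
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in IOC_IPS:
            hits.append(("ip", str(dst), line))
        if domain_matches(m["host"]):
            hits.append(("domain", m["host"], line))
    return hits


# Constructed sample log lines (not from any real proxy).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 -> 192.0.2.44 host=bad-update.example",      # IP + domain
    "2024-05-01T10:00:02Z 10.0.0.5 -> 198.51.100.9 host=www.example.org",       # clean
    "2024-05-01T10:00:03Z 10.0.0.7 -> 198.51.100.9 host=c2.bad-update.example", # subdomain
    "2024-05-01T10:00:04Z 10.0.0.7 -> 198.51.100.9 host=notbad-update.example", # near miss
    "malformed line that the parser must ignore",
]


def demo():
    """Write the constructed sample file, then run both matchers."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "dropper.bin"
        sample.write_bytes(b"hello world")
        return match_file(sample), match_logs(SAMPLE_LOGS)


if __name__ == "__main__":
    file_hits, log_hits = demo()
    print("file matched on:", file_hits)
    for ioc_type, value, line in log_hits:
        print(f"[{ioc_type}] {value}: {line}")
```

Two details matter in practice: hash both MD5 and SHA-256 in the same pass, because platforms publish one or the other and a feed that only gives MD5 should not force a second read of every file; and match domains by suffix with the leading dot, otherwise `notbad-update.example` would be a false positive while `c2.bad-update.example` would be a miss.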
Network/Host Artifacts
Network and host artifacts are the traces an attacker's activity leaves on your own systems: URI patterns, User-Agent strings, registry keys, file paths, mutexes and the like. They are found mostly on your own network and hosts, which is why hunting twice a week is good cyber hygiene for an enterprise. Please note, the best place to hunt threats is your own network. Nowhere compares to home (smiles).
Tools and TTPs
The higher you climb the pyramid of pain, the harder it becomes to get artifacts. Tools and TTPs (tactics, techniques and procedures) are a long-term threat intelligence goal, although some can be a mid-term goal. Why do I say so? They require a dedication of time, energy and other resources, plus patience and the ability to flow with the tide. They can be gathered from different forums, from the surface web through the deep web to the dark-web forums; Telegram, Discord and Reddit are good places to start.
Requirements
- Understand your threat landscape: understand the threats associated with your organization before launching out into the deep. Are you in the financial sector? What threats are peculiar to your sector?
- Define the scope: you cannot chase every threat actor at once, and not all threat actors are in the same line of business; some are into RATs, while others are into ransomware.
- Identify the sources: you need to identify, through research, the different sources for your intelligence and hunting. A good understanding of this will ease a rigorous intelligence journey.
- Anonymity: to gain first-hand information about a threat actor's TTPs, you must anonymize yourself, behave like them, communicate like them and be ready to help their community. You can't go into their den like a cop; you won't get anything.
- Collect, analyze, report and make decisions: collect as many artifacts as possible, get their tools and reverse engineer them to understand how they work and how you can defend your network against them. Also collect their methods, understand their procedures and map them to MITRE ATT&CK to know how to combat them.
This is not child's play, and that is why threat intelligence is a specialized yet interesting cybersecurity field where you learn, unlearn and relearn all the time, not just every day.
Conclusion
There are two major types of company in the world today: those that have been breached and those that will be (Robert Mueller). Take threat intelligence and hunting seriously in your organization. Don't be caught unaware!