Compromise Assessment vs Threat Hunting

-

Many people use the terms - compromise assessment and threat hunting interchangeably.

For the same, well to clear it out both are different! How and in what sense, let's take a dig at:

A compromise assessment is a high-level review of the organization that does not rely on a limited scope to find out if they are compromised. 

Performing such assessment helps establish that if a baseline is enough apart from highlighting the risks associated with a compromise not being effectively communicated to senior/executive leadership within your organization.

Coming to threat hunting, this is a more mature assessment targeted to identify objectives such as (espionage, pivoting, data exfiltration, etc.) targeting your organization.

source- https://www.crowdstrike.com/cybersecurity-101/threat-hunting/

Where Does Threat Hunting Fit?

Threat hunting is highly complementary to the standard process of incident detection, response, and remediation. As security technologies analyze the raw data to generate alerts, threat hunting is working in parallel – using queries and automation – to extract hunting leads out of the same data.

Hunting leads are then analyzed by human threat hunters, who are skilled in identifying the signs of adversary activity, which can then be managed through the same pipeline. This process is illustrated below:

Threat Hunting Steps

Threat hunting follows a general three-phased approach:

·        Trigger- Identify TTPs

·       We start with a trigger- which essentially refers to a specific system area of the network for further investigation where unusual actions are identified. This leads to proactive hunting example looking for file-less malware that attempted to evade existing defenses.

Post analyzing triggers, the threat hunter will leverage logs from EDR (Endpoint Detection and Response) to analyze the further compromise of a system and identify the malicious behavior has been created.

      Investigation- Investigate based on known Indicators of Compromises

      Indicators of compromise (IOCs) revolve around the analysis of data found in system log entries or files, that identify potentially malicious activity on a system or network. Analysts often identify various IOCs to look for correlation and piece them together to analyze a potential threat or incident.

      Some examples include:

  •        Abnormal Network Traffic
  •        Suspicious Privileged User Account Activity
  •        Suspicious Port-Application Traffic
  •        Suspicious Registry or file level changes
  •        Unusual DNS Requests

·       Reporting

The final phase will be reporting. This includes communicating relevant malicious activities to security teams for mitigating threats.

 

 


Comments

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this. Title of the Vulnerability:   Arbitrary File Upload Vulnerability Class: Security Misconfiguration Technical Details & Description: The application source code is coded in a way which allows arbitrary file extensions to be uploaded. This leads to uploading of remote shells/ malicious Trojans which can lead to complete system compromise and server takeover. CVE ID allocated :  CVE-2017-14521 Product & Service Introduction: Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Ma
Read more

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

-
Image
By- Navina Asrani Hi Readers, Recently while tinkering with my wifi router, I was curious to find if it has possible loopholes and vulnerabilities. Curious to explore its functionalities, I started probing with the options. Title of the Vulnerability:   Cross Site Request Forgery Vulnerability Class: Code Execution/ Privilege Escalation Technical Details & Description: The firmware allows malicious request to be executed without verifying source of request. This leads to arbitrary execution with malicious request which will lead to the creation of a privileged user. CVE ID allocated: -  CVE-2018-12529 Product & Service Introduction: Intex Router Steps to Re-Produce – 1.        Visit the application 2.         Go to any router setting modification page and change the values, create a request and observe the lack of CSRF tokens. 3.        Craft an html page with all the details for the built-in admin user creation and host it on a server
Read more

Stored XSS in Wonder CMS- CVE-2017-14522

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of security mechanism to filter any user input and accepted and stored in blindly without any sort of input validation Title of the Vulnerability:   Stored XSS Common Vulnerability Scoring System:  7.0 Vulnerability Class:  Injection Technical Details & Description:  The application source code is coded in a way which allows user input values to be stored and processed by the application. CVE ID allocated :  CVE-2017-14522 Product & Service Introduction:  Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive). WonderCMS doesn't require any configuration and can be simply unzipped a
Read more