Hunting, and Knowing What To Hunt For

Like many others of my generation, when I was a kid I'd go and play outside for hours and hours.  Sometimes, while running through the woods, I'd see trash...but seeing it often, I wouldn't think much of it.  Sometimes it was a tire in the creek, and other times it might be bottles or cigarette butts in a small cluster.

When I went through my initial military training, we spent a lot of time in the outdoors, but during the first 6 months, there was no real "this is what to look for" training.  It wasn't until a couple of years later, when I returned as an instructor, that the course was teaching new officers the difference between moving through the woods during the day and at night.

Much later, after my military service ended, I got engaged in horseback riding, particularly trail riding.  Anyone who's ever done this knows that you become more aware of your surroundings, for a variety of reasons, but most importantly, the safety of your horse, you, and those you may be riding with.  You develop an awareness of your surroundings; what's moving near you, and what's further away.  Are there runners or walkers with dogs (or children in strollers) down the trail?  Sometimes you can be warned of the impending approach of others not so much visually, as by what you hear or smell (some riders like to smoke while they're riding).  You can tell what is or might be in the area by visual observation (scat, droppings, etc.), as well as listening, and even smell.  Why is this important?  There's a lot that can spook a horse...horses will smell a carcass well before a human will, and as you ride up, a gaggle of vultures might suddenly take flight.  Depending on your horse's temperament, a flock of turkey hens running through a field might spook it or just catch its attention.

If it's recently rained in the area where I'm riding, I'll visually sweep the ground looking for footprints and signs of animals and people.  If I see what appear to be fresh impressions of running shoes with dog paw prints nearby, I might be looking for a walker or runner with a dog.  Most runners have a sense of courtesy to slow down to a walk and maybe even say something when approaching horses from the rear.  Most...not all.  And not everyone who walks a dog really thinks about whether their dog is habituated to horses, or even how the dog will react when it sees horses.  I'll also look for signs of deer, because they usually (albeit not always) move in groups.  More than once in the springtime, I've come across a fawn curled up in the tall grass...deer teach their fawns to remain very still, regardless of the circumstances, while they go off to forage.  More than once I've seen the fawn well before the fawn has lost its nerve and suddenly bolted from its hiding place.

Now, because of this level of awareness, I had an interesting experience several years ago while hiking with friends at the base of Mount Rainier.  At the park entrance, there was a small lake with signs prohibiting fishing, and a sign telling hikers what to do if they spotted a bear.  We hiked about 3 1/2 miles to a small meadow with wild blueberries growing.  The entire way out and back, there were NO signs of animal life...no insects, no sounds of birds or squirrels.  No scat or markings of any kind.  The absence of any and all fauna was extremely evident, and more than a bit odd.

So what?
Okay...so what's my point?  If you're familiar with the environment, and aware of your surroundings while performing DFIR work, and know what should be there, you know what to look for, as well as what data sources to go to if you're looking for suspicious activity.  It's all about knowing what to hunt for when you're hunting.  This is particularly true if you're performing hunting operations in your own environment; however, it can also be applied in cases where you're a consultant (like me), engaging with an unfamiliar infrastructure.

In a recent presentation (BrightTalk, may require registration) at InfoSecurity Europe 2015, Lee Lawson discussed some of the indicators that are very likely available to you right now, particularly if you've done nothing to modify the default audit configuration on Windows systems.

Not long ago, the folks at Rapid7 shared this video, describing four indicators you could use to detect lateral movement within your infrastructure.  Unfortunately, two of them are not logged as a result of the default audit configuration of Windows systems, and the presenter doesn't mention alternate Windows Event Log source/ID pairs you can look for instead.

There are a lot of ways to hunt for indications of activity, such as lateral movement, but what needs to happen is that admins need to start looking, even if it means building their list of indicators (and hopefully automating as much of it as makes sense to do...) over time.  If you don't know what to look for, ask someone.

If someone were to ask me (this is my opinion, and should not be misconstrued as a statement of my employer's opinion or business model) what was the one thing they could do to increase their odds of detecting malicious behavior, I'd say, "install Sysmon", but that's predicated on someone actually looking at the logs.

Addendum: @Cyborg_DFIR over on Twitter read the original version of this post (prior to the addendum) and felt that I talked more about explaining what you meant instead of talking about it. Fair enough.  I don't dispute that.  But what I will say is that I, and others, have talked about what to look for.  A lot. Does that mean it should stop?  No, of course not.  Just because something's been talked about before doesn't mean that it doesn't bear repeating or being brought up again.

During July 2013, I wrote 12 articles whose titles started with "HowTo:" and went on to describe what to look for, if you were looking for specific things.  More recently, I addressed the topic of detecting lateral movement within the last month.

So, to @Cyborg_DFIR and others who have similar thoughts, questions or comments...I'm more than willing to share what I know, but it's so much easier if you can narrow it down a bit.  Is there something specific you're interested in hearing about...or better yet, discussing?