In this environment, with its rapidly changing threat landscape, a growing number of companies are becoming aware of the necessity of getting ahead of new cyberattack trends. It is for this reason that Threat Hunting has become so popular.

As we explained in a previous post, what really makes Threat Hunting stand out is that it involves an active search for threats, unlike traditional methods, which simply focus on investigations after the incident has occurred.  This approach is based on applying artificial intelligence algorithms and machine learning in order to reduce exposure time for attacks, without the need for human intervention, unless the threats are too sophisticated or the systems are not able to react to them.

This change in the way things are done in terms of hunting threats is a response to the landscape that companies are facing today: the popularization of malwareless or fileless attacks, the use of legitimate tools to attack, cryptojacking, or live hacking.

Below, we explain the Threat Hunting process in more detail, and present a real case in which this service provided by Panda Security was used to protect company computers.

Threat Hunting: the process

This service aims to get ahead of the most advanced threats, and to discover malicious behavior as quickly as possible, even when the cybercriminals use such persistent techniques as the aforementioned fileless attacks. To do so, these are the steps of the investigation:

1 – Hypothesis generation. The first step when it comes to formulating an investigation is to create hypotheses. The aim of these hypotheses is to find evidence of threats before they are exploited, or even ones that are already being exploited.

2 – Validation of the hypotheses. Once a hypothesis has been defined, its validity needs to be verified. We then need to look for the existence of threats that fit this hypothesis. In this stage it is usual for some hypotheses to be discarded, while research into others is prioritized due to their likelihood or criticality.

3 – Finding evidence. From the results obtained in the previous search, we need to verify if a threat really exists. False positives and mistakes in configuration are set aside, and efforts are focused on the validated hypotheses.

4 – Discovery of new patterns. The attack is reconstructed to find any new patterns and tactics used to carry it out.

5 – Notification and enrichment. Using the knowledge generated during the Threat Hunting process, the automatic detection systems are enriched and improved. This way, the organization’s global security is improved thanks to the discoveries made during the investigation.

Bondat: analysis of a real case

Now that we’ve seen how the Threat Hunting process works, we’re going to analyze a real-life example of a threat that was discovered and neutralized by Panda’s team of experts.

Bondat – the invisible worm. The first step of the investigation is the study phase. After having located the worm, a Threat Hunting expert analyzes this family and studies its characteristics, discovering the following:

  • It is a worm written in JavaScript or VBScript.
  • It spreads via removable devices (pen drives, hard-drives, etc.) by creating LNKs.
  • It is placed in the startup of the system, in a clear attempt to be more persistent and harder to delete.
  • The C&C server updates its code.
  • It incorporates anti-debug, anti-virtual machine, and anti-emulation measures. All of these measures are incorporated in an effort to avoid analysis of the worm.
  • Its code is highly obfuscated in the latest versions of the worm, which is yet another measure to avoid being analyzed.
  • It is very difficult to detect statically or by using signatures.
  • It spreads throughout the network very quickly.
  • It is very difficult to disinfect after spreading through the network.

The first step taken by the team of Threat Hunters is to generate several hypotheses based on possible communications with C&Cs, on the type of concealment, type of executions, and type of events. From here, the hypotheses are validated, and it is discovered that the worm downloads and executes PowerShells, something that had never been seen before in this family of worms. It is also observed that it downloads JavaScript and the PHP interpreter. It then makes a query to another website to get another PHP code to execute.
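As an added illustration (not Panda Security's tooling), the sketch below expresses three of the execution-type hypotheses as predicates over process-creation events and validates them, setting aside an allowlisted false positive. Field names follow Sysmon Event ID 1; the events, host names, paths, allowlist entry and the choice of the Startup folder as the persistence location are constructed assumptions.

```python
import ntpath
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP = r"\start menu\programs\startup"        # assumed persistence location
ALLOWLIST = (r"\\corp\netlogon\inventory.vbs",)  # constructed: IT-approved script

def exe(path):
    return ntpath.basename(path).lower()

def spawned_by_script_host(e, child):
    return exe(e["ParentImage"]) in SCRIPT_HOSTS and exe(e["Image"]) == child

# Step 1: hypotheses expressed as predicates over one process-creation event.
HYPOTHESES = {
    "script host spawns PowerShell":
        lambda e: spawned_by_script_host(e, "powershell.exe"),
    "script host spawns PHP interpreter":
        lambda e: spawned_by_script_host(e, "php.exe"),
    "script host runs script from Startup folder":
        lambda e: exe(e["Image"]) in SCRIPT_HOSTS
        and STARTUP in e["CommandLine"].lower(),
}

def validate(events, allowlist=ALLOWLIST):
    """Steps 2-3: map each hypothesis to the hosts with evidence ([] = discard)."""
    hits = defaultdict(set)
    for e in events:
        if any(a in e["ParentCommandLine"].lower() for a in allowlist):
            continue  # known false positive, set aside
        for name, matches in HYPOTHESES.items():
            if matches(e):
                hits[name].add(e["Computer"])
    return {name: sorted(hits[name]) for name in HYPOTHESES}

def ev(host, parent, parent_cmd, image, cmd):
    return {"Computer": host, "ParentImage": parent,
            "ParentCommandLine": parent_cmd, "Image": image, "CommandLine": cmd}

WS = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JS = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.js"
EVENTS = [  # constructed sample telemetry
    ev("PC-01", r"C:\Windows\explorer.exe", "explorer.exe", WS, f'wscript.exe "{JS}"'),
    ev("PC-01", WS, f'wscript.exe "{JS}"', PS, r"powershell.exe -File C:\Temp\a.ps1"),
    ev("PC-02", WS, r"wscript.exe E:\x.js", r"C:\Users\b\php\php.exe", "php.exe t.php"),
    ev("SRV-09", r"C:\Windows\System32\cscript.exe",
       r"cscript.exe \\corp\netlogon\inventory.vbs", PS, "powershell.exe -File inv.ps1"),
    ev("PC-03", r"C:\Windows\explorer.exe", "explorer.exe", PS, "powershell.exe"),
]
if __name__ == "__main__":
    for hypothesis, hosts in validate(EVENTS).items():
        print(f"{hypothesis}: {hosts or 'no evidence, discard'}")
```

Hosts that appear under more than one hypothesis (here PC-01) are the natural candidates to prioritize in the evidence-finding step.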

With all this information, it was possible to pose as an infected machine and thus collect the latest payloads that the attackers were using.

The investigation also revealed which attacks this worm had carried out. They included brute force attacks against a list of WordPress sites to infect them with Trojans, downloading miners to generate cryptocurrencies, and DoS attacks against the NRA (US National Rifle Association).

With this information it was possible to generate new indicators of attack (IOA), generate new detection content, and notify the clients who had been affected. From here it was possible to take measures to remediate any problem stemming from this attack, and also to keep it from happening again.

Panda Security’s aim is for our solutions to be able to automatically classify 99.98% of threats, leaving just 0.02% of them to our analysts. This way we can focus on the really dangerous attacks.