Threat Hunting Against Security Data

SecPro #3: How to Hunt for Threats Against Terabytes of Security Data?


Whether you’re looking for help with threat hunting, trying to design a security logging platform, or just looking for new offensive security tools or resources, I’ve got something for you this week! And thank you for being a part of the SecPro Insider Program (Beta)!

I’d love to hear your thoughts and feedback on this edition. Remember to hit the feedback link below or at the bottom of this email.

Please spread the word about the newsletter! Stay tuned to get updates about complimentary Packt ebooks, exciting swag, and more!

This Week in Security

  1. ‘Have I Been Pwned’ Code Base Now Open Source: Have I Been Pwned (HIBP), the free website used by millions to check whether their credentials have been compromised, has open sourced its code base.
  2. SolarWinds Hackers Targeting Government Agencies Via Email: Threat actor Nobelium, the group behind last year’s SolarWinds hacking campaign, has launched a new attack targeting government agencies, think tanks, consultants and non-governmental organizations.
  3. Apple released an update for macOS that addresses several vulnerabilities being actively exploited: The malware uses two zero-days — one to steal cookies from the Safari browser and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

Threat Hunting


TL;DR: If you really want to achieve “proactive” threat hunting then focus on IORs.

IOC = Indicators of Compromise
IOA = Indicators of Attack
IOR = Indicators of Risk

Of late, a lot of focus has been on following a proactive approach to threat hunting, i.e. one that does not wait to identify an attack after it has occurred. But that’s easier said than done. The average time to identify a breach is 206 days, and then it takes an additional 73 days to contain it!

Gaurav Banga of Balbix argues that the big lie in threat hunting is that this practice (as usually implemented) is really not proactive, with the major focus being on trailing indicators vs leading indicators.

More on this..

  1. CrowdStrike: IOA vs IOC
  2. Logsign: The Importance and Difference Between Indicators of Attack and Indicators of Compromise

Threat Hunting Against Security Data: How to Hunt for Threats Against Terabytes of Security Data?

In modern organizations, data lives in a wide variety of systems and applications that attackers can exploit, due to the high adoption of cloud and SaaS applications. Security teams are tasked with centralizing all of this (exponentially) growing data to support threat detection activities at scale.

Threat Hunting Against Security Data: Detections vs. Threat hunting: Same Same, But Different

Detections and Threat Hunting are the two main ways to identify attackers. Sometimes these techniques are coupled together but they can also work separately. In simple terms, Detections are the continuous log analysis matched against “known” attacker patterns, whereas threat hunting typically involves searching your logs for indicators of compromise, attacks, or risks. This is the key difference.

Here are four steps to follow to threat hunt against massive volumes of data using your cloud security platform or a security data lake (built on AWS, Snowflake, etc.):

1- Look for “atomic” indicators 
When threat hunting, we’re essentially trying to find “hits” for malicious behaviors wherever they may exist. Say an attacker compromises an employee’s credentials for a single sign-on (SSO) service (such as Okta or OneLogin); they can then reach everything that employee is authorized to access. Using atomic indicators, such as the IP from which the attacker accessed the service, you can trace back what happened.

2- Normalize your security data
Most security tools leave data normalization to the user to handle. One of the big challenges with security data is normalizing logs and extracting indicators from them so that they become actionable for hunting. Go for a tool that automatically normalizes your data.

3- Search for indicators across all of your normalized logs
Correlating and searching for indicators across all of your normalized logs is a great starting point for proactive hunting or triaging a generated alert. Typical indicator fields include IPs, domains, usernames, or any other field that ties together a string of related activity.

4- Rinse and repeat to search for specific behaviors
Modify your query to search for specific behaviors you’re after. Rinse and repeat by detecting, searching, and refining to answer questions in your investigation.
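The four steps above, worked through end to end as an added Python example (this is not code from the newsletter or from any vendor; the three log sources, the common schema, and the sample records are constructed for illustration). It normalizes an Okta-style SSO event, a CloudTrail-style API event and an nginx access line into one schema, pivots on a single atomic indicator (a source IP) across all of them, and then refines the hunt to a specific behavior: a successful SSO login followed shortly by an AWS API call from the same IP.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample records in three native formats (invented for this example,
# using documentation IP ranges). Each tuple is (source, raw record).
RAW_EVENTS = [
    ("okta", '{"published":"2021-06-01T10:00:00Z","eventType":"user.session.start",'
             '"outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},'
             '"client":{"ipAddress":"203.0.113.10"}}'),
    ("cloudtrail", '{"eventTime":"2021-06-01T10:05:00Z","eventName":"ListBuckets",'
                   '"userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.10"}'),
    ("nginx", '203.0.113.10 - - [01/Jun/2021:10:07:00 +0000] "GET /admin HTTP/1.1" 200 512'),
    ("okta", '{"published":"2021-06-01T11:00:00Z","eventType":"user.session.start",'
             '"outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},'
             '"client":{"ipAddress":"198.51.100.7"}}'),
    ("cloudtrail", '{"eventTime":"2021-06-01T14:00:00Z","eventName":"DescribeInstances",'
                   '"userIdentity":{"userName":"bob"},"sourceIPAddress":"198.51.100.7"}'),
    ("nginx", '192.0.2.44 - - [01/Jun/2021:12:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024'),
]

# Combined-log-format line: ip ident user [timestamp] "method path proto" status ...
NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def _iso(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(source, raw):
    """Step 2: map one raw record onto a common schema (hypothetical field names):
    source, timestamp, user, src_ip, action, outcome."""
    if source == "okta":
        d = json.loads(raw)
        return {"source": source, "timestamp": _iso(d["published"]),
                "user": d["actor"]["alternateId"].split("@")[0],
                "src_ip": d["client"]["ipAddress"], "action": d["eventType"],
                "outcome": d["outcome"]["result"]}
    if source == "cloudtrail":
        d = json.loads(raw)
        return {"source": source, "timestamp": _iso(d["eventTime"]),
                "user": d["userIdentity"].get("userName"),
                "src_ip": d["sourceIPAddress"], "action": d["eventName"], "outcome": None}
    if source == "nginx":
        m = NGINX_RE.match(raw)
        if not m:
            raise ValueError("unparsable nginx line: " + raw)
        return {"source": source,
                "timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "user": None, "src_ip": m["ip"],
                "action": m["method"] + " " + m["path"], "outcome": m["status"]}
    raise ValueError("unknown source: " + source)


def normalize_all(raw_events):
    """Normalize every record and order the result by time for later correlation."""
    return sorted((normalize(s, r) for s, r in raw_events), key=lambda e: e["timestamp"])


def search_indicator(events, field, value):
    """Step 3: pivot on one atomic indicator (IP, user, domain...) across all sources."""
    return [e for e in events if e.get(field) == value]


def hunt_sso_then_api(events, window_minutes=15):
    """Step 4: refine to a behavior. Returns (user, ip, api_action) for every
    successful SSO login followed within the window by an AWS API call from the same IP."""
    hits = []
    logins = [e for e in events if e["source"] == "okta"
              and e["action"] == "user.session.start" and e["outcome"] == "SUCCESS"]
    for login in logins:
        deadline = login["timestamp"] + timedelta(minutes=window_minutes)
        for e in events:
            if (e["source"] == "cloudtrail" and e["src_ip"] == login["src_ip"]
                    and login["timestamp"] <= e["timestamp"] <= deadline):
                hits.append((login["user"], login["src_ip"], e["action"]))
    return hits


if __name__ == "__main__":
    normalized = normalize_all(RAW_EVENTS)
    # Step 1 + 3: the atomic indicator is the IP seen on the suspicious SSO login.
    for e in search_indicator(normalized, "src_ip", "203.0.113.10"):
        print(e["timestamp"].isoformat(), e["source"], e["user"], e["action"])
    # Step 4: the refined behavioral query.
    print(hunt_sso_then_api(normalized))
```

The point of the common schema is that `search_indicator` does not care whether the IP came from a JSON field named `ipAddress`, `sourceIPAddress` or the first column of a text line; in a real data lake the same idea is a normalized table with a `src_ip` column that every parser populates, and the behavioral query is a join on that column bounded by a time window.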

More on Threat Hunting Against Security Data..

  1. Elastic Blog: Detecting threats in AWS Cloudtrail logs using machine learning
  2. Panther Blog: Threat Hunting at Scale

Security Monitoring

How to Design a Multi-Account Security Logging Platform in GCP?

Security teams often grapple with ways of enhancing visibility over their cloud environments and improving security posture. Designing and implementing a strategy around security-related logging is essential and entails defining the scope for logging as well as providing integration with existing monitoring and alerting systems.

In this blog post, Marco Lancini of CloudSecList shares how to deploy a security logging and monitoring solution with well-established metrics and integrations with a SIEM of choice.
Just like AWS, GCP has a suite of services for logging and monitoring. In a nutshell, these are the broad steps when designing a logging platform in GCP:

  • Collect security-related logs from all environments
  • Ingest those logs into a SIEM
  • Parse those logs and use them to generate dashboards
  • Create alerts on anomalies

Monitoring AWS for Deep Security Insights

If you’ve been using a legacy security analytics solution or a traditional SIEM, you will notice that such solutions don’t natively understand cloud environments well. These legacy solutions are complex, weren’t designed for the cloud, and don’t scale well to handle cloud data volumes.

We discuss 7 AWS security monitoring use cases to generate deep insights into your AWS infrastructure and workloads, and monitor logs with a modern security analytics solution:

  1. Amazon CloudWatch logs to understand the history of log changes and detect suspicious activity. You can continuously audit and monitor AWS CloudWatch log group configurations and enforce security compliance.
  2. AWS Security Hub to detect, investigate, and respond to AWS security events.
  3. AWS CloudTrail to investigate user behavior patterns and monitor platform configuration changes.
  4. Amazon VPC Flow Logs to monitor trending behaviors and traffic patterns and generate network traffic alarms for observed anomalies and outliers.
  5. AWS Config to monitor the modification of AWS resources.
  6. Elastic Load Balancing to analyze status codes from the ELB and its backend instances, and monitor all data that resides within Amazon S3 buckets.
  7. Last but not least, use AWS GuardDuty data to monitor your environment for any trends, anomalies, and outliers. If your SIEM supports dashboards, you can graphically depict and visualize threats.


Anatomy of an Attack: DarkSide

The DarkSide ransomware attacks stand out for their use of stealthy techniques. The group performs careful reconnaissance and ensures their attack tools and techniques evade detection on monitored devices and endpoints. This article from Varonis analyses DarkSide’s large-scale attack campaigns in detail.

The stealth techniques almost always include:

  • Command and control over TOR
  • Avoiding nodes where EDR is running
  • Waiting periods & saving noisier actions for later stages
  • Customized code and connection hosts for each victim
  • Obfuscation techniques like encoding and dynamic library loading
  • Anti-forensics techniques like deleting log files

Later stages of their attack sequence include:

  • Harvesting credentials stored in files, in memory, and on domain controllers
  • Utilizing file shares to distribute attack tools and store file archives
  • Relaxing permissions on file shares for easy harvesting
  • Deleting backups, including shadow copies
  • Deploying customized ransomware

Example: Command and Control
Let’s look at how DarkSide ransomware attackers established command and control, primarily with an RDP client running over port 443, routed through TOR:

After installing a Tor browser, they modified its configuration to run as a persistent service, redirecting traffic sent to a local (dynamic) port through TOR via HTTPS over port 443, so it would be indistinguishable from normal web traffic. Attackers then established RDP sessions to and through the compromised hosts, facilitating lateral movement. The attackers also used Cobalt Strike as a secondary command and control mechanism.

You may also enjoy

  1. Krebs: A Closer Look at the DarkSide Ransomware Gang
  2. INTEL471: Here’s what we know about DarkSide ransomware

Offensive Security Resources

Kaboxer: A tool for managing applications in containers by the Kali Linux team

CISO Secrets

5 Ways to Protect Against DDoS Attacks

DDoS attacks come in a variety of forms, including volumetric bandwidth, resource exhaustion, and application-layer attacks. Gerhard Giese of Akamai discusses how DDoS attacks overwhelm critical infrastructure and how you can protect against DDoS attacks.

Here are the top 5 actions you can take to strengthen your company against DDoS attacks and improve security posture:

  1. Know your traffic: Use network and application monitoring tools to identify traffic trends and tendencies. By understanding your company’s typical traffic patterns and characteristics, you can establish a baseline to more easily identify unusual activity symptomatic of a DDoS attack.
  2. Build your defensive posture: Be sure to analyze risk and prioritize DDoS mitigation and service recovery efforts in meaningful business terms like lost revenue in accordance with your company’s strategic information risk management models.
  3. Consider implementing a Zero Trust security model. A Zero Trust framework can help protect against DDoS attacks by enforcing least-privileged access and ensuring only authorized users gain access to critical applications and services.
  4. Test, re-test, document, and measure. Incorporate DDoS attacks into penetration testing to simulate complex attacks, identify vulnerabilities, and shore up defenses.
  5. Practice good cyber hygiene: Foster a security-oriented corporate culture and be sure developers and system administrators follow industry best practices for cybersecurity.
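Item 1 above, “know your traffic”, in working form as an added Python example (not code from the newsletter or from Akamai; the per-minute request counts are constructed). It learns a baseline mean and standard deviation from an hour of normal request rates and then flags live minutes that sit more than k standard deviations above it, which is the simplest version of the “establish a baseline, then spot the deviation” approach the article recommends.

```python
from statistics import mean, pstdev

# Constructed sample data (invented): 60 minutes of ordinary traffic between roughly
# 1200 and 1350 requests/minute, followed by a short live window containing a flood.
BASELINE_MINUTES = [1200 + (i * 37) % 150 for i in range(60)]
LIVE_MINUTES = [1280, 1310, 1295, 9800, 11500, 1300]


def baseline(counts):
    """Summarize normal traffic as (mean, population standard deviation)."""
    return mean(counts), pstdev(counts)


def flag_anomalies(live, mu, sigma, k=4.0):
    """Return (minute_index, count, z_score) for every live minute whose request
    count exceeds mu + k * sigma. A floor on sigma keeps a perfectly flat baseline
    from turning every tiny wobble into an alert."""
    floor = max(sigma, 1.0)
    return [(i, c, (c - mu) / floor) for i, c in enumerate(live) if c > mu + k * floor]


if __name__ == "__main__":
    mu, sigma = baseline(BASELINE_MINUTES)
    print(f"baseline: mean={mu:.1f} req/min, stdev={sigma:.1f}")
    for idx, count, z in flag_anomalies(LIVE_MINUTES, mu, sigma):
        print(f"minute {idx}: {count} req/min (z={z:.1f}) exceeds baseline")
```

In practice the baseline should be recomputed per hour of day and day of week (traffic at 03:00 on a Sunday is not the same as at 10:00 on a Monday), and the same calculation is worth running per source IP, per URL path and per protocol so that a resource-exhaustion or application-layer attack shows up even when total bandwidth looks normal.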

More reads..

The evolution of the modern CISO
Recent cyberattacks have presented a critical question to many leaders that is yet to be answered – “What does it take to be a CISO in today’s threat-riddled economic landscape?”

How does ransomware actually spread?
Ransomware can reach your system through a mix of outdated technology, “good enough” defense strategies focused solely on perimeters and endpoints, lack of training (and poor security etiquette) and no known “silver bullet” solution.

Cloud Security blind spots: Where they are and how to protect them
Security experts discuss oft-neglected areas of cloud security and offer guidance to businesses working to strengthen their security posture.

The makings of a better cybersecurity hire
Don’t overlook a creative, motivated candidate just because their background doesn’t match the job description.


  1. Recorded Future: Malware Party Tricks and Cybersecurity Trends
  2. AWS Podcast: Diving into Amazon Macie
  3. Cloud Security Podcast by Google: Scaling Google Kubernetes Engine Security

The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.