Welcome back to the Deep Dive. Today we're doing something a little different. We're putting aside that comforting idea that your firewalls and your antivirus software are enough.
Yeah, that's a tough pill to swallow for a lot of people.
It really is. I mean, we are opening a source document today called Huntpedia, and the core premise, right from the start, is uncomfortable. It basically says the adversary is likely already inside your network. Right, so the question isn't, you know, how do we keep them out? It's how do we find them before they actually achieve whatever it is they're trying to do. Exactly.
It's a fundamental shift in philosophy, because for the longest time the industry was focused on incident response.
Right, which is just waiting for an alarm.
Yeah, incident response is essentially waiting for the fire alarm to ring and then scrambling. But threat hunting, which is what Huntpedia is all about, is walking the floor. You're actively sniffing the air for smoke before any sensor even registers a problem.
And this document, Huntpedia, it's really a fascinating collection. It aggregates wisdom from some of the absolute heavy hitters in the industry.
Oh yeah, you've got Richard Bejtlich, David Bianco, Chris Sanders.
Right, and it standardizes what used to be considered this I don't know, almost a dark art in cybersecurity.
It really does. And it all starts with the mindset. Bejtlich actually traces the whole concept back to the Air Force.
To hunter-killer missions, right? Exactly.
Friendly force projection. The idea is that you aren't just sitting behind a wall defending a perimeter. You are actively engaging within your own territory to flush out the enemy.
And I think that distinction is key for the listener, because a lot of organizations out there believe they're hunting.
But they're really not, right.
They just have a security operations center watching a dashboard, waiting for red lights to blink.
Which is entirely passive. That is monitoring. Real hunting is, well, it's hypothesis driven. Danny Akacki puts it perfectly in chapter one. He defines hunting as finding ways for evil to do evil things.
I love that phrasing.
It's great. You aren't waiting for a piece of software to tell you something is wrong. You are operating on the assumption that something is already wrong and you're actively trying to prove it.
Which brings up this whole man versus machine debate that runs through the entire text.
Yeah, it's everywhere in the book.
There's this great quote in the intro from the old TV show Airwolf.
Oh I remember that show. Yeah.
The quote is, they haven't built a machine yet that could replace a good pilot, and Bejtlich uses that to argue that attackers can test their malware against all your automated tools. Absolutely.
They literally buy the exact same endpoint detection software that you use.
Right, and they run it in their own labs until they figure out how to bypass it.
Exactly. If you're relying solely on automation, you're fighting a completely static defense. The attacker replicates your defense, beats it, and then attacks. But the one thing they cannot test against in a lab is you. A creative human analyst who, I don't know, wakes up one morning and decides to look for some highly specific, weird anomaly in the DNS logs.
That unpredictability is the ultimate defense.
It is. Human creativity is the variable they can't account for.
But, you know, we can't just rely on a gut feeling, right? We can't just wake up with a hunch every day. We need a framework to actually direct that creativity.
You need structure.
And that leads us to probably the most famous mental model in this entire document, the Pyramid of Pain.
Ah, David Bianco's masterpiece.
It really is.
It is absolutely essential for understanding modern defense.
And I think people often misunderstand it at first glance. Like, they see a pyramid and they automatically think it's a ranking of how bad the malware is.
Yeah, that's a common misconception. But it's actually a ranking of how much pain we cause the adversary when we detect them at different levels.
It's an economic model, really. Exactly.
It's an economic model for the attack. So at the bottom of the pyramid, the wide base, you have things like hash values and IP addresses. The easy stuff: very easy for us to detect, but also incredibly easy for the attacker to change.
Right, because if I block a malicious IP address, they don't care. They probably have a botnet of ten thousand other IPs. They burn one and move to the next in literal milliseconds.
It costs them absolutely nothing. It's a minor nuisance. You haven't disrupted their operation. You've just made a computer change a variable.
But then you move up the pyramid, right?
You move up through domain names, then network artifacts, then tools, and it gets progressively harder and more expensive for them to change those things, until you hit the peak, the pinnacle.
Yeah, TTPs: tactics, techniques, and procedures. And this is behavior. This isn't what the malicious file is named or what IP it came from. This is how the attacker actually operates.
Precisely. Let's say you detect that an attacker is using a technique like pass-the-hash to move laterally through your network. Okay, if you can detect that specific behavior and block that technique, you haven't just burned a cheap IP address. You've burned their education. You've burned the entire methodology they might have spent six months developing and practicing.
You force them to completely go back to the drawing board. You're taxing their resources.
That is the pain in the Pyramid of Pain. It costs them real time and real money. And that is why the hunter's mindset has to focus on the top of the pyramid.
We want behaviors, not just giant lists of bad IP addresses. Exactly. So, okay, effective hunting is about understanding the behavior of the enemy. But to find that behavior you need a method. I mean, you can't just scroll through millions of log lines hoping to see the word evil.
No, you'd go crazy. And that's what Jack Crook and Sergio Caltagirone argue in chapters three and four. They call that wandering. To actually hunt, you need the scientific method. You need to start with a solid hypothesis.
You have to think like the thief to catch the thief.
Specifically, you have to think about the thief's needs.
Right, because they have a job to do on your network.
They do. They need to execute code, they need to escalate their privileges, they need to package and move data. So a good hunter sits down and asks, if I were an attacker and I needed to steal the CEO's password, how would I do it?
And that question becomes the hypothesis. So, for example, you might say, if an attacker is staging data to exfiltrate it, they might be compressing large files in a temporary directory.
Perfect, that is a hunt. Now you go look for rar.exe or 7-Zip running in the C:\Windows\Temp folder.
You aren't looking for a virus signature.
No, you're looking for the behavior of staging data.
To help structure this, the text brings up the Diamond Model. It connects four points: adversary, capability, infrastructure, and victim.
It seems simple on the surface, but the power is in how it lets you pivot, right?
It turns a single isolated data point into a whole web of intelligence.
Because if you find a capability, that's, say, a specific piece of malware, you don't just delete it and stop there. You trace the line to infrastructure: where's this malware calling home to?
And then you trace the line to victim: who else in our network has this file?
Exactly. It forces you to map the entire campaign.
Let's get practical here, because the theory is great, but Huntpedia is absolutely full of these specific technical hunts that really bring this mindset to life.
Well, the real world examples are the best part.
I want to break down three of them that really stood out to me. The first one is from Tyler Hudak, and it's all about DNS collisions.
Ah, yes. This is a classic "oops" vulnerability that attackers just absolutely love to exploit.
So it starts with a configuration issue known as split-brain DNS. Let's say, inside my company, internally we use the domain corp.example.org. Okay, my work laptop knows that intranet.corp.example.org is a private internal server right down the hall.
Right. But then you take that laptop to a coffee shop. Yep, you connect to the public Wi-Fi, and your laptop, just trying to be helpful, shouts out to the local coffee shop DNS server, hey, where's intranet.corp.example.org?
Because it's constantly looking for it in the background, and since I'm not on the corporate network, that query goes out to the public Internet.
Now here is the real danger. If your company doesn't actually own the public registration for example.org, or if you're using an internal suffix that overlaps with a real public top-level domain, an attacker can just register that domain.
So the attacker sets up a server on the public Internet that simply says, hey, I'm right here.
And your laptop fully believes them. Hudak specifically points out the danger of the wpad.dat file here.
WPAD, the Web Proxy Auto-Discovery file. That's the file that basically tells the browser how to connect to the Internet.
Right, exactly, it configures your proxy settings. So if the attacker serves their malicious WPAD file to your laptop because of this DNS collision.
They designate themselves as your proxy.
Yep, and suddenly every single bank password, every email, every session cookie you send flows directly through their server before it goes to the real Internet.
That is terrifying efficiency. They don't even need to break into your laptop. They just raise their hand when your laptop asks for directions.
It's a man-in-the-middle attack handed to them on a silver platter.
So the hunt here, bringing it back to the hunter mindset, isn't looking for malware. It's looking for your own internal assets trying to authenticate to things that shouldn't exist on the public web.
Precisely. You are hunting for the misconfiguration before the attacker finds it. You're looking for internal hostnames resolving to public IPs.
That's brilliant. Okay, hunt number two comes from Chris Sanders, and this one deals with proxy logs. Now, normally we rely on our security vendors to categorize the web for us. They tell us this site is sports, this site is gambling, this one is malicious.
But the Internet is just too big. I mean, millions of new domains are registered every single day. The vendors simply can't categorize everything instantly.
And attackers know this. They're registering fresh domains for their command and control servers, their C2s, constantly, just to avoid those vendor blacklists.
Right. So when an attacker spins up a brand new domain for a campaign today, the proxy vendor hasn't seen it yet. It has zero reputation.
So it just gets labeled uncategorized or unknown. Exactly. So Sanders says the hunt should focus on that uncategorized bucket. But isn't that incredibly noisy? I mean, legitimate news sites launch all the time, small blogs, local pop-up shops.
Oh, it could be very noisy. You definitely can't just block all uncategorized traffic, or you'll completely break the Internet for your users. But Sanders suggests correlating that uncategorized traffic with frequency or beaconing behavior.
Ah, right, because normal human web browsing is entirely sporadic. I read a page, I click a link, I walk away to get coffee. Exactly.
Humans are random, but malware beacons rhythmically, because it needs to check in with the C2 server for instructions. Automated, right. So if you see a machine inside your network reaching out to an uncategorized domain every five minutes exactly, twenty-four hours a day.
That's a heartbeat.
That's C2 traffic. That is the signal hidden in the noise. It's hiding in the blind spot of the categorization engine. But the behavior, the rhythm, gives it away completely.
Okay, hunt number three. This one is honestly my favorite, because it feels exactly like running a spell checker. This is from David Bianco on process impersonation.
It's so clever.
You know the standard Windows processes, right, like svchost.exe.
Right, or lsass.exe.
Exactly. And attackers know that sysadmins just scan process lists visually.
We read by pattern recognition.
We just scan. So if an attacker names their malware scvhost, swapping the C and the V, yeah, your brain just instinctively autocorrects it to svchost. You skip right over it.
You don't even notice.
So how do you catch that without reading every single line of a log like a lawyer proofreading a contract? Bianco suggests using the Levenshtein distance algorithm.
It's a brilliant application of a string metric. The Levenshtein distance simply counts the number of edits, meaning insertions, deletions, or substitutions, required to change one word into another word.
So changing system to sytsem is just swapping two letters, right.
And depending on the specific variant of the algorithm you use, like the Damerau-Levenshtein one, a swap of adjacent characters counts as a distance of exactly one.
So if the distance is zero, it's a perfect match. It's the legitimate Windows file.
And if the distance is, say, ten, it's a totally different word entirely. Not suspicious in this context.
But if the distance is one or two.
That's the danger zone. That means someone is actively trying to trick your eyes.
Exactly. So you just run a script that says, show me every process name running in my environment that has a Levenshtein distance of one from a known system binary.
It's mathematically identifying deception. Yeah, you don't have to rely on your tired eyes at two a.m. You let the math find the camouflage.
It's using the attacker's desire to blend in against them.
It really is.
But let's play this out. Let's assume we use these methods. We found the typosquatted process, or we found the beaconing proxy log. We actually found the bad guy on the network.
Okay.
Segment four of our Deep Dive covers the strategy of the kill, and Scott Roberts introduces a genuinely controversial idea here.
The Hamilton dilemma.
Yes, he quotes the musical Hamilton, regarding Aaron Burr: I am not standing still, I am lying in wait.
Because the natural instinct of every single security person, and certainly every manager, is kill it right now, get them out. Right, you see a bad IP, you block it. You see an infected machine, you isolate it and reimage it immediately. But Roberts argues that while that might be a tactical win, it's often a strategic loss.
Because if you kill it immediately, you show your hand.
You tell the attacker, I see you.
Yeah.
What do they do? They disappear, they patch their tool, they change their IP, and they come back next week using a method you don't know about.
You've stopped the immediate bleeding, sure, but you've lost the intelligence. You have no idea who they actually are or what they were trying to steal. Exactly. But keeping them alive, that's incredibly risky. You're knowingly letting a threat actor operate on your live network. How do you possibly justify that to the business?
It's a highly calculated risk, and Roberts gives a checklist for it. The first, absolutely most important question is: is the victim safe?
Right?
If the attacker is about to exfiltrate your entire customer database, or if they're staging ransomware to encrypt your servers, you kill it. Yeah, immediately. Game over.
But if they're just doing reconnaissance, if they're just looking around the network.
Then you watch. You lie in wait. You sit back and you see what commands they type, you see what other internal IPs they try to connect to. You map out their entire infrastructure.
You wait until you can burn their entire operation to the ground, not just chop off one tentacle.
Precisely. It fundamentally changes your role from being a digital janitor, just constantly cleaning up messes, to doing actual counterintelligence.
You want to understand the human on the other side of the keyboard. If you kick them out too early, you never learn their objectives.
And that really brings us full circle, doesn't it? We started with man versus machine. We talked about algorithms like Levenshtein distance and automated tools like proxies, but ultimately Huntpedia keeps coming back to the fact that this is a human-on-human fight.
It really is. Automation handles the known threats. It clears out that low-hanging fruit at the bottom of the Pyramid of Pain. It blocks the bad IPs and the known hashes.
But the top of the pyramid is creative. It's novel, and it takes a human mind to spot the anomaly that an algorithm simply ignores because it hasn't seen it before.
A machine sees data. A hunter sees intent.
Well put. The sources heavily emphasize that while AI and machine learning are great, they are not a replacement for human intuition. The attacker is a human being; they will make mistakes, they will have observable patterns. Right.
A machine might miss the typo in the process name because it doesn't understand the intent to deceive, but a human hunter, armed with the right hypothesis, will catch it every time. Exactly. Which brings me to a final thought for you to chew on. We talked a lot today about how automation handles the bottom of the pyramid for us, the defenders. But what happens when the attackers start using AI to automate the top of the pyramid?
Ooh, that's a scary thought, right?
What happens when they use large language models to dynamically rewrite their TTPs on the fly, so there is no consistent behavioral pattern for us to track? The top of the pyramid becomes completely fluid. That is the next frontier of hunting, and it's going to require even more human creativity to solve it.
It absolutely will.
So for everyone listening, don't just sit there waiting for the red light on your dashboard to blink. That's the old way. The challenge that Huntpedia leaves us with is to be proactive. Ask yourself today, if I were trying to hide in my own network, where would I go?
And then go look there. Happy hunting.
Thanks for joining us. We'll catch you on the next Deep Dive.
