RetroHunt: Retrospective Analysis for Threat Hunters

Posted on 2018-05-09 by Adam Swanda

InQuest helps organizations in both threat-hunting and incident response through the use of our RetroHunt capability.

RetroHunting allows the searching of a historical data with signatures in order to see if any of the signatures match within that historical file set.

For readers of who have used VirusTotal Intelligence (VTI), this is a familiar concept and a powerful research tool. One of the major features of the InQuest platform is providing that very same RetroHunting functionality across the artifacts traversing your own network. We do this automatically on a weekly basis with each new signature release and/or update, as well expose the functionality to users as an on-demand feature.

This allows users to search back through mass amounts of sessions and files on newly created or recently updated signatures. Weekly releases of new signatures ensures we stay on top of the latest threats and exploits, while RetroHunt makes sure you stay alerted if they appear in your environment. Users are able to leverage both InQuest signatures, and we provide YARA compatibility within our signatures for users to define and/or import their own signatures they wish to scan for.

Very often organizations do not know that a threat actor or malware has breached them until days, months, or even years after the initial intrusion. According to the FireEye M-Trends report for 2017, the median discovery time of an incident was 99 days. Worst yet, some organizations may receive first notice of a breach from a third party. Fast incident response time is crucial in remediation and mitigation of both known and unknown threats, just as it is immensely useful to have the ability to proactively monitor your environment for attacks, threat groups, and malware of interest.

To help address these problems, InQuest provides customers our unique RetroHunt feature. In combination with Deep File Inspection (DFI), through the use of automated historical analysis across the past 14 days by default or further as your environment allows it, of captured data, including full sessions, files, and files discovered through the DFI process. The 14-day retention mentioned above time-period can be customized by InQuest users and is only limited to the amount of data your particular InQuest setup provides.

Knowing that generally, we are not as smart today as we are tomorrow, the RetroHunt scanning feature occurs automatically every time a new signature gets added; either from InQuest updates or manual user submissions, to alert on past threats once intelligence becomes available to us on an ongoing basis.

As we provide a weekly release of InQuest signatures, this means that not only will users be alerted to brand new and updated rules we have published, but each weekly release will automatically start a scan of historical session data and any associated artifacts using any of the newly published or updated signatures.

InQuest also supports a custom layer of signature search operators that can be used by analysts and operators when writing rules to act against network traffic, such as HTTP/SMTP content, SSL certificate information, and file artifact metadata, among other attributes. Not including every potential use-case but, for example, if you were investigating an actor known to use a specific type of network traffic you would be able to craft a signature in InQuest that parsed and searched many commonly seen HTTP headers and content, SSL certificate information, SMTP headers. When it comes to more disk-based or file artifact, our custom signature operators allow users to analyze many aspects of data such as the original file artifacts, file metadata, and their DFI post-processed derived files can be searched against in various ways. This set of InQuest specific and provided operators even cover inbound and outbound IP addresses and ports for more stringent hunting, in scenarios where you know very well where on your network or how, tactically, to expect a particular attack.

Use Case: Threat Hunting

As security teams become more mature in their processes and methods, there comes a time where teams will inevitably want the ability to proactively hunt for and track specific threats targeting their environment as opposed to waiting for the threat to go to them.

Analysts may be interested in a specific campaign or threat actor group they have seen targeting other organizations in their sector or vertical. Whether the original artifacts gets collected from public or private sharing groups, innate intelligence, or OSINT (Open Source Intelligence), this can all add up to generating a broader profile of threat of interest. After identification and creation of an initial profile, many artifacts make an excellent candidate for a set of custom/internal signatures within InQuest to begin hunting with, and allow well-placed collectors to catch all downstream session data should that threat ever appear in your environment.

If that signature triggers, users have the confidence to know they are protected, and they immediately can perform a RetroHunt. This look back in time allows the analysts to see if the threat has targeted them before and view the full stream information on how that attack occurred. Therefore, giving the analysts further details on the threat, such as IP addresses used, file names, and other artifacts that can then be added back into the threat hunting profile in an on-going and refined manner.

After expanding the threat profile from the InQuest discovered artifacts, analysts can then leverage other InQuest integrations (such as Splunk, ArcSight, and OPSWAT, among others) to collect indicators from other available sources and begin to correlate these data points. These tasks further build out the original threat profile - with all of this stemming from an analyst adding a signature and running a RetroHunt.

Use Case: Incident Response

Taking the recent case of the Adobe Flash Player 0day (CVE-2018-4878) as an example for the usefulness of RetroHunting, let's follow the timeline of events from initial disclosure, in-the-wild usage, mainstream knowledge of the vulnerability, InQuest coverage for the attack, and public attack tool releases. With this exploit affecting Adobe Flash Player 28.0.0.137 and all earlier versions, this is of particular interest due to the extensive attack range.


CVE-2018-4878 Timeline

Date Event
Feb. 2nd, 2018 Adobe releases an advisory for this vulnerability
Feb. 3rd, 2018 Talos published report on a zero-day exploit found in the wild
Feb. 3rd, 2018 InQuest published signature utilizing DFI for detection of exploit attack vector to customers and community
Feb. 8th, 2018 Adobe announces a patch for Flash Player to mitigate this exploit
Feb. 10th, 2018 Exploit source code and public toolsets become available on Github

Reference links for each table item are available in the appendix of this blog.


Even though the Talos report covered the first known incident of this exploits use in the wild, InQuest can assess with moderately high confidence that both cyber-criminals and advanced actors pay close attention to the same security advisory pages, blogs, and news feeds that defenders do. These same actors potentially began working on the means to exploit this vulnerability once the Adobe released their advisory, if not significantly earlier simply due to the time and effort it takes to craft a reliable exploit. The time between vulnerability disclosure and a working exploit relies heavily on the difficultness of the vulnerability, the quality of your operators, and the number of resources you can throw at the development of a given exploit. As we do not have direct insight into this actor and their exploit development cycle, it is very challenging to assess when the exploit development process began.

In fact, a security researcher created a public Github repository containing a CobaltStrike module for the CVE-2018-4878 exploit on February 10, 2018, as well as other a small handful of other public Github repositories with variations of the exploit and the means to build it.

These facts and the timeline above leaves many unknowns when defending an environment:

  • How long was this exploit being actively used before being discovered?
  • Who is using the attack?
  • What is the Threat actor after in a targeted environment?
  • Will widespread adoption appear in the near-future?
  • Most importantly, was your environment affected by this exploit before any public reporting was available?

This type of scenario is the perfect time to leverage RetroHunting. It also helps to cycle back to the Threat Hunting use case and profile any discovered attacks and their actions.

Performing a RetroHunt

On the right-hand side of this view, the "Rescan Historical Content" menu is visible within the "RetroHunt" drop-down menu which allows users to search within given time-frames for this specific rule.

Event View to Begin RetroHunt From

The Retrohunt retention period is only limited by the hardware your InQuest environment runs on, which allows you to check for the existence of this exploit, or any other new or updated threat, as far back as you would like. In the demo environment pictured, we would be able to search backwards 30 days from when the rule was initially published to detect any historical events leveraging this exploit and then begin triaging the attack right away.

Selecting RetroHunt Time Range

If discovered, analysts can view the malicious file's metadata seen above quickly, any other signatures the artifact may have also hit on, and the ability to dive into every unique session where the exploit or signature event was found.

Conclusion

A Security Operations Center or Threat Intelligence team is only as good as the data they receive and how fast they can act on it. With the InQuest signatures, RetroHunt built-in to InQuest, and automatically executing after every weekly release, customers can stay up to date on the latest threats and quickly become aware of past threats that have slipped by other common detection methods on a continual basis. This ability allows users to quickly determine which assets have been affected and prioritize response to the identified threat much more efficiently, and in the world of incident response, every second can make the difference between containment and infection.

References

Sources used above in the CVE-2018-4878 Timeline:

threat-hunting incident-reponse malware-analysis retrohunt YARA