By Yaelle Harel, Technical Product Marketing Manager
Threat Hunting is a proactive approach to finding and remediating cyber-attacks that existing controls have not detected. It is a process of searching for indicators of compromise (IoCs), investigating, classifying and remediating. The hunt can be IoC-driven, as demonstrated in the previous chapter, or hypothesis-driven, in which it begins with an initial hypothesis or question, for example: have we been affected by a recent campaign covered in the news? SandBlast Agent’s Threat Hunting solution is a platform that helps you hunt for and investigate incidents promptly. In this blog post we demonstrate how to hunt for the “Maze” ransomware using SandBlast Agent’s MITRE ATT&CK Threat Hunting Dashboard.
What is MITRE ATT&CK?
MITRE ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations. It has become a useful tool across many cyber-security use cases such as Threat Hunting, Red Teaming and Threat Intelligence enrichment, and it is frequently discussed at conferences such as RSA, Black Hat and the Gartner Security and Risk Management Summit. Because each technique entry records the procedures that specific groups and malware families have actually used, the framework is a natural starting point for hypothesis-driven hunting: take the techniques a campaign is known to use and look for them in your own telemetry.
Maze was one of the two most prevalent ransomware families in Q3 2020. SandBlast Agent Endpoint Protection includes anti-ransomware protection that blocks the Maze ransomware, as described in the previous chapter. MITRE ATT&CK has mapped the techniques used by the Maze ransomware (Figure 1):
Hunting using MITRE ATT&CK
SandBlast Agent’s Threat Hunting solution includes pre-defined queries that let you quickly find active attacks, detected attacks, malicious files and more. It also provides a MITRE ATT&CK dashboard for investigating attacks based on ATT&CK intelligence. For the use case above, looking up the “Maze” ransomware in the MITRE ATT&CK matrix (Figure 1) gives the list of techniques the ransomware uses, and we can search for each of those techniques in SandBlast Agent’s Threat Hunting dashboard. Let’s start with “Windows Management Instrumentation (T1047)”. According to MITRE’s analysis, Maze has used “wmic.exe” to attempt to delete the shadow volumes on the machine, removing the local restore points a victim would otherwise recover from. In SandBlast Agent’s MITRE ATT&CK Dashboard (Figure 2), we can see that this technique was observed by SandBlast Agent 115 times on two hosts.
Clicking the technique in SandBlast Agent’s Threat Hunting dashboard shows more details about it and, more importantly, provides queries that quickly return all the relevant events so the investigation can continue (Figure 3).
Running the pre-defined queries gives a telling result. Every process in the list is a benign, signed Windows binary, but the parent process of most of them is not. That is the pivot to take: the child is expected, and the process that spawned it is what needs investigating. Great hunting!
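The hunt described above, as an added example rather than Check Point’s code or SandBlast Agent’s query syntax: filter process-creation events to the shadow-copy deletion Maze performs through wmic.exe (T1047), then pivot on the parent process, which is where the benign-child/suspicious-parent pattern from the query results shows up. The event records and the field names are constructed to resemble a generic EDR or Sysmon Event ID 1 export; the vssadmin pattern and the list of expected parents are assumptions a hunter would tune to their own environment.

```python
"""Hunt for shadow-copy deletion (Maze's use of wmic.exe, MITRE ATT&CK T1047)
over process-creation events, then pivot on the parent process.

Added example: not Check Point code and not SandBlast Agent's query syntax.
The events below are constructed to look like a generic EDR / Sysmon
Event ID 1 export; the field names are an assumption.
"""
import re
from collections import Counter

# Command-line shapes of shadow-copy deletion. The wmic form is what MITRE
# documents for Maze under T1047; vssadmin is the sibling a hunter checks in
# the same pass (an assumption about scope, not something the post claims).
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
)

# Parents from which an administrator or a scheduled job would normally
# launch these tools (assumed baseline). Any other parent is surfaced: the
# child is a signed Windows binary, but whatever spawned it is the lead.
EXPECTED_PARENTS = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\services.exe",
}


def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes Volume Shadow Copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def hunt(events):
    """Filter process-creation events to shadow-copy deletion.

    Each hit keeps the fields an analyst pivots on and flags parents that
    are not in EXPECTED_PARENTS.
    """
    hits = []
    for ev in events:
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        hits.append({
            "host": ev["host"],
            "image": ev["image"],
            "parent_image": ev["parent_image"],
            "cmdline": ev["cmdline"],
            "suspicious_parent": ev["parent_image"].lower() not in EXPECTED_PARENTS,
        })
    return hits


def parents_by_host(hits):
    """Count hits per (host, parent image): the view that turns
    'N events on two hosts' into 'which process on which host did this'."""
    return Counter((h["host"], h["parent_image"]) for h in hits)


# Constructed sample events (not real telemetry); the dropper path is made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Users\jdoe\Downloads\invoice_0921.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\jdoe\Downloads\invoice_0921.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\wbem\\WMIC.exe" shadowcopy delete'},
    {"host": "WS-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption"},          # benign WMI use, not a hit
    {"host": "WS-03", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},        # lists, does not delete
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        flag = "INVESTIGATE" if h["suspicious_parent"] else "expected parent"
        print(f'{h["host"]}: {h["cmdline"]}  <- {h["parent_image"]}  [{flag}]')
    for (host, parent), n in parents_by_host(hits).items():
        print(f"{host} {parent}: {n} event(s)")
```

On the sample data the two WS-01 events are surfaced because their parent is an executable in a user profile, while the WS-02 deletion from cmd.exe is kept in the hit list but not flagged; whether an interactive cmd.exe deleting shadow copies is acceptable is a judgement for the analyst, which is why the example keeps it rather than dropping it.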
In the next chapter, we will explain how automatic containment and remediation with SandBlast Agent can save you a lot of time and money. Stay tuned.