Discovering Malicious Activity: A Blue Teamer’s Quick-Use Guide
Written by Lex Crumpton.
Red team adversaries need only one way to get in. But blue team defenders need to know all the ways security can be breached. Having a list upfront of questions to ask, places to go, and things to look for makes it easier for blue teamers by systematically ensuring we’re not leaving anything untouched.
There are so many questions you can ask and so many nuanced things you can do. As a lead cybersecurity engineer who leads teams helping shape and deliver cyber analytics, mitigations, and detections within MITRE ATT&CK® and MITRE Engenuity’s Center for Threat-Informed Defense and ATT&CK Evaluations, I see three main areas that an adversary will often manipulate. Those are: user activity, operating system (OS) configuration changes, and malicious processes/programs/software on a computer.
Let’s dive more deeply into each of these areas:
1. Malicious User Activity
Certain users have access to your computer systems or your organization. Start by looking at their names to ensure whoever is there, should be there.
● Are there any suspicious login events? Are they normal people from the organization? Do you see any names of users that normally aren’t there, or shouldn’t be in that environment? Are there any that were just recently created? Any suspicious accounts?
For instance, perhaps you and I are normal user accounts on a system. And then we see another account named Bob. Who is Bob, where did he come from, and is he supposed to be there? These questions must be answered.
● Next, are users doing anything suspicious? Is their activity the regular sort of activity they do daily, or is the activity outside of those bounds? Did someone launch a program or software outside of their usual scope of activity?
Let’s say you log in at 9 a.m. every morning, like clockwork. And then you find a login at an odd hour, like noon or 2 a.m. That tells you that there is unusual activity for the user of that account. Another suspicious activity: a user using a program or software they don’t normally use, or one that is outside of the scope of what they do.
2. Malicious OS Configuration Changes
Most organizations restrict the ability to talk from one computer to the next computer. Adversaries often try to enable access this way so they can move laterally from one computer to the next to then conduct their activity across an entire organization. To watch for this, consider:
● Are there OS changes that ease system access? That includes modifications that allow remote access, enable file sharing, make response harder, launch programs, and/or otherwise change the OS?
Let’s say you’re a lower-tier user who lacks permission as a user to execute specific executables or programs. An adversary will change that person’s permission or reconfigure the operating system to have access to running all programs without restrictions.
● Are there OS changes that prevent detection? Such as disabling firewalls, turning off antivirus tools, or doing anything that tends to stymie adversaries once they have initial access onto the box?
Adversaries also know how to circumvent restrictions set by publicly-available security tools and will turn those off, in a sense. So, don’t assume just because you have a first-line-of-defense tool, that the digital security tool is or was operating as it should.
3. Malicious Programs
If you don’t catch an adversary in the act, your computer system could potentially have some the activity saved — even the deleted files. This means, you could potentially find things previously done, regardless of what an adversary may have done to try to clear logs or delete hard drives.
And many adversaries do leave behind not just signs of previous activity but ways to leverage ongoing harm. Whenever an adversary comes onto the box, they have initial access. This is where the adversary enters your network to execute other techniques. Defenders can catch the adversary in this phase and prevent further action. But the adversary can also establish persistence — a way to back onto the box — so they don’t have to repeat the initial (and more apparent) compromise they did the first time around. In these situations, you can think about:
● Are there malicious persistent mechanisms? Are there malicious programs running? Are there signs that malware ran at some point? Is there a process or software running that usually isn’t there?
● Have you examined places where files are collected and stored, including process lists, event logs, temp folders, scheduled tasks folders, memory, and elsewhere to see what processes have run or are running? Are you finding anything outside the normal bounds and processes that you have as a user? Is something hiding here?
As an example, an adversary could set up a backdoor. They could inject into code a snippet of information that schedules a task to upload a value to the registry key. And once that registry key is uploaded, it will give the user logon privileges again, and the adversary will have access to come back through the network.
The Common Denominator: Systematically Identifying Anomalies
Anomalies tell us a lot. They don’t necessarily tell us everything, but they are an excellent foundational starting point that helps you unearth malicious activity.
That systemic approach applies both to discovering malicious activities and what those activities left behind. The adversary may be gone, but the threat may remain. It’s important to backtrack and go through everything to see what may have been left behind, and where. What are they hiding? And where?
Don’t assume that, just because the anomalies have disappeared, an adversary’s presence is past. Fully and effectively finding and turning back an adversary requires attention to detail and persistence.
Alexia “Lex” Crumpton is a Lead Cybersecurity Engineer — SOC and Blue team for the MITRE Corporation. Lex is a multi-functional leader whose current work spans across various exciting efforts involving security operations and research, specializing in defensive countermeasures and heuristic behavior analysis. She leads teams that help shape and deliver cyber analytics, mitigations, and detections within MITRE ATT&CK®, the Center for Threat-Informed Defense, and ATT&CK Evaluations. Lex previously worked as an Exploitation Developer, Windows Blue Team/Threat Hunter analyst, Malware Reverse Engineer, and lead DFIR analyst. Lex holds a M.S. in Cybersecurity from University of Maryland, Baltimore County (UMBC) and a B.S. in Computer Science from Bowie State University. Her personal mission is create defensive solutions for the everyday user to understand and to make a positive impact on youth through college courses, mentorship, and supporting high-school activities/summer camps teaching them how to defend their computers.
More from ATT&CK Evaluations
The MITRE Engenuity ATT&CK Evaluations program is on a mission to make a safer world with a threat-informed defense approach to security. To learn more or get involved, visit the ATT&CK Evaluations website. For more about MITRE Engenuity, a tech foundation for public good, follow us on Medium, LinkedIn, or Twitter.
© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number AT0041