Gaining Visibility

The Scariest Threats? The Ones We Cannot See

Casey Smith

Share this Project

It’s Halloween—my favorite time of year. If you think about most scary movies, what is it that scares us most? I propose that the scary things, the really scary things, are the ones we can’t see.

From the popular (and awesome) show Stranger Things to classics like Paranormal Activity, Predator, and Aliens, the evils we cannot see are often the most terrifying.

Now, what about those things that remain unseen in your network? What is lurking in the shadows that you fear, but can’t confirm? You can’t fight what you can’t see, which is why gaining visibility is so crucial for defenders.

How to Bring Threats to Light

When I was working as a Red Team leader for a bank, we conducted an annual “Halloween Havoc” exercise to test the effectiveness of our defenses. These unconstrained, objective-driven tests were great for identifying gaps in our visibility and detection. One example was a test to see if we could get a payload past our new whitelisting software. While we could have used PowerShell, we decided to go for something that had never been seen before. This led us to discover and use a system bypass that leveraged InstallUtil.exe. Having never seen this before, the defenders had to adapt visibility and analysis to uncover the activity.

Better Visibility

There are a number of ways for an organization to gain increased visibility and start bringing some of these “monsters” into the light. Our CSO, Keith McCammon, has long been an advocate for a concept he calls “Minimum Viable Collection.” It’s based on the development technique Minimum Viable Product, in which a new product is released with just enough features to drive feedback that guides ongoing development.

In the same way, organizations can start collecting just enough information about their environments to drive future detection efforts. To do this well, an organization needs to determine their ability to collect and analyze endpoint and network telemetry.

Where to Begin

I recommend starting with three areas to get a level of minimal viable collection:

  1. Sysmon – Windows Endpoint collection
  2. DNS Logging
  3. Baseline and Inventory of Your Environment

Why these? The collection and capability is low cost and high signal. If you have collection and analysis in these areas, you will likely be able to unmask adversary activity in your fleet.

Here are some resources for each area to help you get started.

1: Sysmon – Windows Endpoint collection

Sysmon is easy to deploy and can be configured to collect specific processes or everything happening on an endpoint. Either option provides enough data to perform the minimum viable collection for detection on the endpoint.

My colleague Michael Haag has an amazing Github repository on how to collect and analyze Sysmon with various tools. If you have Splunk, there is also a technology add-on and Splunk App for Sysmon. The Splunk App for Sysmon is another way to assist organizations in gaining visibility and making quick decisions on endpoint behavior. If Splunk is not your thing, check out ELK or Graylog; both are on the sysmon-dfir repository.

2: DNS Logging

If you are are using Microsoft DNS Servers, you may be able to turn this on and get tremendous insight. For example, what are all these NX domains (Non-Existent Domains) our endpoints are searching for? You can also gain insight into malicious domains your organization may be contacting. Check out this Microsoft Technet article for more on configuring and enabling this type of DNS logging, as well as how to use Windows Event Forwarding to help with intrusion detection. DNS Logging is just one facet of this collection and forwarding, but it’s a great place to start.

Another excellent resource is the article Phil Hagen wrote: Passive DNS Monitoring – Why It’s Important for Your IR Team.

3. Baseline and Inventory Your Environment

We’ve all heard it before… “Just build a baseline.” This glib advice is often not helpful at all. How do you build a baseline? Where do you start? How do you measure drift from the baseline? These are all valid questions.

Our team wrote a free tool called Surveyor to give security teams a practical way to follow the nebulous advice of “build a baseline.” It works in conjunction with endpoint telemetry from Carbon Black, which can provide your organization with some of the best insight into what is on your network. I would encourage you to check out this article for more details and instructions: How to Baseline and Inventory an Environment in Minutes with Carbon Black Response + Surveyor

Key Takeaways

We’ve looked at three areas to increase your visibility. Think of these as your “Night Vision” goggles to see what you would normally be unable to see. Once something is seen, it can be studied and analyzed.

Perhaps once you shine a light on the dark places in your network, things won’t seem quite so scary.