I've been a security analyst in a SOC for more than 3 years. Besides waiting for alerts triggered by devices such as IPS or endpoint protection, one can write rules in the SIEM to analyse logs. The SIEM needs to be constantly updated with new intel. Below are a few things that I look for when hunting for a customer remotely or on-site. Understand that incident response and threat hunting can be integrated.
- A central logging place such as a SIEM, with logs from various network devices.
- Traffic violating security standards.
- Traffic going to or coming from countries the customer does not do business with.
- Access to/running of executables or confidential files on hosts/servers – this can be done by acceptable use monitoring.
- Threat intelligence and/or threat feeds – open source and subscribed – matched against the logs.
- Endpoint protection logs – especially the ones that are cleaned or quarantined. We need to understand how endpoint and/or AV vendors are identifying or logging these entries to get a broader picture of what type of tools or malware are being used against you.
- Publicly available information about the customer, analysing how that information can be used to target the customer, and monitoring those open doors.
- Windows logs – privilege escalation, failed attempts, user accounts on the system, which user logged into the system, what services/processes are running; one can also make a list of folders that should not have any executables or services starting from them.
- Proxy and/or DNS logs – suspicious packets, HTTP requests, large/similar numbers of bytes in and bytes out, any traffic going via clear-text protocols such as 22. Look for specific keywords in DNS logs, and also check which DNS servers requests are going to – you may find some foreign DNS.
To identify IOCs and/or malicious entities independent of any customer logs:
- Randomly accessing websites on top-level domains to identify any suspicious/malicious redirection – the traffic is passed to the interface being monitored by Snort. The Windows machine will also have Procmon with VirusTotal integration and of course Wireshark.
- Analysing spam emails and running them through Security Onion to see if any alerts get triggered. Extract domains and IP addresses and use them in the SIEM.
- Checking specific parameters in URLs/HTTP requests that can be used to exploit web applications – although the IDPS may trigger a rule for it, there are instances where we do not get IDPS logs.
- Lastly, honeypot to identify bad actors.
- Lurking on private forums, IRC and dark web – hell yeah.
- Following threat campaigns.
Hope this helps. Happy hunting!!!!!!
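To make the log-based hunts in the list above concrete, here is an added example (not code from the original post) that runs a few of them over constructed proxy, DNS and Windows process-creation lines: threat-feed matching, destinations in countries outside a business allowlist, large and similar bytes in/out, DNS keyword and non-corporate resolver checks, and executables starting from folders that should never contain them. The log format, the indicators, the country allowlist, the resolver list and the thresholds are all assumptions made up for illustration; a real SIEM rule would read the customer's actual field names and feeds.

```python
"""Threat-hunting checks over constructed log lines (illustrative only)."""
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Constructed indicators; not real threat intelligence.
THREAT_DOMAINS = {"update-check.example-bad.net"}
THREAT_IPS = {"203.0.113.45"}
# Countries the hypothetical customer does business with.
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
# Corporate resolvers; any other resolver is "foreign DNS" for this customer.
CORPORATE_DNS = {"10.0.0.53", "10.0.1.53"}
DNS_KEYWORDS = ("pastebin", "dyndns", "ngrok")
# Folders (normalised to forward slashes) that should never start executables.
SUSPICIOUS_EXE_DIRS = ("/appdata/local/temp/", "/users/public/", "/windows/temp/")

# Constructed proxy lines: ts src dst dst_host country bytes_in bytes_out
PROXY_LOGS = [
    "2024-05-01T10:00:01 10.1.2.3 93.184.216.34 www.example.com US 5120 380",
    "2024-05-01T10:00:07 10.1.2.3 203.0.113.45 update-check.example-bad.net KP 4096 4080",
    "2024-05-01T10:00:09 10.1.2.9 198.51.100.7 cdn.example.org BR 900 120",
    "2024-05-01T10:01:00 10.1.2.3 203.0.113.45 update-check.example-bad.net KP 4096 4090",
]
# Constructed DNS lines: ts src qname resolver
DNS_LOGS = [
    "2024-05-01T10:00:00 10.1.2.3 www.example.com 10.0.0.53",
    "2024-05-01T10:00:05 10.1.2.3 files.pastebin.example 8.8.8.8",
    "2024-05-01T10:00:06 10.1.2.9 cdn.example.org 10.0.1.53",
]
# Constructed Windows process-creation lines: ts host user image_path
PROC_LOGS = [
    r"2024-05-01T10:02:00 WS01 alice C:\Program Files\App\app.exe",
    r"2024-05-01T10:02:03 WS01 alice C:\Users\alice\AppData\Local\Temp\svch0st.exe",
]


def hunt_proxy(lines, similar_ratio=0.9, min_bytes=4000):
    """Threat-feed, geography and bytes-in/out checks on proxy lines."""
    findings = []
    for line in lines:
        _ts, _src, dst, host, country, b_in, b_out = line.split()
        b_in, b_out = int(b_in), int(b_out)
        if host in THREAT_DOMAINS or dst in THREAT_IPS:
            findings.append(Finding("threat_feed_match", line))
        if country not in ALLOWED_COUNTRIES:
            findings.append(Finding("unexpected_country", line))
        # Large and near-equal bytes in and out is worth a look (beacon-like traffic).
        low, high = min(b_in, b_out), max(b_in, b_out)
        if low >= min_bytes and low / high >= similar_ratio:
            findings.append(Finding("similar_bytes_in_out", line))
    return findings


def hunt_dns(lines):
    """Keyword matches in query names and requests sent to non-corporate resolvers."""
    findings = []
    for line in lines:
        _ts, _src, qname, resolver = line.split()
        if any(k in qname.lower() for k in DNS_KEYWORDS):
            findings.append(Finding("dns_keyword", line))
        if resolver not in CORPORATE_DNS:
            findings.append(Finding("foreign_resolver", line))
    return findings


def hunt_processes(lines):
    """Executables launched from folders that should not contain any."""
    findings = []
    for line in lines:
        _ts, _host, _user, path = line.split(maxsplit=3)  # path may contain spaces
        normalised = path.lower().replace("\\", "/")
        if any(d in normalised for d in SUSPICIOUS_EXE_DIRS):
            findings.append(Finding("exe_from_suspicious_dir", line))
    return findings


def hunt_all():
    """Run every hunt over the constructed logs; return findings and per-rule counts."""
    findings = hunt_proxy(PROXY_LOGS) + hunt_dns(DNS_LOGS) + hunt_processes(PROC_LOGS)
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return findings, counts


if __name__ == "__main__":
    all_findings, rule_counts = hunt_all()
    for f in all_findings:
        print(f"[{f.rule}] {f.line}")
    print(rule_counts)
```

Each rule is deliberately independent, so one line can produce several findings (the feed hit from an unexpected country with beacon-like byte counts scores three); in a SIEM that stacking of weak signals on the same source host is usually what turns a noisy rule into a case worth opening.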