Full Report
John Strand // In this webcast, John walks through a couple of cool things we’ve found useful in some recent network hunt teams. He also shares some of our techniques and […] The post WEBCAST: Tales from the Network Threat Hunting Trenches appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: RITA (Security Tool)
## Overview
RITA (Security Tool) is a tool used by Black Hills Information Security (BHIS) for network threat hunting; it is designed to work through massive amounts of network data to identify suspicious activity.
## Technical Details
- Type: Tool
- Platform: Network/Data Analysis (Likely relies on network traffic data, potentially from Bro/Zeek logs)
- Capabilities: Advanced analysis of large datasets for threat hunting; used as a core tool in "network hunt teams."
- First Seen: The context implies it is a long-standing tool used by the presenters as of the webcast date (Feb 22, 2018).
## MITRE ATT&CK Mapping
*Note: RITA itself is a defensive/hunting tool, but its use focuses on detecting adversary techniques. Specific ATT&CK mappings are based on the type of activity it is intended to uncover.*
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
- TA0008 - Lateral Movement (if used to detect C2 callbacks)
- TA0007 - Discovery (if used to detect beaconing that points to internal reconnaissance)
## Functionality
### Core Capabilities
- Processing massive amounts of data for network threat hunting.
- Used in conjunction with network monitoring solutions like Bro (Zeek).
### Advanced Features
- Implied capability to perform deep statistical or behavioral analysis on network traffic to flag anomalies, which is typical of tools associated with **Active Countermeasures**, the developer listed in the webcast tags.
- Used in BHIS "network hunt teams" methodology.
## Indicators of Compromise
- File Hashes: N/A (Tool, not malware)
- File Names: N/A (Tool, not malware)
- Registry Keys: N/A
- Network Indicators: N/A (The tool *analyzes* network indicators, it does not generate them itself.)
- Behavioral Indicators: Detection focuses on network patterns that RITA surfaces during analysis (e.g., suspicious beaconing, anomalous data flows).
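The behavioral indicator named above, suspicious beaconing, is the kind of pattern a hunt team looks for in Bro/Zeek connection logs. The following is an added example, not RITA's code or any algorithm the report describes: it parses a few constructed Zeek-style `conn.log` rows (timestamp, source host, destination host, destination port) and scores each source/destination/port pair by how regular the gaps between its connections are. The coefficient of variation (standard deviation divided by mean of the inter-connection intervals) is an assumed, generic regularity heuristic; the thresholds `min_connections` and `max_cv` are assumptions a hunter would tune for their own environment.

```python
"""Beaconing heuristic over Zeek-style conn.log records (added example).

Scores each (source, destination, port) pair by how regular its connection
intervals are. This is a generic coefficient-of-variation heuristic written
for illustration; it is not RITA's own algorithm, which the report above
does not describe.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows in Zeek conn.log TSV column order (subset):
# ts  id.orig_h  id.resp_h  id.resp_p  proto
# 10.0.0.15 talks to 203.0.113.7:443 almost exactly every 60 seconds,
# 10.0.0.22 talks to 198.51.100.9:80 at irregular intervals,
# 10.0.0.30 has too few connections to judge.
SAMPLE_CONN_LOG = """\
1519344000.000\t10.0.0.15\t203.0.113.7\t443\ttcp
1519344060.100\t10.0.0.15\t203.0.113.7\t443\ttcp
1519344119.900\t10.0.0.15\t203.0.113.7\t443\ttcp
1519344180.050\t10.0.0.15\t203.0.113.7\t443\ttcp
1519344240.000\t10.0.0.15\t203.0.113.7\t443\ttcp
1519344299.950\t10.0.0.15\t203.0.113.7\t443\ttcp
1519344005.000\t10.0.0.22\t198.51.100.9\t80\ttcp
1519344017.000\t10.0.0.22\t198.51.100.9\t80\ttcp
1519344320.000\t10.0.0.22\t198.51.100.9\t80\ttcp
1519344351.000\t10.0.0.22\t198.51.100.9\t80\ttcp
1519344900.000\t10.0.0.22\t198.51.100.9\t80\ttcp
1519344950.000\t10.0.0.22\t198.51.100.9\t80\ttcp
1519344010.000\t10.0.0.30\t192.0.2.44\t53\tudp
1519344020.000\t10.0.0.30\t192.0.2.44\t53\tudp
"""


def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p) from tab-separated rows, skipping
    Zeek '#' header/comment lines and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        try:
            yield float(fields[0]), fields[1], fields[2], int(fields[3])
        except ValueError:
            continue


def beacon_scores(records, min_connections=5):
    """Return {(orig_h, resp_h, resp_p): (count, mean_interval, cv)} for pairs
    with at least min_connections. cv is pstdev/mean of the gaps between
    consecutive connections; values near 0 mean near-constant spacing."""
    timestamps = defaultdict(list)
    for ts, src, dst, port in records:
        timestamps[(src, dst, port)].append(ts)
    scores = {}
    for key, tss in timestamps.items():
        if len(tss) < min_connections:
            continue
        tss.sort()
        gaps = [later - earlier for earlier, later in zip(tss, tss[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[key] = (len(tss), avg, cv)
    return scores


def flag_beacons(scores, max_cv=0.1):
    """Pairs whose interval regularity is tighter than max_cv, most regular first.
    Each hit is (key, count, mean_interval, cv)."""
    hits = [(key, *vals) for key, vals in scores.items() if vals[2] <= max_cv]
    return sorted(hits, key=lambda hit: hit[3])


if __name__ == "__main__":
    scores = beacon_scores(parse_conn_log(SAMPLE_CONN_LOG))
    for key, count, avg, cv in flag_beacons(scores):
        print(f"{key[0]} -> {key[1]}:{key[2]}  n={count} mean={avg:.1f}s cv={cv:.3f}")
```

On the constructed rows only the 10.0.0.15 to 203.0.113.7:443 pair is flagged; the irregular pair scores a coefficient of variation above 1 and the two-connection pair is never scored. Real beacons add jitter deliberately, so a production hunt would look at interval histograms and byte-size regularity as well, not a single threshold.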
## Associated Threat Actors
- N/A (This is a defensive/analysis tool used by security professionals/Blue Teams).
## Detection Methods
- **Tool Usage Detection:** Monitoring for execution of RITA, or for its output files, on security analyst workstations, though the primary value lies in the findings it produces from network data.
- **Network Monitoring:** The traffic anomalies RITA surfaces can be turned into detection signatures (e.g., Suricata rules for the network traffic, or YARA rules for any payloads recovered from it).
## Mitigation Strategies
- Not applicable (It is a defensive tool).
- Organizations using RITA should ensure their network logging (Bro/Zeek) is robust and is fed from the necessary capture points (e.g., SPAN/mirror ports).
## Related Tools/Techniques
- Bro/Zeek (Underlying network analysis platform often used with RITA)
- Active Countermeasures (Associated organization/developer listed in the tags)
- AI Hunter (Another commercial threat hunting tool demoed alongside RITA)
***
# Tool/Technique: AI Hunter
## Overview
AI Hunter is a commercial threat hunting tool created by Black Hills Information Security (BHIS). It is presented as a next-generation tool leveraging AI capabilities for threat hunting, for which BHIS was actively seeking beta testers at the time of the article.
## Technical Details
- Type: Tool (Commercial Threat Hunting)
- Platform: Unknown (Implied Enterprise/Network monitoring integration)
- Capabilities: Threat hunting, likely incorporating Artificial Intelligence (AI) for advanced analysis.
- First Seen: Being commercially promoted/beta-tested around February 2018.
## MITRE ATT&CK Mapping
*Note: As a hunting tool, it aids in detecting adversary activity across the entire framework. Its features often target detection gaps left by standard security tools.*
- TA0011 - Command and Control
- TA0003 - Persistence
- TA0005 - Defense Evasion
- *General detection capability across all Tactic categories.*
## Functionality
### Core Capabilities
- Commercial threat hunting software designed to increase the effectiveness of network hunting teams.
### Advanced Features
- **AI Integration:** Utilization of AI/Machine Learning in its detection methodology.
- **Beta Testing Focus:** Seeking partners with existing SPAN ports and Bro/Zeek deployment suggests a strong focus on deep network visibility analysis.
## Indicators of Compromise
- File Hashes: N/A (Tool, not malware)
- File Names: N/A (Tool, not malware)
- Registry Keys: N/A
- Network Indicators: N/A (Tool, not malware)
- Behavioral Indicators: N/A (Tool output focuses on network IOCs/anomalies provided by the analyzed data).
## Associated Threat Actors
- N/A (Defensive/Commercial tool).
## Detection Methods
- Detection focuses on successful deployment and configuration of the tool within an organization's security infrastructure.
## Mitigation Strategies
- Not applicable (Defensive tool).
## Related Tools/Techniques
- RITA (Used/promoted in the same session/context)
- Bro/Zeek (Implied prerequisite or integration target)
***
# Technique/Concept: Network Threat Hunting
## Overview
The webcast focuses on practical techniques and tools used during "network hunt teams" to proactively search for malicious activity within network traffic data, moving beyond signature-based detection.
## Technical Details
- Type: Technique/Methodology
- Platform: Network Traffic Analysis (requires significant log/packet capture infrastructure, often leveraging tools like Bro/Zeek).
- Capabilities: Proactive searching for low-and-slow, novel, or evasive threats that bypass automated alerting systems.
- First Seen: A long-standing methodology in cybersecurity, emphasized here in the context of 2018 analysis trends.
## MITRE ATT&CK Mapping
This encompasses the detection aspect of nearly all ATT&CK tactics, but is most relevant for detecting initial access, C2, and lateral movement:
- TA0001 - Initial Access
- TA0011 - Command and Control
- TA0008 - Lateral Movement
## Functionality
### Core Capabilities
- Working through "massive amounts of data" using specialized tools (RITA).
- Applying specific threat hunting methodologies taught by BHIS instructors (as suggested by the linked training courses).
### Advanced Features
- Leveraging advanced tooling (RITA, AI Hunter) to automate parts of complex data triage.
- Focusing on techniques and procedures learned through continuous testing and research ("Tales from the Network Threat Hunting Trenches").
## Indicators of Compromise
- N/A (This is the process of *finding* IOCs).
## Associated Threat Actors
- N/A (This is a defensive activity).
## Detection Methods
- Successfully executed network threat hunts result in previously unknown Indicators of Compromise (IOCs) being cataloged.
## Mitigation Strategies
- Investing in high-throughput network monitoring (SPAN ports, packet capture).
- Training security staff in advanced network analysis techniques.
- Deploying advanced analysis tools like RITA or AI Hunter.
## Related Tools/Techniques
- RITA
- Bro/Zeek
- John Strand (Presenter/Trainer associated with these methods)