Offensive Defence Techniques In Cyber Security, CounterHacking Methods For Cyber Threat Intelligence Analysts

Alparslan Akyıldız academy
6 min readDec 2, 2020

--

Hello firends, it’s been a long time since I wrote a blog, today I mention about Counter Hacking Methods for Cyber Threat Intelligence Analyst and Defence teams (blue and purple teams) This blog content is written only educational purposes and its Content has been made available for informational and educational purposes only. The author cannot be held responsible for all consequences that may arise from unauthorized use of these practices or techniques for good or malicious purposes. I set up a virtual enviorenment for demonstrating some Counter Hacking Techniques in my own local lab. Adversaries and threat actors can target your infrastructure so we need to perform proactive defance techniques, monitoring, threat hunting activities, Incident response, malware analysis and forensic operations for detecting attacks, eradicating malwares and post activities like creating yara, sigma, suricata rules for defending our infrastructure against following attacks. As a Threat Intelligence Analyst or blue team member or purple team member we need to create IOC’s from domain hash, IP, adversaries tools, artifacts then we create TTP of the adversary. Most of the case hash values, IP adresses and domain names for IOC are not enough. Before We start I present you my Udemy Trainings if you want you can benefit my training for learning deeply;

Lets look after the pyramid of pain;

We also need to answer those questions which are given in the below for cyber threat intelligence;

Strategic Cyber Threat Intelligence:

Who is responsible this cyber attack ( whic APT Group) ? Why did they target us? Where did they attack on our infrastructure? Thanks to MITRE and VirusTotal Intelligence. They are very useful for investigating them.

MITRE is a good option for linking attacks to APT groups;

For tactical and Operational Threat Intelligence we can perform reversing malwares, memory forensic, gather network artifacts, harvest ELK or Splunk logs ( you can Use SOC platforms) and threat feeds ans as well as Attack emulation plans like this;

Ok, How useful are IOC’s and TTP’s depend on your collected evidence, findings and traces. If you want to go deeper you can use Counter Hacking Techniques. I prepeared some scenerios about it;

1 1.Scenario Phishing attack, In this attack, threat actors performing a phishing campain and they continuous change the email domains IP address even content of email. Phishing email like this;

Well Analyst uses OSINT techniques and find an IP address of the web server which is published for phishing page. Then Red team member or Purple Team member try to find a vulnerability on the attacker web server. SQLmap is used for finding any sql injection vulnerability on the target web server;

As you see page is vulnerable to SQL Injection attacks. Now analyst starts to Counter Hacking Phase against the malicious server;

Analyst can reach the stolen informations. Then grab a local file which contains another C2 servers credentials. From first findings analyst can make inferences them;

Where did Threat actors target? ( Which Countries? Which Sectors Finance? Health? ), What was the their aim ( Theft? Espionage? Warfare?), Who are Them? , When did they attack?

Analyst can put a web shell via sql injection or can use SSHcredential for connecting the C2C server of threat actors. After SSH conection tools are used by the attacker were listed like this;

Analyst can download the custom tools and he can reverse it, analyze it and test it dynamiclly in a test enviorenment for investigating tool artifacts and finally analyst can answer How did they compromise? question. The log records in the system can be examined. Thus, information about the purposes of the threat actors is collected. It is analyzed which IP addresses and which countries they target. If the APT group targets only banks, it has different purposes if it targets only Scada systems for a different purpose. The places where phishing attacks were made were viewed from apache2 logs;

2 2. scenerio we detect the SSH credential of the attacker from pf file log by using ELK. In this scenerio attacker used Plink.exe for creating reverse SSH tunnel so we can see the C2C’s SSH credential from ELK via Sysmon like this;

As you see C2C IP address, SSH port, username and password can seen in the log. In the same way analyst can connect and compromise C2C like before.

3 3. Scenerio POST stealer malware sends stolen datas over FTP. FTP data is sended as cleart text so analyst can sniff the Adversaries FTP username And Password.

  • Why are counter hacking techniques are performed?
  • To see if there are other tools available to threat actors that we could not analyze because they were targeting our network.
    • Possibility of accessing open codes of the malicious or malware generating tools if a situation where malware cannot be analyzed when very advanced obfusucation, packaging, fudding methods are used, even if the attacked malware is found,
    • Finding out who the threat actors are targeting other than us and gaining a better understanding of what goals they are pursuing.

We continue this series with another techniques and examples. The next week ‘s blog post will be about VT Intellgence Usage. See you….

--

--

No responses yet