August 2024


Note

This article was originally published on August 22, 2024.

Product updates

New Access Control Capabilities

We’re excited to introduce new capabilities designed to enhance the access security of the Hunters platform. These features will be available in the Hunters Administration panel for both MSSP Admin and Customer Admin roles:

Session Management

You’ll now be able to configure session management settings to improve security, including:

  • Idle Session Timeout

  • Force Re-login

  • Maximum Concurrent Sessions

Domain Restrictions

Account invitations and signups can now be restricted to specific email domains, with allow list and deny list options. This will apply to:

  • User invitation by email

  • User signup after clicking an invite link

These enhancements are designed to bolster defenses and ensure that only authorized users can access the platform.



Integrations

Netscout Arbor

Netscout Arbor specializes in advanced DDoS protection, offering comprehensive solutions to detect, mitigate, and report on attacks. Utilizing the ATLAS Intelligence Feed (AIF), it provides real-time global threat intelligence, leveraging data from its extensive network to anticipate and counter emerging threats.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search


Blackberry Cylance

BlackBerry Cylance is a cybersecurity company that leverages artificial intelligence and machine learning to provide advanced threat detection and prevention solutions.

Known for its endpoint protection platform, CylancePROTECT, it proactively identifies and mitigates threats by analyzing the behavior of files and processes in real-time, rather than relying on traditional signature-based methods. This approach enables it to stop malware, ransomware, and other sophisticated cyber threats before they can cause harm.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Mapping to the Hunters Login Schema


IIS W3C

The IIS W3C logging format is a standard format used by Microsoft's Internet Information Services (IIS) to log detailed information about web requests. This format is widely used for its comprehensive coverage of web server activities, including details such as client IP addresses, user names, request timestamps, HTTP status codes, and bytes transferred. These logs are invaluable for monitoring and analyzing web server performance, identifying security issues, and troubleshooting application problems.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping to the Hunters Web Requests Schema

  • Mapping the data to IOC Search



Detection

New detectors

🔎 Extensive IP and port scanning reconnaissance by managed device

Detector ID: extensive_ip_and_port_scanning_reconnaissance

This detection identifies a host performing reconnaissance through extensive IP and port scanning activities. It monitors for a single host that communicates with a large number of IP addresses across multiple ports.

Such behavior is often indicative of reconnaissance efforts by attackers seeking to gather intelligence about the network's structure and vulnerabilities. This information is typically used to facilitate subsequent stages of an attack, particularly lateral movement within the network.

It is strongly recommended to conduct a thorough investigation of any host exhibiting these scanning behaviors to understand the intent and mitigate potential threats.

Recommended investigation steps:

  • Investigate the hash of the binary that initiated the scan.

  • If the binary is known and not malicious, create an ignore rule to prevent false positive alerts.

  • Investigate the user who initiated the scan.

  • If there were successful network requests on ports 22, 3389, or 445, ensure a focused investigation of those requests.

  • Check for any follow-up actions, such as successful connections, that could indicate lateral movement.
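As an added illustration (not Hunters' own detector logic), the following Python models the fan-out check this detector describes: one source host reaching many distinct IP addresses across several ports, with any successful connections on ports 22, 3389 or 445 surfaced for the focused follow-up the investigation steps call for. Thresholds, host names and connection records are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of connection records: (src_host, dst_ip, dst_port, outcome).
# ws-042 sweeps 40 hosts on three ports; ws-007 is ordinary repeat traffic to one server.
SAMPLE_CONNECTIONS = (
    [("ws-042", f"10.0.5.{i}", 22, "failed") for i in range(1, 41)]
    + [("ws-042", f"10.0.5.{i}", 445, "failed") for i in range(1, 41)]
    + [("ws-042", f"10.0.5.{i}", 3389, "failed") for i in range(1, 41)]
    + [("ws-042", "10.0.5.17", 445, "success")]
    + [("ws-007", "10.0.9.10", 443, "success")] * 30
)

# Assumed thresholds: flag a host that touched at least MIN_IPS distinct
# destinations on at least MIN_PORTS distinct ports within the evaluated period.
MIN_IPS = 25
MIN_PORTS = 3
# Ports named in the investigation steps; successful hits here need a focused look.
LATERAL_MOVEMENT_PORTS = {22, 3389, 445}


def find_scanning_hosts(connections, min_ips=MIN_IPS, min_ports=MIN_PORTS):
    """Return {src_host: summary} for hosts whose fan-out exceeds both thresholds."""
    dst_ips = defaultdict(set)
    dst_ports = defaultdict(set)
    successes = defaultdict(list)
    for src, dst_ip, dst_port, outcome in connections:
        dst_ips[src].add(dst_ip)
        dst_ports[src].add(dst_port)
        if outcome == "success" and dst_port in LATERAL_MOVEMENT_PORTS:
            successes[src].append((dst_ip, dst_port))
    leads = {}
    for src in dst_ips:
        if len(dst_ips[src]) >= min_ips and len(dst_ports[src]) >= min_ports:
            leads[src] = {
                "distinct_ips": len(dst_ips[src]),
                "distinct_ports": len(dst_ports[src]),
                # A successful 22/3389/445 connection after a sweep is the
                # follow-up action that may indicate lateral movement.
                "successful_lateral_ports": sorted(successes[src]),
            }
    return leads


if __name__ == "__main__":
    for host, summary in find_scanning_hosts(SAMPLE_CONNECTIONS).items():
        print(host, summary)
```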

Modified detectors

🔎 Microsoft 365 Defender Endpoint alerts

Detector ID: microsoft_365_defender_endpoint_alerts

Following our review, and to prevent massive numbers of alerts from being added to the SOC queue, we’ve made the following adjustments to the Microsoft 365 Defender Endpoint alerts detector:

  • Increased the Alert threshold to 6 and kept the base Confidence score at 5.

  • Added confidence modifiers that increase confidence when the alert severity attribute value is Medium or High.

  • Only Medium and High severity Alerts will enter the SOC queue by default.

This will reduce the number of leads from this detector in the SOC queue by approximately 45%.

🔎 Suspicious execution from %ProgramData%

Detector ID: edr_execution_from_programdata

As part of our continuous quality improvement monitoring effort, we’ve identified that the Suspicious execution from %ProgramData% detector generates a large number of leads, accounting for more than 10% of the total leads generated for some organizations.

As a result, we’ve excluded common false positives prevalent across multiple organizations from the detector’s logic.

These changes are expected to reduce the number of leads from the detector by approximately 52%, reducing false positives and thus allowing for better, more focused investigation.

Risk score updated for multiple detectors

As part of our ongoing effort to improve content quality, we have applied one of our IP address reputation scoring layers to a list of new detectors.

This will allow us to improve the confidence rating of leads generated by known threat or suspicious IP addresses, making investigation easier.

Updated Statistical Time Series detector template to handle real-time lead generation

Until now, our time series template waited until the analysis time window closed before evaluating anomalies and firing a lead. This caused delays, especially for processors with large windows (2, 4, 8 hours), where anomalous events at the beginning of the window wouldn’t trigger alerts until the window ended.

We've now updated the time series template logic to generate leads as soon as an anomaly crosses the dynamic threshold for a specific time interval. Additionally, at the end of the window, a second lead will be generated with complete statistics of the event, enhancing analyst investigations. Both leads will be visible on the platform and will be clustered together.

For example: for the office365_possible_file_exfiltration processor, which detects file download events, the dynamic threshold is set to 100 file downloads within its 2-hour window. Previously, we would wait until the 2-hour window closed to generate a lead if the threshold was crossed. Now, we generate a preliminary lead as soon as the threshold is met, and a final lead with full details at the end of the window.
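An added worked example (not the template's own code) that replays the office365_possible_file_exfiltration case above over a constructed stream of download timestamps: with `realtime=False` it behaves like the old template and fires only at window close; with `realtime=True` it emits the preliminary lead at the moment the 100-download threshold is first crossed, then the final lead with the full count, both carrying the same cluster key. The event timestamps and the cluster-key format are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
THRESHOLD = 100  # 100 file downloads per 2-hour window, as in the page's example


def evaluate_window(events, window_start, threshold=THRESHOLD, window=WINDOW, realtime=True):
    """Walk download timestamps in order and return the leads the template would emit.

    realtime=False reproduces the old behaviour (evaluate only when the window closes);
    realtime=True adds a preliminary lead as soon as the count reaches the threshold.
    """
    window_end = window_start + window
    # Assumed cluster key so the preliminary and final leads are grouped together.
    cluster_key = f"office365_possible_file_exfiltration:{window_start.isoformat()}"
    count = 0
    leads = []
    preliminary_sent = False
    for ts in sorted(events):
        if not (window_start <= ts < window_end):
            continue  # outside this window; a real pipeline would route it elsewhere
        count += 1
        if realtime and count >= threshold and not preliminary_sent:
            # New behaviour: fire at the first crossing instead of waiting up to 2 hours.
            leads.append({"kind": "preliminary", "at": ts, "count": count, "cluster": cluster_key})
            preliminary_sent = True
    if count >= threshold:
        # Window closed: the final lead carries the complete statistics of the event.
        leads.append({"kind": "final", "at": window_end, "count": count, "cluster": cluster_key})
    return leads


# Constructed sample: 130 downloads, one every 7 seconds from the start of the window.
WINDOW_START = datetime(2024, 8, 22, 9, 0)
SAMPLE_EVENTS = [WINDOW_START + timedelta(seconds=7 * i) for i in range(130)]

if __name__ == "__main__":
    for lead in evaluate_window(SAMPLE_EVENTS, WINDOW_START):
        print(lead["kind"], lead["at"].time(), lead["count"])
```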

Affected Detectors:

  • Discovery behavior in AWS Control Plane (`cloudtrail_cloud_awareness_behavior`)

  • Detection of suspected IAM privilege escalation behavior (`cloudtrail_privilege_escalation_behavior`)

  • Suspected Kerberoasting - excessive weakly encrypted TGS requests (`windows_event_excessive_tgs_requests`)

  • GCP IAM Roles Enumeration Using GetIAMPolicy (`gcp_audit_getiam_policy_enumeration_ts`)

  • Anomalous Number of Internal Server Error HTTP Responses (`web_requests_excessive_internal_server_error`)

  • High number of unauthorized HTTP requests (`web_requests_excessive_unauthorized`)

  • Possible exfiltration of file from Office 365 (`office365_possible_file_exfiltration`)