As far back as I can remember, I have had a fascination with power tools. My father was an auto mechanic and he had a toolbox filled with both hand tools and power tools. As a youngster, I watched him wield them with confidence, knowing exactly which tool to use for the task at hand. I recall thinking “real, professional mechanics use compressed air powered tools”. As I mentioned in my last blog, he always took the time to teach me how to handle them and I realized that power tools offered efficiencies and saved tremendous amounts of manual labor. The adage holds about “working smarter, not harder”. Using a power tool, “Pops” was able to complete tasks quickly and without breaking a sweat.
The same holds true with cybersecurity tools today. With so many tools in our toolboxes and so many threats to combat, we need to drive for efficiencies – reducing the manual labor required to accomplish the goal of securing environments.
Orbital Advanced Search, a feature of Cisco’s AMP for Endpoints Advantage, is our power tool for threat hunting. Orbital Advanced Search lets you search your endpoints for malicious artifacts such as suspicious registry and system file changes. Orbital has an entire section of its Catalog, mapped to the MITRE ATT&CK™ framework, dedicated to threat hunting, with descriptions of live and on-demand, easy-to-run queries that get you the information you need, fast.
Whether you plug your tools into air compressors or electrical outlets to be efficient, let the machine do the work, and be safe.
Let’s start with one threat hunting Catalog query that you can run daily.
YOU WANT TO: Check to see if any Windows logs have been cleared by a suspect user account.
Orbital Catalog Query to run: Windows Event Monitoring – retrieves data from the Windows Event Logs, including the time the event was received, the time it occurred on the host, the source channel (Application, Security, System, Setup, and others), the Event ID, and the event payload.
WHY IS THIS IMPORTANT: Windows Event Logs give great insight into the actions taken on a host as part of a breach, and clearing them is a classic attacker move to remove that evidence (MITRE ATT&CK T1070.001, Indicator Removal: Clear Windows Event Logs). Finding the relevant entries can be challenging unless you know what to look for. The Windows Event Monitoring search in Orbital Advanced Search is preconfigured to pull back events specific to threat hunting and can be customized with additional Event IDs to push your hunt further. Queries such as these move organizations toward a more productive, more efficient way of working.
- Select the endpoints you wish to query
- Search the Catalog for “Windows Event Monitoring”
- Click the “+” to copy into your SQL query window
- Close the Query Catalog Window
- Click the Query button
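To make the hunt concrete, here is an added example of the kind of query you would paste into that SQL window. It is my own illustration, not the Catalog’s Windows Event Monitoring query. Orbital queries are written in osquery SQL, and the table and columns used here (windows_events with datetime, source, provider_name, eventid, data) are osquery’s; the JSON paths under the data column are assumptions that you should confirm against a raw row from your own environment before relying on them.

```sql
-- Added example (not the Orbital Catalog's own query): an osquery-style SQL
-- hunt for cleared Windows event logs. Table and column names are osquery's
-- windows_events table. The JSON paths under `data` are ASSUMED; check one
-- raw row's `data` value on your hosts and adjust the paths if they come back
-- NULL.
SELECT
  datetime,
  source,                                   -- channel: Security, System, ...
  provider_name,
  eventid,
  -- Security 1102 ("The audit log was cleared") carries the clearing account
  -- in its payload; System 104 carries the name of the channel that was cleared.
  JSON_EXTRACT(data, '$.EventData.SubjectUserName')   AS account_name,   -- assumed path
  JSON_EXTRACT(data, '$.EventData.SubjectDomainName') AS domain_name,    -- assumed path
  data                                      -- keep the full payload for the analyst
FROM windows_events
WHERE (source = 'Security' AND eventid = 1102)
   OR (source = 'System'   AND eventid = 104
       AND provider_name = 'Microsoft-Windows-Eventlog')
ORDER BY datetime DESC;
```

Two practical notes. First, windows_events is an evented table: osquery only holds rows for events captured since its Windows event subscriber was running (in stand-alone osquery that is the --enable_windows_events_subscriber flag, with --windows_event_channels selecting which channels to watch), so this is not a read of the historical .evtx files. Second, the System-log 104 event is raised for any channel that is cleared, so the query above catches clears of Application or Setup as well as the Security log.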
QUERY RESULT: Each log-clear event should carry an Account Name and a Domain Name field (SubjectUserName and SubjectDomainName in the event payload) identifying who took the action. Because the clearing event is written into the freshly emptied log, it is normally the very first entry after a clear; if the account is not one you expect to be doing maintenance, or the clear falls outside a documented change window, you may have a problem and need to continue the investigation. Remember that whatever the log held before the clear is gone from the host, so corroborate with a SIEM or forwarded copy of the logs wherever you have one.
FREQUENCY TO RUN: Daily for specific groups of systems
That’s it! It’s easy to get started on your first threat hunt using Cisco’s Orbital Advanced Search. The Orbital Advanced Search Catalog has dozens of pre-built threat hunting queries to streamline your endpoint threat hunting operations, from checking whether malware has disabled Task Manager to listing the ports a host is listening on.
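As an added illustration of those two Catalog items, here are osquery-style queries of my own; they are not the Catalog’s queries. The registry, listening_ports and processes tables and their columns are osquery’s, and the DisableTaskMgr policy value path is the standard Windows location; treat the wildcard form of the HKEY_USERS path as an assumption to verify in your console.

```sql
-- Added example, not the Catalog's own queries. Table and column names are
-- osquery's; the DisableTaskMgr path is the standard Windows policy value.

-- 1. Has Task Manager been disabled by policy for any user profile or machine-wide?
--    A data value of 1 means disabled; malware sets it to hinder live analysis.
--    The HKEY_USERS\% wildcard form is an assumption to verify against your console.
SELECT path, data AS disable_taskmgr, mtime
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr'
   OR path =    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr';

-- 2. What is listening, and which process owns each socket?
--    protocol is numeric in osquery: 6 = TCP, 17 = UDP.
SELECT lp.port, lp.protocol, lp.address, p.pid, p.name, p.path, p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port != 0
ORDER BY lp.port;
```

Joining listening_ports to processes is the step that turns a bare port list into something actionable: an unexpected listener is far more interesting once you can see the binary path and command line behind it.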
Stay tuned: our next blog discusses incident investigation and how you can use Orbital Advanced Search to establish a timeline, determine which programs are installed on a host, find out whether failed logins occurred and of what type, and, lastly, assess the damage.