Pyramid of Pain:
TASK 1: Introduction
· The Pyramid of Pain (introduced by David Bianco in 2013) ranks the indicator types a defender can detect and deny, from hash values at the bottom to TTPs at the top, by how much "pain" it causes the adversary when that indicator is taken away from them. Taking away a hash costs the attacker nothing; taking away their tooling or their behaviour forces them to retool.
· This well-known concept is applied in cybersecurity solutions like Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises.
· Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.
TASK 2: Hash Values (Trivial)
· A hash value is a fixed-length value computed from data by a hashing algorithm; it acts as a fingerprint of that data. Two different inputs should not produce the same hash, although for MD5 and SHA-1 collisions are now practical, so SHA-256 is preferred when the hash has to be trustworthy.
· Most common hashing algorithms: MD5 (128-bit digest), SHA-1 (160-bit digest), and the SHA-2 family, usually SHA-256 (256-bit digest).
· Security professionals use hash values to gain insight into a specific malware sample or a malicious or suspicious file, and as a way to uniquely identify and reference the malicious artifact.
· Hashes sit at the bottom of the pyramid because they are trivial for an attacker to change: altering a single byte of the file (appending padding, re-packing, re-compiling) produces a completely different hash, so a hash-based blocklist stops only that exact file.
· Various online tools can be used to do hash lookups, such as VirusTotal and MetaDefender Cloud (OPSWAT).
Question 1: Analyse the report associated with the hash "b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d" here. What is the filename of the sample?
Answer 1: Sales_Receipt 5606.xls
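The following is an added example (not code from the room or from TryHackMe) showing why a hash is "trivial" pain: it computes the three digests the task lists, blocks a file by its SHA-256, and then shows that appending a single byte evades the block completely. The sample bytes are constructed stand-ins, not a real malware file.

```python
import hashlib

# Constructed stand-in for a malicious file; not a real sample.
SAMPLE = b"MZ\x90\x00" + b"constructed stand-in for a malicious executable\n" * 4


def digests(data: bytes) -> dict:
    """The three digests the task lists, as lowercase hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),        # 128-bit digest, 32 hex chars
        "sha1": hashlib.sha1(data).hexdigest(),      # 160-bit digest, 40 hex chars
        "sha256": hashlib.sha256(data).hexdigest(),  # 256-bit SHA-2 member, 64 hex chars
    }


def is_blocked(data: bytes, blocklist: set) -> bool:
    """Hash-based blocking: the file is denied only if its SHA-256 is on the list."""
    return hashlib.sha256(data).hexdigest() in blocklist


def hex_chars_in_common(a: str, b: str) -> int:
    """Positions at which two hex digests agree (about 1 in 16 for unrelated digests)."""
    return sum(x == y for x, y in zip(a, b))


def demo() -> dict:
    """Block the sample by hash, then show that a one-byte change evades the block."""
    blocklist = {digests(SAMPLE)["sha256"]}
    # Attacker appends a single byte; re-packing or re-compiling would have the same effect.
    evaded = SAMPLE + b"\x00"
    return {
        "original_blocked": is_blocked(SAMPLE, blocklist),
        "evaded_blocked": is_blocked(evaded, blocklist),
        "sha256_hex_chars_in_common": hex_chars_in_common(
            digests(SAMPLE)["sha256"], digests(evaded)["sha256"]),
    }


if __name__ == "__main__":
    for name, value in digests(SAMPLE).items():
        print(f"{name:6} {value}")
    print(demo())
```

The digests of the empty input are the well-known constants you can use to sanity-check any hashing tool (MD5 d41d8cd9..., SHA-1 da39a3ee..., SHA-256 e3b0c442...); a lookup of the evaded file's hash on VirusTotal would return nothing, even though the file is functionally identical.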
TASK 3: IP Address (Easy)
· Every device on a network is associated with an IP address.
· In the Pyramid of Pain, IP addresses are indicated with the color green. Blocking an IP address is only slightly more painful for an attacker than changing a hash: they can move to a new VPS, a compromised host, or a proxy in minutes.
· One of the ways an adversary can make it challenging to successfully carry out IP blocking is by using Fast Flux.
· According to Akamai, Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery, and malware communication activities behind compromised hosts acting as proxies. The domain name resolves to a constantly rotating set of IP addresses with short TTLs, which makes the communication between malware and its command and control (C&C) server hard for security professionals to pin down and block by address.
Question 1: Read the following report to answer this question. What is the first IP address the malicious process (PID 1632) attempts to communicate with?
Answer 1: 50.87.136.52
Question 2: Read the following report to answer this question. What is the first domain name the malicious process (PID 1632) attempts to communicate with?
Answer 2: craftingalegacy.com
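As an added example (not from the room), here is the check a hunter would run against resolver or passive-DNS logs to spot the fast-flux pattern described above: one name answering with many distinct addresses spread across unrelated networks, all with short TTLs. The observations are constructed, use documentation address ranges, and the thresholds are assumptions to tune for your own environment; a CDN name is included to show that "many addresses" alone is not enough.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS observations (queried name, answer IP, TTL seconds), in the shape a
# resolver log or passive-DNS feed would give over a few minutes. Not real data.
OBSERVATIONS = [
    ("update-portal.example", "198.51.100.14", 120),
    ("update-portal.example", "203.0.113.77", 120),
    ("update-portal.example", "192.0.2.201", 120),
    ("update-portal.example", "198.51.100.9", 150),
    ("update-portal.example", "203.0.113.5", 90),
    ("update-portal.example", "192.0.2.33", 120),
    ("www.example.com", "192.0.2.80", 86400),   # stable site, long TTL
    ("www.example.com", "192.0.2.80", 86400),
    ("cdn.example.net", "198.51.100.30", 300),   # CDN: several IPs, one network
    ("cdn.example.net", "198.51.100.31", 300),
    ("cdn.example.net", "198.51.100.32", 300),
]


def fast_flux_report(observations, ttl_max=300, min_ips=5, min_networks=3):
    """Per name: distinct answer IPs, distinct /16 networks, mean TTL, and a verdict.

    The thresholds are assumed starting points, not values from any vendor.
    """
    by_name = defaultdict(list)
    for name, ip, ttl in observations:
        by_name[name].append((ip, ttl))

    report = {}
    for name, answers in by_name.items():
        ips = {ip for ip, _ in answers}
        # Fast-flux pools are built from compromised hosts in many networks;
        # a legitimate load balancer or CDN usually answers from one or two.
        networks = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        mean_ttl = sum(ttl for _, ttl in answers) / len(answers)
        report[name] = {
            "distinct_ips": len(ips),
            "networks": len(networks),
            "mean_ttl": mean_ttl,
            "fast_flux": (mean_ttl <= ttl_max
                          and len(ips) >= min_ips
                          and len(networks) >= min_networks),
        }
    return report


if __name__ == "__main__":
    for name, row in fast_flux_report(OBSERVATIONS).items():
        print(f"{name:24} ips={row['distinct_ips']} nets={row['networks']} "
              f"ttl={row['mean_ttl']:.0f} fast_flux={row['fast_flux']}")
```

Blocking any one of the six addresses would not disrupt this C2 channel; the domain, one level up the pyramid, is the indicator to act on.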
TASK 4: Domain Names (Simple)
· Domain Names are indicated with the color teal.
· A domain name can be thought of as a human-readable string of text that DNS maps to an IP address. Changing a domain is slightly more painful than changing an IP address because the attacker has to register and pay for it, but domains are still cheap and quick to obtain.
· Punycode is the encoding (RFC 3492, used by IDNA) that represents Unicode domain labels in the ASCII-only DNS: an encoded label starts with "xn--". Attackers abuse it in homograph (punycode) attacks, registering a domain built from look-alike characters of another script, e.g. a Cyrillic "а" in place of a Latin "a", so that it renders like a known domain.
· Attackers usually hide malicious domains behind URL shorteners. Most shorteners offer a preview that reveals the destination without visiting it (for TinyURL, prefix the host with preview., e.g. https://preview.tinyurl.com/<id>).
Question 1: Go to this report on app.any.run and provide the first suspicious URL request you are seeing. You will be using this report to answer the remaining questions of this task.
Answer 1: craftingalegacy.com
Question 2: What term refers to an address used to access websites?
Answer 2: domain name
Question 3: What type of attack uses Unicode characters in the domain name to imitate a known domain?
Answer 3: punycode attack
Question 4: Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u
Answer 4: https://tryhackme.com
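The following added example (not from the room) shows the punycode attack from Question 3 concretely: it converts a look-alike domain to the "xn--" form a resolver actually sends, decodes it back, and runs the two checks a defender would apply to a domain seen in logs, namely whether a label mixes scripts and whether it collapses onto a known brand once confusable characters are mapped back. The tryhackme.com target is the room's own domain; the Cyrillic spoof and the small confusables table are constructed for the example.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like Latin ones.
# Unicode's full confusables list is much longer; this is enough for the demonstration.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def to_punycode(domain: str) -> str:
    """ASCII form sent to DNS: every non-ASCII label becomes an xn-- label."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain: str) -> str:
    """Reverse of to_punycode; ASCII-only labels pass through unchanged."""
    return ascii_domain.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Script words (LATIN, CYRILLIC, ...) taken from the Unicode character names."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":          # script-neutral characters allowed in labels
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def homograph_check(domain: str, target: str) -> dict:
    """Decode a domain from logs and test whether it impersonates `target`."""
    unicode_form = from_punycode(domain) if domain.isascii() else domain
    labels = unicode_form.split(".")
    mixed = [label for label in labels if len(scripts_in(label)) > 1]
    # Map confusable characters back to their Latin look-alikes.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in unicode_form)
    return {
        "unicode": unicode_form,
        "ascii": to_punycode(unicode_form),
        "mixed_script_labels": mixed,
        "skeleton": skeleton,
        "impersonates_target": skeleton == target and unicode_form != target,
    }


if __name__ == "__main__":
    spoof = "tryh\u0430ckme.com"        # Cyrillic small a (U+0430) in place of Latin a
    wire = to_punycode(spoof)
    print("on the wire:", wire)
    print(homograph_check(wire, "tryhackme.com"))
```

Browsers show the xn-- form for mixed-script labels for exactly this reason; proxy and DNS logs, however, carry the encoded name, so the decode step is what makes the look-alike visible to an analyst.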
TASK 5: Host Artifacts (Annoying)
· Host Artifacts are a step up, into the yellow zone: denying them starts to cost the attacker real effort, because they have to rework how their tooling behaves on the endpoint rather than just re-hash or re-host it.
· Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.
Question 1: A process named regidle.exe makes a POST request to an IP address on port 8080. What is the IP address?
Answer 1: 96.126.101.6
Question 2: The actor drops a malicious executable (EXE). What is the name of this executable?
Answer 2: G_jugk.exe
Question 3: Look at this report by VirusTotal. How many vendors determine this host to be malicious?
Answer 3: 9
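The following is an added example (not from the room) of turning the host artifacts listed above into detection logic run over endpoint telemetry: an Office application spawning a process from a user-writable directory, an executable dropped there, a Run-key persistence value, and a connection from that process to a non-web port. The events are constructed in a Sysmon-like shape; the process name and port echo Question 1, while the IP is a documentation address rather than the one in the report.

```python
# Constructed endpoint telemetry in a Sysmon-like shape (EventID 1 process create,
# 3 network connect, 11 file create, 13 registry value set). Not real data.
EVENTS = [
    {"EventID": 1, "ProcessId": 1632, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 11, "ProcessId": 1632,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\regidle.exe"},
    {"EventID": 1, "ProcessId": 2244,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\bob\AppData\Local\Temp\regidle.exe"},
    {"EventID": 13, "ProcessId": 2244, "Image": r"C:\Users\bob\AppData\Local\Temp\regidle.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RegIdle",
     "Details": r"C:\Users\bob\AppData\Local\Temp\regidle.exe"},
    {"EventID": 3, "ProcessId": 2244, "Image": r"C:\Users\bob\AppData\Local\Temp\regidle.exe",
     "DestinationIp": "192.0.2.6", "DestinationPort": 8080},
    {"EventID": 1, "ProcessId": 900, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
WEB_PORTS = {80, 443}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def host_artifacts(events):
    """Return (finding, pid, detail) tuples for the host artifacts this task describes."""
    findings = []
    for e in events:
        image = e.get("Image", "")
        if (e["EventID"] == 1 and basename(e.get("ParentImage", "")) in OFFICE_APPS
                and in_user_writable(image)):
            findings.append(("office_spawn", e["ProcessId"], image))
        elif (e["EventID"] == 11 and in_user_writable(e.get("TargetFilename", ""))
                and e["TargetFilename"].lower().endswith(".exe")):
            findings.append(("dropped_exe", e["ProcessId"], e["TargetFilename"]))
        elif e["EventID"] == 13 and any(k in e.get("TargetObject", "").lower() for k in RUN_KEYS):
            findings.append(("run_key_persistence", e["ProcessId"], e["TargetObject"]))
        elif (e["EventID"] == 3 and in_user_writable(image)
                and e.get("DestinationPort") not in WEB_PORTS):
            dest = f'{e["DestinationIp"]}:{e["DestinationPort"]}'
            findings.append(("odd_port_connection", e["ProcessId"], dest))
    return findings


if __name__ == "__main__":
    for finding in host_artifacts(EVENTS):
        print(finding)
```

None of these rules mentions a hash, an IP or a domain; the attacker has to change where the payload lands, how it persists and how it beacons to get past them, which is the "annoying" level of effort the pyramid describes.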
TASK 6: Network Artifacts (Annoying)
· Network Artifacts also belong to the yellow zone in the Pyramid of Pain.
· A network artifact can be a user-agent string, C2 information, or the URI patterns followed by HTTP POST requests.
· Network artifacts can be detected in packet captures (PCAP files, which contain the packet data of a network) by using a network protocol analyzer such as Wireshark or TShark, or by exploring IDS (Intrusion Detection System) logging from a source such as Snort.
· TShark command to list the Host and User-Agent headers of every HTTP request in a capture (note the single-dash -Y display filter option): tshark -Y http.request -T fields -e http.host -e http.user_agent -r [file_name].pcap
Question 1: What browser uses the User-Agent string shown in the screenshot above?
Answer 1: Internet Explorer
Question 2: How many POST requests are in the screenshot from the pcap file?
Answer 2: 6
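As an added example (not from the room, and not the room's pcap), the block below does with plain Python what the TShark command above does for a capture: it parses HTTP request heads, attributes the User-Agent string to a browser family, counts POST requests, and normalises the POST URIs so that a repeated beacon path stands out as a pattern. The requests are constructed; the Internet Explorer and Firefox User-Agent strings are real-world formats, and the C2 host and gate path are invented.

```python
import re
from collections import Counter

# Real-world User-Agent formats; the IE 7 string is the kind of dated UA malware often hard-codes.
UA_IE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"


def http_request(method, host, uri, user_agent, body=""):
    """Build one request head (plus body) as it would appear in a followed TCP stream."""
    head = f"{method} {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n"
    if body:
        head += f"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: {len(body)}\r\n"
    return head + "\r\n" + body


# Constructed traffic: one browsing request, six beacons to an invented C2 gate, one Firefox request.
REQUESTS = (
    [http_request("GET", "www.example.com", "/", UA_IE)]
    + [http_request("POST", "192.0.2.6:8080", f"/gate.php?id={n}", UA_IE, f"data={n:04}")
       for n in range(1001, 1007)]
    + [http_request("GET", "www.example.net", "/index.html", UA_FIREFOX)]
)


def parse_request(raw: str) -> dict:
    """Extract method, URI, Host and User-Agent from a raw HTTP/1.x request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")     # first colon only: "Host: 192.0.2.6:8080"
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "host": headers.get("host", ""),
            "user_agent": headers.get("user-agent", ""), "body_len": len(body)}


def browser_family(user_agent: str) -> str:
    """Coarse attribution of a UA string; 'MSIE' or 'Trident/' marks Internet Explorer."""
    if "MSIE" in user_agent or "Trident/" in user_agent:
        return "Internet Explorer"
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    return "unknown"


def network_artifacts(raw_requests) -> dict:
    """Summarise the artifacts this task lists: user agents, POST count, POST URI patterns."""
    parsed = [parse_request(r) for r in raw_requests]
    posts = [p for p in parsed if p["method"] == "POST"]
    return {
        "post_count": len(posts),
        "user_agents": Counter(p["user_agent"] for p in parsed),
        "browser_families": Counter(browser_family(p["user_agent"]) for p in parsed),
        # Replace digit runs with N so /gate.php?id=1001 ... 1006 collapse to one pattern.
        "post_uri_patterns": Counter(re.sub(r"\d+", "N", p["uri"]) for p in posts),
        "post_hosts": Counter(p["host"] for p in posts),
    }


if __name__ == "__main__":
    summary = network_artifacts(REQUESTS)
    print("POST requests:", summary["post_count"])
    print("browser families:", dict(summary["browser_families"]))
    print("POST URI patterns:", dict(summary["post_uri_patterns"]))
```

The URI pattern and the stale User-Agent are the network artifacts to write a Snort or Suricata rule around; unlike the IP and port, they survive the attacker moving the C2 server.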
TASK 7: Tools (Challenging)
· At this stage, we have levelled up our detection capabilities against the artifacts and detect the tool itself (its binaries, its on-disk signatures, its network behaviour). The attacker would most likely give up trying to break into your network, or go back and try to create a new tool that serves the same purpose, which costs real development time.
· Fuzzy hashing is also a strong weapon against the attacker's tools. Unlike a cryptographic hash, which changes completely on a one-byte edit, a fuzzy hash (ssdeep's context triggered piecewise hashing, CTPH) lets you perform similarity analysis: match two files with minor differences, such as a recompiled or slightly modified tool, based on their fuzzy hash values.
Question 1: Provide the method used to determine similarity between the files
Answer 1: Fuzzy Hashing
Question 2: Provide the alternative name for fuzzy hashes without the abbreviation
Answer 2: context triggered piecewise hashes
TASK 8: TTPs (Tough)
· TTPs stands for Tactics, Techniques & Procedures. This covers the whole MITRE ATT&CK Matrix, i.e. all the steps taken by an adversary to achieve their goal, from phishing attempts through persistence to data exfiltration. TTPs sit at the top of the pyramid because they describe how the adversary operates; when detection keys on behaviour rather than on indicators, the attacker has to change their whole way of working, not just a file, an address, or a tool.
Question 1: Navigate to the ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?
Answer 1: 9
Question 2: Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?
Answer 2: Cobalt Strike