This is initially posted in THOR Collective Dispatch — https://substack.com/home/post/p-160462497
We all know how entertaining and impactful movie trilogies are — The Godfather, The Dark Knight, The Apu, and many others. Trilogies are bound together by central themes while providing multiple perspectives to the audience.
In that sense, we will build on my previous blog on Threat Hunt Research Methodology to go through a trilogy of three powerful frameworks/paradigms that can help us in threat hunting.
The Power of the Trio
My best trilogy (The Pyramid of Pain, MITRE Summiting the Pyramid, and Atkinson’s On Detection: Tactical to Functional AKA Operation Focus) can be applied to threat hunting. Although they were created for different purposes, like detection and threat intelligence, they all link to the central theme — understanding a behavior (adversarial or otherwise).
We will explore the LAYER approach, which will provide you with a different paradigm in hunting, so buckle up, because this movie will be as fun as it is informative.
I will not go into in-depth details on the above frameworks, as the original authors have articulated them better than I can. All of them can complement each other by giving different perspectives to hunters, and combining them will address the limitation/gap between high-level abstract/broad categories/concepts (MITRE Tactics and Techniques) and catch-all procedures.
That combination, the LAYER approach, can help us to bridge that gap by breaking down the abstract strategic objectives to fundamental elements that can make up an implementation.
The LAYER approach has seven layers, and each level will help us understand an adversary’s behavior from their technical details to strategic context. Each layer will also help us in different phases of threat hunting, from planning to performing hunts within a dataset:
As we have recently seen the treasure trove of information on BlackBasta, let’s take that as an example to understand how we can use the LAYER approach in threat hunting to develop more resilient hunt strategies. By understanding adversary behaviors from an operational level, we can continuously adapt our hunting techniques.
There are many things in those chat leaks, but one thing that stood out to me due to its popularity in recent conversations is the EDR “bypass” technique. We must recognize that these techniques don’t exist in a vacuum. They operate within specific conditions (the environment) and contexts (their position in the attack chain), and build upon historical methods (the evolution of EDR evasion).
🔔 I would like to note that there are other ways to bypass EDR, like creating WEF rules (EDRSilencer), host file manipulation, name resolution policy table, etc. We will review a couple of them to see how these concepts apply and give you something to ponder on other techniques and procedures mentioned in the chat leaks. For other actors, these may not be in their arsenal at all, as they might take other “routes” to achieve their “goal” (I’m looking at you, security camera).
Let’s jump into chat leaks. I used the BlackBastaGPT to get this info by focusing on EDR bypass conversations in the leaks. By doing so, we can learn their techniques, how they were used, and their implications. We can see that “EDR bypass” is applied in Initial Execution, Post-Exploitation, Privilege Escalation, Lateral Movement, Persistence, and Defense Evasion.
OK, there are several ways discussed to “bypass” EDR, and research articles have been published on doing it outside of this.
What does it mean for us in threat hunting? Well, with the face value, nothing really, at least just with the above information. Treating “EDR bypass” as a single technique to hunt for might leave massive blind spots in our research and hunt methodology, and this ambiguity reveals a fundamental challenge. As “EDR bypass” is a technique in the “Impair defenses” Tactic, we can never “hunt” for it without knowing its actual implementation or understanding multiple ways to compare and contrast.
In the next blog, we will go through a practical example on how we can apply our LAYER approach.
