Threat Hunting With Network: Insights from OffSec TH-200 Course module 4

Ransomware actors, motivated by financial gain, utilize tactics like phishing, exploiting vulnerabilities, and Initial Access Brokers to infect systems. The Ransomware-as-a-Service model enables lesser-skilled criminals to profit from these attacks. The attack process includes encryption, ransom demand, and payment typically in cryptocurrency. Modern strategies include double and triple extortion, combining data encryption with data theft to pressure victims.

The Offsec TH-200 course's Module 1 covers threat hunting in cybersecurity, focusing on proactive detection of threats as opposed to reactive SOC alerts. Threat hunting is categorized into in-house teams and third-party services, which enhance security by offering various detection solutions. The Threat Hunting Maturity Model outlines five levels of implementation based on data collection and analysis sophistication. Effective threat hunting consists of triggering a hypothesis, investigating, and resolving threats.

In OffSec TH-200 Module 2, Section 1, key cybersecurity threat actors are explored, including cybercriminals like script kiddies, hacktivists, and ransomware groups, as well as sophisticated APTs and insider threats. Each group possesses distinct motivations and impacts on organizations, necessitating robust defense strategies.

In OffSec TH-200 Module 3, the importance of timely intelligence and effective communication in threat hunting is highlighted. Key concepts include leveraging Operational, Tactical, and Technical Threat Intelligence for detecting threats like Emotet, and employing the Traffic Light Protocol (TLP) for secure and controlled information sharing during incidents to prevent data breaches.

The reconnaissance phase involved scanning the target IP address using Nmap, which revealed open ports and services. Further investigation focused on the web server and port 3000, which indicated the presence of a web application. Directory discovery techniques were used, including Dirbuster and Gobuster, which uncovered some directories with content. A remote file read exploit was found for Cassandra Web, allowing access to sensitive files. Passwords were revealed, but attempts to log in via SSH were unsuccessful. The Freeswitch service was also explored, but no successful exploits were found. Finally, using Samba, read permissions were obtained for backups, allowing access to archives of Cassandra and Freeswitch. The password for Freeswitch was obtained from a configuration file, but no further access was gained. Overall, the reconnaissance phase involved thorough scanning and exploitation of various services.