Offensive Security: Towards Proactive Threat Hunting via Adversary Emulation

Attackers increasingly seek to compromise organizations and their critical data with advanced stealthy methods, often utilising legitimate tools. In the main, organisations employ reactive approaches to cyber security, focused on rectifying immediate incidents and preventing repeat attacks, through protections such as vulnerability assessment and penetration testing (VAPT), security information and event management (SIEM), firewalls, anti-spam/anti-malware solutions and system patches. Such systems have weaknesses in addressing modern stealthy attacks. Proactive approaches have been seen as part of the solution to this problem. However, approaches such as VAPT have limited scope and only work against threats that have already been discovered. Promising methods such as threat hunting are gaining momentum, enabling organisations to identify and rapidly respond to potential attacks, though they have been criticised for their significant cost. In this paper, we present a novel hybrid model for uncovering tactics, techniques, and procedures (TTPs) through offensive security, specifically threat hunting via adversary emulation. The proposed technique is based on a novel approach of inducing an adversary emulation model (mapping each respective phase) inside the threat hunting approach. The experimental results show that the proposed approach, using threat hunting via adversary emulation, has countervailing effects on hunting advanced-level threats. Moreover, the threat detection ability of the proposed approach utilizes minimum resources. The proposed approach can be used to develop an offensive-security-aware environment for organizations to uncover advanced attack mechanisms and test their ability for attack detection.


I. INTRODUCTION
Modern computer systems often hold information which is of significant value to competitors, foreign nation states or criminal actors. As these systems become increasingly connected, the threat of attack by adversaries increases. As a result, many enterprise networks have been, or currently are, under cyber attack. The market for security tools to help protect systems and identify attacks has grown significantly over recent years, but many tools are not interactive in nature, often working on some specific logic, for example watching a specific gateway and searching for specific threats. In such cases, the security function in an organisation aims to identify active threats. This approach is based on actions that have been, or are being, performed by an adversary; such an approach is known as a ''Reactive Approach''. While this approach has been widely adopted, with some success, it is not capable of foreseeing threats. Cyber criminals are well aware of reactive approaches and know how to deal with them. For example, ''polymorphic malware'' is very good at evading anti-virus products. To combat the limitations of reactive methods, new techniques such as threat hunting have been developed. Threat hunting involves proactively searching for cyber threats that may be lying undetected in a network. Threat hunting is used to uncover new tactics, techniques, and procedures (TTPs) to forecast new threats. Threat hunting uses information from a variety of sources such as endpoints, Indicators of Compromise (IoCs), firewalls and intrusion detection and prevention systems (IDPS). SANS presented a formal threat hunting model in 2019 [1], which opened new doors for researchers.

The associate editor coordinating the review of this manuscript and approving it for publication was Ilsun You.
Many organizations conduct offensive security exercises such as penetration testing and adversary simulation. Penetration testing determines the presence of any critical vulnerability that needs to be addressed. Such testing aims to test how well security mechanisms are working. Some organizations have dedicated Red and Blue Teams to test and evaluate the organizational security. One problem with this approach is that red team operations have been criticised for being resource intensive. In an evolving threat environment, where attackers are motivated to employ sophisticated and lingering attacks, organizations are more prone to cyber attacks. Approaches such as vulnerability scanning, management and mitigation, and Vulnerability Assessment and Penetration Testing (VAPT) rely on known threats [2]-[5]. Such mechanisms have limited efficacy against Advanced Persistent Threat (APT) attacks, which are designed to remain stealthy for a long period before triggering a zero-day attack.
A Red Team involves attack simulation, which allows organizations to measure how strong security controls are against potential cyber attacks, and the resilience of systems. Most of the research available on securing systems is focused on defensive approaches that prevent any possible vulnerability from being exploited. Many historic and recent cyber attacks have demonstrated the need to employ proactive approaches. The purpose of proactive approaches is to learn and understand TTPs to avoid future attacks.
Organizations are moving towards adopting proactive approaches to predict threats. Proactive methods such as threat hunting have proven effectiveness in detecting threats, although such approaches are resource intensive as they require intense monitoring. Event logs generated at endpoints and IoCs can grow enormously over time. Such logs require significant processing and analysis, which increases the usage of resources. This can also increase false-positive alerts of supposed malicious activity that ultimately proves to be non-malicious.
In this paper, we propose a threat hunting model via adversary emulation, with the aim of minimizing resource utilization while increasing the efficiency of the approach. This allows organizations to perform two different related tasks simultaneously. To validate our model, we have built a simulated environment and launched a real world APT attack scenario on patched systems. We have demonstrated that an induced form of the threat hunting model, combined with adversary emulation, is effective in hunting emerging threats.
The rest of the paper is organized as follows: the next section presents a review of the literature on threat hunting and VAPT. In Section III, we propose the formal model for threat hunting via adversary emulation. In Section IV, we describe the implementation of the proposed model. In Section V, details are provided about the experiments that have been conducted. Furthermore, an evaluation of the proposed system using the penetration testing scoring model by Packt [6] is presented. The paper is concluded in Section VI.

II. RELATED WORK
The threat hunting model is presented in [1]; our approach uses an induced form of this model combined with an adversary emulation model. This research provides an efficient and repeatable method for evaluating computer and network security using threat hunting through offensive security. This approach defines offensive security as the process of understanding the adversary and then building plans for launching attacks. The overall coverage and integrity of the whole process is measured. In the proposed approach, the methodologies for generating hypotheses and validating them are derived from [7]. The authors describe the two key components involved in generating hunting hypotheses. First, an analyst's ability to create hypotheses is derived from observations. Second, the hypotheses must be testable. We have used the first component of the hypothesis development methodology in our model. Table 1 presents a summary of VAPT-related research work, evaluated on the basis of three factors [6]: realism (whether the emulation was close to a real world attack scenario), methodology (which tools were used) and limited scope (whether only limited attack scenarios were considered). We have developed the adversary emulation process using a human-led penetration testing approach inspired by the PoinTER ''human firewall'' penetration-testing framework [8].
VAPT assists organizations in the evaluation of their cyber defense strategy. An overview of the different techniques used in VAPT is provided in [2]. The proposed approach includes a mechanism for capturing unknown threats as well as known threats. Without consideration of unknown future attacks, VAPT methodologies remain susceptible to APT and zero-day attacks. Earlier research, for example [28] and [27], considered vulnerability and patch management as a solution for securing organizations. More recent research, such as the penetration testing framework for mobile devices [29], considers testing of common security controls, but this too is limited in its consideration of, and efficacy against, unknown threats and social engineering attacks.
Adversary emulation exercises can provide cyber defenders with an opportunity to view their networks from an attacker's perspective. Recent research has discussed formalisation of the problem and has provided techniques for adversary emulation [30]. This work is built upon the ''Atomic Red Team'' mechanism [31] to create test cases for MITRE ATT&CK tactics and techniques. We have further developed this concept to provide a more agile system that considers a diverse and increased set of TTPs. For example, to develop APT29 attack cases, careful consideration needs to be given to the sequence of attack cases.
The majority of recent research models for VAPT rely on ''known threats''; see for example [2]-[5]. Furthermore, a number of open source tools for adversary emulation have been developed recently; these are categorised in Table 2. Many of these projects build attack cases mimicking an adversary, which has demonstrated efficacy in testing security controls against known adversaries and threats.

III. NOVEL THREAT HUNTING & OFFENSIVE SECURITY APPROACH
In the proposed research, we integrate a proactive approach for hunting threats within an adversary emulation process and model threats on the basis of techniques discussed in [38].
We consider threat severity, progression and relevance for threat modeling as the de facto standard [39]. Our offensive security approach specifically uses the payloads described in Table 3. Similar attack vectors have been used in recent adversary emulation projects, including those presented in Table 2. We have used PE files, OLE files and PS1 (PowerShell) scripts for the experiments. The payloads described in Table 3 can be generated through the use of Algorithm 1.
The proposed offensive security model consists of eight sequential steps: purpose, scope, equip, planning, weaponizing, plan review and validation (weaponization), execute and reporting. This is achieved by mapping the adversary emulation model onto the threat hunting model. Figure 1 explains the induced model.
The proposed approach can be defined as a tuple <AE, P, S, F, E, WP, PR, EX, HT, RP>, where AE is a set of pre-requisites, P is a purpose set, S is a scope set, F is a feedback set, E is an equipping set, WP is a weaponizing process set, PR is a plan review set, EX is an execution information set, HT is a set of hunted threats and RP is a reporting set.
Purpose set P in Equation 1 represents the set of information about the purpose of threat hunting, which might be oriented to organizational goals. Executives may guide threat hunters about organizational goals and objectives. AE represents the set of prerequisites. Scope set S represents all information regarding the scope of the whole operation. Here, we build the analytical questions that make up the ''hypothesis''. The TTP set represents adversarial techniques, which can be obtained from threat intelligence. RVS is the reconnaissance and vulnerability identification set in Equation 2.
Equip set E in Equation 3 represents the information gathered to answer the previously built questions. Set E = (AC, VDS) contains two subsets, corresponding to the analytical questions and their verification. It includes organizing the data collected at this stage. VDS is a set of information representing possible weaknesses or flaws in the system. AC is a set of attack mappings related to the expected system flaws.
Weaponization set WP in Equation 4 represents the set of exploits, i.e. the actual implementation of the attacks identified at the previous stage. The MSF set represents information about exploits ported to Metasploit.
Before moving on to emulation, we need to validate that our planned activity follows the desired plan. For this purpose, we review the plan. Plan review set PR in Equation 5 represents the information about the whole plan up to this point and compares it with the already-set objectives and scope.
Execute set EX in Equation 6 represents information about the plan execution process, which includes information about the target systems and network together with the ported exploits. This is the actual process in which all adversary emulation takes place. Evasion and exploitation are the heart of this process. EV is a subset of EX which includes information about newly developed evasion techniques.
Hunted threats set HT in Equation 7 represents the threats that have been successfully hunted. For example, if the adversary emulation operation suspected a flaw in the system which may lead to a zero-day attack, and we have successfully exploited it, the hunted threat is moved to the HT set.
Reporting set RP in Equation 8 represents the whole process carried out, with analysis of each phase; the feedback from each phase, held in set F, is used to generate the report.
• Purpose: At this stage we define the purpose of the offensive security and threat hunting exercise, which might be related to organizational goals. Top management and executives may guide the offensive security team about purpose and objectives.
• Scope: In scope, we identify the networks and systems that are to be part of the offensive security exercise. At this stage we define the different functions that the whole purpose will include, which can be extended during the process. Scope is further divided into two steps: the first is to define the hypothesis (a set of analytical questions) and the second is to develop the hypothesis formally. Moreover, scope gives direction to the whole process.
• Equip: This stage is about collecting data from different sources for analysis; this includes identification of the various data sources and analytical TTPs. Threat hunters use this analysis of the data to answer the analytical questions built during the first stage. At this stage we also prove or disprove the earlier developed hypothesis. Moreover, we build mappings of data against attacker targets and their data sources; in the experiment section we give an example of a CMF (collection management framework).
• Weaponizing process: At this stage we develop different types of attack vectors which can be used during the adversary simulation process. These attack vectors can be built for endpoints only, depending on scope. One contribution of this research is the presentation of an algorithm for a pre-compromise attack through mail, given in Algorithm 1. Given a website link in the email, it returns the website in HTML with an embedded file or a link carrying the receiver's details. The result is stored in payload_result. This result is passed to the template_generation() function, which returns a proper email template. This is passed on to mail_spoof(), which replaces the sender details and passes the result to send_mail().

Algorithm 1 Sending and Generating Phishing Mail
• Plan Review: This stage acts as a checkpoint to make sure our plan follows the defined goals and objectives.
• Execute: This process is iterative. Once the plan is approved, we execute it, simultaneously launching the different planned attacks and collecting data for analysis. This process continues for several iterations until the threat hunters have enough data for analysis. A simplified flow chart explaining the operational flow of the approach is presented in Figure 2. The adversary simulation element comprises weaponization, shellcode development and obfuscation, creation of the FUD (fully undetectable) payload and establishing the toolsets.

A. ADVERSARY EMULATION MODEL
We emulate adversaries through a process comprising six major sequential steps. These are described in Figure 3.

1) OBJECTIVES & GOALS
Here, we formally define the purpose of adversary emulation. This process is usually aligned with organizational goals. Once the purpose is defined, objectives and goals are established.

2) GATHER THREAT INTELLIGENCE
Gathering threat intelligence is a critical task for effective threat-based adversary emulation. There are many feeds available for threat intelligence, including those from the DHS (Department of Homeland Security), FBI, SANS, and commercial and free versions of the Cisco Talos system. Further intelligence sources include threat research forums and blogs. The OpenCTI project, developed by ANSSI along with CERT-EU, provides a system to structure, store, organize, visualize and share cyber threat intelligence.

3) EXTRACTION TECHNIQUES
According to professional bodies and industry, such as MITRE, Cisco and SANS, identifying TTPs is the toughest task in the so-called ''Pyramid of Pain'' of security. Establishing TTPs requires a structured process to ensure the effectiveness, completeness and accuracy of information. Phase 1 starts with categorising each technique at a tactical level. For example, malware may use a DLL unhooking technique to evade anti-virus; if we map this technique onto the MITRE ATT&CK framework, it is categorised as defense evasion. The second phase involves defining the flow of methods related to a specific adversary [40]. For example, an adversary might use different techniques for stealing hashes and then use these hashes for password spraying to gain access to a system.

4) ANALYZE & ORGANIZE
At this stage, the understanding of adversary goals is elaborated and the method flow is mapped into an adversary plan. Figure 4, for example, shows the APT28 plan from MITRE and the APT3 plan.

5) DEVELOP TOOLS AND PROCEDURES
This stage involves the development of any new tools, or the reconfiguration of existing tools, to launch the malware or attack the systems. If the adversarial techniques can be conducted using existing tools, then this is most appropriate, because building a new tool is a costly process. Due to the cost of developing or purchasing new tools, there is often a preference to utilise the range of open source tools available. The process involves:
• Identifying related open source projects
• Identifying process-specific requirements
• Creating the payload
The most commonly used existing open source tool is Metasploit. As an example, if we are considering a DLL injection being used by an adversary to evade EDR, there are a number of techniques that can be employed. Firstly, we look for a similar DLL injection in Metasploit. If it meets the requirements then it can be used; otherwise it is modified or rewritten.

6) EMULATE THE ADVERSARY
The kill chain used in our scenario has been reduced to six phases only, as the first phase is already completed in the earlier stages. At this stage, we know our target system according to the defined scope and the planning phase is complete. We are ready to start executing the plan. Execution includes weaponization, delivery, exploitation, control, installation and maintenance.
The threat hunting process is cyclic in nature and consists of four processes. The first is the creation of a hypothesis; the second is verifying and validating the hypothesis, which includes investigation for any proof with the help of tools and techniques. The next process describes new TTPs and patterns. The final process is enrichment: informing the incident response team about the new TTPs. Figure 5 gives the big picture of the whole induced model explained in this section.

IV. EXPERIMENT
We have devised an experiment to demonstrate the efficacy of employing the two proactive approaches together. The experiment can be divided into two phases: the first phase starts with launching an offensive security exercise to compromise the target; the second phase involves a counter-offensive exercise which aims to capture the expected threats emerging from the offensive exercise. Our experiments are lab-based but aim to closely mimic real world scenarios. Security mechanisms are installed at the target, including host-based and network-level firewalls. An intrusion detection system, such as Snort, is installed at the endpoint. The hardware and software used in the experiments are detailed in Table 5.
In the experiment, we consider T1090.004, also known as ''Domain Fronting''. One mitigation technique for domain fronting is SSL/TLS inspection, though it is not widely deployed and is not applicable in some scenarios, so its effectiveness in mitigating this attack is limited. Figure 6 explains our lab and target environment and Figure 7 explains our strategy for domain fronting. Techniques used to evade detection at the endpoint include using a ''modular design'' in the payload. Execution of the payload is a critical process in the adversary emulation. Here we employ T1055.012, T1055.008, T1055.004, T1055.009 and T1055.014. Some modifications are required, for example to T1055.012: we modified the process hollowing technique with a hybrid graded launch method to avoid detection. At the first trusted binary call, the payload lists itself in the PEB (Process Environment Block) and suspends itself. Once the trusted binary is executed, it replaces itself with the executed process by taking advantage of the data already stored in the PEB. Proxy techniques for C2, T1090 with its sub-techniques T1090.001, T1090.002, T1090.003 and T1090.004, are some of the most reliable techniques to identify C2. Figure 7 depicts our attack strategy.
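To show the defensive side of the T1090.004 discussion, the following added example (not from the paper) implements the check that SSL/TLS inspection makes possible: it parses constructed proxy log lines and flags connections whose TLS SNI and decrypted HTTP Host header belong to different domains. The log format, hostnames and client addresses are constructed for illustration.

```python
"""Hunting for T1090.004 (domain fronting) in TLS-inspection proxy logs.

Added example, not from the paper: a fronted connection presents one hostname
in the TLS SNI and a different one in the decrypted HTTP Host header, so the
check below compares the two per connection. Log format and hostnames are
constructed for illustration."""
import re
from collections import Counter

# Constructed proxy log lines (timestamp, client, SNI from the ClientHello,
# Host header seen after inspection; "-" means no Host header was present).
SAMPLE_LOG = """\
2021-03-01T10:00:01Z client=10.0.0.5 sni=cdn.example.com host=cdn.example.com
2021-03-01T10:00:07Z client=10.0.0.5 sni=assets.example.com host=c2-front.example.net
2021-03-01T10:00:09Z client=10.0.0.9 sni=www.example.org host=www.example.org
2021-03-01T10:00:12Z client=10.0.0.5 sni=cdn.example.com host=CDN.example.com
2021-03-01T10:00:13Z client=10.0.0.9 sni=www.example.org host=-
2021-03-01T10:00:15Z client=10.0.0.7 sni=static.example.com host=evil.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registrable_domain(name):
    """Naive registrable domain: last two labels, lower-cased, with any port
    and trailing dot stripped. A production hunt would use the Public Suffix List."""
    name = name.lower().split(":")[0].rstrip(".")
    labels = name.split(".")
    return ".".join(labels[-2:])


def is_fronting_candidate(sni, host):
    """True when SNI and Host header point at different registrable domains.
    Case or subdomain differences within one domain are treated as benign CDN
    behaviour; a missing Host header cannot be judged and is skipped."""
    if host in ("-", ""):
        return False
    return registrable_domain(sni) != registrable_domain(host)


def hunt(log_text):
    """Return (suspicious records, per-client hit count) for a log excerpt."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_fronting_candidate(rec["sni"], rec["host"]):
            findings.append(rec)
    per_client = Counter(rec["client"] for rec in findings)
    return findings, per_client


if __name__ == "__main__":
    hits, counts = hunt(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['client']} SNI={rec['sni']} Host={rec['host']}")
    print(dict(counts))
```

The per-client count lets the hunt team prioritise endpoints that repeatedly produce mismatches over a single benign CDN oddity.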

V. RESULTS
After successfully conducting the threat hunting and offensive security exercise, it can be seen that the offensive activity was able to evade security solutions using unknown attacks. At the same time, the threat hunting team started its counter-offensive activity using real time logs from the endpoint and firewalls. The attack vector (Hash: 37f56970252e51258b8583b996501d50669bf996e472bfc35a1294f09accf19e) was fully undetected by 79 antivirus engines on virustotal.com. Some of the techniques detected by the hunt team are shown in Table 6. Figure 8 shows the overall experimental results, detailing the attacks that were successful, reported, neutralized and undetected. Of the total attacks, 72% were able to make it through the endpoint, 15% were reported at the endpoint, 7% were detected in the initial phases and 6% were completely neutralised. The techniques that were detected, and their mapping to ATT&CK, are shown in Table 6.

A. IMPACT ANALYSIS (ATTACK VECTORS)
We have analysed different attack tactics and corresponding techniques with the methods we used in our experiments. The first attack tactic is initial access. More specifically, we utilised spear phishing.

1) PHISHING
Analysis of the mail headers reveals the use of blind mail, along with the SMTP server IP address and location. The mail was encrypted with TLS during transit and the server we used was a VM on MS Azure. This email landed in the inbox. We then attached a payload (exe file) with custom UTF encoding during transit. This time the mail landed in the spam folder, as it was flagged as suspicious due to the presence of a suspicious file type.

2) ATTACK VECTOR(PAYLOAD) ANALYSIS
We tested Meterpreter shellcode in plain text (with slight modification) on Windows 10 2004 and virustotal.com. The shellcode was able to bypass static analysis but was caught by heuristics. Moreover, we tested payloads with greater complexity, including heavy obfuscation and encryption of strings and variable names with AES. Such payloads were completely undetectable by any AV. Analysis of the payload, using reverse engineering, is shown in Table 7.

3) EXECUTION
Threat hunters can detect the presence of suspicious processes by analyzing the behaviour of the system. In the experiment, we analyzed our payload execution using the T1553 technique. The following are some known indicators for the hypothesis.
1) The name of the PE file
2) The access rights being used to access a specific process
Understanding the specific techniques implemented in known methods plays an important role in detection. For example, knowledge of the use of strings inside PE files and known hashes can aid detection. Such characteristics are simple to modify with minimal effort. To evade detection we renamed the file with a trusted binary name such as msmpeng.exe (the Windows Defender binary).
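As an added example (not the paper's own code), the following hunt checks the first indicator listed above, the PE file name, against where a trusted binary such as msmpeng.exe legitimately runs from and what its known-good hash is, so that a renamed payload stands out. The event format, hashes and the allowed Windows Defender directories are assumptions constructed for illustration.

```python
"""Hunting for a payload that masquerades under a trusted binary name.

Added example, not from the paper: the PE file name of each process-creation
event is checked against an allow-list of directories a name such as
msmpeng.exe legitimately runs from, and then against known-good hashes.
Event lines and hashes are constructed; the directories are assumptions."""
import re

# Assumed allow-list: lower-case binary name -> directory prefixes it may run from.
TRUSTED_LOCATIONS = {
    "msmpeng.exe": (
        "c:\\program files\\windows defender\\",
        "c:\\programdata\\microsoft\\windows defender\\platform\\",
    ),
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
}

# Assumed known-good hashes (constructed placeholders); a missing name means
# the hash is not tracked and only the path check applies.
KNOWN_GOOD_SHA256 = {
    "msmpeng.exe": {"GOOD-MSMPENG-HASH-PLACEHOLDER"},
}

# Constructed process-creation events: pid, image path, SHA-256 of the image.
SAMPLE_EVENTS = r"""
pid=412 image=C:\Program Files\Windows Defender\MsMpEng.exe sha256=GOOD-MSMPENG-HASH-PLACEHOLDER
pid=900 image=C:\Users\alice\AppData\Local\Temp\msmpeng.exe sha256=CONSTRUCTED-HASH-1
pid=1020 image=C:\Windows\System32\svchost.exe sha256=CONSTRUCTED-HASH-2
pid=1188 image=C:\Users\Public\svchost.exe sha256=CONSTRUCTED-HASH-3
pid=1301 image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe sha256=CONSTRUCTED-HASH-4
pid=1402 image=C:\Windows\System32\notepad.exe sha256=CONSTRUCTED-HASH-5
""".strip()

EVENT_RE = re.compile(r"^pid=(?P<pid>\d+) image=(?P<image>.+?) sha256=(?P<sha256>\S+)$")


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def image_name(path):
    """Basename of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return a reason string if the event looks like masquerading, else None."""
    name = image_name(event["image"])
    allowed = TRUSTED_LOCATIONS.get(name)
    if allowed is None:
        return None  # not a name we protect
    path = event["image"].lower()
    if not any(path.startswith(prefix) for prefix in allowed):
        return f"{name} running from unexpected path {event['image']}"
    good = KNOWN_GOOD_SHA256.get(name)
    if good and event["sha256"] not in good:
        return f"{name} in a trusted path but hash {event['sha256']} is not known-good"
    return None


def hunt(events_text):
    """Return (pid, reason) pairs for every suspicious event in the excerpt."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reason = check_event(ev)
        if reason:
            findings.append((int(ev["pid"]), reason))
    return findings


if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

The path check alone catches a renamed payload dropped in a user directory; the hash check catches one planted in the trusted directory itself.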
In Phase 2, threat hunters have ample data from different sources to analyse. They can approve or disapprove each hypothesis, or validate it and move on to the enrichment/reporting phase. In our case we can assume that the hypothesis is validated, since there are sufficient validation proofs in Tables 7, 8 and 9. Findings from Tables 8 and 9 are sufficient to enable reporting. The reporting phase ends with a threat and risk assessment. For this purpose, we have used a combined threat and risk assessment to show the effectiveness of merging the two approaches. Table 8 describes the low-level techniques that can be employed for initial access; each of these sub-techniques is related to spear phishing. After successfully conducting threat hunting, hunters utilise a collection management framework to manage the data collected for use in validation. Threat hunters consider the different dimensions of threats that are likely to happen or already exist.
After conducting the offensive security and threat hunting exercises, we can present a summary of the analysis in Table 11.
This table describes the security posture of the target environment in the form of a threat and risk assessment. The scoring scale we use is: Low < 4; 4 < Medium < 7; and High > 7. Each threat value is calculated by summing the damage potential, reproducibility, exploitability, affected people and detectability and then dividing this total by 5.

VI. CONCLUSION
This paper has presented a novel hybrid model for launching offensive security exercises to capture, determine and understand the attack patterns of foreseen threats using threat hunting. The proposed approach has increased the efficiency of identifying and countering threats using real world attack scenarios, and presents an algorithm to generate attack vectors for phishing. In contrast to traditional methods that focus on known threats, such as VAPT, the proposed scheme is designed to identify and address emerging unknown threats. In the future, we plan to focus on increasing the realism of the emulation of adversaries with advanced stealthy attacks.