2.1.8. Retro hunt engine

2.1.8.1. CTI module overview

The CTI module uses Indicators Of Compromise (IOC) to generate alerts.
The CTI module is composed of:
  • A database of Indicators Of Compromise named Gatewatcher CTI

  • The Active CTI engine: it generates Sigflow rules on the basis of the database of Indicators Of Compromise in order to raise alerts

  • The Retro hunt engine: it searches for the Indicators Of Compromise (defined in the database) in the metadata (corresponding to the network flow captured by Sigflow)

Note

An additional license is required to activate this module. It is therefore not automatically activated in the solution.


2.1.8.2. Introduction

2.1.8.2.1. For what types of threats is this engine designed?

The Retro hunt engine searches for Indicators Of Compromise in the metadata in order to generate alerts.
An IOC can be the hash of a file, a file name, a URL or a domain.

2.1.8.2.2. How does this particular engine detect threats?

Upon receipt of IOCs from the Gatewatcher CTI site, the Retro hunt engine searches for these IOCs in the metadata stored in the Elastic database.
The Retro hunt engine raises an alert each time it finds a match between an IOC and the metadata.

2.1.8.2.3. How does Retro Hunt work in the GCenter?

GCenter regularly receives Indicators Of Compromise from the Gatewatcher CTI platform.
In parallel, the Sigflow engine analyzes the network flow.
Sigflow reconstructs the files and stores them for further analysis by other engines.
Sigflow also generates the metadata of the reconstituted files; this metadata is kept in Elastic/Kibana for the duration of the metadata retention period.
The Retro hunt engine searches for matches between the Indicators Of Compromise and the metadata present.
If a match is found, an alert is raised in the various NDR and Kibana alert display dashboards.
The idea is that if a malicious file was not detected as such by Malcore during its analysis (for example because it was too recent for the Malcore anti-viral database), an alert is still raised afterwards as soon as one of the indicators corresponds to, for instance, the hash of that file in the metadata.
The indicator can be:
  • Hash of a file
  • Name of a file
  • An IP
  • A domain
  • A URL
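The matching described above, as an added example that is not part of the original documentation nor GCenter/Sigflow code: a small Python matcher that looks up typed IOCs in stored metadata records still inside the retention period and emits alerts using the Retro hunt log field names; the field-to-type mapping (`LOOKUP`), the IOC types other than `Host`, and every sample record are constructed assumptions.

```python
# Added example (not GCenter or Sigflow code): minimal retro-hunt style matcher.
# IOCs are searched in stored Sigflow metadata still inside the retention period;
# each match is an alert reusing Retro hunt log field names. All data is constructed.
from datetime import datetime, timedelta, timezone

# Which metadata field of which event type each IOC type is searched in (assumed).
LOOKUP = {
    "Host": {"http": ["hostname"], "dns": ["rrname"], "tls": ["sni"]},
    "Hash": {"fileinfo": ["sha256", "md5"]},
    "Url": {"http": ["url"]},
}

def _candidates(ioc_type, event):
    """Lower-cased metadata values of `event` in which an IOC of `ioc_type` may appear."""
    fields = LOOKUP.get(ioc_type, {}).get(event["event_type"], [])
    return {str(event[f]).lower() for f in fields if f in event}

def retro_hunt(iocs, events, now, retention_days=30):
    """Return one alert per (IOC, event) match over events inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if ts < cutoff:  # metadata already purged by retention: never searched
            continue
        for ioc in iocs:
            if ioc["ioc_value"].lower() in _candidates(ioc["ioc_type"], ev):
                alerts.append({
                    "event_type": "retrohunt", "ioc_id": ioc["ioc_id"],
                    "ioc_type": ioc["ioc_type"], "ioc_value": ioc["ioc_value"],
                    "severity": ioc["severity"], "matched_event_type": ev["event_type"],
                    "matched_event": ev["uuid"], "timestamp_detected": ev["@timestamp"],
                    "timestamp_analyzed": now.isoformat(),
                })
    return alerts

# Constructed sample IOCs and Sigflow-like metadata events.
IOCS = [
    {"ioc_id": "ioc-a", "ioc_type": "Host", "ioc_value": "im.a.very.bad.doma.in", "severity": 1},
    {"ioc_id": "ioc-b", "ioc_type": "Hash", "ioc_value": "a" * 64, "severity": 3},
]
NOW = datetime(2023, 10, 18, 13, 56, tzinfo=timezone.utc)
EVENTS = [
    {"uuid": "ev-1", "event_type": "http", "@timestamp": "2023-10-18T08:08:31Z",
     "hostname": "IM.A.VERY.BAD.DOMA.IN", "url": "/update.bin"},
    {"uuid": "ev-2", "event_type": "fileinfo", "@timestamp": "2023-10-10T00:00:00Z",
     "sha256": "a" * 64, "filename": "update.bin"},
    {"uuid": "ev-3", "event_type": "fileinfo", "@timestamp": "2023-08-01T00:00:00Z",
     "sha256": "a" * 64, "filename": "old.bin"},  # older than retention: not matched
]
```

Calling `retro_hunt(IOCS, EVENTS, NOW)` yields two alerts (the domain seen in the HTTP metadata and the hash seen in the file metadata); the third event is never searched because it falls outside the 30-day retention window.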

2.1.8.3. Events generated

Events generated by the Retro hunt engine are alerts.
These are displayed:
  • In the main interface of the GCenter, named WEB UI, in the `Alerts` screen:
    The main interface named WEB UI is described in Overview of the WEB UI.
    • To view the alerts, select the `Retro hunt` engine filter.
      See the presentation of the Web UI `Alerts`.
    • Click on the selected alert.
      The `Alert details` window is displayed with the detailed information of this alert.
  • In the Kibana UI interface:
    • In the main interface WEB UI, to view the alerts, select the `Retro hunt` category of the `Alerts` section in Kibana, then the `Overview` or the `Messages` tab.
      The interface displayed is the interface named Kibana UI (described in Overview of the Kibana GUI).
    • To see the details of an alert, click on the alert, select the `Flow details` command, then select the arrow to the left of the alert.
      The detailed information of this alert can be viewed in table or json format.

2.1.8.3.1. Example of a Retro hunt alert in the WebUI

[Figure ALERTE-11.PNG: example of a Retro hunt alert in the WebUI]
The presentation of the Alert details is given in the Alert details window.
The counters are given in the Retro hunt logs data structure.

2.1.8.3.2. Retro hunt logs data structure

The logs are composed of different parts:

  • The header part

  • The source part, defined by "_source"

  • The fields part, defined by "_fields"

This information is displayed in the Expanded document of Kibana.


2.1.8.3.2.1. The header part of Retro hunt logs

The header section contains:

"_index": "engines_alerts",
"_id": "-",
"_version": 1,
"_score": 0,

The detailed information is given in the table (Counters of the header part of logs).


2.1.8.3.2.2. The source part of Retro hunt logs

The source part is defined by "_source" in the logs.

Note

The data displayed on the Web UI (Alert details window) is a subset of the data displayed in the Expanded document of the Kibana interface.
All data can be exported to a SIEM via syslog (an example of an exported alert is shown below).
The detailed information is given in the tables (Data related to detection results).

The example given here is a syslog export example.

"observer": {
  "id": ""
},
"event": {
  "kind": "alert",
  "dataset": "alert",
  "category": [
    "network",
    "intrusion_detection"
  ],
  "module": "retrohunt",
  "created": "2022-12-14T09:51:30.455Z",
  "id": "8223b432-7e97-4570-a29d-254f41dbb9db",
  "severity": 2
},
"ecs": {
  "version": "8.6.0"
},
"network": {
  "ether": ""
},
"source": {
  "ip": "127.0.0.1",
  "port": "80"
},
"destination": {
  "ip": "127.0.0.1",
  "port": "8080"
},
"matched_event": {
  "id": "1"
},
"ioc": {
  "id": "1"
},
"@timestamp": "2022-09-01T12:49:07.749Z"

The example given here is a Kibana example.

The source part, defined by "_source", contains:

  "flow_id": 1540796205479447,
  "@timestamp": "2023-10-18T13:56:14.789Z",
  "kill_chain_phases": [],
  "gcenter": "gcenter-xxx.domain.local",
  "signature": "RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00135350-1810-2023-34db-1319151da1fd",
  "src_ip": "X.X.X.X",
  "event_type": "retrohunt",
  "case_id": "00135350-1810-2023-edb7-7f8f1e4fccb9",
  "ioc_tags": [
    "trojan.generickd.34055387 (b)",
    "linux/hajime.a trojan",
    "e32/agent.cd",
    "linux.hajime.bc",
    "backdoor.hajime.linux.129",
    "linux/hajime.75930",
    "unix.malware.agent-6626471-0",
    "linux/hajime.nsnlw",
    "hajime",
    "elf.mirai.43048.gc",
    "trojan.elfarm32.hajime.fbhtfi",
    "trojan.linux.hajime",
    "trojan.generickd.34055387"
  ],
  "families": [
    "Hajime"
  ],
  "targeted_platforms": [
    "linux"
  ],
  "risk": "Suspicious",
  "categories": [
    "malware"
  ],
  "campaigns": [],
  "@version": "1",
  "threat_actor": [
    "GW Lab Test"
  ],
  "timestamp_detected": "2023-10-18T08:08:31.112Z",
  "ioc_value": "im.a.very.bad.doma.in",
  "external_links": [
    {
      "source_name": "URLHaus Abuse.ch",
      "url": "https://urlhaus.abuse.ch/url/2269068/"
    }
  ],
  "gcap": "gcap-xxxxxxxxx.domain.local",
  "uuid": "19fe0b3d-05fb-433a-ada0-f246e284d9bd",
  "dest_port": 80,
  "ioc_id": "00135350-1810-2023-34db-1319151da1fd",
  "ttp": [],
  "targeted_sectors": [],
  "meta_data": {
    "cwe": [],
    "ssdeep": "1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL",
    "descriptions": [],
    "usageMode": "hunting",
    "filetype": "ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)",
    "size": 78.3984375,
    "tslh": "T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE"
  },
  "type": "cti",
  "ioc_creation_date": "2023-10-18T13:53:50+00:00",
  "timestamp_analyzed": "2023-10-18T13:56:14.789Z",
  "targeted_organizations": [],
  "matched_event_type": "http",
  "ioc_updated_date": "2023-10-18T13:53:50+00:00",
  "severity": 1,
  "matched_event": "cf7cf312-883b-4b84-a530-fea8d49b294c",
  "community_id": "1:oPgJrwIH53r44+0TfDB+7uhzL50=",
  "vulnerabilities": [],
  "targeted_countries": [],
  "timestamp_package": "2023-10-18T13:53:50.696659+0000",
  "description": "IOC matching first tests",
  "relations": [
    "0e3cc27b-7999-48ce-8484-dc12b325a355"
  ],
  "": 0.5,
  "dest_ip": "X.X.X.X",
  "src_port": 59338,
  "tlp": "green",
  "usage_mode": "hunting",
  "ioc_type": "Host"
},

2.1.8.3.2.3. List of counters of the Retro hunt alert

Note

The alert counters are visible:

  • in the Alert details screen of the WEBUI

  • in the Expanded document of Kibana

  • in the export to the SIEM

The detailed information is given in the table (Counters of the source part of logs).


2.1.8.4. Management of the engine

2.1.8.4.1. Viewing the engine status

The current engine status is displayed in `Health checks` screen.


2.1.8.4.2. CTI update

2.1.8.4.2.1. The database of indicators of compromise

See The database of indicators of compromise


2.1.8.4.2.2. Engine update

The engine is updated with each new version of the GCenter.


2.1.8.4.3. Engine configuration

The configuration interface enables the Retro Hunt engine to be activated.
The management interface is described in the `Retro Hunt` screen.
The procedure is described in Setting up the retro hunt engine.

2.1.8.5. Alert Analysis

The alerts are displayed on a specific screen: this screen is described in the Web UI `Alerts`.
The general procedure for analyzing alerts is described in Using the NDR dashboards.
The specific procedure for analyzing Retro Hunt alerts is described in Analysing the Retro hunt alerts.