Wei-Chea Ang is a senior threat hunter in our Singapore office. He will be speaking at HitCon in Taiwan on December 7, 2017, where he will give a talk on “Threat Hunting, The New Way”. We sat down with him ahead of the event to hear about his view from the threat hunters’ desk in Singapore, his take on the cyber security threat landscape, and a quick overview of what we can expect from his talk at HitCon.
Wei, thanks for taking the time to talk with us today. As a senior threat hunter in our Singapore office you have a unique insight into some of the more specific cyber security challenges facing organizations today. What do you think is the biggest challenge?
I think the biggest security challenge for many organizations is getting their basic cyber security hygiene right.
We still come across many organizations that don’t apply patches on their critical systems quickly and regularly. Many don’t have proper network segregation and many services – such as email without two-factor authentication – are easily exposed.
For example, when the Shadow Brokers first released the Equation tools, we looked up which Singapore IP addresses were infected with the DoublePulsar implant, and many of them were hosting outdated CMS and webmail. Numerous victims of WannaCry could have avoided becoming infected if they had applied the right patches.
Implementing basic security controls will prevent the majority of common attacks. But many organizations also need to improve their detection capability. It’s been proven that it’s no longer a matter of whether you will be compromised, but when.
What does a typical work day look like for you?
I usually start my day easy, going through Twitter and InfoSec sites to catch up with what’s happening in the industry.
I will then follow up on emails and go through the hunt tickets that were filed during the UK office’s threat hunting shift. In the afternoon, it is either performing hunts for interesting things I came across in the morning or focusing on innovation and research to improve the capability and efficiency of the team.
Are there any common threats that you are seeing and investigating on a regular basis?
We often see both external and internal threat actors using legitimate tools in Windows, such as PowerShell and PsExec, to perform malicious activity. It can be a challenge for organizations to detect such activity, as most traditional security solutions will not be able to identify activity that falls into such a grey area. In fact, one of the case studies that we will be sharing at HitCon will show how malicious actors use legitimate tools to carry out a ransomware infection.
You’ve detected many threats that – had they not been detected – could have severely impacted an organization. Which ones stand out as the most innovative, from an attack perspective, and what was the process of you detecting and containing it?
One of the most interesting attacks we recently discovered was executed by an insider. The threat actor wrote and ran a key logger program to track the keyboard activity on his endpoint. He then called the helpdesk and asked them to log in to his workstation to fix an issue, which enabled him to capture the helpdesk’s credentials. With that information he was able to install the key logger on more endpoints and capture the credentials of other employees. He managed to get the credentials of an employee with access to the corporate payment system, which could have resulted in a significant monetary loss for the organization.
It was picked up by our team when we observed that the executable first appeared on a small subnet of the endpoints and increased over time. The payload was reverse engineered and we realized that it was a key logger. The client was notified and the breach was escalated to our Incident Response team for on-site investigation to contain the incident.
The attack was not exactly technically innovative, but the entire process of capturing credentials across the organization was particularly interesting for me.
Your talk at HitCon is “Threat Hunting, The New Way.” What is the old way, and why isn’t it effective?
The old way of detecting threats is reactive, relying heavily on security technologies (IDS/IPS, AV, NGFW) to detect security threats.
For the past few years, we have seen an increase in the amount of investment in security across many organizations and yet breaches are still happening.
Many of these organizations have security operations centres (SOCs) or MSSP partners to monitor the security alerts from the latest blinky boxes they have purchased. They rely heavily on technologies to detect threats, even though it has been proven that this is not effective.
Threat hunting is the opposite. It is human driven, relying on people to detect the threat actor proactively. Remember, threat actors are humans that do not obey rules, so trying to catch them with technology is not going to work because they will bend the rules and try multiple methods to achieve their objectives. You need a defender that thinks like an attacker to detect them.
What can you tell us about what you’ll be covering in your talk at HitCon?
Threat hunting is still a relatively new concept to many organizations. In our talk, my colleague and I will share ‘what is threat hunting’ and what organizations should consider when building their own threat hunting capability. We will also share some real-life case studies of what we have discovered through threat hunting. Our aim is to help organizations understand the effectiveness of threat hunting.
What do you enjoy most about working for Countercept?
The Friday beer fridge! But seriously, I enjoy working with a group of very dedicated and passionate people, and we always push ourselves to understand and explore the latest attacks as well as the many ways to detect them.
Get your tickets to hear Wei’s talk at HitCon on December 7, 2017.