Lumu’s outstanding detection and monitoring capabilities also make it an extremely powerful tool for threat hunting. In this playbook, we will learn how Lumu’s features can help your organization’s cybersecurity team actively hunt for threats lurking in your network.
There are two main ways that Lumu can be used for threat hunting: proactively and retroactively. We will go over both in this article. But first, let’s learn about a critical concept: the Pyramid of Pain.
The Pyramid of Pain helps prioritize threat indicators based on the level of disruption their detection causes to adversaries. In threat hunting, it guides analysts from basic, easily changed indicators (like hash values and IP addresses) to more complex, behavior-based ones (like tools, tactics, and procedures).
By moving up the pyramid, hunters focus on harder-to-alter indicators, which can lead to more effective and lasting detection. Conversely, when testing a hypothesis about an existing threat, hunters may start at the top with known behaviors and tactics, then look downward for supporting evidence. The framework encourages a flexible, contextual approach to identifying and confirming threats within a network.
Info: A great ally when investigating TTPs associated with a threat is the MITRE ATT&CK Matrix. Be sure to have it at hand.
For example, let’s say that you find a remote management tool on a device in your organization that should not have it. This in itself isn’t malicious; however, you can track IPs that have been associated with malicious use of said tool and look for connections to those IPs to establish, with a reasonable degree of confidence, that it has been used maliciously. Criminal actions can be carried out using resources deemed benign, but throughout this article we will see how Lumu’s features can be used to elucidate the identity of a threat even when this is the case.
Organizations can leverage Lumu’s capabilities to act on their suspicions and proactively look for threats within their networks. If an organization has a particular suspicion regarding connections to a particular IP or domain, but an incident hasn’t been confirmed by Lumu, they can provide that IP or domain as their own threat intelligence for analysis. This is an example of this use case:
1. The cybersecurity team at Organization A was conducting a thorough review of their assets after detecting contacts with IoCs linked to the DragonForce ransomware family in their network. During the investigation, they identified an IP address associated with a popular cloud storage service that the company does not use. Although not inherently malicious, the specialist leading the investigation suspects this IP may be linked to the attack and potentially used for data exfiltration.
2. The specialist reaches out to other teams within the organization to verify whether the connection to this IP is deliberate and legitimate. After confirming that no one in the organization is intentionally connecting to it, the cybersecurity specialist classifies the IP as malicious and incorporates it into the threat intelligence used for threat hunting.
3. The cybersecurity specialist contacts Lumu Support to make use of Lumu’s BYOTI (Bring Your Own Threat Intelligence) feature. The suspicious cloud storage IP is provided to the support team so it can be analyzed.
4. Lumu analyzes Organization A’s network metadata in real time to identify any connections with the suspicious IP. It detects multiple connections originating from an endpoint within the organization, displays them as incidents in the Lumu Portal, and alerts Organization A.
5. Organization A’s cybersecurity team investigates the incidents, tracing the affected endpoint to an employee device within the perimeter that had access to privileged information and credentials. The device was found to be communicating with the malicious IP at regular intervals. With confirmation from Lumu, the investigators’ hypothesis is validated, allowing them to begin mitigating and remediating the confirmed ransomware incident.
If the specialist wants to trace any past connections to the suspicious IP or domain, they can do so through the Lumu Log Archive. This can be done directly through the Lumu Portal and does not require assistance from the support team.
As you can see, Lumu’s BYOTI feature is a powerful asset for proactive threat hunting, enabling organizations to monitor contacts and act on their suspicions to identify potential adversaries.
Organizations can use Lumu’s Log Archive to investigate past contacts with malicious infrastructure. This can be done to validate hypotheses on cases of potential compromise stretching months, or even years, that haven’t been detected by your cybersecurity stack.
Let’s take a look at an example of a use case for retrospective threat hunting using Lumu.
1. Organization B receives a series of incidents within their network corresponding to the Lumma Stealer malware family in the Lumu Portal. The cybersecurity team is tasked with finding out how this type of malware got within their network to improve their cybersecurity posture and policies to prevent potential incidents in the future.
2. The cybersecurity team decides to examine all the endpoints where Lumma Stealer incidents were detected in hopes of finding any potential vulnerabilities and compliance violations that may have contributed to the incident. Among the validations they carry out, they want to access detailed logs of those endpoints across an extended period of time. Lumu has a feature suited for this scenario: the Lumu Log Archive.
3. They query the endpoints corresponding to the affected assets to find detailed information on their network behavior up to the point the infection was detected. The logs give a detailed picture of the processes and connections these devices had during this period of time. The logs are parsed and examined by the team’s specialist, taking into account the characteristics of the devices and their role in the organization’s network. The investigation focuses on two specific Windows Server devices which hosted sensitive information and services for Organization B’s operation.
When investigating associated tools and techniques, it's important to remain flexible. Related tools can range from legitimate communication and remote access software repurposed for malicious use to actual precursor malware. Context is key—there's a significant difference between finding niche VoIP software on a personal computer versus on a critical Windows Server, for example.
4. After a detailed analysis, the specialist identifies a popular social media platform, Discord, which is commonly used for online gaming. While the presence of this legitimate tool does not inherently indicate a compromise, it raises several red flags for the following reasons:
Taking this into account, the specialist determines that the tool is suspicious in the context of this investigation and proceeds on the premise that the tool was used to carry out this attack and was likely the threat’s initial entry point.
5. Armed with this information, the cybersecurity specialist decides to delve deeper into the Pyramid of Pain and consult the MITRE ATT&CK Matrix to identify advanced persistent threats (APTs) that incorporate Discord into their attack chains. This approach helps the specialist better understand the attack’s context, motivations, and potential connections to the log data. They begin analyzing network traffic to and from the two affected devices, cross-referencing the IPs and domains these devices communicated with. During this process, the specialist identifies a list of suspicious IPs and domains that have no legitimate reason to be contacted by the affected Windows Server devices.
While the Pyramid of Pain typically guides us from broad indicators to more specific and impactful ones, the process can also be reversed when validating the hypothesis of an existing threat. This mindset is important when examining device logs.
6. The specialist manually validates and correlates the IPs and domains, confirming that they are indeed suspicious. They have recently been flagged by threat intelligence aggregators and are linked to both the identified threat and Living-off-the-Land (LotL) attacks. With this evidence, the specialist can now state with a high degree of confidence that Discord was the entry point cybercriminals exploited to compromise the organization.
7. The specialist presents their report, initiating the remediation process. The social network platform is promptly removed from all affected devices, and the employees responsible for its maintenance and operation are reprimanded and retrained. The organization’s cybersecurity training is updated to reflect this incident, and corporate security policies are revised and distributed to prevent similar situations in the future.
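The two hunts above share one mechanical core: take a list of indicators the organization itself has classified as malicious (the BYOTI idea from the proactive case), match them against archived network logs, group the hits by endpoint, and look for the regular-interval contact pattern that validated the hypothesis in step 5 of the first case and step 5–6 of the second. The following is an added illustration of that logic, not Lumu’s own code; the log line format, hostnames, and indicator values are constructed for the example and do not reflect the Lumu Log Archive format.

```python
"""Hunt over constructed network log lines: match destinations against an
organization-supplied indicator set and flag endpoints whose contacts with an
indicator recur at regular intervals. Log format and values are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: timestamp, source endpoint, destination (IP or domain)
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z srv-files-01 203.0.113.45
2024-05-01T10:00:07Z ws-hr-12 updates.example.net
2024-05-01T10:05:00Z srv-files-01 203.0.113.45
2024-05-01T10:10:01Z srv-files-01 203.0.113.45
2024-05-01T10:11:30Z ws-hr-12 cdn.example.org
2024-05-01T10:15:00Z srv-files-01 203.0.113.45
2024-05-01T10:40:00Z ws-hr-12 203.0.113.45
"""

# Constructed BYOTI list: indicators the organization itself deemed malicious
BYOTI = {"203.0.113.45", "bad-storage.example.com"}


def parse_logs(text):
    """Yield (timestamp, endpoint, destination) from the constructed format."""
    for line in text.splitlines():
        ts, endpoint, dest = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), endpoint, dest


def match_indicators(text, indicators):
    """Group contact timestamps by (endpoint, destination) for indicator hits."""
    hits = defaultdict(list)
    for ts, endpoint, dest in parse_logs(text):
        if dest in indicators:
            hits[(endpoint, dest)].append(ts)
    return dict(hits)


def is_beaconing(timestamps, min_contacts=3, max_jitter=0.1):
    """True when there are enough contacts and the gaps between them vary little."""
    if len(timestamps) < min_contacts:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) <= max_jitter * mean(gaps)


def hunt(text, indicators):
    """Return {(endpoint, dest): {"contacts": n, "beaconing": bool}} per hit."""
    return {k: {"contacts": len(v), "beaconing": is_beaconing(v)}
            for k, v in match_indicators(text, indicators).items()}
```

A single contact with an indicator is worth a look but is not the regular-interval pattern the case describes; the `beaconing` flag separates the two so the analyst can prioritize the endpoint that is phoning home on a schedule.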