Question
How do reactive threat detection and proactive threat detection differ? Reactive detections are produced by analytics
engines in the SIEM, intrusion detection system (IDS), or endpoint sensor tools you will learn about later in this module.
Proactive detections are made by threat hunters searching through the data, guided by threat intelligence information
and internally generated intelligence.
According to a Threat Hunt survey conducted by the SANS Institute, of organizations report that they
currently perform proactive threat hunting. However, these respondents noted that their proactive detections are
relatively immature, with the biggest obstacles cited as a lack of skilled staff, budget constraints, and a lack of defined
processes.
In this TryIt Activity, you will first research a prevalent detected malware sample by digging into reports from a malware
sandbox that detail its static and behavioral characteristics. Then, if endpoint monitoring capabilities discover this
malicious code present or running on a system in your environment, the security operations team and incident
responders would be called to take reactive actions in accordance with playbooks specific to the threat.
In the second part of this TryIt Activity, you will model proactive detection techniques similar to the actions of a threat
hunter. Given a specific threat group, you will identify the tactics, techniques, and procedures unique to that actor.
Based on your findings, you will formulate hunt hypotheses on how you may detect malicious activity attributed to this
actor.
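To make the reactive/proactive distinction concrete, here is an added example (not part of the original activity) that runs both kinds of detection over constructed endpoint telemetry: the reactive rule matches events against indicators from a MalwareBazaar-style sandbox record (MD5 hash, YARA rule names), while the proactive hunt tests a hypothesis by stacking a field across the fleet and needs no indicator at all. Every hash, host name and rule name is a placeholder.

```python
# Added example (not part of the original activity): contrasts a reactive,
# indicator-driven detection with a proactive, hypothesis-driven hunt over
# constructed endpoint telemetry. All hashes, hosts and rule names are placeholders.

# Constructed MalwareBazaar-style sandbox record; the fields mirror the ones
# the activity asks you to look up. The hash and rule names are not real IoCs.
KNOWN_MD5 = "00000000000000000000000000000001"
SANDBOX_REPORT = {
    "file_type": "exe",
    "md5": KNOWN_MD5,
    "yara_rules": {"placeholder_rule_a", "placeholder_rule_b"},
}

COMMON_MD5 = "00000000000000000000000000000002"  # benign, widely installed binary
RARE_MD5 = "00000000000000000000000000000003"    # unknown to intel, seen on one host

# Constructed endpoint file-execution events: host, image hash, YARA rules that fired.
EVENTS = [
    {"host": "ws01", "md5": KNOWN_MD5,  "yara": {"placeholder_rule_a"}},
    {"host": "ws02", "md5": COMMON_MD5, "yara": set()},
    {"host": "ws03", "md5": COMMON_MD5, "yara": set()},
    {"host": "ws04", "md5": COMMON_MD5, "yara": set()},
    {"host": "ws05", "md5": RARE_MD5,   "yara": set()},
    {"host": "ws06", "md5": COMMON_MD5, "yara": {"placeholder_rule_b"}},
]


def reactive_detect(events, report):
    """Reactive: the analytics engine alerts when an event matches a known
    indicator from the sandbox report (file hash or YARA rule name)."""
    return [e["host"] for e in events
            if e["md5"] == report["md5"] or e["yara"] & report["yara_rules"]]


def proactive_hunt(events, field, max_hosts):
    """Proactive: the hunter tests a hypothesis ("a <field> value present on at
    most max_hosts machines is anomalous for this fleet") by stacking the field
    across all hosts. No indicator is needed, so this can surface RARE_MD5,
    which the reactive rule above never sees."""
    hosts_by_value = {}
    for e in events:
        hosts_by_value.setdefault(e[field], set()).add(e["host"])
    return {value: sorted(hosts) for value, hosts in hosts_by_value.items()
            if len(hosts) <= max_hosts}


if __name__ == "__main__":
    print("reactive alerts:", reactive_detect(EVENTS, SANDBOX_REPORT))
    print("hunt leads:", proactive_hunt(EVENTS, "md5", max_hosts=1))
```

The hunt output still needs a hunter to triage it (a rare hash can be a legitimate one-off install), which is the staffing and process cost the survey respondents describe.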
Part 1
Access the MalwareBazaar Database
Explore the page and identify the following:
Note: Ensure you follow best practices when navigating this website. Identifying the information doesn't require
clicking on any additional links.
File type:
Filename:
MD5 Hash:
First seen date and time:
Names of the YARA Rules that detected this sample:
Part 2
The DeathStalker threat group, tracked by Kaspersky since , is known to target law firms and financial
institutions. However, this threat actor does not appear to be motivated by financial gain. It deviates from the typical
tactics used by cybercriminal gangs, such as ransomware, theft of financial transaction data, or customer account
compromise. Instead, Kaspersky researchers deduce that this actor is a group of hackers-for-hire, picking up operations
based on the needs of their customers.
Read the Kaspersky reference below on the Powersing toolset and the DeathStalker threat group. Then identify the
tactics, techniques, and procedures unique to that actor and formulate hunt hypotheses for detecting this malicious
actor.
Resources
Lifting the Veil on DeathStalker, a Mercenary Triumvirate, by Ivan Kwiatkowski, Pierre Delcher, and Maher Yamout
Hunt Evil: Your Practical Guide to Threat Hunting