Cosive co-founder and Managing Director Kayne Naughton has claimed the first ever threat detection bounty on the recently launched Bluehat Platform, brainchild of Australian cybersecurity startup Illuminate Security.
Bluehat connects a community of independent analysts with anonymised logs from real-world organisations for the purposes of threat detection under a pay-for-results model.
Kayne says that in the past, he and other researchers have suffered from organisations “shooting the messenger” when notifying an organisation about threats or breaches.
“I’ve almost been in legal trouble for it, because they got me confused with someone who was trying to extort them.”
“You might have the skillset, but you put yourself on difficult ground trying to help people.”
Kayne says the Bluehat platform gives threat hunters a framework to help organisations that want assistance, while being protected and rewarded.
The platform operates on a merit based system that rewards analysts for results, says Illuminate Security co-founder Shaun Vlassis. “Whoever is the fastest, the most accurate, and the most complete in the submitted security finding, will win.”
Campaign background and building a SIEM
Each campaign on Bluehat represents a discrete set of anonymised logs from a real-world organisation, with set bounties attached to different types of detections.
In this case, the detection campaign included Fortigate logs from a mid-sized organisation with the goal to get threat detection coverage.
Logs go through an extensive data anonymisation process before being made available to Bluehat’s analyst community. In this case, the organisation specified that they only wanted the campaign made available to Australian citizens whose identity had been human-verified by the Bluehat team.
Kayne was one of the detection engineers who matched this criteria and was invited to participate in the campaign.
“I’d been messing with the idea of speed-running a SIEM. How long would it take me, starting from an empty folder, to be able to build all of the bits and pieces that make a SIEM?”
Kayne had initially used his homemade SIEM to run through a synthetic campaign provided by Bluehat, which allows analysts to prove their skills before accessing real-world logs
A real-world campaign offered Kayne the perfect opportunity to test-drive the log analysis stack he’d built using real log data.
Kayne’s threat detection approach
Kayne used Vector, developed by Datadog, to write a log interpreter for the Fortigate. He then used this log interpreter to produce Apache Parquet files, which allowed him to efficiently query the log data.
Kayne says his initial approach was to look for something malicious, like an antivirus hit, and then follow the hit in either direction to find something that may not have been detected by the tooling, such as a malware loader.
While the logs didn’t contain any antivirus detections, Kayne was able to find evidence of a potentially unwanted program: remote access tooling which appeared to be connecting from outside the organisation’s environment.
“I thought that was worthy of a report,” says Kayne, “because it could have been a remote support scam.”
What was the biggest challenge?
Inconsistent timestamps across log types, which Kayne calls “the curse of all logging”, presented the biggest challenge in the process.
Kayne says this illustrates a useful tip for people starting out in threat detection. “Never believe anyone about dates and times, unless you’ve been able to validate it yourself, because it’s all lies.
“It’s the real world, and real world data is messy.”
Shaun agrees. It’s why all logs on the Bluehat platform include a collected timestamp field in UTC, ensuring they have a universal timestamp that represents the time when the Bluehat Platform received and processed the data.
“Of course, theoretically you’d want to use the log timestamp,” says Shaun. “Until you start doing it at scale or across multiple types of logs– it doesn’t work. Nobody is ever going to have a pipeline that doesn’t have lag, or an outage.”
Kayne adds: “It’s very hard to get everything on time, and to only get it once. It’s impossible to do both, I think.”
Submitting findings and claiming the bounty
Kayne says that Bluehat provides analysts with a clear structure for reporting findings.
“It forces you to report your findings in a way that someone else can follow your thinking. I’ve seen plenty of free-form bug bounty submissions that are all over the place.”
Once Kayne submitted his findings, the report was passed through several automated checks on the Bluehat platform, including anti-fabrication checks, quality assurance checks, and checks to verify that the logs provided as evidence were appropriate for the type of assertion being made.
“Next, we paid Kayne,” says Shaun.
“It was a low value detection in this case,” says Kayne. “The organisation paid me for something that could have been real, even though there wasn’t really any meat to it.”
“It means you’re rewarded for spending your time on something, rather than just being rewarded when you do get a smoking gun.”
To learn more about joining or utilising the Bluehat community, visit Illuminate Security.
To benefit from Cosive’s expertise in logging, alerting and threat detection, talk to us about our logging, monitoring and alerting uplift program.