Threat hunting policies
Threat hunting policies are a separate category of built-in policies used by the Spectra Assure platform to help you improve the overall software package security.
These policies are used during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, threat hunting policies focus on detecting malicious and suspicious behaviors in software components to prevent tampering incidents and software supply chain attacks.
In the Spectra Assure SAFE report, these policy violations can be found in the Threat Hunting issue category and cause risk in the SAFE Assessment Tampering category.
Developers, release managers, and software publishers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect malicious or suspicious behaviors in a software package, the affected files are highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.
Security challenges and practicesโ
Lack of visibility and context into components and dependencies that make up the software supply chain is a major challenge that security teams face in their day-to-day work. This challenge translates into difficulties in decision-making on internal risks, vulnerabilities and threats, as there is not enough actionable information available to the relevant teams. Specifically, SOC teams struggle with an absence of in-depth knowledge about incidents, and threat hunting teams have too few clues to build out useful hunting hypotheses.
Threat hunting comprises a number of proactive measures to assess environments for threats that are not detected by security tools and practices currently in place. Most organizations have threat hunting programs, or at least recognize their importance, and continually invest in improving their approach to identifying active threats in their environments. By definition, every software supply chain has a large attack surface, as compromise can happen at any stage of the software development lifecycle. An organization must protect its own source code repositories, build environments, and software deliverables not only from outside attackers, but also from insider threats. The added responsibilities of maintaining high-quality code, monitoring third-party dependency usage, and employing security best practices at every level require a combination of strategies and activities. However, without the right kind of threat intelligence, all those efforts can yield inconclusive, subpar results, and in the worst case, fail to prevent software supply chain attacks.
The Spectra Assure platform leverages the renowned ReversingLabs threat hunting expertise and condenses it into an extensive set of built-in threat hunting policies. This reduces time-consuming threat hunting activities that require manual work. Supported by explainable threat intelligence provided by Spectra Assure, organizations can confidently automate their processes to reveal security risks, software quality gaps, and indicators of malicious tampering before reaching production.
More specifically, diffing and threat hunting policies in Spectra Assure together form a powerful solution for detecting tampering early in the software development process. Differential analysis or diffing compares two subsequent versions of the same software to identify modifications and potential indicators of tampering. Those modifications can include anything from file format and hash changes to new or updated dependencies, introduced or resolved known vulnerabilities, and new or altered software functionalities. The most relevant differences in this context are behavior changes. When Spectra Assure compares two software versions, threat hunting policies highlight behavior changes that can be considered anomalies and therefore warrant a deeper review or investigation.
Threat hunting policies are also used to predict novel supply chain attacks based on expected attacker patterns and heuristic rules. ReversingLabs regularly collects and analyzes packages from popular package management repositories (npm, PyPi, Nuget, RubyGems). In each of those software communities, ReversingLabs identifies and tracks software behaviors. Malicious behaviors, as well as behaviors that are uncommon or unusual for a community, are distinguished from typical behaviors that are expected from highly used packages in a community. This wealth of data is then used to enrich analysis reports with behavior prevalence information. Prevalence and distribution of detected behaviors in a software package are key points in onboarding third-party components, deciding which components require manual review, and preparing risk mitigation or issue resolution plans.
Software behaviorsโ
In the context of Spectra Assure, software behaviors (or just "behaviors") are human-readable descriptions of file intent detected in the software during analysis. As part of the static analysis and file decomposition process, Spectra Assure converts complex code patterns into descriptions that clarify what the analyzed software is capable of doing, or how the software may "behave" when used. The code patterns, metadata, and file content collected during analysis must fulfill specific conditions for Spectra Assure to identify them as software behaviors. In Spectra Assure reports, those conditions are explained as reasons why a behavior was triggered.
A file can trigger dozens of behaviors, not all of which are equally problematic. It's important to understand the context - the type of software and its main functionalities, and how detected behaviors match what a developer or end-user expects an application to be capable of.
Spectra Assure products can identify and describe hundreds of software behaviors. They are organized into the following general categories:
- Anomaly - Contains unusual characteristics
- Autostart - Tampers with autostart settings
- Behavior - Automatically executes activities as a user
- Disable - May disable system services
- Document - Exhibits unusual activities when handling documents
- Evasion - Tries to evade common debuggers/sandboxes/analysis tools
- Exploit - Contains known exploits against the system
- Execution - Creates other processes or starts other applications
- Family - Associated with known malicious families
- File - Accesses files in an unusual way
- Flow - Leaks sensitive information to external hosts
- Macro - Contains macro functions or scripts
- Memory - Tampers with memory of foreign processes
- Monitor - Able to monitor host activities
- Network - Has network-related indicators
- Packer - Contains obfuscated or encrypted code or data
- Payload - Extracts and launches new behavior in an unusual way
- Permissions - Tampers with or requires permissions
- Registry - Accesses registry and configuration files in an unusual way
- Search - Enumerates or collects information from a system
- Settings - Tampers with system settings
- Signature - Matches a known signature
- Steal - Steals and leaks sensitive information
- Stealth - Tries to hide its presence
Every behavior is assigned a unique ID, which is visible in the analysis reports when the behavior is triggered for the analyzed file. Similar to policy controls, custom filters for behaviors are supported in the policy configuration. Users can target each behavior by copying its unique ID from the analysis reports and adding it to the appropriate section in the policy configuration.
Behavior prevalence information collected from software communities complements behavior descriptions in Spectra Assure reports, and makes unusual, suspicious, or downright malicious behaviors easier to surface and assess. Such behaviors may be indicators of software tampering, so it is highly recommended to manually review them and apply remediation advice suggested by relevant threat hunting policies.
When prevalence information is available for a behavior, it can be one of the following:
- Common - the detected behavior is often found in the community the software component belongs to
- Uncommon - the detected behavior is rare within a community the software component belongs to
- Anomalous - the detected behavior was never seen in a community the component belongs to
- Important - the detected behavior is not malicious, but should be prioritized for code intent review
- Malicious - the detected behavior is seen only in malicious packages within a community the component belongs to
When prevalence information is not available for a behavior, it is indicated by the "Unknown" prevalence status.
Policies in this categoryโ
Threat hunting policies cover the following:
- known malicious behaviors
- generally suspicious behaviors that require manual review
- suspicious network references
- unsafe AI models
- indicators of regulatory non-compliance
Show/hide all policies
- TH15101 - Detected presence of files with behaviors that were marked to issue a warning.
- TH15102 - Detected presence of files with behaviors that were explicitly restricted.
- TH15103 - Detected presence of files with behaviors commonly used by malicious software.
- TH15104 - Detected presence of files with behaviors exclusively used by malicious software.
- TH15105 - Detected presence of files with behaviors that match the hacktool malware profile.
- TH15106 - Detected presence of files with behaviors that match the backdoor malware profile.
- TH15107 - Detected presence of files with behaviors that match the coinminer malware profile.
- TH15501 - Detected presence of files with behaviors similar to malicious packages published on PyPI.
- TH15502 - Detected presence of files with behaviors similar to malicious packages published on NPM.
- TH16101 - Detected presence of obfuscated software components.
- TH16102 - Detected presence of files containing bidirectional Unicode control characters.
- TH16103 - Detected presence of files that dynamically execute Base-encoded data.
- TH16104 - Detected presence of files that dynamically execute compressed data.
- TH16105 - Detected presence of files that use hex-encoded module import directive.
- TH16106 - Detected presence of files that collect and exfiltrate user information.
- TH16107 - Detected presence of files that embed a Base-encoded executable.
- TH16108 - Detected presence of files that embed a raw encrypted executable file.
- TH16109 - Detected presence of files that embed a raw compressed executable file.
- TH16110 - Detected presence of document file formats that embed an executable.
- TH16111 - Detected presence of software components that can tamper with the machine power settings.
- TH16112 - Detected presence of software components that can tamper with the system certificate stores.
- TH16113 - Detected presence of software components that can tamper with the system network settings.
- TH16114 - Detected presence of software components that can tamper with the system security settings.
- TH16115 - Detected presence of software components that can tamper with the system security software.
- TH16116 - Detected presence of software components that can bypass system security software.
- TH16117 - Detected presence of software components that can detect installed security software.
- TH16118 - Detected presence of software components that can change the system startup sequence.
- TH16119 - Detected presence of software components that can elevate the running application privileges.
- TH16120 - Detected presence of software components that can elevate the user privileges.
- TH16121 - Detected presence of software components that can tamper with the system backup functions.
- TH16122 - Detected presence of software components that can access browser databases.
- TH16123 - Detected presence of software components that can access email application databases.
- TH16124 - Detected presence of software components that can access instant messaging application databases.
- TH16125 - Detected presence of software components that can access third-party application databases.
- TH16126 - Detected presence of software components that can access user identity information.
- TH16127 - Detected presence of software components that have code outside of the common screen width.
- TH16128 - Detected presence of software components that can detect common crypto tokens.
- TH17101 - Detected presence of files containing URLs that were explicitly restricted.
- TH17102 - Detected presence of files containing a Base-encoded URL.
- TH17103 - Detected presence of files containing references to TOR or hidden service URLs.
- TH17104 - Detected presence of files containing URLs related to paste-and-share services.
- TH17105 - Detected presence of files containing URLs related to Bitcoin mining pools.
- TH17106 - Detected presence of files containing URLs related to Bitcoin laundering services.
- TH17107 - Detected presence of files containing URLs related to Bitcoin exchange services.
- TH17108 - Detected presence of files containing URLs that link to deceptive file formats.
- TH17109 - Detected presence of files containing URLs that match known malware resource paths.
- TH17110 - Detected presence of files containing URLs that use homoglyph spoofed variations of trusted domains.
- TH17111 - Detected presence of files containing URLs that use sign-in paths specific to trusted domains.
- TH17112 - Detected presence of files containing URLs that use punycode spoofed variations of trusted domains.
- TH17113 - Detected presence of files containing URLs that use typosquatted variations of trusted domains.
- TH17114 - Detected presence of files containing URLs that use trusted domains as subdomains.
- TH17115 - Detected presence of files containing URLs that use non-standard ports.
- TH17116 - Detected presence of files containing URLs with important query parameters.
- TH17117 - Detected presence of files containing URLs that link to blacklisted domains.
- TH17118 - Detected presence of files containing URLs that use suspicious top-level domains.
- TH17119 - Detected presence of files containing URLs with suspicious path components.
- TH17120 - Detected presence of files containing URLs that redirect to malicious domains.
- TH17121 - Detected presence of files containing URLs related to anonymous file-sharing services.
- TH17122 - Detected presence of files containing URLs related to IP querying services.
- TH17123 - Detected presence of files containing URLs that link to Discord attachments.
- TH17124 - Detected presence of files containing URLs that link to Dropbox download pages.
- TH17125 - Detected presence of files containing URLs related to Discord webhooks.
- TH17126 - Detected presence of files containing domains related to out-of-band application security testing tools.
- TH17127 - Detected presence of files containing URLs that link to raw files on GitHub.
- TH17128 - Detected presence of files containing URLs that link to raw files on GitLab.
- TH17129 - Detected presence of files containing domains associated with ransomware.
- TH17130 - Detected presence of files containing domains related to coinmining services.
- TH17131 - Detected presence of files containing domains used for intercepting and inspecting HTTP requests.
- TH17132 - Detected presence of files containing URLs related to the Telegram API.
- TH18101 - Detected presence of files containing URLs that reside in regions with export restrictions by the United States.
- TH18102 - Detected presence of files containing URLs that reside in regions with export restrictions by the European Union.
- TH19101 - Detected presence of Pickle serialized data that can execute code.
- TH19102 - Detected presence of Pickle serialized data that has networking capabilities.
- TH19103 - Detected presence of Pickle serialized data that can create new processes.
- TH19104 - Detected presence of Pickle serialized data that can access system interfaces.
- TH19105 - Detected presence of Pickle serialized data that can manipulate other Pickle files.
Differential analysis policiesโ
Differential analysis policies are a subset of threat hunting policies that detect behaviors and changes characteristic for known software supply chain attacks. They focus on detecting issues that closely resemble previously discovered supply chain attacks based on their signatures.
In Spectra Assure analysis reports, these policy violations are listed in the Issues > Differential Analysis category. Differential analysis policies are triggered only on diffs and reproducibility scans and visible in the reports only in those cases. These policy violations are always considered "blocking", because they should stop the release process automatically and immediately.
Differential analysis policies cover the following:
- tampering indicators resembling the SolarWinds Orion software compromise
- tampering indicators resembling the 3CX DesktopApp software compromise
- tampering indicators resembling the Codecov Uploader software compromise
- tampering indicators resembling the UAParser.js software compromise
- tampering indicators resembling the CTX software compromise
- tampering indicators resembling the XZ Utils software compromise
Show/hide all policies
- TH20101 - Detected indicators of tampering that resemble the SolarWinds Orion software compromise.
- TH20102 - Detected indicators of tampering that resemble the 3CX DesktopApp software compromise.
- TH20103 - Detected indicators of tampering that resemble the Codecov Uploader software compromise.
- TH20104 - Detected indicators of tampering that resemble the UAParser.js software compromise.
- TH20105 - Detected indicators of tampering that resemble the CTX software compromise.
- TH20106 - Detected indicators of tampering that resemble the XZ Utils software compromise.
- TH20107 - Detected indicators of tampering that resemble the Intellect Service M.E.Doc software compromise.
Recommended for youโ
Integrate threat hunting into the SOC triage process to mitigate software supply chain risk (ReversingLabs blog)
Software tampering (ReversingLabs glossary)