As more advanced attack techniques and tools become more accessible in the cyber criminal community, companies are increasingly turning to a more proactive approach to security. An important part of this approach is looking for evidence of potential threats which may already be in their systems.
Implementing an incident response (IR) plan is a great place to start, but it is too reactive - by the time you are notified of a breach, it could be too late. Likewise, organisations have now realised that waiting for antivirus and other security solutions to alert them to unusual activity is not a good enough approach for detecting sophisticated and stealthy adversaries.
Instead, organisations can combine an IR plan and traditional AV defences with more proactive techniques such as threat hunting, giving themselves the best chance of preventing cyber criminals from gaining access to their IT environment. Threat hunting enables security teams to confidently answer the question “am I under attack?”.
Not all suspicious activity indicates an attack is imminent - however, these kinds of actions can potentially become security problems further down the line. Identifying these activities early on can give defenders a better understanding of where possible weaknesses lie within their environment and provide an opportunity to harden them.
For example, let’s say a healthcare organisation undertook a threat hunt with the aim of disproving concerns about its security environment. The company’s CISO forbade his employees from using the file transfer protocol (FTP). He thought that this would eliminate the possibility of attackers using ftp.exe for data exfiltration.
However, a hunting exercise discovered that, despite the ban, some employees were still using FTP. It was found that 50GB of data was leaving the company each day. Had it not been for the threat hunting exercise, the company would never have had this visibility into its IT environment. The company would have continued to operate in the same way and its security could have been jeopardised.
Threat hunting can also be used as a pre-emptive defence. If banks, for example, were being targeted by cyber criminals, other financial services companies armed with this information may choose to conduct threat hunts to bolster their own defences.
Peace of mind
Threat hunts are not only useful for discovering a breach and identifying whether there is a bad guy in your environment. They can also be used to audit your managed security services provider (MSSP) to determine whether it may have missed any security incidents. If something has been missed, this will give you the opportunity to fix it before it becomes a serious problem.
Threat hunting is also a useful tool for a new CISO to take stock of the security team’s processes and technologies, and for conducting security due diligence before a merger is finalised. Identifying deficiencies or breaches before the purchase is finalised will save the buyer from having to deal with the fallout of any data breaches or security incidents.
Conducting your hunt
Once you have made the decision to carry out a threat hunting exercise, you need to decide whether to use your own internal security team or outsource to an external threat hunting service provider. If your organisation is lucky enough to already employ a talented and highly skilled security team, then you may want them to carry out the exercise. However, even with a talented team at your disposal, it would require them to work solely on the hunting assignment for the span of the operation. In many cases, the security team is unable to dedicate the amount of time and resources necessary for carrying out a threat hunt. In this situation, we would advise hiring an external team.
Regardless of whether you use an internal or external security team, proper planning is essential. The most successful engagements begin with good preparation, and treating threat hunting as an ad hoc process will not provide effective results. Good planning will ensure the hunt doesn’t interfere with the daily work of the organisation. The security team then needs to select a topic to examine, with the aim of either confirming or denying that a certain activity is occurring in their environment. For example, they might focus on advanced threats which use tools such as fileless malware to evade the current security setup.
Testing and collating
A hypothesis needs to be established by determining the outcome expected from the hunt. In the case of fileless malware, the aim of the hunt is to identify hackers who are carrying out attacks using tools such as PowerShell and WMI. Collecting every PowerShell process which is observed in the environment will provide too much information and prevent any meaningful results being identified. A smart approach needs to be developed for testing the hypothesis without examining every event.
Once the data has been collected, it needs to be compiled. There are several analytics tools which could be used to do this, for example, the reporting tool in a SIEM or pivot tables in Excel. After the data is organised, analysts should be able to identify trends in the environment and plan a course of action.
Automating some tasks is key for the security team to succeed; however, some security analysts may not be keen. There will, of course, be some tasks which are better automated and some which will require an analyst’s personal attention.
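The PowerShell hypothesis and the compile step described above can be sketched as follows. This is an added example, not code from the author or from any product: the event tuples, the trait patterns and the list of unusual parent processes are assumptions chosen for illustration, and the output is the same kind of count a SIEM report or pivot table would give.

```python
import re
from collections import Counter

# Constructed process-creation events: (host, parent image, command line).
# <BASE64> and <URL> are placeholders, not real payloads.
EVENTS = [
    ("ws-014", "explorer.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ("ws-020", "svchost.exe", r"powershell.exe -NoProfile -File C:\Scripts\patch.ps1"),
    ("ws-014", "mgmtagent.exe", "powershell.exe -EncodedCommand <BASE64>"),
    ("ws-020", "mgmtagent.exe", "powershell.exe -EncodedCommand <BASE64>"),
    ("ws-027", "mgmtagent.exe", "powershell.exe -EncodedCommand <BASE64>"),
    ("ws-031", "winword.exe", "powershell.exe -w hidden -enc <BASE64>"),
    ("srv-02", "wmiprvse.exe",
     "powershell.exe -NoP -Command (New-Object Net.WebClient).DownloadString(<URL>)"),
]

# Hypothesis traits (assumed heuristics; tune them to your environment).
TRAITS = {
    "encoded": re.compile(r"\s-(e|ec|en|enc\w*)\s", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download": re.compile(r"net\.webclient|downloadstring|invoke-webrequest", re.I),
}
# Parents that rarely have a legitimate reason to start PowerShell (assumption).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "mshta.exe", "wmiprvse.exe"}


def hunt(events):
    """Keep only PowerShell launches that match the hypothesis."""
    hits = []
    for host, parent, cmdline in events:
        if "powershell" not in cmdline.lower():
            continue
        traits = tuple(n for n, rx in TRAITS.items() if rx.search(cmdline))
        if traits or parent.lower() in UNUSUAL_PARENTS:
            hits.append((host, parent.lower(), traits))
    return hits


def stack(hits):
    """Count each (parent, traits) combination and list the rarest first."""
    counts = Counter((parent, traits) for _, parent, traits in hits)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    for (parent, traits), n in stack(hunt(EVENTS)):
        print(f"{n:>3}  {parent:<15} {','.join(traits) or '-'}")
```

The routine scripts drop out at the filter, the management agent's repeated encoded commands collapse into one common row, and the two single-occurrence rows at the top are what an analyst looks at first.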
Options for how automation can be used have improved significantly in recent years as technology has developed. A newer approach that can be particularly effective is to use an in-memory graph to collect information in real time from all endpoints and servers. This information can then be run through millions of questions every second to identify malicious behaviour, sparing analysts from having to manually query huge amounts of endpoint and network data themselves. For example, Cybereason automates the search for tools that use DGAs (domain generation algorithms) to hide their command and control communication. While an analyst could manually dig through DNS logs and build data stacks, this process is time-consuming and error-prone.
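To show what digging through DNS logs and stacking the results involves, here is a small added example. It is not Cybereason's method or code: the log format, the entropy and length thresholds, and the per-client minimum are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS log lines: "<client> <query name> <response code>".
DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 login.microsoftonline.com NOERROR
10.0.0.7 x7k2m9q4w1z8b5tn.example NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 qx7vb2kzt9mwp4hj.example NXDOMAIN
10.0.0.9 k3ydw8nrf5zqa1tc.example NXDOMAIN
10.0.0.9 m9pzx4ctj7bqw2ys.example NOERROR
"""


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(name, min_len=12, min_entropy=3.5):
    """Heuristic: a long, high-entropy second-level label (thresholds assumed)."""
    parts = name.lower().rstrip(".").split(".")
    # Naive registrable label; multi-part suffixes such as co.uk need a suffix list.
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return len(label) >= min_len and entropy(label) >= min_entropy


def hunt_dga(log, min_domains=3):
    """Stack by client: {client: (distinct suspect names, NXDOMAIN answers)}."""
    names, nx = defaultdict(set), Counter()
    for line in log.splitlines():
        client, name, rcode = line.split()
        if looks_generated(name):
            names[client].add(name.lower())
            nx[client] += rcode == "NXDOMAIN"
    # One odd name is noise; several from one client is worth an analyst's time.
    return {c: (len(n), nx[c]) for c, n in names.items() if len(n) >= min_domains}


if __name__ == "__main__":
    print(hunt_dga(DNS_LOG))
```

A long but ordinary name such as login.microsoftonline.com stays under the entropy threshold, and the client with a single random-looking lookup is dropped by the per-client minimum, which is the kind of tuning that makes the manual version slow.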
It is impossible for any security team to plan for every possible scenario which could lead to a data breach. However, using threat hunting alongside existing security infrastructure enables proactive identification of signs which could indicate something is wrong in the security environment. Adversaries are not completely invisible and will leave certain patterns of behaviour within networks which they’ve infiltrated. Threat hunting allows security teams to find those behaviour patterns and stop the attackers before they cause real damage.
Sam Curry, Chief Security Officer at Cybereason