Saturday, March 21, 2020

A Guide to Effective Threat Hunting


Cybercriminal organizations steal information because it is profitable: that is where the money is. Waiting for an intrusion to be detected is no longer an option. We need to proactively search for intruders who are already present and for the signs of intrusions still to come. That is what threat hunting is.

Threat hunting can be defined as a proactive approach to detecting unauthorized activity in your environment and responding to it. It is the pursuit of the evidence that attackers leave behind while they conduct reconnaissance, attack with malware, or exfiltrate sensitive data.

Factors that motivate cyberattacks include the following:

- Financial gain
- Political statement
- Theft of intellectual property
- Disruption of critical infrastructure
- Revenge
- Fame

Just because intruders are not seen, and no technology has raised an alert about their presence, does not mean they are not there. The absence of security alerts only means that the security mechanisms in place have not detected an intrusion. A patient, resourceful attacker can get into virtually any organization by following the time‐proven sequence of research, reconnaissance, stealthy intrusion, and quiet exfiltration. The assumption of breach accepts the very real possibility that intruders are already inside your networks and systems, regardless of your defenses and your ability (or inability) to detect them; it is the premise that justifies hunting for them.

Attackers will usually take the path of least resistance into an organization, but however they get in, they consider it a win. Some of the methods used in attacks are the following:
- Stealthy malware
- Hacking the people (social engineering, such as phishing)
- Hacking the systems (exploiting vulnerabilities and misconfigurations)
- Recruiting insiders

Threat hunting should be systematic: hunters need to look carefully and continuously for anything that could be evidence of intrusion. Threat hunting needs to be instilled as a process that security teams make and schedule time for. The types of threat attributes that are hunted include the following:
- Processes: look for processes with certain names, file paths, checksums, and network activity
- Binaries: look for binaries with certain checksums, file names, paths, metadata, specific registry modifications, and many other characteristics
- Network activity: connections to specific domain names and IP addresses
- Registry: additions to and modifications of specific keys and values
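As an added example, not code from the post or from the Carbon Black guide it summarizes, here is a small Python hunt that applies the four attribute types above to a batch of constructed endpoint telemetry. Every record, hash, hostname, IP address and domain is made up for illustration (the IPs come from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges), and the hunt goes a step beyond the list by tying each network connection back to the process that made it, which is the endpoint-plus-network correlation the tooling section later on calls for.

```python
from collections import defaultdict

# Constructed sample telemetry, shaped like what an EDR exports: one dict per event.
# Hosts, PIDs, paths, hashes, IPs and domains are all made up for this example.
EVENTS = [
    {"type": "process_start", "host": "ws01", "pid": 4120, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "sha256": "a" * 64,
     "parent": "services.exe"},
    {"type": "process_start", "host": "ws01", "pid": 5232, "name": "svchost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "sha256": "b" * 64,
     "parent": "explorer.exe"},
    {"type": "process_start", "host": "ws02", "pid": 3301, "name": "update.exe",
     "path": r"C:\Users\bob\Downloads\update.exe", "sha256": "c" * 64,
     "parent": "outlook.exe"},
    {"type": "network_connect", "host": "ws01", "pid": 4120,
     "dst_ip": "203.0.113.5", "dst_domain": "www.example.org", "dst_port": 443},
    {"type": "network_connect", "host": "ws01", "pid": 5232,
     "dst_ip": "198.51.100.23", "dst_domain": "cdn-updates.example", "dst_port": 443},
    {"type": "registry_set", "host": "ws01", "pid": 5232,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"type": "registry_set", "host": "ws02", "pid": 900,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Hunt hypotheses, one per attribute type listed above (placeholder indicator values).
KNOWN_BAD_SHA256 = {"c" * 64}                 # binary checksum from threat intel
KNOWN_BAD_DOMAINS = {"cdn-updates.example"}   # network: domain indicator
KNOWN_BAD_IPS = {"198.51.100.23"}             # network: IP indicator
# Process name -> the only path a genuine copy should run from (name/path mismatch).
EXPECTED_PATHS = {"svchost.exe": r"c:\windows\system32\svchost.exe",
                  "lsass.exe": r"c:\windows\system32\lsass.exe"}
# Registry: autorun key whose value points into a user-writable location.
RUN_KEY_MARKER = "\\currentversion\\run"
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def hunt(events):
    """Return (host, finding_kind, detail) tuples for every event that matches a hypothesis."""
    findings = []
    procs = {}  # (host, pid) -> process_start event, so later events can be tied to a binary
    for e in events:
        if e["type"] == "process_start":
            procs[(e["host"], e["pid"])] = e
            if e["sha256"] in KNOWN_BAD_SHA256:
                findings.append((e["host"], "known_bad_hash", e["path"]))
            expected = EXPECTED_PATHS.get(e["name"].lower())
            if expected and e["path"].lower() != expected:
                findings.append((e["host"], "masquerading_system_binary", e["path"]))
        elif e["type"] == "network_connect":
            proc = procs.get((e["host"], e["pid"]))
            origin = proc["path"] if proc else f"pid {e['pid']} (no process event seen)"
            if e.get("dst_domain") in KNOWN_BAD_DOMAINS or e["dst_ip"] in KNOWN_BAD_IPS:
                findings.append((e["host"], "c2_indicator_contact",
                                 f"{origin} -> {e['dst_ip']}:{e['dst_port']}"))
        elif e["type"] == "registry_set":
            key, value = e["key"].lower(), e["value"].lower()
            if RUN_KEY_MARKER in key and any(m in value for m in USER_WRITABLE):
                findings.append((e["host"], "run_key_user_writable_path", e["value"]))
    return findings


def findings_by_host(findings):
    """Group the finding kinds per host; the hunter then pivots into each host in turn."""
    grouped = defaultdict(list)
    for host, kind, _detail in findings:
        grouped[host].append(kind)
    return {host: sorted(kinds) for host, kinds in grouped.items()}


if __name__ == "__main__":
    for host, kind, detail in hunt(EVENTS):
        print(f"{host}: {kind}: {detail}")
```

Run against the sample, the hunt flags ws01 three times (a svchost.exe running from a temp directory, that same process contacting an indicator IP, and a Run key pointing at it) and ws02 once for a known-bad hash, while the legitimate svchost.exe, its outbound connection and the OneDrive autorun produce nothing. The point of the `procs` map is that a network indicator match is far more useful when it names the binary behind it rather than just a PID.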

What threat hunting is not
- Acquiring or analyzing threat intelligence
- Installing tools and waiting for alerts
- Reporting on incidents or intrusions
- Incident forensics

Skills required in a threat hunting team
- Operating system internals
- Endpoint application behavior
- Threat hunting tools
- Incident response procedures

Technology: Getting the Necessary Tools in Place
- Complete endpoint visibility
- Obtaining the necessary network event data
- Threat intelligence gathering
- Integrating your information
- Data correlation and analytics tools

Traits of a Master Hunter
- Strengthen organization’s overall posture
- Be Embedded in the Environment
- Research
- Developing Intuition. Intuition also means working the OODA loop: Observe, Orient, Decide, and Act.
- Educated hunches
- Strong opinions, loosely held. The only constant is change. Be open to change in information.
- Developing Your Own Tools and Custom Integrations
- Setting Landmines. A master threat hunter thinks ahead and anticipates what a known or a potential adversary might do.

Ten Tips to Effective Threat Hunting
- Know Your Environment
- Think Like an Attacker
- Develop the OODA Mindset
- Devote Sufficient Resources to the Hunt: personnel, tools, and infrastructure.
- Deploy Endpoint Intel across the Enterprise
- Supplement Endpoint Intel with Network Intel
- Collaborate across IT
- Keep Track of Your Hunts
- Hone Your Security Skills: training and conferences.
- Be Aware of Attack Trends

Reference: Threat Hunting For Dummies®, Carbon Black Special Edition by Peter H. Gregory
