
How to make attackers’ lives harder with effective threat hunting

30 Nov 2017

In today’s threat landscape, modern security teams recognise that compromise is unavoidable, but this doesn’t mean that a breach should be inevitable as well. In fact, the majority of threats can be avoided if organisations have good cyber hygiene practices such as regular patching, upgrades, and having the right people and processes in place. But it is also important that threat hunting is in an organisation’s cybersecurity strategy and culture.

So how can organisations learn to be more proactive rather than reactive and how can we change the culture if we set up a threat hunting capability within our Security Operations Centers (SOC)?

I believe that threat hunting means proactively searching through data. We’ve been doing this on the network for a long time using network analysis tools, but these new attacks have caused a contextual problem: there are leaks and evasion techniques that bypass tools.

For example, sandboxing was big, but I believe that in two years sandboxing won’t provide any value and won’t be an effective control, because the bad guys understand it. Threat hunting can be used as a powerful tool not only to detect malicious behaviour missed by other security measures, but also to drive a deeper understanding of how malicious software, actor tools, and behaviours work.

Threat intelligence is also a valuable weapon when combined with retrospective analysis, allowing the hunter to uncover previously unknown indicators in historical data. With detailed and complete knowledge, an intelligent strategy can be implemented to proactively detect, respond to, or prevent attacks.

Today’s next gen SOC needs to be able to fuse together external threat feeds with the knowledge the security team has about their own environment and end users. The good news is that you don’t need big budgets to undertake threat hunting and equip the SOC with a more proactive approach, you can start simple. Below are a number of pointers to consider:

Change the mindset of your SOC. Get them to think like a detective. They don’t need to look at all the endpoints; threat hunting doesn’t need to start with an all-encompassing approach. The security team could just look at a particular incident. The website: provides all kinds of open source process scripts to find information and is a good place to start for free.

Centralise your data. The SOC needs to centralise all its data – SIEMs, logs, tools etc. – so that it can be consolidated and correlated. In particular, look at the mean time-to-detect and mean time-to-respond – these are the two key metrics that matter.
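The retrospective analysis described above (sweeping centralised historical data for indicators that only arrived later, and measuring how long they went undetected) as an added example; this is not code from the article or from Carbon Black. The log format, hosts, timestamps and indicators are all constructed for the example.

```python
from datetime import datetime

# Constructed sample of historical DNS/proxy log lines in a made-up
# "timestamp host event value" format (assumption: not any vendor's format).
HISTORICAL_LOGS = """\
2017-11-01T08:12:05 ws-014 dns-query update-cdn.example.net
2017-11-01T08:12:07 ws-014 http-connect 203.0.113.17
2017-11-03T17:40:51 ws-022 dns-query mail.example.org
2017-11-05T22:03:14 ws-014 http-connect 203.0.113.17
2017-11-09T09:55:30 srv-db1 dns-query update-cdn.example.net
2017-11-12T11:20:00 ws-031 http-connect 198.51.100.8
"""

# Constructed threat-intel feed: indicators first learned on this date.
FEED_RECEIVED = datetime(2017, 11, 14, 9, 0, 0)
NEW_INDICATORS = {"update-cdn.example.net", "203.0.113.17"}


def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, event, value)."""
    records = []
    for line in text.splitlines():
        ts, host, event, value = line.split()
        records.append((datetime.fromisoformat(ts), host, event, value))
    return records


def retrospective_hunt(records, indicators, received_at):
    """Sweep historical records for indicators learned only at received_at.

    Returns {indicator: {"hosts": [...], "first_seen": datetime, "hits": int,
    "days_undetected": float}}. days_undetected is the gap between the first
    historical contact and the feed's arrival: the dwell time the hunt closed.
    """
    findings = {}
    for ts, host, _event, value in records:
        if value not in indicators or ts > received_at:
            continue
        f = findings.setdefault(value, {"hosts": set(), "first_seen": ts, "hits": 0})
        f["hosts"].add(host)
        f["hits"] += 1
        if ts < f["first_seen"]:
            f["first_seen"] = ts
    for f in findings.values():
        f["hosts"] = sorted(f["hosts"])
        f["days_undetected"] = (received_at - f["first_seen"]).total_seconds() / 86400
    return findings


if __name__ == "__main__":
    hits = retrospective_hunt(parse_logs(HISTORICAL_LOGS), NEW_INDICATORS, FEED_RECEIVED)
    for ioc, f in hits.items():
        print(f"{ioc}: {f['hits']} hits on {f['hosts']}, first seen {f['first_seen']}, "
              f"undetected {f['days_undetected']:.1f} days")
```

The days_undetected figure is the per-indicator input to the mean time-to-detect metric the pointer above calls out; the host list is the scoping input for the response that follows.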

Recognise that this is a process issue. Security teams should not only centralise their data but also activate Active Directory logs and endpoint detection and response (EDR) tools. They should consolidate what they have and, where possible, get rid of technical debt and normalise their environment from the endpoint to the network.

Think through use cases. List out a couple of strategic projects to start. Provide the team with a data set. For example, pick an endpoint, pick a network, or pick a small data centre.

View this as an agile, iterative process. Get the team to come back with problems. Prove the model and then show how you can now do the job faster. Once you have done a hunt four or five times the team will start to adopt hunting behaviour.

Allocate time for threat hunting. Look strategically at time because it is an issue. The security team should review the low value security activities that they undertake and reallocate that time. This means saying no to some activities that have low value.

Show the value of threat hunting. If you want the organisation to adopt a threat hunting culture you need to be able to show the return on investment (ROI) on your recommendation. “I’m saving XX dollars by performing this activity, so we won’t have to go out and buy YY more technology.”

Over time, the security team needs to perform these tasks faster, to move at the speed of the attacker. Likewise, they need to consider the people, process, then technology. And finally, to threat hunt successfully, you need a team that is interested and incentivised to do threat hunting, so make sure they are rewarded in the right way.

Once the organisation has a simple approach in place then it is all about replicating this so that it can perform threat hunting tasks faster each time. And this is where technology comes in as the organisation looks to scale its threat hunting capabilities and automate. Orchestration and automation are the next steps in building out the threat hunting capability of a progressive SOC.

Article by Rick McElroy, security strategist, Carbon Black.
