
Blurred lines: How counterinsurgent strategies apply to threat hunting

15 Aug 2018

Article by Carbon Black chief cybersecurity officer Tom Kellermann and Carbon Black security strategist Rick McElroy

In Pierce Brown’s Red Rising trilogy, he introduces a military tactic called Iron Rain that can be defined as a mass invasion tactic.

In the real world, Iron Rain has a parallel - as destructive attacks surge, integrity attacks become the nightmare scenario for multinational corporations.

System integrity is paramount.

Successful counterinsurgency operations depend on thoroughly understanding the environments in which they are being conducted.

In most counterinsurgency operations where foreign forces participate, insurgents hold a distinct advantage in their level of local knowledge.

They speak the language, move easily within the society and are more likely to understand the population’s interests.

From a cyber perspective, ‘culture’ lies within network topology, netflow and user behaviour analytics.

Understanding the operational environment allows a counterinsurgent to identify the conditions which impact prerequisites for an insurgency and the root causes driving the population to accept the insurgency.

Only through understanding the operational environment can the counterinsurgent plan and execute successful operations to offset the conditions that allow the insurgency to exist.

Updated network topology diagrams coupled with regular penetration tests and the use of endpoint detection and response give defenders greater situational awareness of the operational environment.

Intelligence drives operations

Effective counterinsurgency operations are shaped by timely, relevant, tailored, predictive, accurate and reliable intelligence, gathered and analysed at the lowest possible level and disseminated throughout the force.

Without accurate and predictive intelligence, it is often better to not act rather than react.

Gaining situational understanding before action is often essential in avoiding long-term damage to objectives.

In environments where commanders do not have situational understanding, the first action they should take is to use forces to gain that understanding or drive to a known state.

Security experts today are dealing with data fatigue.

How do we improve the contextual accuracy of intelligence?

Intelligence can help focus a team’s efforts on what matters while assessing the bigger picture.

Having the right intel can focus a team on the right threats to help better craft their defensive posture.

Human interpretation of data is fundamental.

Reporting by tactical ‘hunt teams’ and IT teams is often more important than reporting by specialised assets.

Learn and adapt

An effective counterinsurgency force lies within an organisation that is constantly learning.

Insurgents connected with other organisations constantly exchange information about their enemy’s vulnerabilities—even with insurgents in distant areas.

However, skilful counterinsurgency forces can adapt at least as fast as insurgents.

Every unit needs to be able to make observations, draw and apply lessons and assess results.

Leaders must develop an effective system to circulate best practices throughout their organisation.

They might also need to seek new policies that authorise or resource necessary changes.

Insurgents shift their locations looking for weak links, so widespread competence is required throughout the counterinsurgency force.

In cyberspace, establishing hunt teams is fundamental to countering a cyber insurgency.

The hunt teams must first develop a threat profile, which helps a hunter know where to prioritise hunting (and ultimately where to start hunting).

Applying streaming analytics to unfiltered data will allow hunters to sort information faster and enable tools to do the team’s target acquisition.

This results in a force multiplier for the threat hunters.

Analytics can anticipate future attacks by tracing attack origins and surveying the attacks’ root cause.

As a result, teams can anticipate and focus on the organisation’s defensive weaknesses.

As the team gels, they should develop rapid-response protocols.

Deciding when to reveal oneself is critical, as counter-incident-response measures and destructive attacks are becoming the norm.

  • Assess threat intel from IPs, domains and hashes applied to historical data.
  • Query similar threads that are not identical matches in historical data.
  • Anomaly detection – requires continuous analysis of unfiltered data from the endpoint.

Threat hunting is most effective when employing both active measures (agents deployed to endpoints), as well as passive measures (netflow, packet capture appliances).

User-entity behaviour analytics must be employed as it is critical to baseline ‘normal’ network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.

Hunters must position themselves on the high ground, as defined by greater situational awareness.

Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data.

From that vantage, one must search for similar threads that are not identical matches in historical data.

Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.
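The three hunt passes listed above (exact indicator matches against historical data, similar-but-not-identical matches, and anomaly detection against a baseline of ‘normal’ host behaviour) can be shown together on one small event set. The script below is an added example written for this article, not code from the authors or from Carbon Black. Every host, process, destination, domain, hash and intel indicator in it is constructed for illustration; the hash fields hold placeholder strings rather than real SHA-256 values. The near-match heuristics (same /24 as an intel IP, domain within a small edit distance of an intel domain) are assumptions about what ‘similar’ means, chosen to show the idea rather than to recommend thresholds.

```python
"""Added example: three threat-hunt passes over constructed endpoint/netflow events.
All hosts, processes, destinations, domains, hashes and indicators are invented."""
from collections import defaultdict
from difflib import SequenceMatcher
import ipaddress

# Constructed historical window: what the hosts normally do (the UEBA baseline).
HISTORICAL = [
    {"host": "ws01",  "proc": "outlook.exe",  "dst_ip": "10.0.5.20",    "domain": "mail.corp.example",     "sha256": "h-outlook"},
    {"host": "ws01",  "proc": "chrome.exe",   "dst_ip": "198.51.100.9", "domain": "intranet.corp.example", "sha256": "h-chrome"},
    {"host": "ws01",  "proc": "teams.exe",    "dst_ip": "198.51.100.9", "domain": "intranet.corp.example", "sha256": "h-teams"},
    {"host": "srv01", "proc": "sqlservr.exe", "dst_ip": "10.0.5.30",    "domain": "db.corp.example",       "sha256": "h-sql"},
    {"host": "srv01", "proc": "sqlservr.exe", "dst_ip": "10.0.5.30",    "domain": "db.corp.example",       "sha256": "h-sql"},
]
# Constructed recent window: the unfiltered endpoint data the hunt runs over.
RECENT = [
    {"host": "ws01",  "proc": "outlook.exe",    "dst_ip": "10.0.5.20",    "domain": "mail.corp.example",      "sha256": "h-outlook"},
    {"host": "ws01",  "proc": "powershell.exe", "dst_ip": "203.0.113.77", "domain": "update-cdn.example.net", "sha256": "h-ps"},
    {"host": "srv01", "proc": "sqlservr.exe",   "dst_ip": "10.0.5.30",    "domain": "db.corp.example",        "sha256": "h-sql"},
    {"host": "srv01", "proc": "svchost.exe",    "dst_ip": "203.0.113.80", "domain": "update-cdn.examp1e.net", "sha256": "h-unknown"},
]
# Constructed threat-intel feed (placeholder values, not real indicators).
INTEL = {
    "ip": {"203.0.113.77"},
    "domain": {"update-cdn.example.net"},
    "sha256": {"h-ps"},
}


def exact_matches(events, intel):
    """Pass 1: IPs, domains and hashes from intel applied to the data, exact equality only."""
    hits = []
    for i, ev in enumerate(events):
        for field, key in (("dst_ip", "ip"), ("domain", "domain"), ("sha256", "sha256")):
            if ev[field] in intel[key]:
                hits.append((i, key, ev[field]))
    return hits


def near_matches(events, intel, domain_ratio=0.85):
    """Pass 2: similar-but-not-identical matches (heuristics, assumed for this example).
    A destination in the same /24 as an intel IP, or a domain whose similarity ratio to an
    intel domain is at/above the threshold, is reported. Hashes get no fuzzy pass: any
    one-byte change to a file yields an unrelated hash, so only equality is meaningful."""
    hits = []
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in intel["ip"]}
    for i, ev in enumerate(events):
        ip = ipaddress.ip_address(ev["dst_ip"])
        if ev["dst_ip"] not in intel["ip"] and any(ip in n for n in nets):
            hits.append((i, "ip-neighbour", ev["dst_ip"]))
        for known in intel["domain"]:
            if ev["domain"] != known and SequenceMatcher(None, ev["domain"], known).ratio() >= domain_ratio:
                hits.append((i, "domain-lookalike", ev["domain"]))
    return hits


def baseline_processes(events):
    """Per-host set of processes observed in the historical window: this host's 'normal'."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].add(ev["proc"])
    return seen


def anomalies(events, baseline):
    """Pass 3: processes a host has never been seen running, judged against its own baseline."""
    return [(i, ev["host"], ev["proc"]) for i, ev in enumerate(events)
            if ev["proc"] not in baseline.get(ev["host"], set())]


def hunt(historical, recent, intel):
    """Run all three passes. Intel sweeps cover the historical window as well as the recent one;
    the anomaly pass compares the recent window against the historical baseline."""
    all_events = historical + recent
    return {
        "exact": exact_matches(all_events, intel),
        "near": near_matches(all_events, intel),
        "anomalies": anomalies(recent, baseline_processes(historical)),
    }


if __name__ == "__main__":
    for pass_name, hits in hunt(HISTORICAL, RECENT, INTEL).items():
        print(pass_name, hits)
```

Each pass reports something the others miss: the exact sweep catches only the event that reuses known indicators verbatim, the near-match sweep surfaces the neighbouring IP and the look-alike domain that no feed lists, and the baseline comparison flags both unfamiliar processes even though one of them touches nothing in intel at all. Indices in the `exact` and `near` results refer to the combined historical-plus-recent list; `anomalies` indexes the recent window.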

On the battlefield, especially when operating in an environment where insurgency exists, communications will break down.

Time will be a factor.

Individual team members need to be empowered with the right data to make the right decision at the right time.

Ground truth is imperative.

In order to achieve it, everyone on the team must be empowered.

The security team and IT teams must know their environment, know their intel sources and make decisions in the best interest of the organisation.

Often, system administrators and security teams will have the best grasp of their situations, but they require access to, or control of, the resources needed to produce timely intelligence, conduct effective tactical operations and manage intelligence and civil-military operations.

Within a network, system administrators must be empowered to make tactical security decisions.

They must receive cybersecurity training.

Effective counterinsurgency operations are decentralised, and leaders owe it to their teams to push as many capabilities as possible down to their levels.

However, this must be balanced by ensuring that tactical leaders have the situational intel to make rapid decisions.
