Story image

How to make attackers’ lives harder with effective threat hunting

30 Nov 2017

In today’s threat landscape, modern security teams recognise that compromise is unavoidable, but this doesn’t mean that a breach should be inevitable as well. In fact, the majority of threats can be avoided if organisations have good cyber hygiene practices such as regular patching, upgrades, and having the right people and processes in place. But it is also important that threat hunting is in an organisation’s cybersecurity strategy and culture.

So how can organisations learn to be more proactive rather than reactive and how can we change the culture if we set up a threat hunting capability within our Security Operations Centers (SOC)?

I believe that threat hunting means proactively searching through data. We’ve been doing this on the network for a long time using network analysis tools, but these new attacks have caused a contextual problem: there are leaks and evasion techniques that bypass tools.

For example, sandboxing was big, but I believe that in two years sandboxing won’t provide any value and won’t be an effective control, because the bad guys understand it. Threat hunting can be used as a powerful tool not only to detect malicious behaviour missed by other security measures, but also to drive a deeper understanding of how malicious software, actor tools, and behaviours work.

Threat intelligence is also a valuable weapon when combined with retrospective analysis, allowing the hunter to uncover previously unknown indicators in historical data. With detailed and complete knowledge, an intelligent strategy can be implemented to proactively detect, respond to, or prevent attacks.

Today’s next gen SOC needs to be able to fuse together external threat feeds with the knowledge the security team has about their own environment and end users. The good news is that you don’t need big budgets to undertake threat hunting and equip the SOC with a more proactive approach, you can start simple. Below are a number of pointers to consider:

Change the mindset of your SOC.  Get them to think like a detective. They don’t need to look at all the endpoints; threat hunting doesn’t need to start with an all-encompassing approach. The security team could just look at a particular incident. The website: Threathunting.net provides all kinds of open source process scripts to find information and is a good place to start for free.

Centralise your data.  The SOC needs to centralise all its data – SIEMS, logs, tools etc. – needs to be consolidated and correlated. In particular, look at the mean time-to-detect and mean time-to-respond – these are the two key metrics that matter.

Recognise that this is a process issue.  Security teams should not only centralise their data but also activate directory logs, e-detection and response tools. They should consolidate what they have and, where possible, get rid of technical debt and normalise their environment from the endpoint to the network.

Think through use cases. List out a couple of strategic projects to start. Provide the team with a data set. For example, pick an endpoint, pick a network, or pick a small data centre.

View this as an agile, iterative process. Get the team to come back with problems. Prove the model and then show how you can now do the job faster. Once you have done a hunt four or five times the team will start to adopt hunting behaviour.

Allocate time for threat hunting. Look strategically at time because it is an issue. The security team should review the low value security activities that they undertake and reallocate that time. This means saying no to some activities that have low value.

Show the value of threat hunting. If you want the organisation to adopt a threat hunting culture you need to be able to show the return on investment (ROI) on your recommendation. “I’m saving XX dollars by performing this activity, so we won’t have to go out and buy YY more technology.”

Over time, the security team needs to perform these tasks faster, to move at the speed of the attacker. Likewise, they need to consider the people, process, then technology. And finally, to threat hunt successfully, you need a team that is interested and incentivised to do threat hunting, so make sure they are rewarded in the right way.

Once the organisation has a simple approach in place then it is all about replicating this so that it can perform threat hunting tasks faster each time. And this is where technology comes in as the organisation looks to scale its threat hunting capabilities and automate. Orchestration and automation are the next steps in building out the threat hunting capability of a progressive SOC.

Article by Rick McElroy, security strategist, Carbon Black.

Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Singapore firm to launch borderless open data sharing platform
Singapore-based Ocean Protocol, a decentralised data exchange that promotes data sharing, has revealed details of what could be the kickstart to a global and borderless data economy.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Barracuda expands MSP security offerings with RMM acquisition
Managed Workplace delivers an RMM platform with security tools and services, such as site security assessments, Office 365 account management, and integrated third-party antivirus.
Flashpoint: APAC companies must factor geopolitics in cyber strategies
The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC.
Expert offers password tips to aid a stress-free sleep
For many cybersecurity professionals, the worries of the day often crawl into night-time routines - LogMeIn says better password practices can help.
SolarWinds extends database anomaly detection
As organisations continue their transition from purely on-premises operations into both private and public cloud infrastructures, adapting their IT monitoring and management capabilities can pose a significant challenge.
Adura launches new SOC and MSP in Singapore
The new SOC focuses on the needs of businesses to gain insight into their organization’s security posture and increase their ability to react promptly.