Blurred lines: How counterinsurgent strategies apply to threat hunting
Article by Carbon Black chief cybersecurity officer Tom Kellermann and Carbon Black security strategist Rick McElroy
In Pierce Brown’s Red Rising trilogy, he introduces a military tactic called Iron Rain that can be defined as a mass invasion tactic.
In the real world, Iron Rain has a parallel - as destructive attacks surge, integrity attacks become the nightmare scenario for multinational corporations.
System integrity is paramount.
Successful counterinsurgency operations depend on thoroughly understanding the environments in which they are being conducted.
In most counterinsurgency operations where foreign forces participate, insurgents hold a distinct advantage in their level of local knowledge.
They speak the language, move easily within the society and are more likely to understand the population’s interests.
From a cyber perspective, ‘culture’ lies within network topology, netflow and user behaviour analytics.
Understanding the operational environment allows a counterinsurgent to identify the conditions which impact prerequisites for an insurgency and the root causes driving the population to accept the insurgency.
Only through understanding the operational environment can the counterinsurgent plan and execute successful operations to offset the conditions that allow the insurgency to exist.
Updated network topology diagrams coupled with regular penetration tests and the use of endpoint detection and response give defenders greater situational awareness of the operational environment.
Intelligence drives operations
Effective counterinsurgency operations are shaped by timely, relevant, tailored, predictive, accurate and reliable intelligence, gathered and analysed at the lowest possible level and disseminated throughout the force.
Without accurate and predictive intelligence, it is often better to not act rather than react.
Gaining situational understanding before action is often essential in avoiding long-term damage to objectives.
In environments where commanders do not have situational understanding, the first action they should take is to use forces to gain that understanding or drive to a known state.
Security experts today are dealing with data fatigue.
How do we improve the contextual accuracy of intelligence?
Intelligence can help focus a team’s efforts on what matters while assessing the bigger picture.
Having the right intel can focus a team on the right threats to help better craft their defensive posture.
Human interpretation of data is fundamental.
Reporting by tactical ‘hunt teams’ and IT teams is often more important than reporting by specialised assets.
Learn and adapt
An effective counterinsurgency force lies within an organisation that is constantly learning.
Insurgents connected with other organisations constantly exchange information about their enemy’s vulnerabilities—even with insurgents in distant areas.
However, skilful counterinsurgency forces can adapt at least as fast as insurgents.
Every unit needs to be able to make observations, draw and apply lessons and assess results.
Leaders must develop an effective system to circulate best practices throughout their organisation.
They might also need to seek new policies that authorise or resource necessary changes.
Insurgents shift their locations looking for weak links, so widespread competence is required throughout the counterinsurgency force.
In cyberspace, establishing hunt teams is fundamental to countering a cyber insurgency.
The hunt teams must first develop a threat profile, which helps a hunter know where to prioritise hunting (and ultimately where to start hunting).
Applying streaming analytics to unfiltered data will allow hunters to sort information faster and enable tools to do the team’s target acquisition.
This results in a force multiplier for the threat hunters.
Analytics will predict future attacks via attack origin to survey the attacks’ root cause.
As a result, teams can anticipate and focus on the organisation’s defensive weaknesses.
As the team gels, they should develop rapid-response protocols.
Deciding when to reveal oneself is critical as counterincident response measures and destructive attacks are becoming the norm.
- Assess threat intel from IPs, domains and hashes applied to historical data.
- Query similar threads that are not identical matches in historical data.
- Anomaly detection – requires continuous analysis of unfiltered data from the endpoint.
Threat hunting is most effective when employing both active measures (agents deployed to endpoints), as well as passive measures (netflow, packet capture appliances).
User-entity behaviour analytics must be employed as it is critical to baseline ‘normal’ network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.
Hunters must position themselves on the high ground, as defined by greater situational awareness.
Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data.
From that vantage, one must search for similar threads that are not identical matches in historical data.
Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.
On the battlefield, especially when operating in an environment where insurgency exists, communications will break down.
Time will be a factor.
Individual team members need to be empowered with the right data to make the right decision at the right time.
Ground truth is imperative.
In order to achieve it, everyone on the team must be empowered.
The security team and IT teams must know their environment, know their intel sources and make decisions in the best interest of the organisation.
Often, system administrators and security teams will have the best grasp of their situations, but they require access to, or control of, the resources needed to produce timely intelligence, conduct effective tactical operations and manage intelligence and civil-military operations.
Within a network, system administrators must be empowered to make tactical security decisions.
They must receive cybersecurity training.
Effective counter insurgency operations are decentralised, and leaders owe it to their teams to push as many capabilities as possible down to their levels.
However, this must be balanced by ensuring that tactical leaders have the situational intel to make rapid decisions.