
Blurred lines: How counterinsurgent strategies apply to threat hunting

15 Aug 2018

Article by Carbon Black chief cybersecurity officer Tom Kellermann and Carbon Black security strategist Rick McElroy

Pierce Brown’s Red Rising trilogy introduces a military tactic called Iron Rain, which can be defined as a mass invasion tactic.

In the real world, Iron Rain has a parallel: as destructive attacks surge, integrity attacks become the nightmare scenario for multinational corporations.

System integrity is paramount.

Successful counterinsurgency operations depend on thoroughly understanding the environments in which they are being conducted.

In most counterinsurgency operations where foreign forces participate, insurgents hold a distinct advantage in their level of local knowledge.

They speak the language, move easily within the society and are more likely to understand the population’s interests.

From a cyber perspective, ‘culture’ lies within network topology, netflow and user behaviour analytics.

Understanding the operational environment allows a counterinsurgent to identify the conditions which impact prerequisites for an insurgency and the root causes driving the population to accept the insurgency.

Only through understanding the operational environment can the counterinsurgent plan and execute successful operations to offset the conditions that allow the insurgency to exist.

Updated network topology diagrams coupled with regular penetration tests and the use of endpoint detection and response give defenders greater situational awareness of the operational environment.                                         

Intelligence drives operations                                  

Effective counterinsurgency operations are shaped by timely, relevant, tailored, predictive, accurate and reliable intelligence, gathered and analysed at the lowest possible level and disseminated throughout the force.

Without accurate and predictive intelligence, it is often better to not act rather than react.

Gaining situational understanding before action is often essential in avoiding long-term damage to objectives.

In environments where commanders do not have situational understanding, the first action they should take is to use forces to gain that understanding or drive to a known state. 

Security experts today are dealing with data fatigue.

How do we improve the contextual accuracy of intelligence?

Intelligence can help focus a team’s efforts on what matters while assessing the bigger picture.

Having the right intel can focus a team on the right threats to help better craft their defensive posture.                            

Human interpretation of data is fundamental.

Reporting by tactical ‘hunt teams’ and IT teams is often more important than reporting by specialised assets.

Learn and adapt                         

An effective counterinsurgency force lies within an organisation that is constantly learning.

Insurgents connected with other organisations constantly exchange information about their enemy’s vulnerabilities—even with insurgents in distant areas.

However, skilful counterinsurgency forces can adapt at least as fast as insurgents.

Every unit needs to be able to make observations, draw and apply lessons and assess results.

Leaders must develop an effective system to circulate best practices throughout their organisation.

They might also need to seek new policies that authorise or resource necessary changes.

Insurgents shift their locations looking for weak links, so widespread competence is required throughout the counterinsurgency force.

In cyberspace, establishing hunt teams is fundamental to countering a cyber insurgency.

The hunt teams must first develop a threat profile, which helps a hunter know where to prioritise hunting (and ultimately where to start hunting).

Applying streaming analytics to unfiltered data will allow hunters to sort information faster and enable tools to do the team’s target acquisition.

This results in a force multiplier for the threat hunters.

Analytics help predict future attacks by tracing an attack’s origin back to its root cause.

As a result, teams can anticipate and focus on the organisation’s defensive weaknesses.

As the team gels, they should develop rapid-response protocols.

Deciding when to reveal oneself is critical, as counter-incident-response measures and destructive attacks are becoming the norm.

  • Assess threat intel from IPs, domains and hashes applied to historical data.
  • Query similar threads that are not identical matches in historical data.
  • Anomaly detection – requires continuous analysis of unfiltered data from the endpoint.

Threat hunting is most effective when it employs both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances).

User-entity behaviour analytics must be employed as it is critical to baseline ‘normal’ network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait. 

Hunters must position themselves on the high ground, as defined by greater situational awareness.

Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data.

From that vantage, one must search for similar threads that are not identical matches in historical data.

Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.     
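The three hunt steps listed earlier and restated here (intel applied to historical data, near-match queries, anomaly detection against a fleet baseline) as an added Python example; this is not code from the article or from Carbon Black, and the telemetry, IOC values, hostnames and process names are constructed placeholders.

```python
from difflib import SequenceMatcher

# Constructed threat intel a hunt team might receive (placeholder IOCs).
INTEL = {
    "ips": {"203.0.113.7"},
    "domains": {"update-cdn.example"},
    "hashes": {"a1" * 32},
}

HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05"]
# Constructed benign baseline: every host runs the browser and svchost.
EVENTS = [{"host": h, "proc": p, "sha256": s, "ip": "198.51.100.4", "domain": "news.example"}
          for h in HOSTS for p, s in (("chrome.exe", "b2" * 32), ("svchost.exe", "c3" * 32))]
# Constructed suspicious events mixed into the same history.
EVENTS += [
    {"host": "ws03", "proc": "chrome.exe", "sha256": "b2" * 32, "ip": "203.0.113.7", "domain": "update-cdn.example"},
    {"host": "ws04", "proc": "chrome.exe", "sha256": "b2" * 32, "ip": "198.51.100.9", "domain": "update-cdn2.example"},
    {"host": "ws05", "proc": "rundll32.exe", "sha256": "a1" * 32, "ip": "198.51.100.9", "domain": "news.example"},
    {"host": "ws02", "proc": "mshta.exe", "sha256": "d4" * 32, "ip": "198.51.100.9", "domain": "news.example"},
]

def exact_ioc_hits(events, intel):
    """Step 1: apply intel (IPs, domains, hashes) to historical data; exact matches only."""
    hits = []
    for e in events:
        reasons = [k for k, field in (("ips", "ip"), ("domains", "domain"), ("hashes", "sha256"))
                   if e[field] in intel[k]]
        if reasons:
            hits.append((e["host"], reasons))
    return hits

def similar_domain_hits(events, intel, threshold=0.8):
    """Step 2: query near matches (look-alike domains) that are not identical to the intel."""
    hits = []
    for e in events:
        for d in intel["domains"]:
            if e["domain"] != d and SequenceMatcher(None, e["domain"], d).ratio() >= threshold:
                hits.append((e["host"], e["domain"], d))
    return hits

def rare_process_hits(events, max_hosts=1):
    """Step 3: baseline which processes run across the fleet and flag those seen on few hosts."""
    hosts_per_proc = {}
    for e in events:
        hosts_per_proc.setdefault(e["proc"], set()).add(e["host"])
    rare = {p for p, hs in hosts_per_proc.items() if len(hs) <= max_hosts}
    return sorted((e["host"], e["proc"]) for e in events if e["proc"] in rare)
```

Each function returns the hosts a hunter would triage next, so the three passes can be run as one sweep over the same unfiltered history.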

On the battlefield, especially when operating in an environment where insurgency exists, communications will break down.

Time will be a factor.

Individual team members need to be empowered with the right data to make the right decision at the right time.

Ground truth is imperative. 

In order to achieve it, everyone on the team must be empowered.

The security team and IT teams must know their environment, know their intel sources and make decisions in the best interest of the organisation.

Often, system administrators and security teams will have the best grasp of their situations, but they require access to, or control of, the resources needed to produce timely intelligence, conduct effective tactical operations and manage intelligence and civil-military operations.

Within a network, system administrators must be empowered to make tactical security decisions.

They must receive cybersecurity training.

Effective counterinsurgency operations are decentralised, and leaders owe it to their teams to push as many capabilities as possible down to their levels.

However, this must be balanced by ensuring that tactical leaders have the situational intel to make rapid decisions.
