sb-nz logo
Story image

How to make attackers’ lives harder with effective threat hunting

30 Nov 2017

In today’s threat landscape, modern security teams recognise that compromise is unavoidable, but this doesn’t mean that a breach should be inevitable as well. In fact, the majority of threats can be avoided if organisations have good cyber hygiene practices such as regular patching, upgrades, and having the right people and processes in place. But it is also important that threat hunting is in an organisation’s cybersecurity strategy and culture.

So how can organisations learn to be more proactive rather than reactive and how can we change the culture if we set up a threat hunting capability within our Security Operations Centers (SOC)?

I believe that threat hunting means proactively searching through data. We’ve been doing this on the network for a long time using network analysis tools, but these new attacks have caused a contextual problem: there are leaks and evasion techniques that bypass tools.

For example, sandboxing was big, but I believe that in two years sandboxing won’t provide any value and won’t be an effective control, because the bad guys understand it. Threat hunting can be used as a powerful tool not only to detect malicious behaviour missed by other security measures, but also to drive a deeper understanding of how malicious software, actor tools, and behaviours work.

Threat intelligence is also a valuable weapon when combined with retrospective analysis, allowing the hunter to uncover previously unknown indicators in historical data. With detailed and complete knowledge, an intelligent strategy can be implemented to proactively detect, respond to, or prevent attacks.

Today’s next gen SOC needs to be able to fuse together external threat feeds with the knowledge the security team has about their own environment and end users. The good news is that you don’t need big budgets to undertake threat hunting and equip the SOC with a more proactive approach, you can start simple. Below are a number of pointers to consider:

Change the mindset of your SOC.  Get them to think like a detective. They don’t need to look at all the endpoints; threat hunting doesn’t need to start with an all-encompassing approach. The security team could just look at a particular incident. The website: Threathunting.net provides all kinds of open source process scripts to find information and is a good place to start for free.

Centralise your data.  The SOC needs to centralise all its data – SIEMS, logs, tools etc. – needs to be consolidated and correlated. In particular, look at the mean time-to-detect and mean time-to-respond – these are the two key metrics that matter.

Recognise that this is a process issue.  Security teams should not only centralise their data but also activate directory logs, e-detection and response tools. They should consolidate what they have and, where possible, get rid of technical debt and normalise their environment from the endpoint to the network.

Think through use cases. List out a couple of strategic projects to start. Provide the team with a data set. For example, pick an endpoint, pick a network, or pick a small data centre.

View this as an agile, iterative process. Get the team to come back with problems. Prove the model and then show how you can now do the job faster. Once you have done a hunt four or five times the team will start to adopt hunting behaviour.

Allocate time for threat hunting. Look strategically at time because it is an issue. The security team should review the low value security activities that they undertake and reallocate that time. This means saying no to some activities that have low value.

Show the value of threat hunting. If you want the organisation to adopt a threat hunting culture you need to be able to show the return on investment (ROI) on your recommendation. “I’m saving XX dollars by performing this activity, so we won’t have to go out and buy YY more technology.”

Over time, the security team needs to perform these tasks faster, to move at the speed of the attacker. Likewise, they need to consider the people, process, then technology. And finally, to threat hunt successfully, you need a team that is interested and incentivised to do threat hunting, so make sure they are rewarded in the right way.

Once the organisation has a simple approach in place then it is all about replicating this so that it can perform threat hunting tasks faster each time. And this is where technology comes in as the organisation looks to scale its threat hunting capabilities and automate. Orchestration and automation are the next steps in building out the threat hunting capability of a progressive SOC.

Article by Rick McElroy, security strategist, Carbon Black.

Story image
ConnectWise launches bug bounty program to bolster cybersecurity strategy
“Crowdsourcing in this way represents a solid additional layer of security, and we clearly value the community's expertise and participation in helping us keep our products secure."More
Story image
Is cyber deception the latest SOC 'game changer'?
Cyber deception reduces data breach costs by more than 51% and Security Operations Centre (SOC) inefficiencies by 32%, according to a new research report by Attivo Networks and Kevin Fiscus of Deceptive Defense.More
Story image
SecOps opens new Cyber Defence Operations Centre in Auckland
Privacy Commissioner John Edwards officially opened the centre this week, recognising SecOps’ efforts to provide managed security services to New Zealand businesses.More
Story image
Exabeam and Code42 partner up to launch insider threat solution
The solution will give customers a fuller picture of their environment, and will leverage automated incident response to obstruct insider threat before data loss occurs.More
Story image
75% of IT execs 'worried' about being targeted in cyber-attack
A new report from ConnectWise has shed light on the widespread concern about cyber-attacks, with 91% of SMB executives considering a move to an MSP if it provided the 'right' solution.More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More