Attackers are ahead of the game: Cyber-attacks these days are no longer executed just to prove technical prowess and cause disruption, but to monetize the spoils of the attack. Product companies, security firms and CISOs do respond to the growing cyber threat by actively releasing a slew of patches, new cyber defense products, and increased/advanced SIEM use cases. Yet the attackers always seem to be one step ahead of the game in the cyber security world.
This technical superiority is to a large extent attributable to a huge underground marketplace on the dark web that sells “do-it-yourself hack kits” or “professional hackers on hire” who operate without geographical boundaries and offer non-conventional payment options such as bitcoins to evade the gaze of law enforcement authorities.
Current chinks in the cyber detection and defense armor
In order to achieve a reasonable amount of resilience, it is vital to resolve chinks in the armor. One of the key chinks is limited use of the SIEM (Security Information & Event Management). While the SIEM is the heart of SOC operations, it also has limitations and challenges for a CISO to manage. The capabilities of the SIEM, though reasonably strong, are difficult to leverage on account of various challenges, some of which are outlined below:
- Cost-prohibitive charging structure (EPS based) – limits the number of use cases that can be created
- Static infrastructure sizing – leads to performance issues when more sources of data are configured for ingestion and analysis
- Lack of SIEM platform-specific talent – limits how far the SIEM can be optimized to boost its attack detection ability
The above factors are a roadblock for every CISO’s need to enhance detection capability from a larger attack surface. In this age of attackers’ quickly evolving attack and cyber defense evasion techniques, such limitations leave the organization susceptible to advanced attacks.
Threat Hunting: What is it?
In the above scenario, and with the pace of attacks increasing, organizations are looking towards the use of big data analytics for threat detection. Threat hunting is the proactive detection of threats (before they materialize into an attack) by analyzing network flows, packets and logs for anomalies and known indicators of attacks.
Though threat hunting is the buzz phrase in most cyber security circles, the key to a successful threat hunting program is to be clear on the following strong foundational principles:
- Get the hunting plane right: locking in on the relevant threat surface to track
- Build ability to hunt at scale: Ability to leverage tools to analyze large volumes of relevant data to decipher threat indicators from the non-relevant network noise
Starting the hunt
The key to getting the right start to the threat hunting program is to carry out the following:
Understand what threat to detect?
- The kinds of threats that are most likely to hit your crown jewels
- The potential cyber kill chain sequences the threat actors would follow across your IT landscape
- Building a strong hypothesis to detect such attacks
Decide what threat indicator to hunt for?
Key inputs to threat hunting campaigns are:
- Past attacks and TTPs based on learnings from attacks on other companies
- External threat intelligence (which needs to be contextualized)
- Internal intelligence
- Event and traffic flow anomalies
- Critical entity behavior anomalies
Start small
The advent of big data based threat hunting platforms leads to a tendency to boil the ocean, which usually results in a large false positive base. The key to a strong start is to begin with small hunt campaigns and then gradually migrate to larger, complex hunt campaigns. Some small campaigns around detecting potential indicators such as the following can be a good starting point:
- Anomalous tunnels
- Network beaconing
- Internal reconnaissance
- Large data uploads
- Outbound traffic to C&C/Dark web sites
- Privilege escalations
- Pass the hash
- Unusual DNS requests
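A small hunt campaign for one of the indicators above, network beaconing, can be as simple as the following sketch. It is an added example, not code from the authors: the flow records, the addresses and the min_flows and max_jitter thresholds are all constructed assumptions to be tuned against your own traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, bytes_out).
# Addresses are from documentation ranges; none come from the article.
FLOWS = (
    # Host .10 calls out every ~60 s with small, near-identical payloads.
    [(1000 + 60 * i + j, "10.0.0.10", "203.0.113.5", 310 + j)
     for i, j in enumerate([0, 1, -1, 2, 0, -2, 1, 0])]
    # Host .20 browses at irregular intervals.
    + [(t, "10.0.0.20", "198.51.100.7", b)
       for t, b in [(1003, 900), (1010, 15000), (1200, 420),
                    (1215, 88000), (1900, 1300), (1904, 700)]]
    # Host .30 has too few flows to judge.
    + [(1100, "10.0.0.30", "203.0.113.9", 500),
       (1160, "10.0.0.30", "203.0.113.9", 500)]
)

def find_beacons(flows, min_flows=6, max_jitter=0.10):
    """Return (src, dst, mean_interval, jitter) for pairs whose
    inter-arrival times are nearly constant (low coefficient of variation)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue  # small samples look perfectly regular: false positives
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(FLOWS):
        print(f"{src} -> {dst}: every ~{interval}s, jitter {jitter}")
```

Lowering min_flows to 2 makes the two-flow host appear as a perfect beacon, which is the false positive growth the paragraph above warns about when a campaign is scoped too loosely.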
Refine Threat Models and hypothesis
As hunting activities progress and maturity increases, the hunt hypothesis must be adapted/modified/upgraded based on the deep understanding gained during the hunt process. This activity ensures hunt campaigns are tuned to context and reduces false positives.
Automating hunting process
A key outcome expected out of hunting is automating threat hunting. While automation will bring down the mean time for detection, organizations would do well to start the journey by automating routine traffic signal based detection campaigns and then moving on to automating complex hunt scenarios which may require use of ML/AI models. While certain hunt scenarios can be automated, a good amount of hunt parameters need to be executed manually.
Conclusion
While organizations start up their hunting programs, it is vital to remember that hunt campaigns are more skill driven than tool driven. The hunt campaigns at the start generate more noise than news but tend to even out with great insights as the function matures, so it’s wise for teams not to give up the initiative in the starting days. Lastly, it’s key to note that threat hunting is not a one-time static activity; it should be a continuous program that is ever evolving and business context relevant for providing true value to the CISO and business as a whole.
Co-authored by:
Sandeep Gupta, Managing Director-Technology Consulting, Protiviti India Member Firm
Prashant Bhat, Managing Director - Cyber Security & Privacy, Protiviti India Member Firm