Modern-day cyberattacks keep growing in sophistication and sheer volume. This dynamic makes it virtually impossible to detect and block all attacks using the traditional methods of comparing incoming requests to known attack signatures. To effectively operate in this new aggressive cyberthreat environment, it is paramount that IT operations, developers, and DevSecOps adopt a proactive defense mindset. Threat hunting is all about having that powerfully proactive mindset. The underlying goal of threat hunting is to detect, evaluate, and mitigate threats before they can impact core operational functions.
In this post, we will suggest a methodology of remediating threats based on the technique called Threat Modeling.
From a 1000-foot view, threat hunting methodology is not hard. As with most critical situations, your time is scarce and the information is insufficient. The methodology follows an Assess, Prioritize, Address flow.
It goes something like this:
Let's dive in.
Only one thing about tomorrow is certain: the cybersecurity threat landscape is under siege by a new, more sophisticated and challenging type of attacker than ever before. They are different from previous generations of hackers. New attacks will be stealthier and grow more covert every year. New threat vectors are coming, adding to a growing tally of variants of existing threats. Newer forms of phishing attacks, ransomware, social engineering, and even cryptojacking will proliferate — to name only a few. The key difference in the way attacks are launched, compared with previous years, is in the modus operandi of the new hacker. Sophomoric attacks, like “Smash and Grab” campaigns, are gone. The new cyberattacker is patient and deliberate.
The new cyberattacker takes their time to select a target (or victim) and study it completely for any unknown weaknesses and vulnerabilities. They determine the best possible backdoor through which they can enter their target and stay in for longer periods of time than ever before. If the earlier cyberattacker could be likened to a cat burglar, then the new cyberattacker could be likened to a cartel.
A cyberattacker may not stay in the confines of their target for months on end. They may leave and penetrate it again later via the backdoor that they left ajar. The point is that they now have the ability to go undetected for long periods of time. Rather than trying to take what they want all at once, they bleed their victim bit by bit.
Not all assets are vulnerable to all threats. First, make sure your most critical assets are protected. Implement a classification schema to determine what is most at risk in your existing IT Infrastructure. All assets need to be examined, but use a top-down approach: classify the assets at extremely high risk first, working down to those least at risk.
Determine the identification mechanisms implemented (or planned for implementation) for employees or other parties trying to gain access to shared network resources.
Examples of identity management mechanisms are password managers, two-factor authentication (2FA), and biometrics (like fingerprint or voice recognition).
Evaluate the comprehensiveness of employee awareness and training in security best practices and policies. Everyone in the company plays a role in protecting IT resources — from on-premise use to mobile devices and laptops. Firmly relay the need for compliance and clearly explain the policies surrounding noncompliance or improper use of company resources.
Auditing your security awareness and training should include looking at internal traffic. Check that high-traffic areas are being properly secured and used with appropriate rights and permissions.
The line between work life and personal time blurs in the age of smartphones and remote work. Ensuring that user practices, technology, and companywide policies are aligned is not solely the job of an isolated security team.
Periodic scrutiny of existing security policies that support security awareness and compliance is critical. Check whether security is being enforced. Address any weaknesses. Regular updates should be released, reflecting the current threat environment and organizational needs.
The meat of threat hunting is in auditing the existing IT infrastructure and security architecture. This is, objectively, the most complex part of the assessment and should be the most comprehensive.
A full audit of your existing monitoring tools identifies vulnerabilities and weaknesses. Assessing your security architecture ensures that issues can be identified, that the overall infrastructure has no holes, and that the most efficient solutions and tools for handling the threat landscape are in place.
Part of establishing good protection is ensuring that your security team has an adequate ratio of staffing and resources, including up-to-date monitoring tools and support.
Incorporate security performance evaluations into your threat hunting process. Clearly defining responsibilities, and reviewing the response teams' pain points and places for improvement, can help address shortfalls and vulnerabilities that occur when teams are overextended or underperforming.
Prioritize advances in tools and technology with every threat remediation activity. Newer security tools include incident response features that identify existing and impending threats. They arise from a responsive industry specialization that looks into the consequences and weaknesses that come with technological growth. Attackers exploit weaknesses. Attack prevention is more complete when the technologies in use are as up to date as the current threat environment.
For example, the growth of APIs to keep business responsive to markets demanding rapid CI/CD means stronger protection at the API level (Layer-7 protection) is of new and paramount importance. Technology becomes more specialized as a technological landscape gets bigger.
Conducting a financial audit that aligns with your security audit can ensure critical financial resources are applied in the most cost-effective manner.
Evaluating the security budget and technology doesn’t mean “spend more”. It means evaluating whether money is being spent effectively in relation to the level of security you have. A budget review should evaluate:
It is crucial to question the impact of CI/CD cycles. Rollouts that come at the cost of security can lead to high-cost recovery after an attack or breach.
Dispelling the myth that more security toys are better is also critical. A marketplace of security solutions, or a legacy of them, is not the same as having a fully defended infrastructure. In fact, more solutions piled onto one another can increase the attack surface for a cyberattacker.
Outsourced entities conducting your daily business, accessing your systems, carry risks. Audit hiring practices of third parties that have any potential security risk. Increasing the due diligence around hiring criteria, processes, and background checks can reduce company vulnerability to an inside job. It’s also important that hired third parties, like contractors, are part of security training and awareness.
Once this Risk Assessment has been completed, the next step in any Threat Hunting Remediation exercise is determining exactly what to hunt for and how often to hunt.
After performing a risk assessment, you should have a documented list of the kinds of threats and risks to hunt for. You are now ready to apply the list to one of four threat hunting models.
Cyber Kill Chain is the most popular one to use in threat hunting remediation exercises, so we will take you through this example of threat hunting below. A Cyber Kill Chain threat hunting approach revolves around the sequential way cyberattacks happen. A cyberattacker usually launches a particular threat in a series of phases. Each phase is a point where the cyberattack vector could be mitigated if the right security controls are in place.
Cyberattackers spend time researching their potential target. They determine the target’s weaknesses and vulnerabilities and the most opportune ways in — the most covert backdoor possible.
After identifying the best backdoor possible, the cyberattacker creates a malware weapon to deploy at the target. With newer attacks, these can be harder to identify because they are designed to match target-specific vulnerabilities and weaknesses.
The tailored malware weapon is launched.
The malicious file in the malware weapon is now triggered. By exploiting the target's vulnerabilities and weaknesses, the attack is in position to pursue its aim — be that stealing data, harming software, et cetera.
The malware weapon creates an access point, or backdoor, into the target. Through this access point, the attack is able to further penetrate into the infrastructure.
At this stage, the cyberattacker has their hands on the target and can manipulate it to their own ends.
Once in location and installed, the cyberattacker can start taking action. This is the end of the hack, resulting in the theft of passwords, ransomware, data exfiltration, data leakage, or even the destruction of data.
Now that you've run a risk assessment and chosen a threat hunting model, you can understand which stages in the model represent the most risk and start putting countermeasures in place.
Create a general hypothesis of what you expect to unveil in a threat hunting exercise. These should be easy to determine based on the findings of the risk assessment and application of those findings to the model.
Using our vulnerable network server example, one hypothesis could be: if a fileless attack is launched, it would totally wipe out the memory banks of the network servers and destroy their processing capabilities.
Test hypotheses with all available threat hunting tools. Collect the resulting data for review.
Examine data for any anomalies and malicious patterns in the datasets that have been previously identified.
One method of threat hunting is to use these identified anomalies and malicious activity to reconstruct the tactics, techniques, and procedures (TTPs) employed in cyberattacks. If no anomalies are detected, you can tentatively conclude that no systems have been compromised.
After completing all manually helmed threat hunts with the tools at hand, look to automation. First, determine which steps can be expedited with automated threat hunting tools.
Once you’ve hunted down threats, you have to determine how to resolve them.
If a cyberattack is detected, determine where it is in its lifecycle. That will determine your next course of action. For example, if malicious patterns and anomalies show a cyberattack is in its beginning stages, your incident response team can handle the threat before it does damage.
If no threat is detected, you can start the threat hunting planning cycle again for a new exercise.
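As an added example, not code from the original post: a small Python hunt that turns two hypotheses into concrete checks, runs them over constructed endpoint telemetry, and places each host's confirmed findings on the Cyber Kill Chain so the response matches the lifecycle stage, as the steps above describe. The stage names follow the Lockheed Martin Cyber Kill Chain; the telemetry, host names, addresses, thresholds and the two hypotheses themselves (an Office application spawning a script host within a minute; evenly spaced repeated connections to one remote endpoint) are assumptions made for the example.

```python
"""Added example (not from the original post): test hunt hypotheses against
constructed endpoint telemetry and place findings on the Cyber Kill Chain."""
from datetime import datetime, timedelta

# Lockheed Martin Cyber Kill Chain, in attack order (index = how far along).
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry: (timestamp, host, event_type, detail). Not real data.
TELEMETRY = [
    ("2024-05-01T09:00:00", "ws-01", "process_start", "outlook.exe"),
    ("2024-05-01T09:02:10", "ws-01", "process_start", "winword.exe"),
    ("2024-05-01T09:02:15", "ws-01", "process_start", "powershell.exe -nop -w hidden"),
    ("2024-05-01T09:03:00", "ws-01", "network_connect", "203.0.113.7:443"),
    ("2024-05-01T09:04:00", "ws-01", "network_connect", "203.0.113.7:443"),
    ("2024-05-01T09:05:00", "ws-01", "network_connect", "203.0.113.7:443"),
    ("2024-05-01T09:06:00", "ws-01", "network_connect", "203.0.113.7:443"),
    ("2024-05-01T10:00:00", "ws-02", "process_start", "excel.exe"),
    ("2024-05-01T10:30:00", "ws-02", "process_start", "powershell.exe Get-Help"),
    ("2024-05-01T10:31:00", "ws-02", "network_connect", "198.51.100.10:443"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def hunt_office_to_script(events, window=timedelta(seconds=60)):
    """Hypothesis 1 (assumed): an Office application followed within `window`
    by a script host on the same host suggests document-borne exploitation."""
    findings, last_office = [], {}
    for ts, host, etype, detail in sorted(events):
        if etype != "process_start":
            continue
        image, when = detail.split()[0].lower(), _ts(ts)
        if image in OFFICE_APPS:
            last_office[host] = when
        elif (image in SCRIPT_HOSTS and host in last_office
              and when - last_office[host] <= window):
            findings.append((host, "exploitation", ts))
    return findings


def hunt_beaconing(events, min_connections=4, max_jitter=timedelta(seconds=5)):
    """Hypothesis 2 (assumed): repeated connections from one host to one remote
    endpoint at near-constant intervals look like command-and-control beaconing."""
    conns = {}
    for ts, host, etype, detail in sorted(events):
        if etype == "network_connect":
            conns.setdefault((host, detail), []).append(_ts(ts))
    findings = []
    for (host, remote), times in conns.items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            findings.append((host, "command_and_control", times[0].isoformat()))
    return findings


def lifecycle_position(findings):
    """Furthest kill-chain stage reached per host; it decides the response,
    since every earlier stage has already been passed."""
    furthest = {}
    for host, stage, _ in findings:
        furthest[host] = max(furthest.get(host, -1), KILL_CHAIN.index(stage))
    return {host: KILL_CHAIN[i] for host, i in furthest.items()}


def response_for(stage):
    """Before installation the attack can still be blocked and the endpoint
    isolated; from installation onward a foothold exists."""
    if KILL_CHAIN.index(stage) < KILL_CHAIN.index("installation"):
        return "contain"        # block delivery / isolate before a foothold
    return "assume_compromise"  # full incident response and scoping


def run_hunt(events=TELEMETRY):
    """Run both hypotheses and map each affected host to (stage, action)."""
    findings = hunt_office_to_script(events) + hunt_beaconing(events)
    return {host: (stage, response_for(stage))
            for host, stage in lifecycle_position(findings).items()}


if __name__ == "__main__":
    for host, (stage, action) in run_hunt().items():
        print(f"{host}: furthest stage={stage}, action={action}")
```

On the constructed data, ws-02 is not reported: its script host starts half an hour after Excel and it makes a single outbound connection, so neither hypothesis is confirmed, which is the point of tying each check to a window and a threshold rather than to the presence of a process name alone.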
Each threat hunting remediation exercise should be followed by a post-game evaluation to determine whether it was successful. Establish realistic, data-driven metrics that measure real indicators of success around threats, like the turnaround time for responding to incidents.
Examples of security performance metrics to track are:
Monitoring the volume of incidents by severity establishes a running tally of the total number of previously known and unknown incidents.
Over time, this provides context as to how well security defenses are working.
A running tally of the total number of compromised hosts in the IT Infrastructure is an especially useful metric when threat hunting with endpoint security tools. It is highly effective at revealing misconfigured settings.
Dwell time shows how long discovered security threats were active in your IT Infrastructure. Dwell time has three areas that add detail and insight:
These various times allow you to evaluate where remediation resources should be put or fixes should be made to technology, processes, or teams.
This is the total number of vulnerabilities discovered based on the hunting exercises being conducted.
The total number of identified and corrected insecure IT practices allows for internal measures that quickly improve security health. Left unaddressed, insecure practices can accidentally leave a backdoor open for future attacks.
False Positive Rate of Transitioned Hunts
Automation is critical to reducing the rate of false positives. Not only is it a waste of your security team's time to tune manually, but it is impossible to sort through high, repetitive numbers of false positives. Unaddressed volumes of false positives create too much noise around identifying real threats and vulnerabilities. There is no foreseeable time when data is going to slow down or lighten, so adding automation is key to keeping pace with security needs.
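The metrics listed above, computed over a constructed set of incident records as an added example (not code from the original post). The record fields, the split of dwell time into time to detect, time to contain and time to remediate, and the treatment of analyst-rejected automated hunts as false positives are assumptions made for the example; the post itself does not name the three dwell-time components.

```python
"""Added example, not from the original post: computing post-hunt metrics
(incidents by severity, compromised hosts, dwell time, false positive rate)
over a constructed set of incident records."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed incident records; every value below is made up for illustration.
# `origin` is the hunt that raised the incident (manual or automated),
# `confirmed` is the analyst's verdict, timestamps are ISO 8601.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "host": "ws-01", "origin": "manual",
     "confirmed": True, "first_activity": "2024-05-01T09:00:00",
     "detected": "2024-05-03T15:00:00", "contained": "2024-05-03T17:30:00",
     "remediated": "2024-05-05T09:30:00"},
    {"id": "INC-2", "severity": "medium", "host": "srv-db-02", "origin": "automated",
     "confirmed": True, "first_activity": "2024-05-02T01:00:00",
     "detected": "2024-05-02T01:06:00", "contained": "2024-05-02T02:06:00",
     "remediated": "2024-05-02T09:06:00"},
    {"id": "INC-3", "severity": "low", "host": "ws-07", "origin": "automated",
     "confirmed": False},  # analyst rejected: automated false positive
    {"id": "INC-4", "severity": "high", "host": "ws-01", "origin": "automated",
     "confirmed": True, "first_activity": "2024-05-10T08:00:00",
     "detected": "2024-05-10T20:00:00", "contained": "2024-05-11T08:00:00",
     "remediated": "2024-05-12T08:00:00"},
    {"id": "INC-5", "severity": "medium", "host": "ws-09", "origin": "automated",
     "confirmed": False},  # analyst rejected: automated false positive
]

SECONDS_PER_HOUR = 3600.0


def _hours_between(start, end):
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / SECONDS_PER_HOUR


def incidents_by_severity(records):
    """Running tally of confirmed incidents per severity level."""
    return dict(Counter(r["severity"] for r in records if r["confirmed"]))


def compromised_hosts(records):
    """Distinct hosts with at least one confirmed incident; a host that
    recurs (ws-01 here) is a candidate for a lingering misconfiguration."""
    return sorted({r["host"] for r in records if r["confirmed"]})


def dwell_time_breakdown(records):
    """Per confirmed incident, three components of dwell time in hours:
    time to detect (first activity to detection), time to contain, and time
    to remediate. This three-way split is an assumption for the example."""
    out = {}
    for r in records:
        if r["confirmed"]:
            out[r["id"]] = {
                "detect": _hours_between(r["first_activity"], r["detected"]),
                "contain": _hours_between(r["detected"], r["contained"]),
                "remediate": _hours_between(r["contained"], r["remediated"]),
            }
    return out


def mean_dwell_hours(records):
    """Average of each dwell-time component, the figure to track over time."""
    parts = list(dwell_time_breakdown(records).values())
    return {k: round(mean(p[k] for p in parts), 2)
            for k in ("detect", "contain", "remediate")}


def false_positive_rate(records, origin="automated"):
    """Share of hunts from `origin` that analysts rejected; the metric to
    watch once a manual hunt has been transitioned to automation."""
    hunts = [r for r in records if r["origin"] == origin]
    if not hunts:
        return 0.0
    return sum(1 for r in hunts if not r["confirmed"]) / len(hunts)


def metrics_report(records=INCIDENTS):
    """All four metrics in one dictionary, ready for a post-game review."""
    return {
        "incidents_by_severity": incidents_by_severity(records),
        "compromised_hosts": compromised_hosts(records),
        "mean_dwell_hours": mean_dwell_hours(records),
        "automated_false_positive_rate": false_positive_rate(records, "automated"),
    }


if __name__ == "__main__":
    for name, value in metrics_report().items():
        print(f"{name}: {value}")
```

Keeping the three dwell-time components separate is what makes the numbers actionable: a long time to detect points at monitoring coverage, a long time to contain at the response team's process or staffing, and a long time to remediate at change management, which are different places to spend the next round of budget.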
There are several steps in applying risk assessment results to the model to prepare for starting threat hunting activities.
The exact frequency will be limited by the available resources. However, it’s critical to do different threat detection tests as often as possible.