The rise of cyber hunting
Kristin Lovejoy, president, Acuity Solutions
Organizations across all industries need to change their mindset in how they approach security. Last year, according to an M-Trends report, it took an average of 205 days for a company to detect a breach, with 69 percent of respondents learning about it from a third party and 31 percent discovering it themselves. Clearly, companies need to get better at detecting and investigating malicious activity, as a single breach could cause irrefutable damage, including an average financial loss of $3.79 million as well as a hit to their brand and reputation.
Instead of waiting to find out about a breach and then spending months investigating, companies need to become proactive to quickly figure out where the threats are within their environment and eradicate them before they can cause impact. They can achieve this by dedicating part of their response team to actively hunting on an ongoing basis. Companies need to employ these cyber hunters to find trails of malicious activity within the network that bypass traditional AV and post-analyzer tools. Ideally, 80 percent of the team should be hunting and 20 percent responding.
So why are few companies today taking action to more rapidly investigate and contain threats when they recognize that the majority of new malware is unique to their organization? Because cyber hunting is a process that can be intensely manual and time consuming. However, there have been advances in machine learning and automation that can help reduce time spent investigating a breach from months to minutes.
Leading organizations are now adopting machine-learning-based technologies...
Let's take a look at the four steps that need to be taken and some best practices to conduct a successful cyber hunting mission:
Build a baseline: To be an effective cyber hunter you need to know your own environment in terms of identifying and assessing critical assets. You're going to hunt for attackers in the areas in or from which they can actually do some harm. It's also important to understand the trigger events – like disclosure of an acquisition, divestiture or launch of new business line or geographic entity. These activities can act as magnets for adversaries who are looking for soft targets.
Map the kill chain: You need to understand what tactics, techniques and procedures (TTPs) adversaries will use to come after you. These TTPs can be used to tune the technologies used to detect attacks.
Actively hunt: To actively hunt for the attackers, start by running detection technologies (tuned to recognize TTPs) that look to the network to see if there is any anomalous activity. In addition to network-based analysis, look to “beachheads” – the endpoints – that are potential vectors for bad actors to move laterally. Consider using additional techniques to draw out the enemy, such as honeypots and un-scheduled administrative password changes. In the case of trigger events which you know may draw an attack, monitor key network segments or hosts.
Obviously, this phase of the cyber hunting mission is not exactly efficient if done manually. Organizations tend to use a number of signature-based capabilities to identify “know knowns.” Leading organizations are now adopting machine-learning-based technologies to close the gap. Machine learning not only drives a more accurate search-and-discovery process by enabling better identification and analysis of known and unknowns (i.e., zero day and polymorphic malware) across more traffic, but it can also learn from its environment and re-train onboard analytics to recognize events and anomalies specific to a given company or environment. Over time, this increases the fidelity of detection activities and creates an instance of a detection engine that can't be reverse engineered.
Investigate and respond: While the process for incident investigation is generally well known and often practiced, there are new technologies associated with hunting and response platforms that allow for more efficient inspection and triage of threats. New technologies can package logs, PCAP files, post-secondary analyzer (sandbox) results, relevant threat intelligence feeds and detection engine results into a “forensic package” that can be used to enable analysis and drive action via connections to tools within your existing infrastructure – like your SIEM or next-generation firewall. Finally – and this should go without saying – once you've eradicated the attackers, deploy any necessary countermeasures and then continuously monitor and improve on an ongoing basis.
The rise of cyber hunting as a security operations function will help organizations detect threats faster, with more accuracy, and to respond before they can cause harm.
Kristin Lovejoy is the president of Acuity Solutions.