As the Chief Cybersecurity Officer for Carbon Black, I am witnessing a brave new world in cyberspace. Global cyber insurgencies continue unabated, with reports of wide-scale data breaches and politically motivated hacking arriving quickly and often. Personal data and financial information are regularly hijacked. The energy sector is increasingly exposed, with the recent cyberattack on the Energy Services Group (ESG) knocking systems offline.
Here at Carbon Black we firmly believe that decreasing the dwell time of these insurgencies is imperative in 2018. To achieve this goal, organisations must embrace the threat hunt. The extradition of the elite Russian cybercriminal Nikulin illustrates the calibre of adversary involved. He had been an influential member of the Russian cyber-militia for close to a decade, and he leveraged his expertise beyond monetary gain to pay homage to the regime as a politically motivated hacker.
It is crucial that every organisation sets up a threat hunt team. The team must be multidisciplinary, with experience in digital forensics and penetration testing. These teams must think like chess players while possessing deep knowledge of geopolitics (understanding the motivation for a cyberattack is paramount).
It is equally important to assemble operators who understand that identifying an active compromise on the network requires not only technical tooling (endpoint monitoring, passive network monitoring, memory analysis), but also current knowledge of exploits, vulnerabilities, threat actor methodology, and tactics, techniques and procedures (TTPs).
Firstly, your organisation must develop a threat profile. This tells a hunter where to prioritise hunting (and, in practice, where to start). Secondly, you must apply streaming analytics to unfiltered data. This lets hunters sort information faster and lets the tooling do target acquisition for the team, acting as a force multiplier for your hunters. Applied to attack origin and root cause, the same analytics help anticipate where the next attack is likely to land, so teams can focus on the organisation's defensive weaknesses.
As your team gels, you can then develop rapid-response protocols. Deciding when to reveal to the adversary that they have been detected is critical, because counter-incident-response measures and destructive attacks are becoming the norm. To uphold the security of your organisation through effective threat hunting, the team should undertake the following steps:
- Assess threat intel (IPs, domains and hashes) against historical data.
- Query historical data for similar, not just identical, patterns.
- Detect anomalies through continuous analysis of unfiltered data from the endpoint.
A threat hunt is most effective when it employs both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances). User and entity behaviour analytics (UEBA) must be employed, because baselining "normal" network and host behaviour is critical to a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.
A hunter must take the "high ground", defined by greater situational awareness. Specifically, the hunter must apply threat intel on IPs, domains and hashes to historical data. From that vantage, the hunter must search historical data for similar patterns that are not identical matches. Successful anomaly detection then requires continuous analysis of unfiltered data from the endpoint.
Stage I: Go historical – take in tactical threat intel (domains, hashes and IPs) and be able to search the last 30 days of data for it. Hash values have low false positive rates but are trivial for an attacker to change; domains and IPs are more durable but can produce a large number of false positives.
Stage II: Move up the pyramid of pain – shift the threat-intel language from atomic indicators toward TTPs (actions or behaviours), which are far costlier for an adversary to change. Time is a critical component.
Stage III: Move to anomaly-based hunting – algorithmic threat hunting that looks for changes in behaviour rather than similarity to what has previously been seen.
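The three steps listed earlier and the three stages above, carried through on a handful of endpoint process events, as an added example (this is illustrative code, not Carbon Black's product or tooling). The event schema, the IOC feed, the two TTP rules and the "seen on exactly one host" rarity rule are all assumptions made for the example; the hosts, hashes, domains and IPs are constructed, using documentation ranges:

```python
"""Three-stage threat hunt over constructed endpoint telemetry.

Added example, not Carbon Black's code: the event schema, the IOC feed, the
TTP rules and the rarity threshold are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2018, 3, 1, 12, 0, 0)  # fixed "now" so the example is reproducible

# Stage I input: tactical threat intel (hypothetical hashes, domains, IPs).
IOC_HASHES = {"c9f5e2b1" * 8: "known dropper"}            # 64-char sha256
IOC_DOMAINS = {"cdn-update.example": "C2 beacon domain"}
IOC_IPS = {"203.0.113.10": "C2 address (TEST-NET-3 range)"}

# Stage II input: behavioural rules (TTPs) that survive hash/domain/IP rotation.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -enc / -ec / -EncodedCommand followed by a space; a real rule would parse the
# command line properly instead of substring-matching.
ENCODED_PS = re.compile(r"\s-e(nc|ncodedcommand|c)\s", re.IGNORECASE)
TTP_RULES = {
    "office_spawns_shell": lambda e: e["parent"] in OFFICE and e["proc"] in SHELLS,
    "encoded_powershell": lambda e: e["proc"] == "powershell.exe"
    and ENCODED_PS.search(e["cmdline"]) is not None,
}


def ev(days_ago, host, user, parent, proc, sha256="", domain="", ip="", cmdline=""):
    """Build one constructed endpoint process event."""
    return {"ts": NOW - timedelta(days=days_ago), "host": host, "user": user,
            "parent": parent, "proc": proc, "sha256": sha256,
            "domain": domain, "ip": ip, "cmdline": cmdline}


# Constructed telemetry from a three-host fleet (hypothetical hosts and hashes).
EVENTS = [
    ev(1, "ws01", "alice", "explorer.exe", "chrome.exe", "aa" * 32, "intranet.example"),
    ev(1, "ws02", "bob", "explorer.exe", "chrome.exe", "aa" * 32, "intranet.example"),
    ev(2, "ws03", "carol", "explorer.exe", "chrome.exe", "aa" * 32, "intranet.example"),
    ev(2, "ws01", "alice", "explorer.exe", "winword.exe", "bb" * 32),
    ev(3, "ws02", "bob", "explorer.exe", "winword.exe", "bb" * 32),
    ev(6, "ws03", "carol", "explorer.exe", "powershell.exe", "dd" * 32,
       cmdline="powershell.exe -File backup.ps1"),          # benign, scheduled
    # Known-bad hash dropped by Word, inside the 30-day window (Stage I hit).
    ev(5, "ws02", "bob", "winword.exe", "svchosts.exe", "c9f5e2b1" * 8),
    # Word spawning encoded PowerShell that beacons to a known C2 (Stage I and II hits).
    ev(4, "ws01", "alice", "winword.exe", "powershell.exe", "dd" * 32,
       "cdn-update.example", "203.0.113.10",
       "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # Same known-bad hash, but 45 days old: outside the Stage I lookback.
    ev(45, "ws03", "carol", "explorer.exe", "svchosts.exe", "c9f5e2b1" * 8),
    # No intel on this binary at all; it just exists on one host and nowhere else.
    ev(3, "ws03", "carol", "services.exe", "updater.exe", "ee" * 32),
]


def stage1_ioc_matches(events, now=NOW, lookback_days=30):
    """Exact IOC matches (hash, domain, IP) against the last `lookback_days`."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for e in events:
        if e["ts"] < cutoff:
            continue                                  # older than the lookback window
        for kind, feed, key in (("hash", IOC_HASHES, "sha256"),
                                ("domain", IOC_DOMAINS, "domain"),
                                ("ip", IOC_IPS, "ip")):
            if e[key] in feed:
                hits.append((e, kind, feed[e[key]]))
    return hits


def stage2_ttp_matches(events):
    """Behavioural matches: similar to what intel described, not identical."""
    return [(e, name) for e in events for name, rule in TTP_RULES.items() if rule(e)]


def stage3_rare_processes(events, min_fleet=3):
    """Anomaly signal: (process, hash) pairs present on exactly one host.

    Fleet prevalence is a cheap baseline of "normal"; it is meaningless on a
    fleet smaller than `min_fleet`, so the function returns nothing in that case.
    """
    hosts_for = defaultdict(set)
    for e in events:
        hosts_for[(e["proc"], e["sha256"])].add(e["host"])
    if len({e["host"] for e in events}) < min_fleet:
        return []
    return [e for e in events if len(hosts_for[(e["proc"], e["sha256"])]) == 1]


def run_hunt(events):
    """Run all three stages and return the hosts each stage implicates."""
    return {
        "stage1_ioc": sorted({e["host"] for e, _, _ in stage1_ioc_matches(events)}),
        "stage2_ttp": sorted({e["host"] for e, _ in stage2_ttp_matches(events)}),
        "stage3_anomaly": sorted({e["host"] for e in stage3_rare_processes(events)}),
    }


if __name__ == "__main__":
    for stage, hosts in run_hunt(EVENTS).items():
        print(f"{stage:15s} -> {hosts}")
```

Note what each stage does and does not catch on this data: Stage I finds ws01 and ws02 but ignores the 45-day-old copy of the same dropper on ws03; Stage II finds ws01 from behaviour alone, and would keep finding it after the adversary rotates the hash, domain and IP; Stage III flags ws03's single-host binary, for which no intel exists, but does not flag the dropper, because it is present on two hosts and therefore looks "normal" by prevalence. The stages are complementary, which is why the hunt runs all three.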
Threat hunt teams should identify the users with the highest levels of access to the network's "crown jewels" and deploy deception grids around those users and their hosts. It is important to remember that static defences without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy threat hunting.