What a brave new world! As global cyber insurgencies continue unabated, it is essential to decrease dwell time, and in order to achieve this goal we must embrace the hunt.
Every organisation should stand up a threat hunt team. The team must be multi-disciplinary with experience in e-forensics and penetration testing. These teams must play chess while possessing deep knowledge of geopolitics (understanding the motivation for a cyber attack is paramount.)
It is also paramount to assemble a team of operators who understand that the solution to identifying an active compromise on the network requires knowledge of both technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), and knowledge of current exploits, vulnerabilities, threat actor methodology and TTPs.
First develop a threat profile. This will help a hunter to know where to prioritise hunting (and ultimately where to start hunting). Then apply streaming analytics to unfiltered data, which will allow hunters to sort information faster and enable tools to do the target acquisition for the team.
This results in a force multiplier to the hunters. Analytics will predict future attacks via attack origin to survey the root cause of attacks, and as a result teams can anticipate and focus on the organisation's defensive weaknesses.
As the team gels, develop rapid-response protocols. Deciding when to reveal oneself is critical as counter incident response measures and destructive attacks are becoming the norm. Key defensive measures include:
1. Assess threat intel from IPs, domains and hashes applied to historical data.
2. Query similar threads that are not identical matches in historical data.
3. Anomaly detection - requires continuous analysis of unfiltered data from the endpoint.
A threat hunt is most effective when employing both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances). User-entity behaviour analytics must be employed as it is critical to baseline 'normal' network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.
Hunters must position themselves on the high ground, which is defined by greater situational awareness. Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data. From that vantage one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.
Stage I: Go Historical. Take in tactical threat intel of domains, hashes and IPs and be able to search the past 30 days. Hash values may have low false positive rates but they are easy for an attacker to change. Domains and IPs may have a ton of false positives.
Stage II: Move up the pyramid of pain. Change the threat-intel language to move toward TTPs. (action or behaviour). Time is a critical component.
Stage III: Move to anomaly based hunting. Algorithmic threat hunting; changes in behaviour versus similarities to previously seen.
Hunters should evaluate users with higher levels of access to a network's 'crown jewels' and subsequently deploy deception grids around these users and hosts. Remember, static defences without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy hunting.