Hunting for Security Threats
You need to protect your information resources. You install firewalls and session border controllers to block intrusions. You perform analysis of the behavior of people and systems to determine if breaches have occurred. These are all important measures to take, but have you ever considered hunting for threats rather than trying to deal with them as they occur?
The global median time for a security breach to be discovered has reduced from 146 days in 2015 to 99 days 2016 -- a major improvement. But this still leaves 99 days of vulnerability. A recent report on cyber attack trends from Mandiant, a FireEye company, covers threats to various industries on a global scale. One portion of the report that I found particularly interesting is a discussion of threat intelligence.
Defensive detection and incident response are necessary for security. A business has to assume that a breach will occur in its infrastructure and/or the organization itself. Businesses need to focus on hunting threats and developing accurate and factual answers to whether a breach as occurred. Threat intelligence is another element that provides a proactive security condition that supports threat hunting. Threat intelligence offers organizations a means to develop and maintain a baseline of threat profiles. A threat profile is a data-driven technique that alerts organizations and their security teams to who, what, where, when, and how attacks will most likely occur.
Migrating from Reactive to Proactive Defenses
Cyber threat intelligence (CTI) is starting to emerge and take a prominent role within security operations. CTI is being leveraged through analysis of malicious network trends, analysis of threats affecting an organization's vertical market, organizations operating in similar global locations and/or carrying similar assets, or a hybrid of all of these. The threat analysis enables more efficient tactical operations in terms of hunting, identifying, prioritizing, and responding to threats. The graphic below from the report outlines the intelligence flow.
Threat Profile -- This is the baseline of the relevant threats received by an organization, which includes what activities are occurring, the access targeted, and visibility into the operations.
Threat Modeling -- This is understanding the attacker's capabilities relative to your organization. The idea is to increase the measures that can be taken to improve the defensive posture as it is linked to the organization's concerns. This leads into the defense planning.
Tactical Prioritization Schemes -- The threat profile provides a clear picture of the threats with the highest impact. This leads into three areas: automated workflows, responsive efficiency, and hunt planning.
At this time, threat hunting is a human-focused process where security staff searches through data to locate evidence of a breach. Threat hunting is different than alert-driven investigations. A human, not an automated system, generates the breach leads to pursue.
The Mandiant report attributes the increase in hunting operations taking place at organizations to three things: the evolution of opportunistic attacks, enhanced security operation center visibility, and a collective experience increase amongst practitioners.
Threat actors are humans and exhibit behavioral patterns that can be used to identify the origin of the breach, identify the attacker, and determine the motivations, methods, or toolset used. Through these correlations, actionable data that can be used to identify, respond to, and prevent future attacks.
Attacker techniques can be hard to identify because of their reliance on compromising legitimate user accounts. These techniques are focused on gaining entry and avoiding the use of malware. Traditional detection mechanisms that are typically performed by computers can easily fail at detecting these techniques. Unfortunately there can be a number of false positive alerts, so a human-centric approach is required.
Threat hunting offers the capability to detect these scenarios. Threat analysts can perform manual searches and aggregations comparing data to known normal activities in order to locate intruders based on attributes such as the time of day or the expected user behavior -- for example, if the user logs into multiple machines at an unusual hour. Advanced security organizations should invest in threat hunting. Traditional machine-centric detection tools don't work effectively when these scenarios occur.
Threat hunting has become accessible to less experienced analysts as training and tools have become available. The report observed "an increase in the number of talent acquisition requests for threat hunting expertise from security mature organizations." More resumes now claim to have threat hunting experience. Threat hunting is a skill where the training and education markets are meeting this demand.