
Make the pre-emptive strike against cyberattacks with threat hunting

23 Jul 18

Enterprise organisations up to speed on the current cyber threat landscape know that it’s not a matter of if they will be breached, but when.

Most solutions available in the market are reactive point solutions, and companies are increasingly looking for a proactive approach that can stop attacks before damage is done.

In a 2018 survey of 461 cybersecurity professionals, Crowd Research Partners found that respondents spent much more time (60% of the time) reactively investigating security incidents through activities such as alert triage than they spent proactively seeking out threats (only 40% of the time).

As such, organisations with mature security operations are starting to implement formalised threat hunting teams.

Threat hunting starts with the assumption that bad actors have already breached perimeter defences and are operating inside the environment.

The goal is to proactively detect malicious activity by forming hypotheses about how attackers may have penetrated defences, which systems are compromised, and what data they may have accessed.

However, it can be difficult to execute without the ability to mine network traffic within a realistic timeframe to return useful results.

Highly accurate, highly fresh data is critical for detecting and disrupting active attack activities.

Real-time network traffic analytics (NTA) can generate authoritative, indexed and complete data to serve as a trusted source of information and a high-fidelity starting point for threat hunting. With a high-confidence indicator that malicious actors are active, hunters can “pull the thread” to uncover related activities, intended activities, and opportunities for interception and containment.

The challenge today has been gaining real-time visibility into post-compromise or late-stage attack activities. By that stage attackers have bypassed (and usually deactivated) endpoint detections and disguised their actions as normal traffic to pass through firewalls without triggering alerts. Detections raised by IDS/IPS and SIEMs arrive too slowly, or are drowned out by alert volume, to gain attention. However, threat hunters have a new option for gaining visibility and starting points for their hunting based on observed network activity.

ExtraHop Reveal(x) collects raw network traffic and mines it in real time at 100 Gbps per appliance, automatically discovering client and server assets and distilling petabytes of traffic per day into manageable, meaningful, structured and indexed data.

The ExtraHop platform performs two critical roles in threat hunting: automated threat detection and active hunting by security operators.

The real-time approach feeds advanced behavioural analytics that produce high-confidence detections. These findings are based on authoritative network data and link directly to the transaction records and relationships that let security teams find and explore suspicious activity and behaviours efficiently and in good time. The platform also surfaces irregularities immediately, giving hunters candidates worth investigating. Optional matching against external threat intelligence lets hunters leverage industry research on emerging and known threat indicators.

The comprehensive dataset created by the ExtraHop platform is available to security operators in an intuitive, visual user interface with a flexible workflow, allowing different teams or individuals to optimise the platform according to their needs.

This intuitive user interface also has a low learning curve, allowing new operators to be effective in a short period of time with minimal training, especially valuable to security teams with high turnover rates.

Automated threat detection

ExtraHop Reveal(x) utilises machine learning to continuously monitor all critical assets for security anomalies. These behaviour-based alerts do not require any configuration by security teams.

The ExtraHop platform builds baselines for new devices as soon as they are discovered by the system, providing continuous and complete coverage for dynamic environments.

Automatic anomaly detection provides security teams with a better understanding of what is abnormal in an environment, even if they may not have deep familiarity with specific applications.

These anomalies serve as effective incident investigation start points, include context to help staff determine the level of severity of the event, and provide paths to guide an operator into the detailed metrics and transactions which characterise the anomaly.

Active hunting

ExtraHop is also used as an interactive detection platform by security teams within networks that are suspected of being actively compromised or containing payloads associated with advanced persistent threats.

Data analysed by Reveal(x) can be explored using natural-language search to uncover asset types, groups, user activities, IP interactions, and the other pivot points that hunters commonly use. In addition, the live activity map shows relationships between devices. Metrics and time-based searches also help hunters track down and contextualise suspicious events as part of the attack sequence.
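To make the baseline-then-pivot workflow described in the automated detection and active hunting sections concrete, here is an added illustration (not ExtraHop's code or output) that learns per-device peer baselines from constructed connection records, flags new peers as hunt starting points, tests a beaconing hypothesis on their timing, and pivots to everything the flagged host touched. The record layout, the learning window and the 5-second regularity tolerance are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed connection records in a wire-data style (not ExtraHop output):
# (timestamp, client, server, server_port, bytes_out)
RECORDS = [
    ("2018-07-23T09:00:00", "10.0.1.5", "10.0.2.10", 443, 1200),
    ("2018-07-23T09:01:00", "10.0.1.5", "10.0.2.10", 443, 900),
    ("2018-07-23T09:02:00", "10.0.1.7", "10.0.2.11", 445, 3000),
    ("2018-07-23T10:00:00", "10.0.1.7", "10.0.2.11", 445, 100),   # known peer: not flagged
    ("2018-07-23T10:00:00", "10.0.1.5", "203.0.113.9", 443, 500),  # new external peer
    ("2018-07-23T10:05:00", "10.0.1.5", "203.0.113.9", 443, 500),
    ("2018-07-23T10:10:00", "10.0.1.5", "203.0.113.9", 443, 500),
    ("2018-07-23T10:15:00", "10.0.1.5", "203.0.113.9", 443, 500),
    ("2018-07-23T10:20:00", "10.0.1.5", "10.0.2.11", 445, 4000),   # new internal peer (SMB)
]
LEARN_UNTIL = "2018-07-23T09:30:00"  # assumed end of the baseline-learning window

def build_baseline(records, learn_until=LEARN_UNTIL):
    """Per client device: the (server, port) pairs seen while the baseline was learned."""
    base = defaultdict(set)
    for ts, client, server, port, _ in records:
        if ts < learn_until:  # ISO-8601 strings of equal format compare chronologically
            base[client].add((server, port))
    return base

def new_peers(records, baseline, learn_until=LEARN_UNTIL):
    """Anomaly: a client contacting a (server, port) absent from its own baseline."""
    hits = defaultdict(list)
    for ts, client, server, port, _ in records:
        if ts >= learn_until and (server, port) not in baseline[client]:
            hits[(client, server, port)].append(ts)
    return dict(hits)

def looks_periodic(timestamps, tolerance_s=5.0):
    """Hunt hypothesis: evenly spaced connections suggest automated check-ins, not a user."""
    if len(timestamps) < 3:
        return False
    t = [datetime.fromisoformat(x) for x in timestamps]
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return max(gaps) - min(gaps) <= tolerance_s

def pivot(records, host):
    """Pull the thread: every (server, port) the flagged host touched, for follow-up review."""
    return sorted({(s, p) for _, c, s, p, _ in records if c == host})

def hunt(records=RECORDS):
    """Baseline -> anomaly -> hypothesis: flagged (client, server, port) triples with a verdict."""
    base = build_baseline(records)
    return {k: ("periodic" if looks_periodic(v) else "new peer")
            for k, v in new_peers(records, base).items()}
```

In a real deployment the baseline would be learned continuously per device, as the article describes, rather than from a fixed window; the structure of the hunt is the same.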

Threat hunting is an emerging practice born out of a need to detect more sophisticated threats that evade perimeter defences and passive monitoring. Wire data is an unbiased, real-time source of situational intelligence that has not been previously made available to cyber protection teams. The ExtraHop platform unlocks the value of wire data and greatly increases the level of visibility for threat hunting efforts.

You can see the interface below:
