Successful threat hunting requires curation & collaboration

05 Aug 2019

Article by ThreatQuotient APJC regional director Anthony Stitt.

Many organisations are harnessing the benefits of technology to enhance their business, yet the reality is that their systems are often compromised as a result. This has become both normal and expected, as should be the process of detecting and removing these compromises, otherwise known as ‘threat hunting’. Without this crucial capability, compromised systems escalate into breaches when attackers are left to infiltrate and operate freely. 

Data breach costs continue to rise each year: the latest Ponemon study found the average cost of a data breach up 6.4% to $3.38 million. Mean-time-to-detection (MTTD) has also risen to 197 days, up from 191. The faster attackers can be found and removed, the lower the risk that a compromise escalates into a full-blown breach.

The 2018 SANS Incident Response Survey found that threat hunting is now one of the top three improvements to incident response that organisations plan to make within the next year. Frameworks like the Targeted Hunting integrating Threat Intelligence methodology are emerging from concerned and motivated communities. MITRE ATT&CK is also growing in popularity as a framework, because it describes the tactics, techniques and procedures (TTPs) that attackers use.

The positive news is that many organisations already have the technology required for threat hunting, with SIEMs and threat intelligence as a starting point. A malware sandbox is another useful addition, as it lets an organisation generate its own threat intelligence from suspicious files, and Endpoint Detection and Response (EDR) tools make it convenient to search across many endpoints.

Threat hunting is often as straightforward as using threat intelligence to search logs for indicators of compromise (IoCs). Threat intelligence typically comes from external sources, with numerous free and paid threat intelligence services available, including from antivirus vendors. However, a rich area for threat hunting that many organisations overlook is their own intelligence from attacks they have seen or managed.

Employees are frequently labelled as one of the main infection vectors because they open files and click on malicious links, yet these same end users are also adept at spotting scam and phishing emails. Providing a place for employees to send these emails, so that threat indicators can be extracted from them, yields a highly relevant source of threat intelligence. Whether it be malware files, URLs, email addresses or keywords, these can all be used to check whether other staff are being targeted.

A mature threat hunting capability should automate the process of collecting intelligence and searching for atomic IoCs, like discrete IP addresses, domains and file hashes. Unfortunately, security teams are challenged by high volumes of logs from every system within their information and communications technology (ICT) infrastructure. Even a modest threat intelligence program has millions of indicators from commercial and open sources, industry groups and security vendors.

Without prioritisation and contextualisation this becomes a further distraction for security teams. Understanding what is important to your organization is crucial to effective prioritization and allows the focus to be on investigating high-risk indicators.

To help with prioritisation, many threat intelligence providers publish ‘global’ risk scores based on their own research, visibility and proprietary methods. However, what is valid for one company may not be relevant to another. An organisation should have its own prioritisation process based on contextual parameters like industry, geography and business to reduce noise and improve effectiveness.
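As an added illustration (not code from the article or from ThreatQuotient), a small Python routine that re-scores a provider's ‘global’ score against an organisation's own context; the organisation profile, the weights and every indicator value are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical organisation profile (assumption, not from the article).
ORG = {"industry": "finance", "geography": "AU"}
TODAY = date(2019, 8, 5)

@dataclass
class Indicator:
    value: str
    kind: str                      # atomic IoC type: "ip", "domain" or "hash"
    global_score: int              # provider-published 0-100 score
    industries: set = field(default_factory=set)   # sectors the provider saw targeted
    geographies: set = field(default_factory=set)  # regions the provider saw targeted
    internal_sighting: bool = False  # seen in our own incidents or reported emails
    last_seen: date = date(2019, 8, 1)

def local_priority(ind: Indicator, org: dict = ORG, today: date = TODAY) -> int:
    """Re-score a provider's global score against our own context (weights are illustrative)."""
    score = ind.global_score
    if org["industry"] in ind.industries:
        score += 20            # targets our sector
    if org["geography"] in ind.geographies:
        score += 10            # targets our region
    if ind.internal_sighting:
        score += 30            # our own intelligence outranks any external feed
    if (today - ind.last_seen).days > 90:
        score -= 25            # stale infrastructure is often recycled or sinkholed
    return max(0, min(100, score))

def prioritise(indicators: list, threshold: int = 70) -> list:
    """Return only indicators worth a hunt, highest local priority first."""
    ranked = sorted(indicators, key=local_priority, reverse=True)
    return [i for i in ranked if local_priority(i) >= threshold]

# Constructed sample feed: documentation-range IP, placeholder domain and hash, not real IoCs.
SAMPLE_FEED = [
    Indicator("203.0.113.10", "ip", 90, {"retail"}, {"US"}, last_seen=date(2019, 3, 1)),
    Indicator("invoice-portal.example", "domain", 40, {"finance"}, {"AU"}, internal_sighting=True),
    Indicator("0123456789abcdef" * 4, "hash", 75, {"finance"}, last_seen=date(2019, 7, 20)),
]

if __name__ == "__main__":
    for ind in prioritise(SAMPLE_FEED):
        print(local_priority(ind), ind.kind, ind.value)
```

Note that the highly rated but stale, off-sector IP drops below the hunt threshold while the low-scored domain seen in the organisation's own reported emails rises to the top.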

Frameworks like MITRE ATT&CK describe threat actor TTPs, although detecting them is not as straightforward as detecting atomic indicators. TTPs can only be inferred from atomic indicators, so threat hunting benefits from an extra initial step, where a hypothesis about an attacker is formulated. For instance, MITRE defines a malicious spearphishing attachment as a technique to gain initial access. The hypothesis could surmise that any employee spearphished with an email containing a malicious attachment is only one of many under attack.

The threat hunt could then focus on taking a known spearphishing attempt and searching for any other staff affected by the same or similar attacks. In this virtuous cycle, a TTP is inferred from a known attack, atomic indicators are extracted from it, and those indicators drive a search across the organisation. Forcing attackers to change TTPs imposes a significantly higher cost on them and may cause them to lose interest and move on from your business.
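The pivot described above, as an added Python example that is not from the article: atomic indicators are extracted from one employee-reported spearphish and used to search mail-gateway records for other recipients of the same or a similar email. The log records, addresses, domains and hashes are constructed placeholders, and the subject-similarity threshold is an assumption.

```python
import json
import re

# Constructed mail-gateway records (one JSON object per line); domains and hashes are placeholders.
MAIL_LOG = """
{"rcpt":"alice@corp.example","from":"payroll@invoice-portal.example","subject":"Updated payroll statement Q3","attach_sha256":"aaaa1111"}
{"rcpt":"bob@corp.example","from":"payroll@invoice-portal.example","subject":"Updated payroll statement Q3","attach_sha256":"aaaa1111"}
{"rcpt":"carol@corp.example","from":"hr@invoice-portal.example","subject":"Payroll statement Q3 - updated","attach_sha256":"bbbb2222"}
{"rcpt":"dave@corp.example","from":"news@vendor.example","subject":"August newsletter","attach_sha256":null}
{"rcpt":"erin@corp.example","from":"it@corp.example","subject":"Q3 payroll statement available","attach_sha256":null}
"""

def tokens(subject: str) -> set:
    return set(re.findall(r"[a-z0-9]+", subject.lower()))

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def extract_indicators(seed: dict) -> dict:
    # Atomic indicators pulled from the one spearphish an employee reported (the hunt's seed).
    return {
        "sender": seed["from"],
        "sender_domain": seed["from"].split("@")[1],
        "hash": seed["attach_sha256"],
        "subject_tokens": tokens(seed["subject"]),
    }

def hunt(seed: dict, log_text: str, subject_threshold: float = 0.5) -> dict:
    """Map each other recipient hit by the same or a similar email to the reasons it matched."""
    ioc = extract_indicators(seed)
    hits = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["rcpt"] == seed["rcpt"]:
            continue                                   # the already-known victim
        reasons = []
        if ev["from"] == ioc["sender"]:
            reasons.append("sender")                   # identical atomic indicator
        elif ev["from"].split("@")[1] == ioc["sender_domain"]:
            reasons.append("sender-domain")            # same infrastructure, different mailbox
        if ev["attach_sha256"] and ev["attach_sha256"] == ioc["hash"]:
            reasons.append("attachment-hash")
        if jaccard(tokens(ev["subject"]), ioc["subject_tokens"]) >= subject_threshold:
            reasons.append("subject")                  # similar lure: a weaker lead to triage
        if reasons:
            hits[ev["rcpt"]] = reasons
    return hits

def run_hunt() -> dict:
    seed = json.loads(MAIL_LOG.strip().splitlines()[0])   # the email alice reported
    return hunt(seed, MAIL_LOG)
```

A subject-only match such as the internal payroll notice is a lead for an analyst to triage, not a confirmed victim; the reasons list lets the team rank hits by how many atomic indicators they share with the seed.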

Attacks may span multiple systems, which means analysts must be able to conduct investigations collaboratively. Traditionally, this has been difficult and time-consuming to initiate in practice because teams and tools are often siloed. This is especially problematic in an emergency, where gaps between functional groups slow an investigation. Teams need a physical or virtual collaboration space to work together, as even in the calmer environment of a threat hunt, employees from different groups will likely need to coordinate with one another.

The intelligence gathered from external sources such as sandbox samples, reports, suspect emails and threat hunting missions ultimately piles up over time. With the right processes and systems, this can become a library, where everything is catalogued and cross-referenced, rather than a cluttered mess.

Spreadsheets, ticketing systems, emails and document management systems are all ways to control this information, but the challenge is doing so at speed and scale. A dedicated system designed to collect, catalogue, curate and automate threat intelligence is a natural solution for any threat hunting team looking to improve its effectiveness.

By working together, security teams can pinpoint adversary TTPs to find malicious activity, reducing MTTD and the impact of an attack. Teams will also have the benefit of seeing colleagues’ work, which can be turned into best practice or knowledge to accelerate parallel investigations. Threat hunting should be a continuous process, with new data and learnings constantly added to this library, and intelligence re-evaluated or re-prioritised to support proactive threat hunting. 

Threat hunting is fast becoming a crucial pillar of security operations. The right platform will offer the automation and collaboration teams require to move faster through the threat hunting process and reduce the cost of a data breach. 
