Cyber threat hunting

Last updated

Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." [1] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat. [2] [3] Threat analyst Lesley Carhart stated that there is no consensus amongst practitioners what threat hunting actually entails. [4]

Contents

Methodologies

Overview

Recently, the world has seen a rise in the number and severity of cyber attacks, data breaches, malware infections, and online fraud incidents. According to cyber security and ai company SonicWall, the number of ransomware attacks grew by 105% globally. Major corporations around the world have fallen victim to high-profile data breaches, with the average cost of a data breach now estimated at $4.24 million, according to IBM. [5]

Cyber threat hunting Methodologies

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, lateral movement by threat actors. [6] To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus, hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis.

The analysts research their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model [7] expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy or tactics, techniques and procedures (TTPs) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses. [8] [9] SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels. [10]

Indicators

There are two types of indicators:

  1. Indicator of compromise - An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is done by looking inward at your own data from transaction logs and or SIEM data. Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyberattack process.
  2. Indicator of Concern - Using Open-source intelligence (OSINT), data can be collected from publicly available sources to be used for cyberattack detection and threat hunting.

Tactics, Techniques and Procedures (TTPs)

The SANS Institute identifies a threat hunting maturity model as follows: [11]

Dwell Time

The dwell time either indicates the entire span of a security incident (initial compromise until detection and full cleanup) or the 'mean time to detect' (from initial compromise until detection). According to the 2022 Mandiant M-Trends Report, cyberattackers operate undetected for an average of 21 days (a 79% reduction, compared to 2016), but this varies greatly by region. [12] Per Mandiant, the dwell time [13] can be as low as 17 days (in the Americas) or as high as 48 days (in EMEA). [12] The study also showed that 47% of attacks are discovered only after notification from an external party.

Example Reports

Example Threat Hunting

Threat Hunting Methodologies

Inside the Network Perimeter

Outside the Network Perimeter

See also

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.

<span class="mw-page-title-main">SANS Institute</span> American security company

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like "Where am I most vulnerable to attack?", "What are the most relevant threats?", and "What do I need to do to safeguard against these threats?".

Proactive cyber defense, means acting in anticipation to oppose an attack through cyber and cognitive domains. Proactive cyber defense can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

In computer security, a threat is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.

<span class="mw-page-title-main">Information security operations center</span> Facility where enterprise information systems are monitored, assessed, and defended

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Mandiant, Inc. is an American cybersecurity firm and a subsidiary of Google. Mandiant received attention in February 2013 when it released a report directly implicating China in cyber espionage. In December 2013, Mandiant was acquired by FireEye for $1 billion, who eventually sold the FireEye product line, name, and its employees to Symphony Technology Group for $1.2 billion in June 2021.

Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor. Malware or malicious software is any computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies. Malware may include software that gathers user information without permission.

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow compliance to standards.

Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats. It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain all security measures will continue to be effective after implementation.

Deception technology is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology seeks to deceive an attacker, detect them, and then defeat them.

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" to mitigate malicious cyber threats.

Cybersecurity engineering is a tech discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.

ANY.RUN is a cybersecurity company that provides an interactive malware analysis sandbox and threat intelligence services for real-time analysis and investigations of malware and phishing threats. The platform is designed for use by cybersecurity professionals, researchers, and IT specialists, providing tools for interactive analysis of malicious software and behavior and threat intelligence services.

References

  1. "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic". TechRepublic. Retrieved 2016-06-07.
  2. "MITRE Kill Chain" . Retrieved 2020-08-27.
  3. "Threat Intelligence Platform on War Against Cybercriminals" . Retrieved 2019-02-17.
  4. Carhart, Lesley. "OT Threat Hunting: More Critical Than Ever". SANS Institute . Retrieved 2024-11-22.
  5. "The Future of Cyber Security and AI: Protecting Your Digital World". Blue Big Data. Retrieved October 13, 2023.
  6. "Cyber Threat Intelligence (CTI) in a Nutshell". Medium.com. Retrieved 2020-07-27.
  7. Stillions, Ryan (2014). "The DML Model". Ryan Stillions security blog.
  8. Bianco, David (2014-01-17). "The Pyramid of Pain". detect-respond.blogspot.com. Retrieved 2023-07-01.
  9. Bianco, David. "The Pyramid of Pain". SANS Institute. Retrieved 2023-07-01.
  10. Bromander, Siri (2016). "Semantic Cyberthreat Modelling" (PDF). Semantic Technology for Intelligence, Defense and Security (STIDS 2016).
  11. Lee, Robert. "The Who, What, Where, When and How of Effective Threat Hunting". SANS Institute. Retrieved 29 May 2018.
  12. In the Mandiant M-Trends report, dwell time "is calculated as the number of days an attacker is present in a victim environment before they are detected", which corresponds to the 'mean time to detect'.