RSA Conference 2021-Many organizations that have implemented cyber threat hunting have not reaped all the benefits, either because they lacked the required skills or because they did not fully incorporate it into their cyber security plan.
Tim Bandos, CISO and Vice President of Managed Security Services at Digital Guardian, said common mistakes companies make include underestimating the time required and failing to obtain top-down support. Bandos hosted a conference on best practices for threat protection at this week’s RSA Conference.
Bandos said: “Threat detection is a key component of the overall cyber security strategy, whether it is done internally or through a managed service provider.” Without waiting for an event to happen, threat hunting provides a way for organizations to set traps and monitor the environment. Look for suspicious activities to actively discover potential problems. He said: “But unless it is a formal part of your plan, you will not succeed.”
In recent years, there has been a growing interest in proactively looking for threats to stay ahead of new and emerging threats. Security researchers describe it as providing a way for organizations to try to detect threats that may have passed or bypassed intrusion detection and prevention controls. The idea of threat hunting is to assume that a violation has occurred, and then use the same techniques that the attacker may have used to track all the different ways that may have occurred. The point is not just to focus on known threats, but to discover new threats.
Gartner has previously described cyber threat hunting as very useful, especially for organizations that have maximized their alert classification, detection and response processes, and are seeking to further improve their security status.
Bandos said that threat hunting is something that organizations need to continue to use MITRE’s ATT&CK framework and other resources as a starting point. The framework provides different techniques and sub-technologies that threat actors usually use as part of the attack chain. Security teams can learn a lot by searching for signs of any technology used to enable or obfuscate malicious activity in their environment. He said: “You can actually study one of these technologies in depth throughout the week,” he said.
Similarly, organizations can filter from the logs in their endpoint environment, or they can profile all accounts that may have been created in the past week, and separate legitimate accounts from potentially more suspicious accounts to learn a lot.
Successful threat hunting requires an understanding of new and emerging attacker strategies, techniques, and procedures. Similarly, this also requires them to be willing to constantly look back on old technologies, because attackers tend to stick to tactics that they are familiar with and have worked for them.
In order to conduct effective threat hunting, security teams need to have reliable data sources, such as security information and event management systems with centralized logs from multiple sources. Even logs from individual environments (such as endpoint detection and response, antivirus tools, network and data loss prevention (DLP) systems) are sufficient for threat hunting. Once the data source is defined, threat hunters need to use different techniques to search for the data source.
For example, the goal might be to look for signs of credential dumps in the environment. He said: “You want to summarize all the threat intelligence about credential dumping procedures and commands, and build a manual around the logs that you will actively look for.” The same method can be applied to each of the different types listed in frameworks such as MITER ATT&CK. Attack technique.
He said: “I will first focus on a specific technology, and then explode from there to a point where specific artifacts can be collected from every endpoint in the environment, and then search for this data.” “That’s when you start to improve in threat hunting Functions in space.” As an example, he pointed out the application compatibility cache stored on all computers. The cache contains records of all processes running on a particular computer. The organization can only conduct the entire hunting activity around this data source.
The right combination of skills
To do this, threat hunters need a solid understanding of security architecture, asset security, application security, and other basic knowledge. They also need a certain level of incident response skills, including log analysis, malware analysis, forensics, and threat intelligence processing. In addition, according to Bandos, threat hunters must be analytical, patient and ruthless. He said that this job can be tedious, and people who don’t have the right attitude will quickly get frustrated.
One challenge of threat hunting is to measure success. Sometimes it is not clear that nothing happened in the threat search exercise, because the exercise itself was not carried out correctly, or because there was actually nothing to reveal. Especially in smaller environments, threat hunters usually may not discover any new or hidden threats.
However, in larger environments with thousands of endpoints, threat hunting can often find artifacts that may have been missed by intrusion detection and prevention controls. When dealing with threat hunting internally, the person in charge of the analysis usually wears multiple hats. Bandos said that although this is not a bad thing in itself, it is important not to treat threat hunting as a part-time job.
Bandos said: “The most serious mistake is to assume that something is legal.” Security analysts (especially inexperienced security analysts) can usually view certain activities or log data and ignore them because it seems It’s normal. He added: “Bad actors have done a great job merging and staying on the production line.”
Jai Vijayan is an experienced technical journalist with more than 20 years of experience in the field of IT trade news. He was recently a senior editor at Computerworld, responsible for information security and data privacy issues for the publication.In his 20-year journey…View the full bio