The year so far has been a busy one – crypto mining is happening more frequently, the volume of cyberattacks is growing and cybercrime continues to be extremely well-funded. To top it off, with the number of devices being used, cybersecurity has never been more complicated.
We’re seeing organizations of all sizes falling victim to intelligent attacks and at the 2018 SecTor event in Canada last week there was an underlying theme – the need for a proactive approach to breach detection.
Keren Elazari, Israeli security analyst and author, highlighted that today organizations must not be complacent but must instead build a strong security culture that supports investment in cybersecurity skills, threat intel and threat hunting. Similarly, Matthew Maglieri, CISO of Ashley Madison’s parent company Ruby Life Inc. and a former Mandiant consultant, stressed that while it is extremely difficult to prevent a targeted data breach, it is possible to achieve security resilience. Attackers usually lie undetected for three months, and Maglieri argued that organizations should create offensive risk management programs to reduce the potential impact of these breaches.
While we don’t agree that organizations should be ‘offensive’ per se (unless you are actually policing), we do think a “lean-forward” approach is needed to raise detection capabilities. So how can you reduce dwell time from multiple months to days, hours or even minutes? By building a proactive threat detection approach that includes threat hunting.
Rather than waiting passively for a threat to reveal itself, a threat hunter will proactively find it. It’s an approach that is being adopted by larger, more mature organizations, and the right tools and the right data are needed to make it possible. To effectively hunt for threats, an organization needs granular visibility of metadata, not just logs, across its endpoints, network and cloud environments, and must have this information available for retroactive analysis. The key to threat hunting (besides having the expertise) is the data and your ability to query it, pivot on it, and group it together to aid an investigation. Here’s the lowdown on what you need:
Good data on what’s happening in your network
Network Traffic Analysis is important for threat hunting because it is the source of data that provides visibility of everything crossing the network, and it also yields invaluable metadata gathered by capturing and breaking down sessions. Why metadata? It provides crystal clear context and can be indexed more effectively than raw logs, allowing you to quickly search for and find the information you think will support your hypothesis.
Here are some considerations to make when scoping out a Network Analysis solution –
- What kind of data will be received? Metadata provides the context which will make all the difference in your ability to hunt threats quickly and accurately.
- How long is the data stored for? Organizations don’t typically conduct daily hunts – you may want to group alerts over a long period of time to investigate various hypotheses.
- Does the solution allow you to easily search data for key characteristics? You do not want to be scanning through tens of thousands of logs.
Visibility and response across endpoints
A good endpoint detection and response solution will increase visibility across the endpoints in your organization and significantly reduce response time to threats that are lurking on systems. An EDR solution should enable organizations to monitor all activity, such as process actions, logged-in users, registry writes, file system activity and even memory, in real time. By applying threat intelligence to this data, it’s possible to detect threats much faster and respond to them extremely quickly.
Considerations when scoping out an EDR solution –
- Does it work when the endpoint is on the network and off it? Remember to make sure your remote endpoints are covered.
- Does it enable you to detect threats retrospectively? For instance, if a threat went undetected and bypassed traditional preventative defenses – are you able to apply updated threat intelligence that identifies the threat one week later… and find it?
- Can you create response workflows to automatically kick off remediation, analysis or response actions?
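The retrospective hunt described in these considerations, as an added example that is not part of the original post: it applies a newer indicator set to stored session metadata, then pivots from each hit to the host’s other sessions and works out how long the activity sat unnoticed. All records, host names, addresses and indicators below are constructed sample values, not real traffic.

```python
"""Retrospective hunt over stored metadata: match a newer indicator set against
retained sessions, pivot by host, and measure dwell time per host."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real traffic): one row per session, holding the
# kind of summarised fields a network-analysis or EDR tool would retain.
SESSIONS = [
    {"ts": "2018-09-20T08:01:00", "host": "ws-17", "dst": "203.0.113.9", "sni": "cdn.example.net", "proc": "chrome.exe"},
    {"ts": "2018-09-20T08:03:00", "host": "ws-17", "dst": "198.51.100.4", "sni": "update-svc.example", "proc": "svchost.exe"},
    {"ts": "2018-09-21T02:14:00", "host": "ws-17", "dst": "198.51.100.4", "sni": "update-svc.example", "proc": "rundll32.exe"},
    {"ts": "2018-09-21T09:30:00", "host": "ws-04", "dst": "203.0.113.9", "sni": "cdn.example.net", "proc": "chrome.exe"},
    {"ts": "2018-09-27T11:45:00", "host": "ws-04", "dst": "198.51.100.4", "sni": "update-svc.example", "proc": "svchost.exe"},
]

# Constructed indicator set, imagined as published a week after the first session.
INDICATORS = {"ip": {"198.51.100.4"}, "domain": {"update-svc.example"}}


def match_indicators(sessions, indicators):
    """Return every stored session whose destination IP or SNI is in the indicator set."""
    return [s for s in sessions
            if s["dst"] in indicators["ip"] or s["sni"] in indicators["domain"]]


def pivot_by_host(sessions, hits):
    """Group all sessions of each hit host so the surrounding activity is visible."""
    hosts = {h["host"] for h in hits}
    by_host = defaultdict(list)
    for s in sessions:
        if s["host"] in hosts:
            by_host[s["host"]].append(s)
    return dict(by_host)


def dwell_days(hits, detected_at):
    """Whole days between the earliest matching session per host and the hunt time."""
    found = datetime.fromisoformat(detected_at)
    first = {}
    for h in hits:
        ts = datetime.fromisoformat(h["ts"])
        if h["host"] not in first or ts < first[h["host"]]:
            first[h["host"]] = ts
    return {host: (found - ts).days for host, ts in first.items()}


if __name__ == "__main__":
    found = match_indicators(SESSIONS, INDICATORS)
    for host, rows in pivot_by_host(SESSIONS, found).items():
        print(host, [(r["ts"], r["proc"], r["dst"]) for r in rows])
    print(dwell_days(found, "2018-09-28T00:00:00"))
```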
Set up an alarm system
Deception can also be used to aid threat hunting and reduce the time an adversary dwells on your network. It provides the first true signal of a compromised asset, and a threat hunter can use it to quickly begin the investigation process.
The goal of deception is to detect attacks that have infiltrated an organization’s network by confusing and misdirecting the attacker, all the while building an understanding of what assets have been compromised. Gaining information on an attacker’s TTPs is very useful in conducting a hunt.
Considerations when scoping out a Deception solution –
- Does the solution automatically discover and classify assets?
- Does the solution automatically create decoys and breadcrumbs?
- Do the lures and breadcrumbs automatically adapt to a changing network?
- Can you apply the solution to a cloud environment?
Ultimately there isn’t a silver bullet that can ensure every single adversary is caught and is caught quickly. But an organization can dramatically mitigate the risk associated with a breach by adopting a ‘lean forward’ approach. With the right data, and the right technology – it is possible to implement proactive threat detection methods such as threat hunting and reduce dwell time.