Cybots Alliance | Cyber Security

Continuous Threat Hunting ​

Cyber threat hunting is an active cyber defence activity. It is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped by your initial endpoint security defenses....After sneaking in, an attacker can stealthily remain in a network for months as they silently collect data, look for confidential material, or obtain login credentials that will permit them to move across the environment. Once an adversary is successful in evading detection and an attack has penetrated an organization’s defenses, many organisations lack the advanced detection capabilities needed to stop the advanced persistent threats from remaining in the network. That is why threat hunting is a powerful weapon of any defense strategy. Threat hunting is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which involve an investigation of evidence-based data after there has been a warning of a threat. On average, cybercriminals spend about 191 days inside a network before being discovered, and that is more than enough time to cause serious damage. In contrast to a forensic investigation, which is designed to work out what went wrong after an attack, threat hunting aims to track down these waiting attackers and stop them in their tracks before they have the chance to cause any significant damage. Even though your automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80 percent of threats, you still need to worry about the remaining 20 percent, which is more likely to include advanced persistent threats (APTs) that can cause significant damage. Threats that are unsophisticated, automated or untargetted should be easy to detect or block, but those that carefully evade the tools designed to stop them typically come from advanced persistent attackers — groups or individuals who directly target your organisation and network. Compared to a basic hacking attempt, an APT demands significantly more effort and attention from the SOC and response team. Threat hunting is becoming increasingly important and vital as companies seek to stay ahead of the latest cyber threats and rapidly respond to any potential attacks.

Read more

Threat Hunting Methodologies

Threat hunters assume that the adversaries are already in the system, and they initiate investigation to find unusual behaviour that may indicate the presence of malicious activity. In proactive threat hunting, this initiation of investigation typically falls into three main categories:

1. Hypothesis-driven investigation

Hypothesis-driven investigations are often triggered by a new threat that is been identified through a large pool of crowdsourced attack data, giving insights into attackers’ latest tactics, techniques, and procedures (TTP). Once a new TTP has been identified, threat hunters will then look to discover if the attacker’s specific behaviours are found in their own environment.

2. Investigation based on known Indicator of Compromise (IOC) or Indicator of Attack (IOA)

Indicator of compromise - An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is could by looking inward at your own data from transaction logs and or SIEM data. Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyber attack process. Indicator of Concern - Using Open-source intelligence (OSINT), data can be collected from publicly available sources to be used for cyber attack detection and threat hunting. Tactical threat intelligence which catalogs known IOCs and IOAs could be used as to investigate new threats. These would then become triggers that threat hunters could use to uncover potential hidden attacks or ongoing dangerous activity.

3. Advanced analytics and machine learning investigations

This approach combines date analysis and machine learning to sift through a huge amount of information in order to discover irregularities which may indicate potential malicious activity. These anomalies become hunting leads that are analysed by skilful analysts to identify potential threats. All three approaches are human-powered effort that combines threat intelligence resources with advanced security technology to protect an organisation’s systems and information.

Threat Hunting Steps

The process of proactive cyber threat hunting typically involves three key steps: a trigger, an investigation and a resolution.

Step 1: The Trigger

When a trigger happens, it would point threat hunters to a specific system or an area of the network for further investigation when advanced detection tools identify strange actions that may show malicious activity. Oftentimes, a hypothesis about a new threat can be the trigger for proactive hunting. For example, an alert security team may search for advanced threats that use tools like fileless malware to escape existing defenses.

Step 2: Investigation

During the investigation phase, the threat hunter uses technology such as EDR (Endpoint Detection and Response) to take a dive into potential malicious compromise of a system. The investigation would continue until either the activity is considered benign or a complete picture of the malicious behaviour has been created.

Step 3: Resolution

At this phase, relevant malicious activity intelligence would be communicated to the operations and security teams so they can respond to the incident and mitigate threats. The data about both malicious and benign activity is then gathered to be fed into automated technology to improve its effectiveness without further human intervention. Throughout this process, cyber threat hunters would be gathering as much information as possible about an attacker’s actions, methods and goals. They would also analyse collected data to determine trends in an organisation’s security environment, eliminate current vulnerabilities and make predictions to enhance security in the future.

safar-safarov-1509081-unsplash

Should You Enlist a Managed Threat Hunting Service?

The concept of threat hunting is important and crucial. Yet, the challenge is to actually source personnel who can conduct the exercise properly and regularly. The best threat hunters are those that are battle-tested with relevant experience in warring cyber adversities.
Unfortunately, there is a major skills shortage in the cybersecurity industry when it comes to threat hunting, meaning that seasoned hunters are expensive. That is why many organisations would turn to managed services, who can deliver deep expertise and 24×7 vigilance at a more affordable cost.
Below, let’s explore what to look for in a threat hunting service:

What is Required to Start Threat Hunting?

A top threat hunting service takes a three-pronged approach to attack detection. Together with skilled security professionals, it includes two other components necessary for successful hunting: vast data and powerful analytics.

Advantages of Managed Services

Needless to say, the human brain is still the most effective detection engine, even though every new generation of security technology is able to detect a higher number of advanced threats. Automated detection techniques are predictable, and today’s attackers are very aware of this and have developed techniques to evade or hide from automated security tools. Human threat hunters, definitely, are an absolutely critical component in an effective threat hunting service.
Since proactive hunting depends on human interaction and intervention, success would depend on who is hunting through the data. Intrusion analysts must have expertise to identify sophisticated attacks, and they also must have the needed security resources to respond to any discovery of unusual behaviour.

The service must have the ability and capacities to gather and store granular system events data so as to provide absolute visibility into all endpoints and network assets. With the use of a cloud infrastructure, a good security service then aggregates and perform real-time analysis on these large data sets.

Lastly, a good threat hunting solution should be able to cross-references internal organisational data with the latest threat intelligence about external trends and deploys sophisticated tools to analyse and correlate malicious actions.
All of this takes a measurable amount of time, resources and dedication — and most organisations are not adequately staffed and effectively equipped to mount a continuous 24/7 threat hunting operation. Fortunately, there are managed security solutions that have the appropriate resources — the necessary people, data and analytical tools — to effectively hunt for unusual network activity and hidden threats.
If adding threat hunters to your current team or training existing personnel is not an option, many companies are also considering managed services to reap benefits such as “hunting health checks” without adding HR overheads. Getting started is one of the toughest parts of hunting, so employing a managed service might be beneficial to help launch a program that involves both a manual and a semi-automated scanning of systems.
Cybots Alliance is able to bring together all three prongs in a 24/7 security solution that proactively hunts, carefully investigates and aptly advises on threat activity in an organization’s environment.
Our experienced team of hunters sift through endpoint event data from across Cybots Alliance’s worldwide client community to swiftly identify and stop highly sophisticated attacks that would otherwise go undetected.
Our proactive managed hunting finds breaches days, weeks or even months before they would have been uncovered by conventional automated-only methods, successfully limiting the opportunity for attackers to coordinate data exfiltration operations that ultimately lead to mega breaches.
Cybots Alliance can help you detect and respond to cyber incidents around the clock. To find out more about the powerful security advantage that we can offer you, do contact us.

The Threat Hunting Advantages​

Hunting is used to stop the current attackers. Threat hunting is used to discover hidden threats (e.g., malware) lurking in the background and to identify perpetrators who are already invading the organisation’s systems and networks. It can help to proactively identify adversaries who have already breached the defenses and found ways to establish a malicious presence in the organisation’s network.
Threat management remains the top challenge for SOCs. Threat hunting’s course of action is searching through networks for indication of abnormal behaviour caused by potential attacks; this involves a human-driven process designed to look for the threats that automated systems or conventional detection methods might miss out. Ad-hoc hunting can identify a strange activity or attack pattern that might already be present in an IT environment, and then, identify it more swiftly. And the quicker active threats are identified and communicated to an incident responder who will have the expertise and knowledge to quickly attend to the threat and neutralise it before more dangerous damage to network and data occurs, the better the outcome.
Threat hunting also permits a security team better insight into an incident, from understanding its scope to identifying the causes and forecasting the impact. An active approach, analysing computer network traffic in search of malicious content with intent to investigate potential compromises and improve cyberdefenses, can help gather important data to look into after-the-fact incidents. This will help in extracting lesson-learned tips and correcting possible challenges.
Threat hunting is not only an excellent strategy to intercept possible advanced persistent threats (APTs) or other external attacks that can leave an organisation handicap to data breaches. It also gives IT analysts a much better overview picture of the current state of the organisation’s security, and its expected resilience to a variety of potential attacks. Through threat intelligence, it is possible to further anticipate identification of a specific threat, providing analysts and incident responders with actionable intelligence: information which is analysed, contextualized, timely, accurate, relevant and predictive.
Threat hunting allows early detection of advanced threats (hidden, unknown, and emerging), and thus for cybersecurity personnel to secure and defend their environments. Thanks to the deep insight into the systems and the ways a threat found their way in, a good threat-hunting session also offers more needed information to improve the defenses of a company.
Once the decision is made to begin implementing threat hunting in-house, a company needs to employ professionals with skills and knowledge that go beyond basic IT. A threat hunter needs to be an expert in IR, forensics, cybersecurity or network engineering and security analytics as well as network protocols, malware management and reverse engineering. Moreover, they will have to be creative and possess critical-thinking and problem-solving skills, as well as much of the know-how and abilities that malicious hackers possess. These professionals normally have a passion for learning and keeping abreast of the newest cybersecurity trends. They will need to have advanced communication skills to communicate findings and write effective technical reports that non-technical management personnel can understand. An organisation can only benefit from these additions to the IT team.
An efficient threat-hunting platform includes important tools and is essential for security operations centers (SOCs). Tools like Security Information and Event Management (SIEM) software products or an Intrusion Detection System (IDS) may be used to help identify anomalies, leading to more efficient identification of threats and giving the ability to counteract them. This will help prevent or minimise further damages. A good platform, however, also includes fast and effective ways to transform raw data coming from a variety of sources into usable information. It can even save time for analysts by freeing them from having to manually correlate events; it can aggregate “feeds” coming from different sources in order to create actionable intelligence data.
Threat hunting’s power is that it is human-driven, proactive, iterative and analytical. This combination of key tools, repetitive careful monitoring and behaviour-pattern searching, together with the analysts’ ingenuity and ability to examine and evaluate data, means a reduction in false positives and time-wasting.
Threat hunting offers a quicker response and a proactive approach, which normally means less possibility for malicious intruders and threats to damage to an organisation, its systems and data.

To Future You.

Ready to see how Cybots can help you prevent more threats?