For organizations whose cyber defenses have been growing one-dimensional, threat hunting has breathed new life into sputtering security programs.
Broadly defined as the manual practice of applying tools, tactics, procedures and intelligence to uncover advanced network attacks that have slipped past existing defenses, threat hunting is surging in popularity.
Able to easily bypass traditional, signature-based security, persistent attackers are using stealthy means to fly under the radar and travel unrestricted across corporate databases, networks and applications – and you need to assume they are already inside yours.
So how do you find them?
While actions such as log and event analysis (automated threat detection) and technologies like endpoint detection and response (EDR) have emerged to help organizations become more proactive at flagging and rebuffing these sophisticated foes, threat hunting pushes the needle even further forward with a human-driven component. Trained personnel pursue attackers while leveraging many of the same capabilities and thought processes that the adversaries use themselves.
Even if your ultimate security goal may be to pre-empt the mega breach, threat hunting is out to discover anything out of the ordinary that could indicate something is amiss in your environment – in the process vastly growing visibility into your network, reducing risk and expanding security maturity. Oftentimes, this means unearthing something that is far less deleterious – and far less thought about – than an advanced persistent threat actor, but critical nonetheless, as non-routine activity of any kind may affect your organization’s operations and bottom line.
What your team may discover on a threat hunt (or via powerful security operations center-backed experts hunting on your behalf) could range from an honest mistake to a spiteful employee to a full-blown hacker incident. As an accountable and responsible security professional, you should want to know about all of them.
1) Hackers “Living off the Land”
As simple as it is to find fault with the current state of security, many businesses are making it more onerous than ever for network intruders to succeed. You may be surprised to learn that this reality has forced miscreants to turn to self-sustaining practices. A tactic known as “living off the land” has grown in popularity in recent years among all types of malicious hackers and typically involves using tools already approved and installed by your IT team – for instance, PowerShell, a legitimate admin tool used to automate tasks – to run exploits (especially fileless attacks), harvest credentials and traverse the network.
2) Unusual User Behavior
Threat hunts can also turn up anomalous user activity, which may hint at possible threats involving a rogue insider. Actions that could indicate a wayward employee include multiple requests to escalate privileges, large data exfiltration at odd hours, late-night logins and the mass downloading or deletion of files – all of which are uncharacteristic of their normal duties and potentially indicative that they are planning, for example, to switch jobs or exact revenge on the business.
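As an added illustration (not code from the original post or from Trustwave), the following script runs the four insider indicators listed above over a constructed audit log. The event format, the off-hours window and the thresholds are assumptions for the demo; a real hunt would baseline them per user or role rather than hard-code them.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit records (not real data): (user, ISO timestamp, action, bytes).
# "alice" is a normal daytime user; "bob" shows the rogue-insider pattern the text
# describes; "carol" deletes files in bulk during the workday.
SAMPLE_EVENTS = [
    ("alice", "2023-03-01T09:12:00", "login", 0),
    ("alice", "2023-03-01T09:30:00", "download", 2_000_000),
    ("bob", "2023-03-01T23:40:00", "login", 0),
    ("bob", "2023-03-01T23:45:00", "priv_escalation_request", 0),
    ("bob", "2023-03-01T23:47:00", "priv_escalation_request", 0),
    ("bob", "2023-03-01T23:50:00", "priv_escalation_request", 0),
    ("bob", "2023-03-02T00:10:00", "download", 900_000_000),
    ("bob", "2023-03-02T00:12:00", "download", 800_000_000),
] + [("carol", f"2023-03-01T14:{i % 60:02d}:00", "delete", 0) for i in range(60)]

# Assumed thresholds for the demo; a real hunt would baseline these per user or role.
OFF_HOURS = set(range(0, 6)) | {22, 23}          # 22:00 to 06:00 counts as off-hours
PRIV_REQ_THRESHOLD = 3                            # repeated escalation requests
OFF_HOURS_BYTES_THRESHOLD = 500 * 1024 * 1024     # 500 MiB moved during off-hours
MASS_FILE_OPS_THRESHOLD = 50                      # downloads + deletions per user


def hunt(events):
    """Return {user: [finding, ...]} for every user matching at least one indicator."""
    per_user = defaultdict(list)
    for user, ts, action, nbytes in events:
        per_user[user].append((datetime.fromisoformat(ts), action, nbytes))

    findings = defaultdict(list)
    for user, evs in per_user.items():
        counts = Counter(action for _, action, _ in evs)
        if counts["priv_escalation_request"] >= PRIV_REQ_THRESHOLD:
            findings[user].append("repeated privilege escalation requests")
        if any(a == "login" and t.hour in OFF_HOURS for t, a, _ in evs):
            findings[user].append("late-night login")
        off_hours_bytes = sum(n for t, a, n in evs if a == "download" and t.hour in OFF_HOURS)
        if off_hours_bytes >= OFF_HOURS_BYTES_THRESHOLD:
            findings[user].append("large data transfer at odd hours")
        if counts["download"] + counts["delete"] >= MASS_FILE_OPS_THRESHOLD:
            findings[user].append("mass file download/deletion")
    return dict(findings)


if __name__ == "__main__":
    for user, hits in hunt(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(hits))
```

Each hit is a lead for the hunter to follow up, not a verdict: the accounting worker from the PowerShell example below would trip none of these, while a legitimate night-shift admin might trip two.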
3) Old or Unused Machines
In an era of technology sprawl, it may be easy to lose track of active workstations and other systems, which still introduce risk to a company. One of Trustwave’s threat hunters told me about one case in which his team identified IP addresses within a network that were behaving strangely. The hunters turned that information over to the customer, which took three weeks to physically identify the offending machines – they were stored away, apparently unknowingly, in a cabinet somewhere.
4) Policy Breakers Cutting Corners
The insider threat doesn’t always involve malice – sometimes an employee is trying to do the right thing, albeit “overlooking” security policies and ramifications. Going back to the earlier PowerShell example, a worker in accounting may have discovered the tool to be useful for automating reporting but is unaware that attackers may be also able to leverage it to run malicious scripts.
5) Shadow IT
There are plenty of ways to invite malicious content or data-leakage risks into your organization, and the proliferation of web- and cloud-based software has opened that door even wider. While many employees (including C-level executives) are installing applications, often citing their desire to use them to improve productivity, they usually end up being unmanaged and grow a business’ attack surface. Sometimes, a user’s motivation for such a download isn’t as work-focused: Our aforementioned threat hunter recently turned up a “Pokemon Go” mining operation in which a member of the IT team was using several systems to “catch” the animated creatures.
With the knowledge of what a threat hunt helps bring to the surface, you can immediately take risk-reducing actions within your organization. Remember, it’s not always the APT adversary who can bring you down.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.