An overview of Threat hunting
Threat hunting, a relatively new approach to identifying malicious actors within the network, is quickly becoming a standard practice.
Why is threat hunting an emerging discipline in information security?
Conventional systems just can't stop a significant number of intrusion attempts.
According to Verizon's Data breach investigations report, a significant portion of intrusions are caused by phishing, and credential stealing.
36% of breaches in the 2021 Verizon DBIR report involved phishing and 25% of them used stolen credentials for hacking.
The malicious actors then dwell within the system, and use privilege-escalation and lateral movement tactics to ensure their persistence. They will use malware and other such tools to ensure that they can stay hidden and persist in their mission.
Information security professionals cannot just be reactive to system alerts any longer, because that won't work in preventing malicious actors from infiltrating, and developing persistence in a system.
As information security professionals, we have to conduct innovative proactive hunts to ensure that their network traffic is validated with any specific business need. If there is no explanation for a particular connection, or pattern of traffic to exist, they should then enter incident-response mode.
The ideal goal of Threat hunting is to reduce the dwell-time of malicious actors in a network to about 24 hours.
Adversaries value persistence
Persistence in networks is absolutely critical for modern threat actors like advanced persistent threats, cyber-criminals, ransomware operators. Aiming to reduce the dwell-time helps set up infosec organizations to optimize for, and measure actual goals that contribute positively to protecting the business.
While some people might think that is a terrible goal, it is pragmatic, actionable, and measurable with respect to real-world scenario of threats.
It would be great to have a detection within the millisecond of intrusion, but it is practically impossible. So, optimizing for reducing the dwell time, mitigates the burst radius so to speak, of an intrusion or attack.
Additionally, it is better to have our own detection happen, than the FBI coming in, or some other industry expert informing us of our failure.
Threat Intel will only get you so far
Threat intelligence is helpful, but only up to a point. That is because threat actors may dwell in systems for extended periods of time without performing a single action. They may also use yet undiscovered zero-days to perform their mission. It is also not a fair expectation for an incident-response team to be up-to-date with the very latest in threat intelligence, especially when a lot of the providers are proprietary and commercial vendors.
Having signatures of malware also doesn't matter that much, any more. Sunburst / Nobelium, the incredibly sophisticated supply-chain attack, was digitally signed malware.
Sunburst level adversary detection should be our minimum standard
Our minimum bar for threat hunting should be to detect advanced threats like Sunburst, since it has to be assumed that any threat actor will seek to emulate the tactics and procedures that Nobelium employed.
Our next article will cover strategies for threat hunts, and constructing threat hunt playbooks for teams.