
Suppressing the Adversary via Threat Hunt Teams

March 27, 2018 / Tom Kellermann

What a brave new world. Global cyber insurgencies continue unabated. Decreasing dwell time is imperative in 2018. To achieve this goal, we must embrace the hunt.

Every organization should stand up a threat hunting team. The team must be multidisciplinary, with experience in e-forensics and penetration testing. These teams must play chess while possessing deep knowledge of geopolitics (understanding the motivation for a cyberattack is paramount).

It is also paramount to assemble a team of operators who understand that identifying an active compromise on the network requires knowledge not only of technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also of current exploits, vulnerabilities, threat actor methodology and TTPs.

Develop a threat profile. This will help a hunter know where to prioritize hunting (and ultimately where to start hunting). Apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and enable tools to do the target acquisition for the team. This results in a force multiplier for your hunters. Analytics will predict future attacks via attack origin to survey the root cause of attacks. As a result, teams can anticipate and focus on the organization’s defensive weaknesses.

As your team jells, develop rapid-response protocols. Deciding when to reveal oneself is critical, as counter-incident-response measures and destructive attacks are becoming the norm.

  1. Assess threat intel from IPs, domains and hashes applied to historical data.
  2. Query similar threads that are not identical matches in historical data.
  3. Detect anomalies – this requires continuous analysis of unfiltered data from the endpoint.

Threat hunting is most effective when employing both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances). User-entity behavior analytics must be employed, as it is critical to baseline “normal” network and host behavior in a threat hunt; contextualizing normal behavior is the most effective way of determining where an adversary might lie in wait.

A hunter must position themselves on the high ground. The high ground is defined by greater situational awareness. Specifically, the hunter must analyze threat intel from customer IPs, domains and hashes applied to historical data. From that vantage, one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.

Stage I: Go historical – take in tactical threat intel of domains, hashes and IPs, and be able to search the last 30 days. Hash values may have low false positive rates, but they are easy for an attacker to change. Domains and IPs may have a ton of false positives.

Stage II: Move up the Pyramid of Pain – change the threat-intel language to move toward TTPs (action or behavior). Time is a critical component.

Stage III: Move to anomaly-based hunting – algorithmic threat hunting; changes in behavior versus similarities to what was previously seen.
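An added sketch of Stage I and Stage III, not code from the original post or from Carbon Black: it matches tactical indicators against a 30-day window of endpoint events, ranks hash hits above noisy domain hits, and then flags parent/child process pairs a host never showed in its baseline. The event fields, the intel feed, the fidelity labels and the function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed endpoint events (not real telemetry).
EVENTS = [
    {"ts": "2018-02-10T09:00:00", "host": "ws-01", "parent": "explorer.exe",
     "child": "winword.exe", "sha256": "a" * 64, "domain": "intranet.example"},
    {"ts": "2018-03-05T14:12:00", "host": "ws-01", "parent": "explorer.exe",
     "child": "winword.exe", "sha256": "a" * 64, "domain": "cdn.example"},
    {"ts": "2018-03-20T02:31:00", "host": "ws-01", "parent": "winword.exe",
     "child": "powershell.exe", "sha256": "b" * 64, "domain": "updates.example"},
    {"ts": "2018-03-21T11:00:00", "host": "srv-02", "parent": "services.exe",
     "child": "svchost.exe", "sha256": "c" * 64, "domain": "intranet.example"},
]
# Constructed intel feed, keyed by the event field each indicator type matches.
INTEL = {"sha256": {"b" * 64}, "domain": {"cdn.example"}}
# Triage weight per the text: hashes rarely false-positive, domains/IPs are noisy.
FIDELITY = {"sha256": "high", "domain": "low", "ip": "low"}

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")

def retro_hunt(events, intel, now, days=30):
    """Stage I: match indicators against every event in the look-back window."""
    cutoff = now - timedelta(days=days)
    hits = [(e["ts"], e["host"], kind, e[kind], FIDELITY[kind])
            for e in events if _ts(e) >= cutoff
            for kind, values in intel.items() if e.get(kind) in values]
    # High-fidelity hits first, then oldest first, so triage starts with them.
    return sorted(hits, key=lambda h: (h[4] != "high", h[0]))

def new_behaviour(events, now, days=30):
    """Stage III: parent->child pairs a host never showed before the window."""
    cutoff = now - timedelta(days=days)
    old = [e for e in events if _ts(e) < cutoff]
    baseline = {(e["host"], e["parent"], e["child"]) for e in old}
    baselined_hosts = {e["host"] for e in old}
    # A host with no history cannot show a *change*; skip it instead of alerting.
    return [(e["ts"], e["host"], e["parent"], e["child"]) for e in events
            if _ts(e) >= cutoff and e["host"] in baselined_hosts
            and (e["host"], e["parent"], e["child"]) not in baseline]

if __name__ == "__main__":
    now = datetime(2018, 3, 27)  # publication date of the post, used as "today"
    for hit in retro_hunt(EVENTS, INTEL, now):
        print("IOC ", hit)
    for change in new_behaviour(EVENTS, now):
        print("NEW ", change)
```

The Word-spawns-PowerShell event surfaces in both passes here, but only the second would still fire if the attacker recompiled the binary and changed its hash.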

Hunters should evaluate users with higher levels of access to a network’s “crown jewels” and subsequently deploy deception grids around these users and hosts. Remember, static defenses without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy hunting.
