June 3, 2016
Proactively Counter Cyber Attacks and Incidents with Hunt Teaming
- Identify indicators of compromise through logs, VA scan reports, etc.
- Track the attacker's movement in the network from one system to another, which is called pivoting.
- Measure connections that last longer than the average connection time on the network.
- Look at protocols used by the attacker, such as web surfing, DNS and C&C, to establish communication channels.
- Research users who are concurrently logged into multiple systems, and assume that their credentials are compromised.
- Evaluate longer-than-normal URLs, which could be attackers sending malicious code and data into an environment.
- Deep dive through persistent malware, back-door entries, other abnormal behaviors and heuristic analyses.
- Identify the port and network used for data exfiltration.

ii.) Act and Protect: Once we’ve identified the IOCs within the environment, act proactively before security is breached. An organization can prioritize patches and policies and implement stringent security controls, along with calibrating SOPs (Standard Operating Procedures).

iii.) Hunting: Hunting includes questions and hypotheses. During this process, SOC teams hold discussions with various stakeholders and application owners, since traffic traverses many applications, servers and environments. This must include heuristic analyses of logs, traffic behavior, recent attacks and current vulnerabilities. They will analyze the hows, wheres, whens and by what methods. This requires spending a lot of time searching for things that are elusive and/or entrenched.

iv.) Learn: This must be continuous. Learning from existing incidents is one of the key aspects that prompts focus on critical areas before adversaries exploit the system.

“Hunt Teaming” is an exercise that facilitates a big paradigm shift in detecting cyber-attacks and breaches. The approach is to analyze like an attacker, uncover anomalies and then “think out of the box” to respond to unknown attacks. The advantages to an organization that adopts Hunt Teaming are not only detecting known and unknown attacks beforehand, but also improvement in, and awareness of:
- Incident response times
- Calibration of SOPs and reports
- Shadow IT
- DOS/DDOS attacks
- Malicious insiders
- Logic Bombs
- Authorization Creep
- Provisioning and Deprovisioning of user access
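Three of the hunting checks listed in the identification step (connections that run far longer than the average, a user concurrently logged on to several systems, and longer-than-normal URLs) as an added Python example run over a few constructed log lines. This is illustrative code written for this page, not tooling from the article's author or any SOC product; the log formats, host names, thresholds and the base64-looking filler in the long URL are all assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample records (assumed formats, not from the article).
FLOW_LOG = """\
2016-06-03T08:00:00 10.0.1.5 203.0.113.10 443 duration=120
2016-06-03T08:05:00 10.0.1.6 203.0.113.11 443 duration=95
2016-06-03T08:07:00 10.0.1.7 198.51.100.7 443 duration=130
2016-06-03T08:10:00 10.0.1.8 203.0.113.12 443 duration=110
2016-06-03T08:12:00 10.0.1.9 198.51.100.9 4444 duration=86400
"""

AUTH_LOG = """\
2016-06-03T09:00:00 user=alice host=WS-01 event=logon
2016-06-03T09:01:00 user=bob host=WS-02 event=logon
2016-06-03T09:02:00 user=alice host=SRV-DB01 event=logon
2016-06-03T09:03:00 user=alice host=SRV-FILE01 event=logon
2016-06-03T09:30:00 user=bob host=WS-02 event=logoff
"""

# Constructed filler standing in for an encoded payload stuffed into a query string.
BLOB = "QUFB" * 40
PROXY_LOG = f"""\
2016-06-03T10:00:00 10.0.1.5 GET http://example.com/index.html
2016-06-03T10:00:05 10.0.1.6 GET http://example.com/news/2016/06/03/article
2016-06-03T10:00:09 10.0.1.9 GET http://example.net/gate.php?id={BLOB}
"""


def _kv(token):
    """Return the value of a key=value token."""
    return token.split("=", 1)[1]


def long_connections(log, factor=10):
    """Flag flows whose duration exceeds `factor` times the median duration.

    The median is used as the 'average' because a single very long session
    (the thing we are hunting for) drags an arithmetic mean up so far that the
    outlier no longer stands out against it.
    """
    rows = []
    for line in log.splitlines():
        _ts, src, dst, port, dur = line.split()
        rows.append((src, dst, int(port), int(_kv(dur))))
    baseline = median(r[3] for r in rows)
    return [r for r in rows if r[3] > factor * baseline]


def concurrent_logins(log, max_hosts=1):
    """Return users who are logged on to more than `max_hosts` hosts at once.

    Events are replayed in order so a logoff releases the host; the function
    records the widest set of hosts seen for each user that crossed the limit.
    """
    active = defaultdict(set)
    flagged = {}
    for line in log.splitlines():
        _ts, user, host, event = (tok for tok in line.split())
        user, host, event = _kv(user), _kv(host), _kv(event)
        if event == "logon":
            active[user].add(host)
        elif event == "logoff":
            active[user].discard(host)
        if len(active[user]) > max_hosts:
            flagged[user] = sorted(active[user])
    return flagged


URL_RE = re.compile(r"https?://\S+")


def long_urls(log, max_len=100):
    """Return (source, length, url) for requests whose URL exceeds `max_len`."""
    hits = []
    for line in log.splitlines():
        _ts, src, _method, url = line.split()
        if URL_RE.fullmatch(url) and len(url) > max_len:
            hits.append((src, len(url), url))
    return hits


def hunt():
    """Run all three checks and return their findings in one report."""
    return {
        "long_connections": long_connections(FLOW_LOG),
        "concurrent_logins": concurrent_logins(AUTH_LOG),
        "long_urls": long_urls(PROXY_LOG),
    }


if __name__ == "__main__":
    for check, findings in hunt().items():
        print(check, findings)
```

Each finding is only a lead: the 10x-median factor, the one-host limit and the 100-character URL cutoff are starting points that a SOC would tune to its own baseline, and a flagged user may simply own several machines. The value is that the three checks answer the article's hunting questions directly from logs the organization already collects.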