During the past few years, industry has witnessed a major change in the working environment of users: desktop-centric organizations have evolved to using many more personal, handheld devices. This enhances user mobility and ease of doing business.

Along with the increase and variety of devices, industry has encountered various attacks such as APT, DOS/DDOS, data exfiltration and others. Most major compromises exploited existing vulnerabilities through bots, command-and-control (C&C) infrastructure, social engineering and a long list of other techniques.

Additionally, according to SANS Institute research, more than 80% of breach victims learn of a compromise from third-party notifications rather than from their internal security teams. It is not that the victim organizations lacked security controls; they had all sorts of controls and round-the-clock security monitoring.

What is Hunt Teaming?
These attacks were targeted, so it is imperative to identify the IOCs (Indicators of Compromise) within the organization and then prioritize them according to quantitative and qualitative risk. That is where “Hunt Teaming” comes into the picture.

An organization should not rely solely on the security controls in its environment. It needs to go further and dig into network traffic behavior, unusual traffic, IP probes, port scans, vulnerability assessments, penetration testing and so on to understand the loopholes within its environment.

“Hunt Teaming” is an emerging trend and is considered proactive self-defense, rather than depending only on the static technologies present in the environment. In the traditional model we have a SOC (Security Operations Center), which relies primarily on alerts and incidents generated by antivirus, IPS/IDS and firewalls, or by a SIEM.

Attackers use various covert channels to avoid identification. By the time the victim realizes that the network was compromised, the attacker is long gone, having used scrubbing tools to erase their traces from the logs.

Hunt Teaming is somewhat different and fills an imperative gap in the SOC by identifying IOCs within the organization. In Hunt Teaming exercises, an organization (small, medium or large) should follow the four steps below to ensure early detection of loopholes.

i.) Be Ready with Useful Data:
The first step in Hunt Teaming is to be armed with data beforehand. Here’s a sample of use cases:
- Identify indicators of compromise through logs, VA scan reports, etc.
- Track the movement of an attacker in the network from one system to another, which is called pivoting.
- Measure connections that last longer than the average connection time on the network.
- Look at the protocols attackers use, such as web traffic, DNS and C&C, to establish communication channels.
- Research users who are concurrently logged into multiple systems, and assume that their credentials are compromised.
- Evaluate longer-than-normal URLs, which could be attackers sending malicious code and data into the environment.
- Deep dive into persistent malware, back-door entries, other abnormal behaviors and heuristic analyses.
- Identify the port and network path used for data exfiltration.

ii.) Act and Protect:
Once we have identified the IOCs within the environment, act proactively before security is breached. An organization can prioritize patches and policies and implement stringent security controls, along with calibrating its SOPs (Standard Operating Procedures).

iii.) Hunting:
Hunting involves asking questions and forming hypotheses. During this process, SOC teams hold discussions with various stakeholders and application owners, since traffic traverses many applications, servers and environments. This must include heuristic analysis of logs, traffic behavior, recent attacks and current vulnerabilities. The team analyzes the how, where, when and by what methods. This requires spending a lot of time searching for things that are elusive and/or entrenched.

iv.) Learn:
This must be continuous. Learning from existing incidents is one of the key aspects that prompts focus on critical areas before adversaries exploit the system. “Hunt Teaming” is an exercise that facilitates a big paradigm shift in detecting cyber-attacks and breaches. The approach is to analyze like an attacker, uncover anomalies and then “think out of the box” to respond to unknown attacks. The advantages an organization gains from Hunt Teaming are not only detecting known and unknown attacks beforehand, but also improvement in, and awareness of:
- Incident response times
- Calibration of SOPs and reports
- Shadow IT
- DOS/DDOS attacks
- Malicious insiders
- Logic Bombs
- Authorization Creep
- Provisioning and Deprovisioning of user access
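Three of the step i use cases (connections far longer than the average, users logged into several systems at once, and longer-than-normal URLs) as an added example that is not part of the original article: the record fields, the constructed sample telemetry and the mean-plus-two-standard-deviations threshold are all assumptions.

```python
# Added example, not from the original article: three of the step-i hunts run
# over constructed sample records. Field names and the 2-sigma rule are assumptions.
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Conn = namedtuple("Conn", "src dst seconds")            # one flow and its lifetime
Session = namedtuple("Session", "user host start end")  # logon active over [start, end)

def outliers(items, value, sigmas=2.0):
    """Items whose value exceeds mean + sigmas * stdev of the whole set."""
    values = [value(i) for i in items]
    limit = mean(values) + sigmas * pstdev(values)
    return [i for i in items if value(i) > limit]

def long_connections(conns):
    """Flows open far longer than the average flow (beacons, tunnels)."""
    return outliers(conns, lambda c: c.seconds)

def long_urls(urls):
    """URLs far longer than the norm (encoded commands or exfiltrated data)."""
    return outliers(urls, len)

def concurrent_logins(sessions):
    """Users whose sessions overlap in time on two or more distinct hosts."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    flagged = set()
    for user, sess in by_user.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a.host != b.host and a.start < b.end and b.start < a.end:
                    flagged.add(user)
    return sorted(flagged)

# Constructed sample telemetry, not real logs.
CONNS = [Conn("10.0.0.5", "203.0.113.9", s) for s in (3, 4, 2, 5, 3, 4, 2, 3, 4)]
CONNS.append(Conn("10.0.0.7", "198.51.100.23", 3600))  # one-hour flow to an external host
SESSIONS = [Session("alice", "ws01", 100, 500), Session("alice", "ws02", 300, 700),
            Session("bob", "ws03", 100, 400), Session("bob", "ws03", 420, 800),
            Session("carol", "ws04", 100, 300), Session("carol", "ws05", 300, 600)]
URLS = ["http://intranet.example/home", "http://intranet.example/reports/q3",
        "http://news.example/article/123", "http://mail.example/inbox",
        "http://docs.example/api/v2/users", "http://wiki.example/page/onboarding",
        "http://203.0.113.9/index.php?q=" + "A" * 400]

if __name__ == "__main__":
    print("long connections:", long_connections(CONNS))
    print("concurrent logins:", concurrent_logins(SESSIONS))
    print("long URLs:", [u[:40] + "..." for u in long_urls(URLS)])
```

Bob's two sessions are on the same host and Carol's are back-to-back rather than overlapping, so only Alice is flagged; on real telemetry the threshold should be tuned per protocol and per user population rather than taken from a single global mean.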
Thanks for reading this and good luck!