Suppressing the Adversary via Threat Hunt Teams


What a brave new world. Global cyber insurgencies continue unabated. Decreasing dwell time is imperative in 2018.  In order to achieve this goal, we must embrace the hunt. 

Every organization should stand up a threat hunt team. The team must be multidisciplinary, with experience in e-forensics and penetration testing. These teams must play chess while possessing deep knowledge of geopolitics (understanding the motivation for a cyberattack is paramount).

It is also paramount to assemble a team of operators who understand that the solution to identifying an active compromise on the network requires knowledge of not only technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also knowledge of current exploits, vulnerabilities, threat actor methodology and TTPs.

Develop a threat profile. This will help a hunter know where to prioritize hunting (and ultimately where to start hunting). Apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and let tools do the target acquisition for the team, which acts as a force multiplier for your hunters. Analytics can also help anticipate future attacks by tracing attack origin back to root cause. As a result, teams can anticipate and focus on the organization's defensive weaknesses.

As your team gels, develop rapid-response protocols. Deciding when to reveal oneself is critical, as counter-incident-response measures and destructive attacks are becoming the norm.

The hunt itself works on three levels:

  1. Assess threat intel (IPs, domains and hashes) against historical data.
  2. Query for similar threads that are not identical matches in historical data.
  3. Anomaly detection, which requires continuous analysis of unfiltered data from the endpoint.

A threat hunt is most effective when employing both active measures (agents deployed to endpoints) and passive measures (NetFlow, packet capture appliances). User and entity behavior analytics must be employed, as it is critical to baseline "normal" network and host behavior in a threat hunt; contextualizing normal behavior is the most effective way of determining where an adversary might lie in wait.

A hunter must position themselves on the high ground. The high ground is defined by greater situational awareness. Specifically, the hunter must analyze threat intel from customer IPs, domains and hashes applied to historical data. From that vantage one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint. 

Stage I: Go historical. Take in tactical threat intel (domains, hashes and IPs) and be able to search the last 30 days of data. Hash values may have low false positive rates, but they are easy for an attacker to change. Domains and IPs may have a ton of false positives.

Stage II: Move up the pyramid of pain. Change the threat-intel language toward TTPs (actions or behaviors). Time is a critical component.

Stage III: Move to anomaly-based hunting. This is algorithmic threat hunting: looking for changes in behavior rather than similarities to what has previously been seen.
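An added example (not code from the post or from Carbon Black) of what Stage I and Stage III look like over historical endpoint data: `sweep` matches tactical intel against the last 30 days and surfaces the hardest-to-change indicator types first, and `new_destinations` flags a host reaching a domain absent from its own baseline. The intel values, hostnames and events are constructed placeholders, and "now" is pinned so the window is reproducible.

```python
from datetime import datetime, timedelta

# Pyramid-of-pain rank: the higher, the costlier for an adversary to change.
PAIN_RANK = {"hash": 0, "ip": 1, "domain": 2}
FIELDS = (("hash", "sha256"), ("ip", "dst_ip"), ("domain", "dst_domain"))

# Constructed tactical intel; values are placeholders, not real indicators.
TACTICAL_INTEL = {"hash": {"deadbeef" * 8}, "ip": {"198.51.100.23"},
                  "domain": {"update-check.example.net"}}

# Constructed historical observations (endpoint + network); "now" is fixed for the demo.
NOW = datetime(2018, 4, 1)
HISTORY = [
    {"ts": "2018-02-10T09:00:00", "host": "ws-17", "sha256": "deadbeef" * 8,
     "dst_ip": "203.0.113.5", "dst_domain": "cdn.example.org"},
    {"ts": "2018-03-20T14:30:00", "host": "ws-17", "sha256": "0" * 64,
     "dst_ip": "203.0.113.5", "dst_domain": "update-check.example.net"},
    {"ts": "2018-03-28T08:15:00", "host": "fs-02", "sha256": "1" * 64,
     "dst_ip": "198.51.100.23", "dst_domain": "cdn.example.org"},
    {"ts": "2018-03-30T11:00:00", "host": "fs-02", "sha256": "2" * 64,
     "dst_ip": "203.0.113.5", "dst_domain": "cdn.example.org"},
]

def sweep(events, intel, now, window_days=30):
    """Stage I: match tactical intel against the last `window_days` of data."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue  # older than the retrospective window
        for kind, field in FIELDS:
            if ev[field] in intel[kind]:
                hits.append({"host": ev["host"], "ts": ev["ts"], "kind": kind,
                             "value": ev[field], "pain": PAIN_RANK[kind]})
    # Hardest-to-change indicators first: a domain hit costs the adversary more to abandon than a hash.
    hits.sort(key=lambda h: (-h["pain"], h["ts"]))
    return hits

def new_destinations(events, now, baseline_days=30):
    """Stage III: flag hosts reaching a domain absent from their own baseline."""
    cutoff = now - timedelta(days=baseline_days)
    baseline = {}
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            baseline.setdefault(ev["host"], set()).add(ev["dst_domain"])
    # Hosts with no baseline yet cannot be scored; they are skipped, not flagged.
    return [(ev["host"], ev["dst_domain"]) for ev in events
            if datetime.fromisoformat(ev["ts"]) >= cutoff and ev["host"] in baseline
            and ev["dst_domain"] not in baseline[ev["host"]]]
```

Widening `window_days` pulls the older hash match back in, which illustrates the post's point: the cheap-to-change indicator only appears once you look beyond the default window, and it sorts last.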

Hunters should evaluate users with higher levels of access to a network’s “crown jewels” and subsequently deploy deception grids around these users and hosts. Remember, static defenses without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy hunting.

The post Suppressing the Adversary via Threat Hunt Teams appeared first on Carbon Black.
