Prioritization


Difficulty
Intermediate
Video Transcription
00:00
>> Welcome to Lesson 1.4 of Threat Hunting Fundamentals.
00:00
In the last lesson, we dove into
00:00
David Bianco's Pyramid of Pain and our take on it.
00:00
We laid out reasons why
00:00
our approach to detection is focused
00:00
on knowledge of adversarial behaviors
00:00
as described in ATT&CK
00:00
tactics, techniques, and procedures.
00:00
In this lesson, we'll talk about how to
00:00
prioritize your hunting development efforts to
00:00
focus your limited resources on things that have the
00:00
most potential to provide
00:00
lasting benefit for your situation.
00:00
To start, it's wise to ensure that you and
00:00
your organization have a clear understanding
00:00
of purpose for your hunting activities.
00:00
Having a clear and shared purpose helps to align
00:00
your team and your stakeholders to strategic priorities.
00:00
It enables you to optimize your limited resources,
00:00
identify the parts of
00:00
your environment and malicious behaviors to focus on,
00:00
and also helps you measure your progress as you go.
00:00
We're all dealing with limited resources,
00:00
time, money, bandwidth, storage, processing.
00:00
Given those limited resources,
00:00
it makes sense to think through the technologies you're
00:00
using and the scenarios you're concerned about.
00:00
Let's prioritize the techniques that are relevant
00:00
to our business and the technologies we use.
00:00
In time, things will change and we should periodically
00:00
check back in on our filtering decisions
00:00
and update them if needed.
00:00
Adversaries are constantly seeking
00:00
new ways to accomplish their goals and evade detection.
00:00
We need to be sure we're keeping up.
00:00
Our own systems are also changing frequently.
00:00
As functionality, software,
00:00
and devices are added and updated,
00:00
we need to make sure we're including
00:00
the associated analytics and data collection plans.
00:00
Keep in mind that community knowledge, best practices,
00:00
and ideas are also
00:00
frequently being updated in response to
00:00
adversary evolution, technology change,
00:00
and new discoveries of
00:00
existing adversaries and technology.
00:00
We need to stay aware of
00:00
those changes and keep our filtering
00:00
up-to-date to ensure we
00:00
continue to include relevant analytics and monitoring.
00:00
In many cases, it will be appropriate to
00:00
filter based on technology.
00:00
Which technologies are in your environment?
00:00
For example, if you don't use industrial control systems,
00:00
then the techniques associated with
00:00
ICS are not likely to be relevant for you,
00:00
and you can filter them out along with
00:00
their hypotheses and analytics
00:00
and data collection requirements.
00:00
Just keep in mind that you might have
00:00
more technologies in your environment
00:00
than you first think.
00:00
For example, even if you have
00:00
a relatively small network with Windows hosts,
00:00
the routers, switches, servers,
00:00
and firewalls might be running Linux or Cisco.
00:00
Your team might bring in their own mobile devices or
00:00
laptops which might not run Windows.
00:00
Are there IoT devices in your environment?
00:00
Do you have capabilities hosted in the Cloud?
00:00
Be sure to think it through.
00:00
Note the versions and
00:00
configurations of your software as well,
00:00
since those can influence
00:00
which techniques or sub-techniques apply.
00:00
As you progress through this process,
00:00
you might uncover technologies in
00:00
your environment that you hadn't realized were there.
00:00
Which means you'll want to revisit
00:00
this prioritization to ensure those are included.
00:00
In addition to considering
00:00
the technologies your business uses,
00:00
think about what it takes for your business to succeed.
00:00
What kinds of failure scenarios could disrupt it?
00:00
With a clear understanding of business objectives and
00:00
how those map to cyber systems and functions,
00:00
you can further prioritize your hunt.
00:00
Analyze which systems store or process
00:00
sensitive information and which
00:00
accounts have access to it.
00:00
Those could be likely targets of an adversary seeking to
00:00
steal intellectual property or
00:00
hold your information for ransom.
00:00
What would the impact be if an adversary
00:00
modified that information without
00:00
your knowledge or shared it with a competitor?
00:00
Are there any single points of failure for your business?
00:00
Which systems or functions would have
00:00
a negative impact on
00:00
your business if they were disrupted?
00:00
How would an adversary cause
00:00
those failure scenarios to occur through cyber actions?
00:00
Which systems would they need access to?
00:00
Which account accesses would be useful
00:00
or necessary for the adversary to have?
00:00
What are the paths from the Internet or from
00:00
an insider through your environment
00:00
that would enable an adversary to achieve those goals?
00:00
Which attack techniques would an adversary be
00:00
most likely to employ along those attack paths?
00:00
Finally, what does
00:00
the cyber threat intelligence indicate are
00:00
the top threats to your business or business sector?
00:00
Are there certain techniques more commonly used against
00:00
your type of business or by
00:00
adversaries known to be interested in your business?
00:00
Answering these questions can
00:00
help you prioritize techniques.
00:00
Finally, consider how you
00:00
might filter based on malicious behavior.
00:00
Conduct a SOC assessment.
00:00
Do some purple teaming,
00:00
conduct evaluations of your current defensive posture
00:00
relative to attack techniques,
00:00
and get an understanding of your gaps.
00:00
If you have defensive gaps for some of the techniques
00:00
identified based on your technologies
00:00
and business needs,
00:00
those are great candidates for prioritization.
00:00
Within those techniques, which are
00:00
good candidates for detection in your environment?
00:00
Are the techniques likely to be detectable?
00:00
Will you be able to distinguish malicious use of
00:00
those techniques relative to
00:00
the benign background activity
00:00
that's going on in your environment?
00:00
Keep in mind that some analytics are excellent
00:00
for getting the initial detection of malicious activity.
00:00
But you might need others to flesh out the context of
00:00
that activity and help distinguish
00:00
malicious from benign actions,
00:00
or to uncover the full scope
00:00
of the adversary's campaign.
00:00
What other mitigations or detections in
00:00
your current defensive posture could help to
00:00
complement your efforts to
00:00
fill the gaps you've identified?
00:00
Are there any techniques for
00:00
which the broader community has
00:00
already developed good mitigation or detection solutions?
00:00
Be sure to leverage those as much as possible.
00:00
In addition to using
00:00
CTI about your business specifically,
00:00
take note of commonly used techniques across the board.
00:00
They could be relevant to your environment as well.
00:00
After answering the questions in the previous slides,
00:00
you'll be able to develop
00:00
a clear and shared purpose
00:00
for your current hunting activities.
00:00
For example, you might have
00:00
decided to focus on hunting for evidence of
00:00
lateral movement in your engineering department
00:00
or spearphishing indicative of APT3.
00:00
These example purpose statements illustrate how you might
00:00
narrow your current focus down to a subset of behaviors,
00:00
threat actors, and parts of your environment.
00:00
Let's dive a little deeper on the example of hunting for
00:00
persistence consistent with APT3.
00:00
Let's say the cyber threat intelligence indicates
00:00
that APT3 is targeting our business sector.
00:00
We could break that down into
00:00
smaller areas of focus by filtering
00:00
the APT3 persistence techniques documented in ATT&CK to
00:00
those applicable to Windows
00:00
since that's the platform our company uses.
00:00
Now we're looking at eight techniques or sub-techniques.
00:00
When we consider our business needs,
00:00
we might decide that our top priority for
00:00
this hunt will be
00:00
the systems used by our product developers,
00:00
which contain sensitive information that could
00:00
give our competitors a head start
00:00
if they had access to it.
00:00
We can then assess our current defensive posture
00:00
relative to those eight techniques across those systems.
00:00
Checking which mitigations are already in place,
00:00
the data we're currently collecting,
00:00
and how that's being analyzed already.
00:00
We might find that the biggest defensive gap is
00:00
currently in detecting the scheduled task sub-technique.
00:00
By starting with a strategic purpose
00:00
and applying our knowledge of our CTI,
00:00
the technologies in our environment, our business needs,
00:00
and our current defensive posture,
00:00
we've narrowed down our focus to one sub-technique.
00:00
Of the hundreds of techniques and
00:00
sub-techniques documented in ATT&CK matrices,
00:00
how do you prioritize your resources?
00:00
The first step we recommend is to
00:00
identify the technologies present in
00:00
your environment so you can narrow down the set of
00:00
ATT&CK matrices and platforms
00:00
that are relevant to your situation.
00:00
Second, we found that it is very
00:00
valuable to think clearly about your business,
00:00
the failure scenarios or
00:00
disruptions you're concerned about,
00:00
and how those are dependent on cyber.
00:00
That mapping of impacts to cyber can help identify
00:00
the cyber systems and functions that
00:00
represent your crown jewels.
00:00
Once identified, you can determine
00:00
attack paths through your environment that
00:00
could create these negative impacts and discover
00:00
the attack techniques an adversary is likely to
00:00
implement to navigate those paths.
00:00
You might find that there are
00:00
certain techniques associated with a lot of risk to
00:00
your business and are worth
00:00
spending resources defending against.
00:00
Third, you likely already have mitigations and
00:00
detections in place that are
00:00
effective against some of these techniques.
00:00
A SOC assessment can help you understand
00:00
your current defensive posture and identify gaps to fill.
00:00
ATT&CK Evals can provide information on
00:00
how different products map to ATT&CK techniques.
00:00
Adversary emulation and purple teaming can test
00:00
your current defenses and
00:00
further illuminate the gaps that need filling.
00:00
Once you've narrowed down the list of
00:00
techniques to those that
00:00
are relevant to your environment,
00:00
impactful to your business,
00:00
and are currently poorly defended,
00:00
you might find that you have
00:00
a more manageable list of techniques to focus on.
00:00
However, as noted in previous med courses,
00:00
not all attack techniques are
00:00
equally amenable to detection.
00:00
Look for techniques that are
00:00
detectable in your environment,
00:00
those that are likely to have few false alarms,
00:00
and for which you might be able to
00:00
collect the right data to detect.
00:00
Finally, you might want to prioritize
00:00
techniques that are used by multiple groups of interest.
00:00
If you can effectively
00:00
defend against a commonly used technique,
00:00
you're more likely to get
00:00
a better return on your investment of resources.