What is Next Generation Threat Hunting?
By Jason Colyar - Fortune 100 Senior Threat Hunter - February 18, 2020
The FBI recently reported that in 2019, cybercrime cost businesses $3.5 billion, a number they say is likely grossly underestimated. Another study from Accenture that spanned 11 countries across 16 industries found that the complexity of attacks is also increasing. As a result, the average cost of cybercrime for an organization grew from $1.4 million to $13.0 million. The stark reality is that as threat actors advance their techniques, our traditional and conservative methods of defense are no longer as effective as they once were.
Being reactive to a compromise or breach in 2020 can incur steep financial, reputational, and legal losses. From breaches experienced by Equifax to over 25 cities in the United States being held hostage by ransomware in 2019, this evolving threat landscape presents a pressing need to be proactive when it comes to cyber defense. Throughout this evolution, one expression rings true: an ounce of prevention can be worth a pound of cure.
The average cost of cybercrime for an organization grew from $1.4 million to $13.0 million. – Accenture
What is Threat Hunting?
Historically, information security has been based on reactive analysis, which can be thought of as the cleanup effort that occurs after a device or network is compromised. During reactive analysis, analysts watch for alerts or incidents and then respond to the call. Like police and firefighters acting as first responders to society's emergencies, reactive security analysts are the first responders of the digital world.
Threat hunting is the practice of performing proactive analysis to preempt an attack or catch cybercriminals in the act. Instead of relying on traditional security products and their signatures to detect and alert on infections that are already present, threat hunters proactively search for the specific techniques, methods, and behaviors that threat actors and hackers have used to breach organizations or government entities in the past. Where IT incident responders are like first responders, threat hunters are like special agents in the field who manually take the initiative to find threats unknown to antivirus vendors and security control providers.
Threat Hunting Techniques
There are a variety of hunting methodologies and frameworks; however, the most common approaches to threat hunting typically include the following steps:
- Discovery – Find new attack techniques and indicators of compromise
- Informing – Use threat intelligence data streams for hunting
- Hypotheses – Imagine how and where an attack might be taking place in your organization
- Investigating – Use your intelligence data, tools, and skillset to prove or disprove your hypotheses
- Identification of Threats – Use an attack framework to discover enemies in your vertical
- Identification of Techniques – Find specific attacks that enemies in your vertical use
- Training – Remain up to speed on best practices with good threat hunting training
Two popular resources that provide best practice guidance on threat hunting are the MITRE ATT&CK framework and the Information Sharing and Analysis Centers (ISACs).
The MITRE ATT&CK framework is a U.S. federally funded research effort that maps out the stages of known cyber-attacks and gives examples of the techniques used in each phase of an attack.
It also provides valuable data on present threat actors and Advanced Persistent Threats (APT), categorizes the groups, and lists the attack types and techniques that have been proven to be associated with them. They even take it a step further to list what verticals, industries, and countries the attackers target. By harvesting this information, you can create a list of attackers that pose a true threat to your company. From there, analysts can compile a list of known attacks and techniques used by those attackers, formulate a hypothesis, and investigate. Other threat detection tools discussed in the next section can also support this effort.
The Information Sharing and Analysis Centers (ISACs) were created to address the lack of information sharing across industries and entities. An ISAC is a community in which organizations from a specific industry share their experiences, breaches, artifacts, investigations, and lessons learned in confidence, with the goal of improving security across the industry through cooperation and collaboration. Members of an ISAC can curate intelligence pertinent to threats that directly affect their organizations or industries. From there, analysts can begin to look for recently discovered attacks and take action.
Let's say, for example, that yesterday a bank that is a fellow member of the FS-ISAC (Financial Services Information Sharing and Analysis Center) was breached. Today they're sharing the technical details of the attack so that your team can initiate a hunt within your enterprise to see whether you've been impacted or breached. An added benefit of ISACs is that you will often receive information before it is shared with news outlets or authorities, making them a treasure trove of data for proactive analysts. For companies with a limited budget and resources, this can be an affordable way of gathering intelligence to fuel both reactive and proactive investigative efforts.
How core elements of threat hunting techniques have evolved over time
In the past, threat hunting was conducted by searching for obvious indicators of compromise, such as files, executables, and artifacts that are proven evidence of malware. While this has helped many companies discover breaches, new threats require better approaches.
- Traditional Indicators of Compromise: Hunting for indicators of compromise or evidence of infection is often a first step a threat hunter or incident response analyst may take to be more proactive in their analysis. As time progressed and the impact of incidents became more detrimental to companies, security teams have learned that by the time the malware is on a device, they are already late. This led to the necessary evolution of threat hunting techniques shifting from searching for indicators of compromise to a greater focus on indicators of attack.
- New Indicators of Attack: Indicators of attack include the tactics, behaviors, and prerequisites that precede an actual compromise, as described in the Cyber Kill Chain and MITRE ATT&CK frameworks. The differentiator in hunting for indicators of attack is that you have the chance to stop an attacker in their tracks, often in real time, just as they are trying to compromise your network. This enables more proactive security management than relying solely on antivirus or indicator-of-compromise hunting, which notify you only after the threat is present. Another reason why hunting for indicators of attack supersedes the value of former techniques is that advanced attackers often craft their own malware or buy it from dark-web retailers. Then, much like an enterprise, they design a framework and playbooks for how to go about information gathering, social engineering, and breaching a company's defenses. Once inside, attackers have systematic methods for delivering malicious software and moving laterally within the organization, establishing back doors for persistent access to the compromised devices, and exfiltrating or removing sensitive data. Since these methods are often successful, well thought out, and followed procedurally, threat hunters have had success in spotting attackers by searching for these behaviors.
- Updated Indicators of Risk: Another method that is not new, but plays a significant role in bolstering security posture, is hunting for indicators of risk. This is a common practice in organizations, whether performed by on-staff teams or outsourced to vendors, and is also known as vulnerability scanning and management. By scanning assets continually, searching for risks within your organization, and prioritizing the patching and fixing of the vulnerabilities discovered, you begin to lessen your attack surface. Your attack surface consists of the devices and infrastructure in your organization that are susceptible to attack. An example of this is the vulnerability in the Server Message Block (SMB) service that WannaCry ransomware requires to compromise a device and spread to other computers on the network. Many companies impacted by the viral ransomware attack had this exploitable vulnerability on their network and had not fixed it at the time of the attack. If you have technology constantly hunting for gaps like this and notifying your team so that they can be fixed, your chances of being impacted are much lower.
- Threat Intelligence: One supplemental asset to threat hunting techniques is threat intelligence. Threat intelligence pertains to finding, validating, and curating information about cybercrime, groups, attacks, and the artifacts associated with them. With threat intelligence feeding a threat hunting program, the hunters have a large volume of attack data from which to form hypotheses. With this insight, they can hunt for evidence of suspicious activity and attacks. By proactively looking for indicators of compromise, risk, and attack, companies have a greater chance of preventing the more complex threats that usually evade traditional signature-based technology. For example, hunters can find malware that does not leave file artifacts and often is not detected by any antivirus software, also known as "file-less" malware. Account hijacks are another example where proper threat hunting techniques can discover that a user's credentials have been stolen. Otherwise, a company may not know for months that an intruder is impersonating a legitimate user on the network.
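The contrast drawn above between sweeping for shared indicators of compromise (the FS-ISAC scenario) and hunting for an indicator of attack is easiest to see on the same event stream. The following is an added example, not code from the article or from any product it mentions: an IoC sweep matches a file hash a peer shared, while an IoA rule flags the behavior "an Office application spawns a script interpreter or a program from a user-writable path", which is one of the commonly used analytics for malicious documents. The hosts, paths, and hashes are constructed placeholders, and the `ProcessEvent` shape is an assumption standing in for whatever your endpoint telemetry provides.

```python
"""Added example (not from the article): an IoC sweep and an IoA rule run over
the same constructed process-creation events. Hosts and hashes are made up."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    sha256: str         # hash of the created process image


# Hypothetical indicator shared by a peer (e.g. through an ISAC): a file hash.
# "7f3c" * 16 is a 64-hex-character placeholder, not a real malware hash.
SHARED_IOCS = {"sha256": {"7f3c" * 16}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")  # heuristic, assumed


def ioc_sweep(events, iocs=SHARED_IOCS):
    """Hosts where a created process image matches a shared hash."""
    wanted = {h.lower() for h in iocs["sha256"]}
    return sorted({e.host for e in events if e.sha256.lower() in wanted})


def ioa_office_spawns_suspicious_child(events):
    """Hosts where an Office application spawned an interpreter or a binary
    living in a user-writable location. This keys on behavior, so it still
    fires when the payload is recompiled and its hash is unknown."""
    hits = set()
    for e in events:
        parent = ntpath.basename(e.parent_image).lower()
        child = ntpath.basename(e.image).lower()
        if parent not in OFFICE_APPS:
            continue
        if child in INTERPRETERS or e.image.lower().startswith(USER_WRITABLE_PREFIXES):
            hits.add(e.host)
    return sorted(hits)


# Constructed telemetry: two compromised workstations, one with a recompiled
# payload whose hash was never shared, plus normal activity elsewhere.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "7f3c" * 16),
    ProcessEvent("ws-02", r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                 r"C:\Users\bob\AppData\Local\Temp\report.exe", "19ab" * 16),
    ProcessEvent("ws-03", r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "c0de" * 16),
    ProcessEvent("ws-04", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "5a5a" * 16),
    ProcessEvent("srv-01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "e1e1" * 16),
]


def hunt(events=SAMPLE_EVENTS):
    """Run both approaches and show what the behavior rule adds over the hash sweep."""
    ioc_hits = ioc_sweep(events)
    ioa_hits = ioa_office_spawns_suspicious_child(events)
    return {
        "ioc_hits": ioc_hits,
        "ioa_hits": ioa_hits,
        "ioa_only": sorted(set(ioa_hits) - set(ioc_hits)),
    }


if __name__ == "__main__":
    for key, hosts in hunt().items():
        print(f"{key}: {hosts}")
```

Running it shows the hash sweep catching only the host that ran the exact file the peer shared, while the behavior rule also surfaces the recompiled payload and the interpreter spawn; in a real hunt the IoA hits become the hypothesis you then investigate on those hosts.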
The Power of Next-Gen Threat Hunting Techniques
According to research conducted in 2019 by IBM, the average time to detect a breach is 206 days, or almost seven months. Furthermore, it takes an average of 73 days to recover from a breach. A solid threat hunting program can cut this detection time down from almost seven months to potentially days or minutes.
A report from Bricata also disclosed that 62% of respondents said improving the detection of advanced threats was the top benefit of hunting in their organizations.
Breakdown of the ROI timeline realized by companies:
- 10% said immediately
- 19% said within days
- 11% said other
- 23% said within months
- 16% said within a year
- 21% said two or more years
Improving Threat Hunting with User Behavioral Analytics and Machine Learning
Next-generation threat hunting technology is helping automate the threat hunting process. Hard to detect attacks, such as credential theft and file-less malware, can be detected and prevented more accurately with next-generation threat hunting technology. These solutions leverage machine learning and user behavior analytics to detect anomalous behavior that traditional technology usually cannot. Here are a few examples:
- Stolen credentials - Through next-gen hunting techniques that incorporate user behavioral analytics, a company can potentially detect when a legitimate user's account has been taken over. For example, threat hunting technology can detect when a finance department manager begins manipulating server database logs and file directories. Or, in the social media department, when a user based in Cleveland is found logging in from Spain, Australia, and the Netherlands at the same time. Or when a service desk support technician begins exporting company legal documents, contracts, or design schematics.
- File-less malware - File-less malware often goes undetected; however, there are processes that these types of attacks leverage that can sound an alert through next-gen technology. For example, by finding the common PowerShell methods often utilized by file-less malware or looking for other indicators of attack, this risk can be proactively mitigated.
- Privileged account abuse - User behavior analytics solutions powered by artificial intelligence and machine learning can also be effective in detecting when an account user gives themselves unauthorized privileged access to system resources. This is a common action cyber attackers take and then attempt to cover up. Finally, by utilizing metadata and greater context around user transactions, next-gen solutions can detect anomalies like a user accessing files and accounts that someone in their role typically does not.
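The three scenarios in the list above (concurrent logins from several countries, a user granting privileges to their own account, and access outside what a role normally touches) are each a rule over an audit stream plus a baseline. The following is an added example, not code from the article or from any product it names: three such rules run over a constructed set of login, privilege-grant, and file-access events. The users, roles, share paths, countries, and the `Event` shape are all made up, and the role-to-path baseline is hard-coded here where a real system would learn it from history.

```python
"""Added example (not from the article): three user-behavior rules run over a
constructed audit stream. Users, roles, paths, and countries are made up."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # "login" | "grant_privilege" | "file_access"
    detail: str   # login: country; grant_privilege: account granted; file_access: path


# Hypothetical baseline of which share prefixes each role normally touches.
USER_ROLE = {"alice": "finance", "bob": "servicedesk", "carol": "social"}
ROLE_PATHS = {
    "finance": ("/shares/finance/",),
    "servicedesk": ("/shares/kb/", "/shares/tickets/"),
    "social": ("/shares/marketing/",),
}


def impossible_travel(events, window=timedelta(hours=1)):
    """Users whose logins come from more than one country inside `window`.
    Returns {user: sorted list of countries seen in the offending window(s)}."""
    flagged = defaultdict(set)
    recent = defaultdict(list)          # per-user logins still inside the window
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "login":
            continue
        recent[e.user] = [x for x in recent[e.user] if e.ts - x.ts <= window] + [e]
        countries = {x.detail for x in recent[e.user]}
        if len(countries) > 1:
            flagged[e.user] |= countries
    return {u: sorted(c) for u, c in flagged.items()}


def self_privilege_grants(events):
    """Actors who granted a privilege to their own account, in time order."""
    return [e.user for e in sorted(events, key=lambda x: x.ts)
            if e.action == "grant_privilege" and e.detail == e.user]


def role_deviations(events):
    """(user, path) pairs where the path lies outside the user's role baseline.
    Unknown users have an empty baseline, so every access they make is flagged."""
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "file_access":
            continue
        allowed = ROLE_PATHS.get(USER_ROLE.get(e.user, ""), ())
        if not e.detail.startswith(allowed):
            hits.append((e.user, e.detail))
    return hits


# Constructed audit stream for one morning.
T = datetime(2020, 2, 18)
SAMPLE_EVENTS = [
    Event(T + timedelta(hours=8), "alice", "login", "US"),
    Event(T + timedelta(hours=8, minutes=30), "alice", "login", "US"),
    Event(T + timedelta(hours=9), "carol", "login", "Spain"),
    Event(T + timedelta(hours=9, minutes=5), "carol", "login", "Australia"),
    Event(T + timedelta(hours=9, minutes=12), "carol", "login", "Netherlands"),
    Event(T + timedelta(hours=9, minutes=30), "alice", "file_access", "/shares/finance/q4.xlsx"),
    Event(T + timedelta(hours=10), "alice", "file_access", "/srv/db/logs/audit.log"),
    Event(T + timedelta(hours=10, minutes=15), "bob", "file_access", "/shares/tickets/1234.txt"),
    Event(T + timedelta(hours=11), "bob", "file_access", "/shares/legal/contracts/msa.pdf"),
    Event(T + timedelta(hours=11, minutes=20), "bob", "grant_privilege", "bob"),
    Event(T + timedelta(hours=11, minutes=25), "bob", "grant_privilege", "svc-backup"),
]


def hunt(events=SAMPLE_EVENTS):
    """Apply all three rules and return their findings keyed by rule name."""
    return {
        "impossible_travel": impossible_travel(events),
        "self_privilege_grants": self_privilege_grants(events),
        "role_deviations": role_deviations(events),
    }


if __name__ == "__main__":
    for rule, findings in hunt().items():
        print(f"{rule}: {findings}")
```

The output flags carol's three-country login burst, bob's grant to his own account (the grant to `svc-backup` is not flagged by this rule, since it is a grant to another account that a separate approval check would cover), and the two file accesses outside each user's role. Each finding is a hypothesis to investigate rather than a verdict; the point of the baseline is to shrink the set of events a hunter has to look at.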
Ultimately, through a combination of user behavior analytics and machine learning technology, companies can establish a proper insider threat detection program to monitor user activity proactively, identify abnormalities, and respond to attacks. An insider threat detection program can also be pivotal in providing greater security for the most valuable and highly targeted accounts such as executive-level employees, accounts payable managers, and more. When these attacks occur at the leadership level, detection in hours or minutes, as opposed to the average 206 days, can make or break the very survival of a company.
62% of companies say threat hunting is reducing breach detection times. – Bricata
With cybercrime at an all-time high and criminal attack techniques growing in sophistication, the associated losses are record-breaking. Businesses are currently going up against an advanced adversary that is intelligent, unseen, and many times silent. Security controls and more conventional methods still hold great value in providing a layered defense. However, a proactive approach to threat hunting powered by machine learning and user behavior analytics, as found in Veriato Cerebral, is necessary to ensure that your organization is prepared to not only survive but strategically prevent these attacks.