by Mark Turner, Richard Taylor, Richard Kerr
Wed, Sep 28, 2022
Proactive threat hunting is a cyclical, hypothesis-driven process that assumes an undiscovered breach of an unknown type has already occurred. There is no precipitating incident and no roadmap; no high-fidelity detection rules have been triggered. As noted in NIST Special Publication 800-53, “The objective [of threat hunting] is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses.” Public and private sector organizations should view proactive threat hunting as an “enhanced security requirement.”
“If you can simply write a rule, write a rule. But then you don’t need to hunt.” – Anton Chuvakin, former Vice President and Distinguished Analyst at Gartner, now senior security advisor for the Office of the CISO at Google Cloud.
In contrast, reactive threat hunts focus on known threats. They are typically triggered by a security incident or a set of high-risk alerts. The investigators are often mid-tier Security Operations Center (SOC) analysts responsible for triaging and investigating alerts, root cause analysis, incident response, and consolidating logs in a security information and event management (SIEM) system. This essential work can be highly stressful because of the large daily volume of false positive alerts. Chronic alert fatigue is widespread, and it leads analysts to start ignoring many of the alerts.
Expert threat hunters possess elite skills in surfacing anomalous cyber activity, detecting gaps in the security infrastructure and identifying ways attackers can exploit these gaps to compromise an organization’s operational integrity. Their extensive red team experience enables them to think like adversaries, intuit their objectives and see through their attempts to evade detection. Thanks to their intimate familiarity with their organizations’ digital estate and business processes, they excel at leveraging the latest threat intel and crowdsourced attack data to efficiently sift through vast stores of network, endpoint and cloud security data for artifacts of an ongoing attack. Overall, they excel at deductive reasoning, malware analysis, data science and communicating their findings in actionable terms meaningful to business and IT leaders alike.
Threat hunters utilize a variety of data sources, tools and techniques to uncover threats.
Threat intelligence, also known as cyber threat intelligence (CTI), is a formal process for collecting and correlating data about attempted or successful intrusions from multiple internal and external sources. SIEMs often incorporate data from threat intelligence feeds to help automate rule creation. While inherently a reactive medium, threat intelligence furnishes hunters with a rich repository of tactics, techniques and procedures (TTPs) and indicators of attack (IoAs) to drive proactive investigations.
Kroll’s 2021 State of Incident Response report surveyed 500 security and risk leaders at large organizations—those with more than $500 million in revenue—on matters related to their cyber security programs, specifically threat detection and incident response, and respondents are keenly aware of the risks:
How does one hunt for an unknown unknown? What tools and data are needed? How is success gauged? We asked members of our threat hunting leadership team to share their experiences in the field. Here are some highlights.
Actors use many techniques in their attempts to evade detection. One is to rename their tools and malware. Consequently, hunters routinely search endpoints for executables with odd names or running from odd locations. For example, on one assignment the threat hunting team found a file named s.exe. That violates normal file naming conventions, so a term frequency search was run to determine how prevalent the file was across the client’s environment. Multiple instances were found on finance department systems. Next, a sample of the file was detonated in a sandbox. It turned out to be an instance of Rclone, a legitimate file management tool that ransomware actors use to exfiltrate data. Ultimately, the initial compromise was traced to the system of a finance clerk who had fallen for a phishing attack. The threat hunting team succeeded in locating and helping neutralize the ransomware before it could spread and detonate.
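The odd-name check and the term frequency (stacking) search described above, as an added example that is not part of the original post or Kroll's tooling: it stacks process image names across hosts from constructed EDR telemetry and surfaces rare, oddly named or oddly located executables such as s.exe. The name and path heuristics, the host prevalence threshold and the sample events are all assumptions to tune per environment.

```python
import re

# Constructed sample EDR process telemetry as (hostname, image_path); not real data.
SAMPLE_EVENTS = [
    ("FIN-PC01", r"C:\Windows\System32\svchost.exe"),
    ("FIN-PC02", r"C:\Windows\System32\svchost.exe"),
    ("HR-PC07",  r"C:\Windows\System32\svchost.exe"),
    ("FIN-PC01", r"C:\Users\jclerk\AppData\Local\Temp\s.exe"),
    ("FIN-PC02", r"C:\Users\jclerk\AppData\Local\Temp\s.exe"),
    ("FIN-PC03", r"C:\Users\Public\s.exe"),
    ("HR-PC07",  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("ENG-PC12", r"C:\Program Files\Git\cmd\git.exe"),
    ("ENG-PC12", r"C:\Program Files\Git\cmd\git.exe"),
]

# Heuristics (assumptions): very short base names, user-writable drop directories,
# and anything outside the usual OS / Program Files trees.
ODD_NAME = re.compile(r"^[a-z0-9]{1,2}\.exe$")
ODD_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def stack_images(events):
    """Term frequency search: which distinct hosts run each image name (lower-cased)."""
    hosts = {}
    for host, path in events:
        hosts.setdefault(basename(path).lower(), set()).add(host)
    return {img: sorted(h) for img, h in hosts.items()}


def odd_executables(events, max_hosts=3):
    """Hunt leads: (host, path, reasons) for oddly named/located images seen on few hosts."""
    prevalence = stack_images(events)
    leads, seen = [], set()
    for host, path in events:
        low = path.lower()
        name = basename(low)
        reasons = []
        if ODD_NAME.match(name):
            reasons.append("short_name")
        if any(d in low for d in ODD_DIRS):
            reasons.append("odd_dir")
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted_path")
        if reasons and len(prevalence[name]) <= max_hosts and (host, low) not in seen:
            seen.add((host, low))
            leads.append((host, path, tuple(reasons)))
    return leads
```

Run against a real EDR export, the same stacking by department (here the host name prefix) is what turns "s.exe on a few finance machines" into the sandbox-detonation step that follows.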
During one monthly assignment, Kroll threat hunters discovered an employee in the IT department using work assets to mine cryptocurrency. Here’s a condensed account of the hunt and its aftermath.
The client asked the team to focus on potential threats of loss or damage to its proprietary design and engineering data. Employees in several departments were allowed to use USB drives, which can be infected with malware or used to exfiltrate data. The team therefore hypothesized that a USB-based attack could be underway. They began by analyzing endpoint detection and response (EDR) data collected in the SIEM for evidence of unusual USB activity or strains of USB-related malware. As it happened, this yielded nothing, because the compromised system was on a network segment where EDR was not installed.
Instead, the team located a suspect machine in the IT department by ingesting and analyzing NetFlow logs. These showed an employee’s system communicating with several cryptocurrency mining services. Further analysis found that the employee was running cryptojacking executables from a .lnk (shortcut) file on the thumb drive’s storage volume. The employee’s search history also contained links to dark web sites explaining how to cryptojack without being detected.
The team carefully assembled and preserved the necessary forensic data to provide the client with evidence for possible prosecution. The hunt team concluded its assignment by creating a detection rule flagging the cryptocurrency mining pools the employee had been using, to reduce the risk of a similar attack going undetected in the future.
If a significant ongoing breach had been discovered, the team would have immediately notified the client and activated an incident response team. In this case, the client’s general counsel handled the matter in the normal course of doing business.
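The NetFlow analysis and the resulting mining-pool detection rule from the case study, as an added example that is not part of the original post or Kroll's tooling: it aggregates constructed NetFlow-style records per source host, flags hosts talking to a watchlisted pool (or sustaining many flows to ports commonly used by Stratum mining protocols), and turns the confirmed pool list into a Suricata alert rule. The watchlist, the port set, the flow threshold, the documentation-range IP addresses and the local sid value are all assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out, flow_count).
# Destinations use RFC 5737 documentation ranges; the numbers are illustrative only.
SAMPLE_FLOWS = [
    ("10.20.5.17", "203.0.113.45", 3333, 1_800_000, 940),   # IT workstation -> pool A
    ("10.20.5.17", "203.0.113.46", 14444, 600_000, 310),    # same host -> pool B
    ("10.20.5.17", "198.51.100.9", 443, 120_000, 12),       # ordinary HTTPS traffic
    ("10.20.5.18", "198.51.100.9", 443, 90_000, 8),
    ("10.20.7.3", "192.0.2.77", 443, 45_000, 3),
]

# Assumed watchlist of mining-pool endpoints (from threat intel or the hunt's own findings).
POOL_WATCHLIST = {"203.0.113.45", "203.0.113.46"}
# Ports commonly used by Stratum mining protocols; a weak signal alone (assumption, tune locally).
STRATUM_PORTS = {3333, 4444, 5555, 14444}
MIN_FLOWS_ON_STRATUM_PORT = 100  # miners reconnect constantly, so flow counts stay high


def flag_mining_hosts(flows, watchlist=POOL_WATCHLIST, stratum_ports=STRATUM_PORTS):
    """Return {src_ip: {"pools": [...], "bytes_out": n, "flows": n}} for suspect hosts."""
    hits = defaultdict(lambda: {"pools": set(), "bytes_out": 0, "flows": 0})
    for src, dst, port, nbytes, nflows in flows:
        on_watchlist = dst in watchlist
        noisy_stratum = port in stratum_ports and nflows >= MIN_FLOWS_ON_STRATUM_PORT
        if on_watchlist or noisy_stratum:
            rec = hits[src]
            rec["pools"].add(dst)
            rec["bytes_out"] += nbytes
            rec["flows"] += nflows
    return {src: {"pools": sorted(r["pools"]), "bytes_out": r["bytes_out"], "flows": r["flows"]}
            for src, r in hits.items()}


def suricata_rule(pools, sid=1000001):
    """Detection rule for the confirmed pool list (sid in the local-use range, assumed)."""
    dsts = ",".join(sorted(pools))
    return (f'alert tcp $HOME_NET any -> [{dsts}] any '
            f'(msg:"Possible cryptomining pool contact"; sid:{sid}; rev:1;)')
```

The rule is the reactive follow-up the case study describes: once the hunt has confirmed the pools, future contact with them becomes an ordinary high-fidelity alert rather than something that has to be hunted for again.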
First and foremost, it’s essential to distinguish proactive threat hunting from other investigative methods. With the elite skills required in short supply, it’s no surprise that most threat hunts today are reactive. That’s a problem because bad actors constantly introduce new TTPs explicitly designed to evade detection.
The survey responses and case study demonstrate the critical importance of collecting and preserving log and telemetry data for root cause analysis and threat hunting. Yet, this continues to be a significant problem for many organizations. One cause is the sheer volume of data that must be ingested, correlated, and analyzed daily. Another is that actors often attempt to cover their tracks with Indicator Blocking and other techniques that impair or prevent access to investigative data. To reduce risks, organizations must do everything possible to preserve and make this data available at scale.
SIEM and Security Orchestration, Automation and Response (SOAR) solutions are helpful in partially automating data management, alert triage, and incident response playbooks. However, these tools still rely on detection rules that sophisticated actors routinely circumvent because of the rules’ intrinsic limitations. If rules are overly specific, they can miss crucial clues of a cyberattack. If overly broad, they can impair routine business processes and deluge SOC teams with spurious alerts. Most importantly, they cannot detect evidence of attacks that have never been seen before. That goal can only be achieved with proactive threat hunting.
Learn more about Kroll’s end-to-end cyber security services or call our Cyber Incident Response Hotline to request immediate assistance.