Successful threat hunting requires curation & collaboration
Article by ThreatQuotient APJC regional director Anthony Stitt.
Many organisations are harnessing the benefits of technology to enhance their business, yet the reality is that their systems are often compromised as a result. This has become both normal and expected, as should be the process of detecting and removing these compromises, otherwise known as ‘threat hunting’. Without this crucial capability, compromised systems escalate into breaches when attackers are left to infiltrate and operate freely.
Data breach costs continue to rise each year, with the latest Ponemon Study has found the average cost of a data breach up 6.4% to an average of $3.38 million. Mean-time-to-detection (MTTD) has also risen to 197 days, up from 191. The faster hackers can be found and removed, the lower the risk of a comprise escalating into a full-blown breach becomes.
The 2018 SANS Incident Response Survey found threat hunting is now one of the top three areas of focus for improving incident response that organisations plan to make within the next year. Frameworks, like the Targeted Hunting integrating Threat Intelligence methodology, are emerging from concerned and motivated communities. MITRE ATT&CK is also increasing in popularity as a framework, because it describes the tactics, techniques and procedures (TTPs) that attackers leverage.
The positive news is that many organizations already have the technology required for threat hunting, with SIEMs and threat intelligence a starting point. A malware sandbox is also another great addition, as it allows an organization to generate its own threat intelligence from suspicious files, with Endpoint Detection and Response (EDR) tools useful for conveniently searching across many endpoints.
Threat hunting is often as straightforward as using threat intelligence to look for indications of compromise (IoCs) by searching logs. Threat intelligence typically comes from external sources, with numerous free and paid services of threat intelligence available, including from antivirus vendors. However, a rich area for threat hunting, that many organisations often overlook, is their own intelligence from attacks they’ve seen or managed.
Employee users are frequently labelled as being one of the main infection vectors because they open files and click on malicious links, yet these same end users are also adept at spotting scam and phishing emails. Providing a place for employees to send these emails for extracting threat indicators provides a great resource of highly relevant threat intelligence. Whether it be from malware files, URLs, email addresses or keywords, these can all be leveraged to see if others are being targeted.
A mature threat hunting capability should automate the process of collecting intelligence and searching for atomic IoCs, like discrete IP addresses, domains and file hashes. Unfortunately, security teams are challenged by high volumes of logs from every system within their information and communications technology (ICT) infrastructure. Even a modest threat intelligence program has millions of indicators from commercial and open sources, industry groups and security vendors.
Without prioritisation and contextualisation this becomes a further distraction for security teams. Understanding what is important to your organization is crucial to effective prioritization and allows the focus to be on investigating high-risk indicators.
To help with prioritization, many threat intelligence providers publish ‘global’ risk scores based on their own research, visibility and proprietary methods. However, what is valid to one company may not be relevant to another. An organisation should have its own prioritization process based on contextual parameters like industry, geography and business to reduce noise and improve effectiveness.
Frameworks like MITRE ATT&CK describe threat actor TTPs, although detecting them is not as straightforward as detecting atomic indicators. TTPs can only be inferred from atomic indicators, so threat hunting benefits from an extra initial step, where a hypothesis about an attacker is formulated. For instance, MITRE defines a malicious spearphishing attachment as a technique to gain initial access. The hypothesis could surmise that any employee spearphished with an email containing a malicious attachment is only one of many under attack.
The threat hunt could then focus on taking a known spearphishing attempt and searching for any other staff affected by the same or similar attacks. In this virtuous cycle, a TTP is inferred from a known attack to extract atomic indicators to help search across the organization. Forcing attackers to change TTPs has a significantly higher cost for them and may result in their disinterest and dropping their focus on your business.
Attacks may span multiple systems, which means analysts must be able to conduct investigations collaboratively. Traditionally, this has been difficult and time consuming to practically initiate because teams and tools are often siloed. This is especially problematic in an emergency, where gaps between functional groups slow an investigation. Teams need a physical or virtual collaboration space to work together, as even in the calmer environment of a threat hunt, employees from different groups will likely need to coordinate with one another.
The intelligence gathered from external sources such as sandbox samples, reports, suspect emails and threat hunting missions, ultimately starts to pile up over time. With the right processes and systems, this can instead become a library, where everything is catalogued and cross-referenced, rather than a cluttered mess.
Spreadsheets, ticketing systems, emails and document management systems are all methods to control this information, however, the challenge is doing this at speed and scale. A dedicated system designed to collect, catalogue, curate and automate threat intelligence is a natural solution for any threat hunting team looking to improve effectiveness.
By working together, security teams can pinpoint adversary TTPs to find malicious activity, reducing MTTD and the impact of an attack. Teams will also have the benefit of seeing colleagues’ work, which can be turned into best practice or knowledge to accelerate parallel investigations. Threat hunting should be a continuous process, with new data and learnings constantly added to this library, and intelligence re-evaluated or re-prioritised to support proactive threat hunting.
Threat hunting is fast becoming a crucial pillar of security operations. The right platform will offer the automation and collaboration teams require to move faster through the threat hunting process and reduce the cost of a data breach.