Do you have what it takes to be a great cyber detective who can sniff out cyber threats?
The Australian Cyber Security Centre (ACSC) has developed prioritized mitigation strategies to help cybersecurity professionals in Australian organizations to mitigate incidents caused by various cyber threats. It lists ‘threat hunting’ as one of strategies.
Recently, threat hunting also received formal recognition by the National Institute of Standards and Technology (NIST) in the United States as a cybersecurity control. While threat hunting has gained momentum over the past decade, many cybersecurity professionals would tell you that it is “nothing new”. However, this has not stopped threat hunting from being one of the most talked about enhancements to most organizations’ cybersecurity programs today.
A ‘threat hunter’ is someone who proactively and iteratively discovers current or historical threats that evade existing security mechanisms, and uses that information to improve cyber resilience in organizations.
What it takes to hunt threats
The essential technology and analytical skills needed to be an effective threat hunter that can help to safeguard organizational networks, servers, applications, web environment and cloud infrastructure include:
- Understanding the importance of the totality of the operating environment
Threat hunters should tailor their activities to the priorities set by the organization. This process frequently involves analysing the outputs of risk modeling, threat intelligence and detection engineering.
Threat hunters should be raising questions about how threat detection is conducted within an organization. Tabletop exercises and risk/vulnerability assessments are a terrific way to understand of the steps and pathways an adversary would take within the environment to accomplish their goals. In most cases this involves escalating privileges and lateral movement.
Things threat hunters need to think about: Do the controls provide telemetry around credential theft events? What about suspicious activity in-memory? If they cannot detect these events, then their ability to threat hunt is hampered before they even start.
- Identifying the indicators of compromise in organizational systems
The term “indicators of compromise” (IOCs), has two primary meanings: one broad and one more specific.
In the broad sense, indicators of compromise are pieces of evidence on hosts, endpoints, network or in logs that tell the threat hunter that their organization has been compromised. In the other more-specific granular way, IOC is used is to mean Internet Protocol (IP) addresses, hash values, domain names and other specific values that are known to be associated with a threat. Finally, IOCs can also include unusual network traffic and file changes and the presence of malicious code.
- Executing against a constantly-evolving technology backdrop
Organizations are constantly changing to newer, better, faster tech solutions; in turn, threat actors change their tactics, techniques and procedures.
It is therefore important that threat hunters choose an approach that can keep pace. Taking an agile approach is recommended. The Japanese strategy called Kanban is a good starting point for right-sizing hunts, limiting work-in-progress and helping to manage ‘blockers’.
- Investigating trends in quantitative data using statistical analysis
One of the key things threat hunters need to understand is how to identify anomalous activity within a dataset. They should be able to identify patterns and relationships in quantitative data to spot activity such as credential misuse or suspicious data transfers. This includes both on-premises and cloud assets.
A few of the more common statistical analysis techniques to be employed include clustering, grouping and stack counting as well as visualizations like box plots and line/bar charts. Threat hunters should set aside a few hours weekly to sharpen their data analysis skills to ensure they have all the best tools at their disposal.
To be a great threat hunter, one has to possess an understanding of the importance of network security, enjoy managing secret key material and be able to identify anomalous account usage.
Threat hunters need to know what suspicious activity looks like, and how an attacker can use access to an on-premises environment to pivot to cloud- and even web- infrastructure.
Overall, the skills required to be a threat hunter have not changed that much in the past five years, but the volume and scope of the threats have grown exponentially.
The crux of the role of threat hunter is all about formulating or identifying a hypothesis, extrapolating the data that is needed to test it, and then executing against it.