Intrusion detection, incident response, and digital forensics - these are all essential stages of managing a cyberattack. While different in nature, they all share one thing: they come after an attack has breached your systems.
Unfortunately, few companies have the luxury of damage mitigation. In fact, it is believed that no less than 1 in 8 companies goes out of business because of data breaches. And even if small and medium enterprises are hit worst, large companies often face hundreds of millions in breach-related payouts.
Worse still, the surge in remote work and remote systems management caused by the Covid-19 outbreak has brought an increase in ransomware and phishing attacks. Your company now faces the immense challenge of having multiple access points, geographically scattered and with different levels of protection.
But can’t endpoint and network security provide a line of defense? They can, but only against regular malware and non-targeted attacks. In other words, these solutions can only protect you against known attack vectors, and not so much against Advanced Persistent Threats and other well-cloaked dangers. In fact, APTs have become so prevalent that they are now a priority for 55% of all SOCs, according to a 2019 Cybersecurity Insiders threat hunting report.
Since flawless detection is impossible and alert fatigue is ever-present, you need a specialized process that can stop APTs in their tracks.
Introducing Threat Hunting
Threat hunting, a relatively new term, has now started to catch wind, with 77% of security professionals being aware of it, according to the Cybersecurity Insiders report.
Threat hunting consists of proactive detection and, when possible, the isolation of vulnerabilities and potentially compromised systems. Threat hunting focuses on Advanced Persistent Threats and any malware meant to blend into your cyber environment and dwell there for long periods. TH is a combination of advanced security and threat intelligence with the strong analytical skills of a dedicated team.
Threat hunting digs deeper than the average endpoint and network security defenses and creates a realistic picture of your company’s security landscape. It can be used to minimize exposure to external threats, improve response times and accuracy, and to reduce the overall number of breaches and attacks.
Threat Hunting Prerequisites
Sadly, while Threat Hunting is an effective way to fight threats before they become breaches, SOCs spend only 38% of their time on proactive detection, and only 32% perform it constantly. So, what would it take for your security team to be proficient at threat hunting?
First of all, you need full visibility into the security infrastructure of your enterprise or client: network, endpoint, hardware (from server status to IoT device telemetry), and user access. After you’ve painted a clear picture of your defenses, you need an overview of the entire security ecosystem: it’s time to get a Threat Intelligence solution in place.
Once you have both, you need to establish a dedicated team. In case of large enterprises, this can be an internal team, but most of the time you’ll need the experience of an external security provider.
The last part consists of establishing a hunting interval (“as often as possible” is ideal) and a threat hunting framework. This framework will establish clear KPIs, as threat hunting can cost a lot of time and money. For example, finding an APT or hidden malware may not be an ‘’indicator of success’’ (especially if you’re too late), but finding a vulnerability and patching it definitely is.
How Threat Hunting Occurs
Assuming you’ve got the right set of protection and detection tools and a great team, the hunt can begin. Threat hunting always starts with a lead. A lead is a hypothesis about a malicious activity that can come from suspicious network or software activity, from abnormal user behavior or from a risk assessment.
For example, if you see an increased number of logins to a vital system, all with power user credentials, you may assume that some are malicious. To be certain, though, you need to know what regular logins look like, as well as when and how often legitimate users access the system.
Once you’ve established your hypothesis, it’s time to investigate. This is the part where your team searches for patterns and indicators of compromise (artifacts generated by malicious activities, including logins from suspicious IPs, in our case). If there are no visible traces of misconduct, you may also use indicators of concern (information supplied by TI).
Also, if a certain scenario keeps repeating itself, a fully automated investigation would be best. In fact, constantly comparing user and system behavior to itself is far more efficient than investigating them at set intervals.
The next step is centralizing data and testing systems. In our ‘’unusual logins’’ scenario, if your investigation reveals they were indeed performed from a suspicious IP, you should: see if the IP classes have been blacklisted, if there’s any TI about them, or if they generate traffic anywhere else in the company. Also, you should see if you can replicate the incident using existing systems - it might just be an IP recognition error!
The next part is action, which can consist of anything from patching the vulnerable system to changing access credentials or temporarily shutting down a system. It depends on your verdict, which is why threat intelligence is so useful: it can give you better context on the extent of the damage.
Finally, logging your actions and creating a risk report is vital, even if you haven’t found a real exploit or traces of an attack. It will certainly help you in your future hunts.
How Threat Intelligence Blends In
Threat Intelligence can be used in each of these stages, as it can offer valuable information about existing threats and indicators of concern, as well as timely information about what can and cannot affect your particular infrastructure. Therefore, by having a TI solution at hand, you can save a lot of time on false positives and prevent alert fatigue.
Bitdefender's Threat Intelligence solution offers global insight into unique, evasive malware, APTs, zero-days, and C&Cs that are hard to catch and that SOC analysts often lack visibility into.
The data is coming from a combination of extensive knowledge repositories, open sources, traps, honeypots, and botnet monitoring, and is backed by a prolific collaboration with industry partners and reputable law enforcement agencies.
Furthermore, our threat intelligence platform allows consumption of the data in STIX 2.0 format via a dedicated TAXII server, allowing MSSPs, MDRs, and enterprises with a SOC to gain easy access to accurate security data