A Threat Hunt Tale
The human domain is complex and unpredictable, and as a result the logic behind certain behaviors is also complex. The problem that many detection systems try to solve is the automated detection of these complex behaviors. Some actions are obvious (e.g. port scans), but others are harder to detect, particularly when they come from the internal network, such as valid credentials used for the wrong purposes.
To make the issue a little more difficult, not all adversaries use the same techniques or methods to achieve their goals. For example, a nation state actor could have a set of known tactics, techniques and procedures (TTPs) that could potentially be detected. If the TTPs changed, what new course of action would the analyst take? Or, even more frustrating, what if an insider was operating within the bounds of company policy to steal data? The detection boundary widens and, in the case of an insider leaking information, might not exist at all until the damage is done.
Threat Hunting
Threat hunting can be defined as the act of persistently capturing, tracing, and eradicating cyber adversaries as early as possible in the Cyber Kill Chain. The earlier you locate and track the adversary in the chain, the less impact their activities will have on the network. The organization's IR team benefits from better visibility, uncovering the organization's weaknesses, early detection of threats, and damage control, to name a few. Real threat hunting is the area that goes beyond any automated detection capabilities of an organization.
To recap: it is the point where the human analyst makes the decision call on whether or not there has been a compromise. It is also worth noting that the more manual the detection area, the more skilled the Hunter must be.
Not all hunts produce indicators of compromise (IOCs), but when they do, this is the area where the human Hunter leverages automation and deep learning to assist with both behavioral and atomic types of detection. For the biggest return, hunting and incident response need to work together.
When possible, IOCs should be worked back into the automated detection system, so that future alerts and detection patterns trigger the IR process rather than the Hunter. One such means of identifying active adversaries is the application of Active Defense, or Offensive Countermeasures.
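The hunt-to-automation loop described above, as an added worked example that is not part of the original post: a behavioral hunt hypothesis (valid credentials used from two different sources within a short window) runs over constructed sample log lines, and the source it uncovers is promoted to an IOC so the atomic, automated pass catches it from then on. The log format, field names and function names are assumptions for the illustration.

```python
import re
from datetime import datetime

# Constructed sample authentication events for the walkthrough (not real log data).
SAMPLE_LOG = """\
2024-03-01T02:11:05 user=alice src=10.0.5.23 action=login result=success
2024-03-01T02:12:10 user=alice src=198.51.100.7 action=login result=success
2024-03-01T02:13:00 user=bob src=10.0.5.40 action=login result=failure
2024-03-01T02:20:00 user=carol src=198.51.100.7 action=login result=success
"""

# Assumed key=value log layout; lines that do not match are skipped.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=login result=(?P<result>\S+)"
)

def parse_events(text):
    """Turn log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def atomic_detect(events, iocs):
    """Automated, IOC-driven pass: flag any event whose source is on the IOC list."""
    return [ev for ev in events if ev["src"] in iocs]

def behavioral_hunt(events, window_seconds=300):
    """Hunter's hypothesis: one account logs in successfully from two different
    sources within window_seconds. Returns (previous_event, current_event) pairs."""
    hits, last_success = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        prev = last_success.get(ev["user"])
        if prev and prev["src"] != ev["src"] and \
                (ev["ts"] - prev["ts"]).total_seconds() <= window_seconds:
            hits.append((prev, ev))
        last_success[ev["user"]] = ev
    return hits

def promote_to_iocs(hits, iocs):
    """Feed the hunt result back: the unexpected source becomes an IOC."""
    return frozenset(iocs) | {ev["src"] for _, ev in hits}

def run_cycle(text, iocs=frozenset()):
    """One cycle: automated pass, human hunt, IOC feedback, automated pass again."""
    events = parse_events(text)
    hits = behavioral_hunt(events)
    new_iocs = promote_to_iocs(hits, iocs)
    return {"atomic_before": len(atomic_detect(events, iocs)), "hunt_hits": len(hits),
            "iocs": new_iocs, "atomic_after": len(atomic_detect(events, new_iocs))}
```

In the sample, the automated pass finds nothing until the hunt promotes the second source to an IOC, after which the later login by a different account from that source is caught without the Hunter.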
To be continued…