Modern-day cyberattacks keep growing in sophistication and sheer volume. This dynamic makes it virtually impossible to detect and block all attacks using the traditional methods of comparing incoming requests to known attack signatures. To effectively operate in this new aggressive cyberthreat environment, it is paramount that IT operations, developers, and DevSecOps adopt a proactive defense mindset. Threat hunting is all about having that powerfully proactive mindset. The underlying goal of threat hunting is to detect, evaluate, and mitigate threats before they can impact core operational functions.
In this post, we will suggest a methodology of remediating threats based on the technique called Threat Modeling.
Threat Hunting Methodology
From a 1000-foot view, threat hunting methodology is not hard. As with most critical situations, your time is scarce and the information is insufficient. The methodology follows an Assess, Prioritize, Address flow.
It goes something like this:
- Understand new threats
- Assess potential impact, or risk, of the new threats
- Model the threats to determine where they may impact the software or the business process and prioritize risks
- Implement protection measures and mitigating controls
- Assess how effective the protection is
- Repeat periodically as the threat landscape and your infrastructure change
Lets dive in.
New Generation of Threats for Cybersecurity
Only one thing about tomorrow is certain: the cybersecurity threat landscape is under siege by a new, more sophisticated and challenging type of attacker than ever before. They are different than previous generations of hackers. New attacks will be stealthier and grow more covert every year. New threat vectors are coming, adding to a growing tally of variants from existing threats. Newer forms of phishing attacks, ransomware, social engineering, and even cryptojacking will proliferate — to name only a few. The key difference in the way attacks are launched than in previous years is in the modus operandi of the new hacker. Sophomoric attacks, like “Smash and Grab” campaigns, are gone. The new cyberattacker is patient and deliberate.
The new cyberattacker takes their time to select a target (or victim) and study it completely for any unknown weaknesses and vulnerabilities. They determine the best possible backdoor in which they can enter into their target and stay in for longer periods of time than ever before. If the earlier cyberattacker could be likened to cat burglars, then the new cyberattacker could be likened to a cartel.
A cyberattacker may not stay in the confines of their target for months on end. They may leave and penetrate it again later via the backdoor that they left ajar. The point is that they now have the ability to go undetected for long periods of time. Rather than trying to take what they want all at once, they bleed their victim bit by bit.
The long game of residing in a hack, means businesses and corporations need to maintain the highest levels of alertness to track down the most covert cyberattackers before even the beginning stages of an attack can occur. A constant regimen of Threat Hunting activities by your IT security staff is a winning strategy.
Understand What Is Vulnerable
Threat and Vulnerability Management
Not all assets are vulnerable to all threats. First, you need to make sure your most critical assets are protected. Implement a classification schema in order to determine what is most at risk in your existing IT Infrastructure. All assets need to examined. But, in this case, you are using a top-down approach by classifying items that are at extremely high risk down to those assets that are least at risk.
Determine the identification mechanisms implemented (or planned for implementation) for employees or other parties trying to gain access to shared network resources.
Examples of identity management mechanisms are password managers, two-factor authentication (2FA), and biometrics (like fingerprint or voice recognition).
Security Awareness Training and Education
Evaluate the comprehensiveness of employee awareness and training in security best practices and policies. Everyone in the company plays a role in protecting IT resources — from on-premise use to mobile devices and laptops. Firmly relay the need for compliance and clearly explain the policies surrounding noncompliance or improper use of company resources.
Auditing your security awareness and training should include looking at internal traffic. Check that high-traffic areas are being properly secured and used with appropriate rights and permissions.
The line between work-life and personal time blur in the age of smartphones and remote work. Ensure that user practices, technology, and companywide policies are aligned is not solely in the hands of an isolated security team.
Periodic scrutiny of existing security policies that support security awareness and compliance is critical. Check whether security is being enforced. Address any weaknesses. Regular updates should be released, reflecting the current threat environment and organizational needs.
Incident Response Plan
Your company should have an Incident Response Plan, which needs to be regularly updated and reviewed as part of threat hunting and remediation.
- Update frequency of the Incident Response Plan
- Adoption and practice in real time
- Employee contact information roster is correct
- Effectiveness of the communications subcomponent
Review Existing Protections
The meat of threat hunting is in auditing the existing IT infrastructure and security architecture. This is, objectively, the most complex part of the assessment and should be the most comprehensive.
A full audit of your existing monitoring tools identifies vulnerabilities and weaknesses. Assessing your security architecture will be sure that issues can be identified, the overall infrastructure has no holes, and that the most efficient solutions and tools for handling the threat landscape is in place.
Part of establishing good protection is ensuring that your security team has an adequate ratio of staffing and resources, including up-to-date monitoring tools and support.
Incorporate security performance evaluations into your threat hunting process. Clearly defined responsibility and reviewing what the pain points and places for improvement are for the response teams can help address shortfalls and vulnerabilities that occur when teams are overextended or underperforming.
Emerging Security Technologies
Prioritize advances in tools and technology with every threat remediation activity. Newer security tools include incident response features that identify existing and impending threats. They arise from responsive industry specialization that looks into the consequences and weaknesses that come with technological growth. Attackers exploit weaknesses. Attack prevention is more complete with technologies as up-to-date with the current threat environment.
For example, the growth of APIs to keep business responsive to markets demanding rapid CI/CD means stronger protection at the API level (Layer-7 protection) is of new and paramount importance. Technology becomes more specialized as a technological landscape gets bigger.
Conducting a financial audit that aligns with your security audit can ensure critical financial resources are applied in the most cost-effective manner.
Evaluating the security budget and technology doesn’t mean “spend more”. It means evaluating whether money is being spent effectively in relation to the level of security you have. A budget review should evaluate:
- Are the tools I have the most up-to-date?
- Are there new options that expose and prioritize new vulnerabilities or solutions?
- Is our internal CI/CD impacting our security?
It is crucial to question, the impact of CI/CD cycles. Rollouts that come at the cost of security can lead to high-cost recovery after an attack or breach.
Dispelling the myth that more security toys is better is also critical. The marketplace or a legacy of security solutions is not the same as having a fully defended infrastructure. In fact, more solutions piled onto one another can increase the attack surface for a cyberattacker.
Third-Party Entities, Technology, and Services
Outsourced entities conducting your daily business, accessing your systems, carry risks. Audit hiring practices of third parties that have any potential security risk. Increasing the due diligence around hiring criteria, processes, and background checks can reduce company vulnerability to an inside job. It’s also important that hired third parties, like contractors, are part of security training and awareness.
Once this Risk Assessment has been completed, the next step in any Threat Hunting Remediation exercise is determining what to exactly hunt for and the frequency of that hunt.
Select a Threat Model to Use
After performing a risk assessment, you should have a documented list of the kinds of threats and risks to hunt for. You are now ready to apply the list to one of four threat hunting models.
Four threat hunting models:
- Cyber Kill Chain (Lockheed Martin)
- Attack Lifecycle (Fireye)
- Cyber Attack Model (Gartner)
- ATT&CK Lifecycle (MITRE)
The Cyber Kill Chain Model
Cyber Kill Chain is the more popular one to use in threat hunting remediation exercises, so we will take you through this example of threat hunting below. A Cyber Kill Chain threat hunting approach revolves around the sequential way cyberattacks happen. A cyberattacker usually launches a particular threat in a series of phases. Each phase is a point where the cyber attack vector could be mitigated if the right security controls are in place.
7 phases of cyberattack in the Kill Chain Model:
Cyberattackers spend time researching their potential target. They determine the target’s weaknesses and vulnerabilities and the most opportune ways in — the most covert backdoor possible.
After identifying the best backdoor possible, the cyberattacker creates a malware weapon to deploy at the target. With newer attacks, these can be harder to identify because they are designed to match target-specific vulnerabilities and weaknesses.
The tailored malware weapon is launched.
The malicious file in the malware weapon is now triggered. Exploiting the vulnerabilities and weaknesses of the target, whatever the attack’s aim, is in position — be that stealing data, harming software, et cetera.
The malware weapon creates an access point, or backdoor, into the target. Through this access point, the attack is able to further penetrate into the infrastructure.
Command and Control
At this stage, the cyberattacker has their hands on the target and can manipulate it to their own ends.
Actions on Objective
Once in location and installed, the cyberattacker can start taking action. This is the end of the hack, resulting in the theft of passwords, ransomware, data exfiltration, data leakage, or even the destruction of data.
Fixing, Patching and Compensating Controls
Now that you’ve run a risk assessment and chosen a threat hunting model you can understand what stages in the model represent the most risks and start putting counter-measures in place.
1: Create and test a threat hunting hypothesis
Create a general hypothesis of what you expect to unveil in a threat hunting exercise. These should be easy to determine based on the findings of the risk assessment and application of those findings to the model.
Using our vulnerable network server example, one hypothesis could be: if a fileless based attack is launched, it would totally wipe out the memory banks of the network servers and destroy their processing capabilities.
2: Collect relevant information and data
Test hypotheses with all available threat hunting tools. Collect the resulting data for review.
Examine data for any anomalies and malicious patterns in the datasets that have been previously identified.
One method of threat hunting is to use these identified anomalies and malicious attacks to reconstruct the tactics, techniques, and procedures (TTPs) employed in cyberattacks. If no anomalies are detected, you can potentially determine no systems have been compromised.
3. Lather, Rinse, Repeat
After completing all manually helmed threat hunts with the tools at hand, look to automation. First, determine which steps can be expedited with automated threat hunting tools.
Automated threat hunting tools intelligently use human and technological resources. Security teams are wasted on performing the same necessary tests over and over manually if there is a better, automated option. If the same threat hunting exercise needs to be repeated again a later time, automate as much as possible. Manual processes should only be used for new hunting exercises.
Once you’ve hunted down threats, you have to determine how to resolve them.4. Creating Security Solutions
If a cyberattack is detected, determine where it is in its lifecycle. That will determine your next course of action. For example, if malicious patterns and anomalies show a cyberattack is in its beginning stages, your incident response team can handle the threat before it does damage.
If no threat is detected, you can start the threat hunting planning cycle again for a new exercise.
How Effective was a Threat Hunting Exercise?
Each threat hunting remediation exercise should be followed by a post-game evaluation to, and determine if it was successful or not. Establish realistic data-driven metrics that can measure real indicators of success around threats, like the turnaround time for responding to incidents.
Examples of security performance metrics to track are:
- Number of incidents by severity
- Number of compromised hosts
- Dwell time
- The number of identified vulnerabilities
- Corrected and identified insecure practices
- False-positive rate of transitioned hunts
Incidents by Severity
Monitoring the volume of incidents by severity establishes a running tally of the total number of previously known and unknown incidents.
Over time, this provides context as to how well security defenses are working.
A running tally of the total number of compromised hosts in the IT Infrastructure is an especially useful metric when threat hunting on endpoint security tools. It is highly effective for revealing setting misconfigurations.
Dwell time shows how long discovered security threats were active in your IT Infrastructure. Dwell time has three areas that add detail and insight::
- Time between infection and detection
- Time from detection until to investigation
- Time between investigation and remediation
These various times allow you to evaluate where remediation resources should be put or fixes should be made to technology, processes, or teams.
This is the total number of vulnerabilities discovered based on the hunting exercises being conducted.
Corrected and Identified Insecure Practices
The total number of identified and corrected IT-related insecure practices allows for internal measures to quickly up security health. Unaddressed, insecure practices can accidentally leave a backdoor open for future attacks.
False Positive Rate of Transitioned HuntsAutomation is critical to reducing the rate of false positives. Not only is it a waste of your security team’s time to manually tune, but it’s impossible to sort through high, repetitive numbers of false positives. Unassuaged volumes of false positives create too much noise around identifying real threats and vulnerabilities. There is no foreseeable time when data is going to slow down or lighten, so adding automation is key to keeping pace with security needs.
Putting it all together
There are several steps in applying risk assessment results to the model to prepare for staring threat hunting activities.
- Apply your prioritized list of risks and vulnerabilities, made in the risk assessment, to your selected threat hunting model.
- Determine the kinds of activities that a cyberattacker could target as threat vectors for the identified risks, specific to your company.
- Map the risks and cyberattacker opportunity activities to the phases of the threat hunting model.
Ex:) If the Network Servers in your IT Infrastructure is most at risk, determine the kinds of actions or activities a cyberattacker would take to attack them. Then, place them at the different phases of the threat hunting model accordingly.
- Calendar routine threat hunting remediation activities. Based on risk level, rotate through regular threat hunts for each at-risk IT asset.
The exact frequency will be limited by the available resources. However, it’s critical to do different threat detection tests as often as possible.