Threat Hunting with TTPs : Hunting of the Hunter

By

Image : heimdalsecurity
Threat hunting is a proactive process in cyber security that searches for security risks concealed within an organization’s network, data, and endpoints. It entails diving deeply into the IT environment to identify threat actors and attack vectors. If an external attacker or insider can elude initial network defense systems,  they may remain undetected within the network, performing data collection, stealing passwords, eavesdropping on communications secretly, or using network resources for initiating other attacks. Therefore threat hunting is essential for your defense strategy to stop Advanced Persistent Threats (APTs) from remaining in your network. 

Threat hunting involves three steps.

1. Trigger: 

A trigger alerts the threat hunter when the threat detection system discovers an unusual behavior indicating malicious activity. This causes the threat hunter to intimate further investigation on the event to verify if it's an incident to act upon

2. Investigation: 

The treat hunter investigates the event to assess a system’s vulnerability and malicious activity.  The investigation continues until it is clear that the activity is not harmful or finds malicious behavior and vulnerability. 

3. Resolution: 

The security team reacts to the incident, contains and eradicates the threat, and recovers to cause minimize risks.

Threat hunting focuses on the specific behaviors, attack patterns, and operational techniques used by threat actors. It is a process based on intelligence,  data, and research.  Organizations hire threat hunters who are highly knowledgeable on the current threat landscape. Their role is to take proactive measures to defend the organization from threats.

Each security threat is associated with the behavior of the threat actor, which depends on the Tactics, Techniques, and Procedures (TTP) used. Analyzing TTP is essential to understand the attacker's motive and ultimate goal. 

Tactics:

Tactics are strategies that attackers use to access systems. They describe at a high level how the cyber attack would be carried out from the beginning to the end. For example, hackers might use social engineering to obtain confidential information to attack a website.

Techniques:

Techniques are the tools or intermediate methods used by the hacker to exploit a vulnerability in a system. Phishing via email attachments is a common social engineering technique.

Procedures:

Procedures are detailed descriptions of how the hacker will achieve their purpose. The attacker will target the secretory of the CEO, with spear phishing to send a link by email to download and install a computer speed-up software, which also installs a backdoor to log in to her machine remotely, to access sensitive emails.

A security team can hunt down, identify and neutralize attacks, only if they have adequate knowledge about the TTP used by attackers. Knowing the tactics of a criminal can help security teams to detect cyber attacks at the initial stages as well as help predict future ones. 

TTP follows its own life cycle: 

  • When you identify a potential attack, immediately prioritize its risk level, and determine if there are similar incidents that occurred in past, then focus your investigation on them to identify possible attack vectors.
  • Your threat intelligence gathering can help determine which of your systems is most likely to be the target of the attack. 
  • Use monitoring, mitigation, and neutralization procedures to defend the target. 
  • Understanding the latest TTP ensure better network security and endpoint protection from attackers using Threat Intelligence.

Threat hunters think like threat actors. They engage in creative and analytic thinking; stay informed on the newest threats through open source intelligence methods such as scanning the dark web, newsletters, forums, and joining chatrooms.

MITRE ATT&CK, Common Vulnerabilities and Exposures (CVE), and National Vulnerability Database (NVD) are primary sources for threat hunters.


When you are alerted of a security event, ask yourself:

  • How will a potential hacker attempt to intrude organization's network?
  • What are the attack techniques used by cybercriminals in past incidents?
  • Which endpoints are the most accessible entry point?
  • What are the vulnerabilities that may exist in those endpoints?
  • What would be the final goal of the attack?
  • What motivates the threat actor to attack?
  • What would be the likelihood of an attack?

Threat hunting requires collecting threat data. There are various security tools to build threat models representing the entire organization's attack surface and analyze data to uncover anomalies, in different threat scenarios.

Security Information & Event Management (SIEM) 

SEIM tools provide real-time monitoring and analysis of systems for managing security operations. You can use SIEM logs to create insights on security threats by combining AI and ML to predict potential threats.

Known IOCs to determine IOAs

IOCs (indicators of compromise) provide digital evidence of a data breach. You can use known IOCs in the MITRE ATT&CK framework for threat hunting.

A few common IOCs are:

  • Scanning of network hosts 
  • Irregular network traffic
  • Extensive DNS requests
  • A large number of file requests
  • Unauthorized privilege escalation
  • Unrecognized IP addresses
  • Multiple failed logins
  • The surge in database access
  • Unusual changes to system files

IOCs lead to identifying Indicators Of Attack (IOAs), which are indicators of a potential future attack. IOAs adapt to the incoming data, which is highly important in proactive TTP hunting.

Execute the Security Plan

Threat hunting requires around-the-clock attention. It should constantly update the threat intelligence lifecycle and analyze potential threats to defend the organization's information and systems.

Usually, threat hunting systems encompass tools such as :

  • Anti-virus (AV)
  • Endpoint detection and response (EDR)
  • Extended detection and response (XDR)
  • Security Information and Event Management (SIEM)
  • Intrusion detection systems (IDSs)
  • Intrusion prevention systems (IPSs)
  • Cyber threat intelligence (CTI)

Threat hunting systems look for IOAs or unusual behavior in the systems, network traffic, or log files, to capture the source of data.  Threat hunting is best performed effectively on data collected at a central location. 

Threat hunting processes can be performed by an automated software as well as by humans.

Following are some threat hunting tools.

  • SolarWinds Security Event Manager with a wide range of log management.
  • VMWare Carbon Black Endpoint is based in the cloud.
  • CrowdStrike Falcon is a full security operations center (SOA)
  • Trend Micro Managed XDR A software and human threat hunting.
  • Cynet 360 is An innovative cloud-based cyber defense system.
  • Exabeam Fusion Offered is a cloud SEIM platform.

Threat hunting requires preparation by building knowledge through threat intelligence. Threat Intelligence is focused on the analysis, collection, and prioritization of data to improve your understanding of threats faced by the organization and assess risks. Threat hunting and threat intelligence are important processes in an organization's risk management strategy.

Niranjan Meegammana 

 

Comments

Post a Comment

Popular posts from this blog

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen
Read more

Best Practices for secure Software Development

By
Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera
Read more

How easily the data breaches occur? 5 ways to be aware of.

By
Image
Data breaches can occur at any unexpected moment. Unless you do not detect it fast, cybercriminals will have more time to exfiltrate information and cause bigger damage. On average it takes up to 30 days and costs $1 million to address a data breach incident stated 2021 Cost of a Data Breach Study. However, it could be more if you wait longer. Unfortunately, some took 6 months to respond.      Better safe than be sorry! Be prepared against data breaches.  There are 5 ways for your organization to avoid data breaches. Here is how. 1. Weak and stolen credentials  The most simplest way hackers use for data breaches is stealing passwords. Many people use predictable passwords like ‘Password1’ and ‘123456’. With them, cybercriminals don't even need to hack into a system to steal your sensitive data.  There are many tools that can help a cybercriminal to crack passwords. They run millions of popular credentials to break into your system. This requires you to have a strong password policy
Read more