"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare, but essential, breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
3. Threat Hunting Terminology
Adversary (The hacker or operator)
Customer (The end beneficiary of the hack, breach, intrusion, etc.)
Capability or Capacity (The theoretical tools, techniques, methods, exposures or vulnerabilities to be exploited)
Infrastructure (The physical or logical communication platform used to achieve the goal)
Victim (The company, server, person, account, etc. that is the )
Sergio Caltagirone, Andrew Pendergast and Christopher Betz, "The Diamond Model of Intrusion Analysis," Active Response, July 2013
4. Threat Hunting Styles
Victim-Centered: The most common approach in Enterprise security. Focused on
monitoring the hosts and the networks to identify malicious infrastructure and capabilities.
Capability-Centered: Focused on identifying features of a capability in order to find
other elements related to the adversary’s operation. Common in AV vendor reports.
Infrastructure-Centered: Focused on the malicious infrastructure used in the attacks, with
the goal of mapping adversary-owned infrastructure, pivoting to identify other victims and
uncovering additional capabilities used in the attacks.
Other Styles: There are other styles of threat hunting, but they are either outside of the
cyber realm (socio-economic-centered), in the realm of LEAs (adversary-centered), or
focused on technologies and services which can be more in the theoretical research
camp (e.g. fuzzing, 0-day exploit hunting, etc.).
5. So, What is Cyber Threat Hunting?
It is the human-driven search for one or more phases of a cyber attack conducted by an
adversary, using tools, information and investigative techniques. It is NOT waiting for an
alert to be fired from a piece of technology.
• Threat intelligence (data about known threats)
• Behavioral analytics (data about suspicious activity)
• Complete Situational Awareness (data about the environment)
• Intuition, hunches and hypotheses (human judgment)
• Security tools that produce consumable data (contextual answers)
6. Five Levels of Capability**
Level 1: Initial
- Relies primarily on automated alerting
- Little or no routine data collection
Level 2: Minimal
- Incorporates threat intelligence indicator searches
- Moderate or high level of routine data collection
Level 3: Procedural
- Follows data analysis procedures created by others
- High or very high level of routine data collection
Level 4: Innovative
- Creates new data analysis procedures
- High or very high level of routine data collection
Level 5: Leading
- Automates the majority of successful data analysis procedures
- High or very high level of routine data collection
** David Bianco, "A Simple Hunting Maturity Model," Enterprise Detection & Response blog, Oct. 15, 2015
7. Example Threat Hunt: Victim-Centered
Hypothesis: System is potentially compromised.
Trigger: SSH traffic visualization indicates low volatility communications during data browse.
Tools: rapidPHIRE Cyber Intelligence Platform. Inspects network traffic using a combination of threat
intelligence, behavioral analytics and vulnerability data, combined with full-stack network operational data
collection (i.e. security and operational observations).
8. Sufficient Data and Tools?
Threat Intelligence? Yes. rapidPHIRE uses over 40 global threat intelligence feeds as well as
private threat intelligence specific to the network being monitored.
Behavioral Analytics? Yes. The rapidPHIRE Cyber Intelligence Platform uses a combination of Bro
policies for IP session-based analysis, as well as machine learning and anomaly detection of
network communications at a higher altitude (i.e. network communications level).
Situational Awareness? Yes. rapidPHIRE collects all operational data communications on every
active device on the monitored network, identifying the MAC, IP, hostname and active user credentials
on the system, and tracks all application communications in and out, thus learning each system's function.
Additionally, rapidPHIRE is aware of theoretical vulnerabilities of each system discovered.
Consumable Data? Yes. The rapidPHIRE solution tells a rich visual story and provides quick
answers, allowing for threat hunters to pivot through the data very quickly.
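The "low volatility" SSH trigger from the hunt above can be reproduced outside the platform from ordinary session logs. The following is an added example, not code from the deck or from rapidPHIRE: it parses constructed records laid out in Zeek/Bro conn.log field order (ts, id.orig_h, id.resp_h, id.resp_p, service) and flags host pairs whose SSH sessions recur at near-constant intervals; the min_sessions and max_cv values are assumed tuning knobs, not figures from the deck.

```python
# Added example, not from the original deck: a victim-centered hunt check for the
# "low volatility SSH communications" trigger above, run over constructed records
# in Zeek/Bro conn.log field order (ts, id.orig_h, id.resp_h, id.resp_p, service).
# min_sessions and max_cv are assumed tuning values, not figures from the deck.
import statistics
from collections import defaultdict

# Constructed sample sessions (tab-separated like conn.log; one non-SSH row as control)
SAMPLE_CONN_LOG = """\
1444900000.10\t10.1.1.20\t203.0.113.5\t22\tssh
1444900300.05\t10.1.1.20\t203.0.113.5\t22\tssh
1444900600.20\t10.1.1.20\t203.0.113.5\t22\tssh
1444900900.00\t10.1.1.20\t203.0.113.5\t22\tssh
1444900010.00\t10.1.1.30\t10.1.1.2\t22\tssh
1444900100.00\t10.1.1.30\t10.1.1.2\t22\tssh
1444902000.00\t10.1.1.30\t10.1.1.2\t22\tssh
1444902100.00\t10.1.1.30\t10.1.1.2\t22\tssh
1444900050.00\t10.1.1.20\t198.51.100.9\t443\tssl
"""

def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p, service) tuples, skipping '#' header lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, orig_h, resp_h, resp_p, service = line.split("\t")
            yield float(ts), orig_h, resp_h, int(resp_p), service

def low_volatility_ssh(records, min_sessions=4, max_cv=0.15):
    """Map (orig_h, resp_h) -> coefficient of variation of the gaps between SSH
    sessions, keeping only near-periodic pairs (stdev/mean below max_cv). Those
    are the 'low volatility' conversations a hunter would pivot on first."""
    sessions = defaultdict(list)
    for ts, orig_h, resp_h, resp_p, service in records:
        if service == "ssh" or resp_p == 22:
            sessions[(orig_h, resp_h)].append(ts)
    hits = {}
    for pair, stamps in sessions.items():
        if len(stamps) < min_sessions:
            continue  # too few sessions to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv < max_cv:
            hits[pair] = cv
    return hits

if __name__ == "__main__":
    for (src, dst), cv in low_volatility_ssh(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"low-volatility SSH {src} -> {dst}: cv={cv:.4f}")
```

Only the 10.1.1.20 -> 203.0.113.5 pair, whose sessions recur every 300 seconds, is returned; the irregular 10.1.1.30 pair and the non-SSH row are ignored, which is the pivot point the hunt then investigates.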
12. Pivot from Victim (contextual indicators)
Windows Vista laptop (no extended support from Microsoft on system)
Swiss C&C platform
CVE-2015-0016: Score 9.3. Total compromise of system integrity and protection. Entire system may be compromised.