Long before the 2013 cyber attack against Target that compromised more than 41 million of the company's customer payment card accounts, cyber criminals had already learned they could make a killing by going after credit card terminals.
Consider the experience of a big global financial institution we worked with - sorry, no names - that provided credit card terminals to retail outlets but whose valuable information was getting siphoned off overseas without triggering any alert or indicator of a compromise.
One day they finally discovered that traffic was beaconing to a country in which this institution did not do business. The subsequent threat hunt turned up an even more ominous discovery: the beaconing included a regular large file upload containing information about credit card terminals and their owners, covering terminals used at thousands of retail and convenience stores.
When Symantec got called into the investigation, we were able to recreate these file uploads to identify exactly what had been exposed: information relating to the owners of the terminals, including firmware version, software version and the amount of money each terminal had transacted on a daily basis, as well as personal information about the credit card terminal owners, including their physical locations.
The episode provided a simple lesson in the value of proactive threat hunting. Even though the company in the above example lost some data, it could have been a lot worse. Without the hunt, this massive breach might have gone unexposed for months, surfacing only after it had caused significant damage.
Companies that take a proactive view of security tend to be in pretty good shape: they’re not passively waiting around for alerts. So, let’s talk about a few rules of the road as we consider how proactive threat hunting can improve your security posture.
Defining the Challenge
First, some context. Let’s acknowledge that despite progress registered by some industry initiatives, we still find a troubling time lag between breach detection and response. Microsoft announces zero days, but the reality is that the underlying vulnerabilities have often been in the wild for - literally - months. Research finds that the average time to detection is 206 days, while the time to response ranges between 21 and 35 days. That leaves organizations needlessly exposed to attackers out to steal valuable IP and data. Every minute counts; indeed, the faster an organization can close its window of exposure, the smaller the ultimate cost it will incur.
Why Threat Hunting isn’t Incident Response
Don't confuse the two. There’s a fine line between threat hunting and active incident response. The standard security operations model is: set up alerting, receive alerts, triage alerts and respond to alerts if needed.
Threat hunting is different. Threat hunting begins with formulating a hypothesis of what behavior a threat actor would exhibit if they had circumvented our defenses, and of where critical assets or intellectual property exist. We then look for evidence to support our hypothesis. If evidence is found, the analyst pivots, expanding understanding of the threat and creating IOCs for future alerting.
Let’s expand on why incident response is reactive and why threat hunting is proactive. Incident response is by nature a reactive process: there is an incident and we respond to it. Threat hunting is forward-looking: defenders scan the horizon for emerging threats and preemptively stop them before they become full-blown incidents.
Incident response, by nature, focuses attention on known threats with expected outcomes. Threat hunting is not just forward-looking. It involves taking a deeper dive into the situation and removing blinders that limit your field of view. It opens your analysis to threats that have evaded detection but are nonetheless ready to inflict damage.
Threat hunting exercises can help businesses identify threats before they escalate into full-blown security breaches. Uncovering poorly managed security solutions is a byproduct of effective threat hunting, further fortifying the organization against an actual attack.
Oftentimes, the hunts uncover things that the company thought it had defended against, but it turns out that they’re still quite vulnerable. For instance, perhaps some firewall rules got changed. Maybe a proxy setting or two weren’t optimized. And in our fast-emerging era of IoT, it’s hardly uncommon to find devices that are not properly configured for security.
Agent vs Network-based Hunting
Agent-based threat hunting excels at things like looking for persistence in the registry or processes in memory. But deploying agents can take weeks, and even then there is a subset of devices that can’t always be architected to ensure that a security agent gets installed. Devices that wind up deployed in IoT or SCADA installations are becoming a bigger security concern all the time. (In fact, we’re aware of recent attacks that were launched using vulnerable web cameras.)
Network threat hunting, on the other hand, has no reliance on the endpoint devices. Analysis begins almost as soon as a network recording solution is installed. Since it is looking at network traffic, it makes no difference what type of device the packets are coming from. It understands traffic from these often-unmonitored endpoint devices as easily as it understands a Windows workstation. The medical industry specifically has unique challenges in this area due to the number of medical devices with embedded operating systems connected to the Internet.
Threat Detection vs Threat Hunting
Traditional Security Operations is event-based. We have devices on our perimeter that are there to detect malicious activity. The same is true with the endpoint. We have agents watching, alerting to any malicious activity. The majority of these alerts are triggered based on known threats. Threat hunting is the next step to secure our infrastructures. In threat hunting, we look for anomalous events on both a macro and micro scale, identifying behaviors that on their own would look benign, but when compounded together, expose evidence of risk or a developing attack.
More Art than Science
So, what does a focused threat hunt look like? Threat hunting is more an art than a science. It rests on assuming that your defenses have already been breached and then looking for evidence that supports - or disproves - that thesis. A threat hunt begins by identifying key egress points to monitor. Then, using network taps or packet brokers, a copy of traffic is sent to network capture appliances for analysis with a suitable network analytics and forensics tool, such as Security Analytics. The analyst, or hunter, begins analyzing network traffic looking for suspicious and unusual communications. On a simple scale, this can be anything from a large volume of outbound DNS traffic to an endpoint sending unusual packets to an external host.
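To make the hypothesis-then-evidence loop concrete, here is an added example in Python that is not part of the original post and is not Symantec's or Security Analytics' own code. It runs two of the hypotheses from this post over constructed flow summaries: the regular check-in with a periodic large upload to an unexpected country from the opening story, and the large volume of outbound DNS traffic mentioned just above. The record layout, host names, IP addresses (from documentation ranges) and the country code "ZZ" are all assumptions made for the example.

```python
"""Hypothesis-driven hunt over constructed flow summaries.

Added example; not code from the original post or from any vendor product.
Hypothesis 1: a host beacons to an external server on a fixed schedule and
             periodically pushes a large upload (the terminal-data case).
Hypothesis 2: a host generates far more outbound DNS traffic than its peers.
"""
import json
from collections import defaultdict
from statistics import mean, median, pstdev

# Record layout (an assumption for this example, not a real product's schema):
# (epoch seconds, source host, destination IP, destination country, dst port, bytes sent)


def constructed_flows():
    """Build a small, clearly constructed data set for the two hypotheses."""
    flows = []
    base = 1_700_000_000
    # pos-gw-01 checks in every 10 minutes; every sixth check-in carries a ~5 MB
    # upload. "ZZ" is a placeholder for a country the business does not operate in.
    for i in range(12):
        size = 5_000_000 if i % 6 == 5 else 512
        flows.append((base + i * 600, "pos-gw-01", "203.0.113.10", "ZZ", 443, size))
    # Ordinary, irregular web traffic from a workstation to an allowed country.
    for i, gap in enumerate([0, 37, 410, 455, 1300, 1322, 2900]):
        flows.append((base + gap, "ws-17", "198.51.100.7", "US", 443, 8_000 + i))
    # Outbound DNS totals: three workstations with modest volume and one outlier.
    for host, total in [("ws-17", 2_000), ("ws-18", 2_500), ("ws-19", 1_800), ("ws-42", 400_000)]:
        flows.append((base + 5, host, "192.0.2.53", "US", 53, total))
    return flows


def find_beacons(flows, allowed_countries, min_flows=6, max_jitter=0.10):
    """Flag source/destination pairs whose inter-arrival times are nearly constant.

    Jitter is the coefficient of variation of the gaps between flows; a value
    near zero means a machine-driven schedule rather than human activity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, country, _port, nbytes in flows:
        by_pair[(src, dst, country)].append((ts, nbytes))
    findings = []
    for (src, dst, country), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        sizes = [n for _, n in recs]
        findings.append({
            "src": src, "dst": dst, "country": country,
            "interval_s": round(avg), "jitter": round(jitter, 3),
            "typical_bytes": median(sizes), "max_bytes": max(sizes),
            # Compounding evidence: regularity alone is weak, regularity plus an
            # unexpected destination country plus a periodic bulk upload is not.
            "unexpected_country": country not in allowed_countries,
        })
    return findings


def dns_volume_outliers(flows, factor=10.0):
    """Return hosts whose outbound DNS byte total exceeds factor x the median host."""
    per_host = defaultdict(int)
    for _ts, src, _dst, _country, port, nbytes in flows:
        if port == 53:
            per_host[src] += nbytes
    if len(per_host) < 3:  # too few hosts for a meaningful baseline
        return []
    baseline = median(per_host.values())
    return sorted((host, total, round(total / baseline, 1))
                  for host, total in per_host.items() if total > factor * baseline)


def hunt(flows, allowed_countries=("US",)):
    """Run both hypotheses and pivot confirmed findings into IOCs for alerting."""
    beacons = find_beacons(flows, allowed_countries)
    return {
        "beacons": beacons,
        "dns_outliers": dns_volume_outliers(flows),
        "new_iocs": sorted({b["dst"] for b in beacons if b["unexpected_country"]}),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(constructed_flows()), indent=2))
```

The thresholds (six flows, 10% jitter, ten times the median DNS volume) are starting points to tune against a real baseline, which is why the post's advice to keep 30+ days of captured traffic matters: the longer the recording, the more confidently "unusual" can be defined.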
Call to Action
Threat Hunting can help companies deal with the complexity of finding and classifying data as it moves through the network, allowing admins to understand what's going in and out of their organization.
An obvious starting point for enabling Threat Hunting is for organizations to begin capturing network traffic, ideally 30+ days’ worth. With a recording device in place you now have a security camera or DVR for your network. It’s like a “Black Box Flight Recorder” that captures all network details whenever an incident requires deeper analysis and investigation. If you’re still building your own capability or need a partner to help, Symantec can offer advanced threat hunting, managed network forensics and sophisticated incident response services. Here are a few links you might check out: