Threat hunting: a recipe for people-powered defensive security
There’s a person behind every threat, even highly automated ones. And today’s attackers are always stepping up their game. While cyber security is a relatively new concern for organizations, defenders have much to learn from Stanley Baldwin’s 1932 maxim “the bomber will always get through.” F-Secure Senior Threat Hunter Arran Purewal expresses similar thoughts on how human attackers consistently beat the highly automated solutions too many companies rely on.
“Today’s cyber defenses often rely on high levels of automation. But human attackers are born ready to innovate and approach challenges creatively, which is why they can and will continue to beat automated defenses,” he says. “Prevention’s biggest failure is that it became too reliant on automation, which is an important learning for our industry as we encourage organizations to adopt detection and response capabilities.”
Basing defenses entirely on automated security precautions has several shortcomings. Many teams become too reliant on responding to what’s “bad” and ignore what’s “unknown”. Unknown is how a new or innovative TTP (tactic, technique, and procedure) initially appears. Complacency with only responding to what’s known to be bad, rather than proactively investigating unknowns and anomalies, allows attackers using novel TTPs to fly underneath defenders’ radars.
“Developing new security capabilities that reproduce this approach won’t really add much value over conventional endpoint protection products, which we already know aren’t stopping targeted attacks,” says Arran.
Offensive security’s value comes from its practitioners
Automation is often based on rules that dictate when something is bad, and what to do about it. But threats don’t play by those rules. That’s a painful lesson for organizations to learn from an attacker. And it’s why offensive security services such as red teaming give organizations such valuable insights.
Comparing the delivery of cyber defenses with offensive security services (such as red team tests) provides a telling contrast. Red team professionals will use automation as part of what they do, but the real results aren’t automatically produced. A vulnerability scan might be useful during a red team exercise. But it’s up to the red teamers to take things to the next step.
“The value of a red team test doesn’t come from doing a scan. It comes from an experienced professional using their skills and intuition to simulate how a capable attacker will exploit an organization’s security weaknesses – technical or otherwise,” explains Arran. “Defensive security hasn’t capitalized on the strengths of human ingenuity in the same way. But threat hunting gives defenders an effective way to address that shortcoming.”
In broad terms, threat hunting is the capacity to actively engage with defending people’s assets in their estates and networks through a constant evolution in understanding and mitigating offensive capabilities. In practice, these capabilities can provide a crucial edge in facing some of the attacks gaining popularity among advanced threat actors.
Trends in APTs and other advanced threat actors
Supply chain attacks have gained prominence in recent years. In a supply chain attack, adversaries compromise a smaller supplier or company that works with or provides services for the larger, target organization. Smaller companies rarely have the security capabilities of larger enterprises. This weakness makes them great beachheads for attackers to use to pivot into their target’s systems.
2017’s NotPetya outbreak is perhaps the best example of this. The threat actor behind the attack compromised servers used to distribute software updates to a Ukrainian tax program, which they then used to spread the NotPetya ransomware/wiper. The intended targets were widely believed to be limited to Ukrainian companies, but the malware spread to organizations throughout the globe. Many now regard the incident as the most expensive cyber attack in history.
Another trend in targeted attacks is compromising non-Windows platforms. Many enterprises rely heavily on Windows. And historically, Windows has attracted the most threats, and also the most attention from security companies. Attackers have now caught on that the security industry has largely neglected threats to other platforms, making them ideal targets for new, novel TTPs. macOS has become particularly attractive. In fact, late last year, a new type of in-memory Mac malware was attributed to the North Korea-based Lazarus group.
These two trends pose very real challenges to organizations. Both can easily slip through automated defenses. But both exemplify attacks that threat hunting can help organizations mitigate.
Threat hunting season lasts all year long
Highly skilled, well-resourced attackers are shockingly dedicated to their attacks. They can spend months or even years pursuing a single objective or target. In some cases, money is no object. They’ll employ whatever it takes to compromise their target. Everything from zero-days to social engineering to on-premises attacks is in play for these threat actors.
Motivation is another factor that affects what attackers do. They might not be after money, although that’s certainly common. But defenders need to be aware of how geopolitics, macroeconomics and other social/political developments shape threats.
Companies working in industries that are part of China’s 5-year plan need to prepare themselves for cyber espionage. Many companies working closely with the US government are playing catch-up with intel on Iranian cyber threat actors, who became more active in the wake of Soleimani’s death.
Threat hunters are essentially researchers who proactively study networks to figure out how threats will compromise a system. Understanding the evolving threat landscape, including how it’s shaped by developments in tech, politics, economics, and even culture, is part of their job. It’s why they’re able to root out signs of a supply chain attack in progress, malware without executables, hijacked processes, or compromised accounts. They understand how to use automation and technology without becoming blind to its limitations.
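The contrast the article draws, between an automated rule that only reacts to what is already known to be bad and a hunter who goes looking at the unknowns (hijacked or unusual process activity, for instance), can be made concrete with a small script. The following is an added illustration, not code from F-Secure or the article; the process-creation events, host names and the “known-bad” name are all constructed for the example. The automated part is a plain blocklist match; the hunting part surfaces parent/child process pairs that appear on only one host in the estate, which a rule set has no opinion on but a hunter would want to look at.

```python
"""Known-bad matching versus hunting for unknowns (added example, constructed data)."""
from collections import defaultdict

# Constructed process-creation log lines in a simple key=value form.
# Nothing here is taken from a real environment.
SAMPLE_LOG = """\
host=ws01 parent=explorer.exe child=outlook.exe
host=ws01 parent=outlook.exe child=winword.exe
host=ws01 parent=services.exe child=svchost.exe
host=ws01 parent=explorer.exe child=chrome.exe
host=ws02 parent=explorer.exe child=outlook.exe
host=ws02 parent=outlook.exe child=winword.exe
host=ws02 parent=services.exe child=svchost.exe
host=ws03 parent=explorer.exe child=chrome.exe
host=ws03 parent=services.exe child=svchost.exe
host=ws04 parent=winword.exe child=powershell.exe
host=ws05 parent=explorer.exe child=knownbad.exe
"""

# The "rule": a hypothetical blocklist an automated control would act on.
KNOWN_BAD = {"knownbad.exe"}


def parse_events(text):
    """Turn key=value log lines into (host, parent, child) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        events.append((fields["host"], fields["parent"].lower(), fields["child"].lower()))
    return events


def known_bad_hits(events):
    """What automation catches: children whose name is on the blocklist."""
    return [e for e in events if e[2] in KNOWN_BAD]


def rare_pairs(events, max_hosts=1):
    """Parent->child pairs observed on at most max_hosts distinct hosts.

    Pairs common across the estate (the baseline) drop out; what remains is
    'unknown' rather than 'bad', which is exactly where a hunter starts.
    """
    hosts_per_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_per_pair[(parent, child)].add(host)
    return sorted(pair for pair, hosts in hosts_per_pair.items() if len(hosts) <= max_hosts)


def hunt_queue(events):
    """Rare pairs the blocklist did not already flag: the human's work list."""
    already_flagged = {(p, c) for _, p, c in known_bad_hits(events)}
    return [pair for pair in rare_pairs(events) if pair not in already_flagged]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("automation caught:", known_bad_hits(evts))
    print("left for the hunter:", hunt_queue(evts))
```

On the constructed sample the blocklist catches only the event with the blocklisted name, while the hunt queue contains the Office-to-shell parent/child pair seen on a single host, which no rule matched. That second item is the kind of “unknown” the article argues gets ignored when defenders only respond to what is already known to be bad; whether it is benign or not is for the hunter to establish, and the baseline threshold (max_hosts) is the knob that trades noise for coverage.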
Conventional endpoint protection products (EPP) are no longer enough to protect businesses. They still have their uses, of course. They do a good job combating many of the opportunistic threats that indiscriminately bombard businesses every single minute of every single day. Defenders would be overwhelmed were it not for the preventative capabilities offered by trusty EPP solutions. And automation is vital in making these products work. But in the detection and response era, security solutions need to capitalize on the best of both worlds.