How hunt operations can strengthen your security posture

Highly trained teams actively searching for evidence of hackers on the network can spot risks a security operations center might miss.


There’s no question that federal agencies have expanding options today for sophisticated threat analytics, automated tools and security solutions to protect the growing complexity of their IT environments. However, it’s equally true that as the attack surface grows and malicious threat actors remain both creative and agile, threats will abound if not escalate.

The simple fact is, threats are launched by active, thinking, human attackers who continually adjust their vectors around the automated detection and mitigation methods we develop. A solid argument can be made that a strong proactive posture should include an equally agile, highly skilled team of security analysts that can ‘hunt’ through the IT environment looking for the telltale signs these attackers inevitably leave behind.

Hunt operations and compromise assessments are designed to do just that. For many security-conscious agencies and enterprises, they are becoming a regular part of a proactive security program. Hunt operations can provide needed additional visibility into current risks that an agency’s security operations center (SOC) may not have.

The hunt is on: What is threat hunting?

Threat hunting is a search for evidence of an attacker in the network, even in the absence of an alert or indicator that an attacker has breached the network. Hunters approach their task with the mindset that the attackers are already in, and they must find the evidence to prove that hypothesis.

To confirm the hypothesis, hunters begin with an iterative scan of the network looking for indicators of compromise too abstract for vendor tools alone to pick up. The analysts also take input from vendor tools, in-house tools and attacker trends, then synthesize the data into a more in-depth assessment of the network. This move beyond accepting the output of a tool as gospel allows organizations to reintegrate the human element into the defensive process and achieve a more holistic picture of the organizational security posture.

While our adversaries use tools, they do not rely on them. When a virus family is discovered and its indicators are loaded into the antivirus programs of their targets, the attackers pivot to new tactics and new software. Our defenders should have that same flexibility when choosing which computer artifacts to scan in the pursuit of new adversary tactics. Threat hunting is the model that allows SOCs to grow that flexibility. As the SOC constantly grows its number of sources for detecting compromise, the time between compromise and detection can be lowered significantly through hunt operations.

Building a practice around good people and equipping them with the information, access and tools necessary to effectively pursue compromise assessments gives an organization a proactive defensive unit working on their side. When a threat-hunting team engages a network over a long period of time, the team members build up familiarity with the network and the associated vulnerabilities. When combined with automation, this allows their investigations to evolve with new threats and ideas into a proactive defensive force.

Hunt operations methodology

Threat hunters don’t approach a compromise assessment planning to scan everything in the network; the data influx would overwhelm any team. Instead, each assessment covers a specific area with a specific attacker tactic in mind. The team first researches attacker trends to determine what those in the network may be doing. If attacker trends show network file shares are used to pivot from one host to another, then this assessment will look at file shares and determine if they have been used by unauthorized hosts or users. In doing this assessment, the team develops tools and methodologies for checking this aspect of the network. Once network file shares are scanned and assessed, the team documents the tools and methodologies and moves on to the next assessment.

Looking for everything each time a compromise assessment is run can overwhelm the team with data and tasks

After months of performing these assessments, there will be more areas to search and monitor than a team can feasibly perform. The next phase for a threat-hunting team is to begin the automation of past queries. Efforts are typically divided between developing new assessments to conduct and automating past assessments to simplify monitoring. Automation can be as simple as loading custom signatures into an intrusion detection system (IDS) or as complicated as building a custom script for queries. The team must decide what is appropriate to automate and how to enable monitoring to occur concurrently with assessing.
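To make the two phases above concrete, here is an added example (not code from the original article or from any vendor tool) of what a single hunt query might look like once it has been written down and is ready to be automated. It takes the file-share hypothesis from the methodology section: network file shares are being used to pivot between hosts, so look for share access by users or hosts outside an authorized baseline, and for access to administrative shares. The log line format, the baseline of which hosts each user normally works from, and all of the sample events are constructed for this illustration; a real hunt would parse the agency's own share-access telemetry.

```python
"""Hunt query: file-share access outside an authorized baseline.

Added example illustrating the hunt -> automate cycle described in the
article. The log format, the baseline and every event below are constructed;
none of it is real telemetry. The format is loosely modelled on a network
share access audit record but the field layout is an assumption.
"""
import re
from collections import Counter

# Constructed sample log (assumed format):
#   <timestamp> share=<UNC share> user=<DOMAIN\user> src=<source host> access=<mask>
SAMPLE_LOG = r"""
2024-03-01T08:01:12Z share=\\FS01\Finance user=CORP\alice src=WS-ALICE access=READ
2024-03-01T08:05:40Z share=\\FS01\Finance user=CORP\bob src=WS-BOB access=READ
2024-03-01T09:17:03Z share=\\FS01\ADMIN$ user=CORP\bob src=WS-BOB access=WRITE
2024-03-01T09:18:55Z share=\\FS01\Finance user=CORP\svc-backup src=BK01 access=READ
2024-03-01T22:41:09Z share=\\FS01\Finance user=CORP\alice src=WS-BOB access=WRITE
2024-03-01T22:42:30Z share=\\WS-ALICE\C$ user=CORP\alice src=WS-BOB access=WRITE
"""

# Constructed baseline: the hosts each account is expected to work from.
# In practice this comes from months of earlier assessments, not a literal.
BASELINE_USER_HOSTS = {
    "CORP\\alice": {"WS-ALICE"},
    "CORP\\bob": {"WS-BOB"},
    "CORP\\svc-backup": {"BK01"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) share=(?P<share>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) access=(?P<access>\S+)$"
)
# Administrative shares (ADMIN$, C$, D$ ...) are a common lateral-movement
# channel, so any access to them is worth a second look.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$")


def parse_events(text):
    """Parse the constructed log format into a list of dicts; fail loudly on junk."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparsed line: {line!r}")
        events.append(match.groupdict())
    return events


def hunt_share_pivots(events, baseline_user_hosts):
    """Return the events that fall outside the baseline, each with its reasons."""
    findings = []
    for event in events:
        reasons = []
        known_hosts = baseline_user_hosts.get(event["user"])
        if known_hosts is None:
            reasons.append("user not in baseline")
        elif event["src"] not in known_hosts:
            reasons.append(f"user seen from unexpected host {event['src']}")
        if ADMIN_SHARE_RE.search(event["share"]):
            reasons.append("administrative share accessed")
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def summarize_by_source(findings):
    """Count findings per source host; a host that keeps recurring is the pivot point."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = hunt_share_pivots(parse_events(SAMPLE_LOG), BASELINE_USER_HOSTS)
    for hit in hits:
        print(hit["ts"], hit["user"], "->", hit["share"], "from", hit["src"],
              "|", "; ".join(hit["reasons"]))
    print("findings per source host:", summarize_by_source(hits))
```

Run against the constructed sample, the query flags three of the six events and attributes all of them to the same source host, which is the kind of pattern the article's file-share assessment is looking for. The baseline dictionary is the part that grows as the team "builds up familiarity with the network"; once the query is stable, scheduling it over each day's share-access records is the automation step the methodology describes, and its output is what would be handed to the SOC.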

Making a big impact with small steps

Assessing threat hunting over the long term brings greater rewards than intensive short-term assessments. As the team conducts assessments and builds a body of work, the picture of the network and the vulnerabilities the organization is confronting becomes clearer. Vendor tools such as IDS and antivirus give insight into wide swathes of the network; a hunt team illuminates the areas that IDS and antivirus cannot see. Attackers know that the network will have IDS and antivirus, so they create exploits that do not trigger the tools. The hunt team focuses on flexible searches that look for the attackers in those blind spots.

Use the results to feed SOC operations

The blind spots, once discovered, will be reported to the SOC and integrated into incident response plans. These integrations help incident response times and help the SOC stay in the loop as much as possible about the attack space on the network. When the SOC changes security procedures or equipment, they will notify the hunt team. The hunt team can perform assessments to see what security impacts the changes make and provide this information to the SOC for feedback. This feedback is not limited to changes; feedback about network configuration vulnerabilities and access control list misconfiguration, for example, can be sent to the SOC to help harden the network.

Seek, find, secure: Hunt operations a secure step for agencies

All organizations would welcome an ironclad cybersecurity ‘panacea.’ However, in the absence of that unobtainable utopia, hunt operations are a solid layer of additional protection for agencies to consider as a complement to the tools, processes and policies they have in place. Hunt teams are a very proactive approach to finding the risks that may already be in the network and addressing them before those risks become the next major incident. It is conceivable that having a hunt operations capability could have changed or mitigated the results of the larger data breaches that affected the Office of Personnel Management, USIS and other government contractors.

For those agencies that have the in-house skill set to deploy their own hunt team, ongoing hunt operations can be an integral part of a proactive security program. For those that do not have the skillset in house, partnering with a skilled provider on a quarterly basis to target specific components within the enterprise environment can pay dividends in terms of peace of mind and greater overall security.
