In advance of our upcoming webinar on “Threat Hunting Versus Compromise Assessments: What’s the Difference?”, Dev Panchwagh spoke with the presenters, Delta Risk’s Andrew Cook and Infocyte Founder and Chief Product Officer Chris Gerritz. In Part I of this two-part blog series, the team discusses some of the common misconceptions around threat hunting and compromise assessments. Join our webinar on April 25 at 1 PM ET, when we’ll share more insights on this topic.
Dev: What are some of the common misconceptions and objections you hear around threat hunting? Also, any advice to someone who needs to sell threat hunting up the chain to the C-Level? Or vice versa?
Andrew: One of the concerns we often hear is that finding issues through compromise assessments makes security teams and defenders look bad. They want compromise assessments to result in clean reports. Some places aren’t ready to take the hit if we find a serious issue. If we come in and find something, it may not look good for every line of defense before us.
However, what organizations need to realize is that it’s not necessarily any defenders’ fault in-between. Absolute prevention is impossible. There are a lot of reasons why organizations get breached and those organizations are a victim. They probably did their best. In the cases where organizations don’t believe they did their best, and they’re afraid of being exposed, we can help them get through the challenge of responding appropriately.
Chris: Andrew’s exactly right: security teams are concerned that you’re going to dig up a skeleton, and you’re going to put them out of a job. The question they ponder is, “Do I really want to bring in a third party to make myself look bad?”
We try to determine who in the organization and outside the organization would want a compromise assessment conducted from a third-party and independent perspective. For more mature organizations, the Chief of Security is generally not the one who wants to bring the third party in, because a compromise assessment is just being used as an audit of how they do their jobs. Unless an organization has a forward-leaning perspective, they’re not likely bringing in a third-party company.
Other companies are compliance-driven, and they want to do enough to pass inspection. A lot of times you’ll have the board, the CFO, whoever signs off on risk, or an IT risk manager wanting to find out whether the security team is doing everything they can. At that point, the IT risk managers and internal audit teams will mandate a third-party pen test or vulnerability test, and also look into compromise assessments.
Andrew: Organizations need to realize that there is a tremendous benefit to finding threats they missed as soon as possible through a trusted third party. The whole point of compromise assessments is to shrink the dwell time of the attackers on your network. When organizations put off compromise assessments because they don’t want to discover a “skeleton,” the alternative is that something bigger will happen, and Brian Krebs will write a blog about it.
Threat actors can be on the network from days to even years before they’re detected. When they are detected, about half the time, that notification is coming from someone else. I’ve seen organizations find out they were compromised from the media, law enforcement, the hackers themselves, and Microsoft abuse reports. At that point, it’s a much bigger mess than when the problem is proactively handled. Compromise assessments increase the odds that the organization is the first to know and is in a much better position to respond.
Chris: It’s a lot easier to handle a breach when you’re the only ones who know about it. When it’s in the New York Times, it’s out of your control.
Dev: When it comes to technologies for threat hunting and compromise assessments, it’s not a one-size-fits-all application. Can you elaborate on any technology advancements you’ve seen, or newer technology and methodology recommendations you have?
Chris: When we talk to our customers about how they’re hunting for threats, their operations generally fall into three categories, and there are different methodologies for each.
The first category is using existing security tools, specifically a historical search, where you have existing data already coming in from log files or other sources. Organizations can use their existing skillsets to search that data. That historical search is what most people are doing, using their existing toolset. That’s the most basic method of threat hunting.
The two methodologies that are a little more in-depth involve incident responders using data analysis to pull together a forensic snapshot and create an incident response triage. That forensic analysis and incident response triage can be applied to hunting techniques to proactively look at the network and see what’s there. At the next level, you have behavioral analysis. In this instance, you’re collecting and piecing together logs to look for attacker patterns and discover threats you may have missed otherwise. Behavioral analysis is the mainstay of behavior analytics.
Andrew: I always like to say that hunt is relative. It’s anything that’s better than what you’re doing right now, with the goal of finding malicious activity on your network. For more mature organizations, improving hunt methodologies can be costly because they may already have cutting-edge detection technology in place. Threat hunting for these organizations may mean thinking through how they can use their technology better or conducting more frequent internal compromise assessments on high-risk systems and enclaves.
In contrast, less mature organizations don’t need to go for the very best in hunting technology, people, and processes. But they do need to allocate more time and resources to finding what they may have missed on the network. There are likely free and cheap options that are better than what you are doing now. If you’ve increased your chances of catching cyber criminals on your network, I’d still call that hunting.
If we’re talking about specific steps, one option might be to get a new firewall that gives you additional insight into your data, for example. You can also send your teams for training to add skills around state analysis and forensics. You must always keep trying to improve your methods and technology to keep up with malicious actors.
Chris: Another thought on this, if you look at what Microsoft is doing internally around threat hunting, is that they define it a little more generally. The idea is to dedicate analytical resources for about a week’s worth of a hunt operation. These would be more resources than you would typically commit to a day-to-day operation. Also, I wouldn’t use the term “real-time hunting.” You need to look at historical data to piece together the whole picture of an attack.
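The three hunting categories Chris describes above (historical search over existing log data, a forensic snapshot compared against a baseline for triage, and behavioral analysis that pieces log events together into an attacker pattern) can be illustrated with a small script. The example below is added here for illustration and is not code from Delta Risk, Infocyte, or the interviewees; the log lines, host names, addresses, and process snapshots it uses are constructed sample data, and the detection thresholds are assumptions chosen for the example.

```python
"""Three hunting styles over constructed sample data:
1. historical search  - match known indicators against data you already collect
2. snapshot triage    - compare a current host snapshot against a known-good baseline
3. behavioral analysis- detect an attacker pattern (many failures, then a success)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSH auth log (syslog-like). Not real data.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:05:00 host2 sshd: Failed password for bob from 198.51.100.4
2024-03-01T11:00:00 host2 sshd: Accepted password for bob from 198.51.100.4
2024-03-01T11:30:00 host3 sshd: Accepted publickey for deploy from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def historical_search(events, indicators):
    """Category 1: look back through collected data for known-bad source addresses."""
    return [e for e in events if e["src"] in indicators]


def snapshot_triage(baseline_processes, current_processes):
    """Category 2: report anything running now that is absent from the baseline snapshot."""
    return sorted(set(current_processes) - set(baseline_processes))


def detect_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Category 3: flag a successful logon preceded by >= threshold failures from
    the same source inside the window. Threshold and window are example values."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            recent_failures = [
                f for f in evs[:i]
                if f["result"] == "Failed" and e["ts"] - f["ts"] <= window
            ]
            if len(recent_failures) >= threshold:
                hits.append({
                    "src": src, "user": e["user"], "host": e["host"],
                    "failures": len(recent_failures),
                    "success_at": e["ts"].isoformat(),
                })
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_AUTH_LOG)
    # Constructed indicator list and process snapshots for the demo.
    print("indicator matches:", historical_search(events, {"192.0.2.9"}))
    print("new since baseline:", snapshot_triage(["sshd", "cron"], ["sshd", "cron", "nc"]))
    print("brute-force followed by success:", detect_bruteforce_success(events))
```

The first function only finds what you already know to look for; the third finds a pattern with no indicator at all, which is the point of the behavioral approach. Note that the second source address in the sample (one failure, then a success almost an hour later) is correctly left alone, while the first is flagged with four failures inside the window.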
In our next blog, we’ll look at threat hunting and compromise assessments in the cloud, and how that’s changing both technical requirements and techniques for IT and information security professionals.
Register now for our April 25 webinar, “Threat Hunting Versus Compromise Assessments: What’s the Difference?”