Once upon a time, security was about mitigating risks to an organization by following best practices and responding effectively to incidents when they arose.
This compliance and risk-based mindset is no longer enough: the past several years have seen escalating breaches and organized cyber-crime, showing that safety is now the exception and not the rule. A threat-based mindset is the only solution.
First, organizations asked themselves, “will we be attacked?” Later, “when will we be attacked?” Now the most logical question is: “when will we realize we’ve already been attacked?”
This is the philosophy behind cyber hunt: “the bad-guys are already here, and now we must find them.”
What is(n’t) Cyber Hunt?
Despite the fancy name, cyber hunt is a methodology that many organizations follow – in whole or in part – without actually calling it that. Simply put, hunting entails proactively searching for, anticipating, and eliminating threats to an organization’s security using tools, techniques and procedures designed to find and eradicate suspicious activity. Many of these tools are the same as those used by the adversaries themselves.
Unfortunately, a lot of misconceptions surround cyber hunt, and sometimes – like the Tao – it’s easier to explain by explaining what it’s not. For instance, cyber hunt is not…
1. Incident Response
With the number of breaches that have already occurred in 2019 alone, it’s easy to understand why organizations go searching for a band-aid. But the point of cyber hunt is to eliminate threats before they have consequences.
Fixing a security breach is reactive; cyber hunt is proactive.
2. Spy vs. Spy
The term “hunt” means “track and kill,” which lends itself to the impression that cyber hunt entails “hacking the hackers”. But while this notion may occasionally apply in government contexts, it does not apply in the commercial space.
First of all, laws apply to ethical hackers in the vast majority of cases. Secondly, cyber hunt is about tracking and eradicating threats, which means pushing malicious actors out of a system; it doesn’t mean going after them or “hacking back”.
3. Pen Testing
It’s easy to understand why pen testing gets mixed up with cyber hunt. The two practices overlap in many ways, and – as we will see – pen testing is part of the cyber hunt toolkit. Pen testing is useful for diagnostics and discovery, while novel threats and attack vectors generally lie outside the scope of effort. On the other hand, they do not lie outside the scope of cyber hunt.
How The Game is Played
At Securicon, we have refined our cyber hunt methodology for over a decade in conjunction with branches of the U.S military and public corporations. Every step of a full hunt is not always necessary – the point is to fit an organization’s unique security needs.
1. Mission Analysis
Unlike generalized areas of risk-management, cyber hunt is focused to identify and protect critical systems or assets that are essential to an organization’s success, such as financial systems, manufacturing systems and applications or Industrial Control Systems. With this understanding, our cyber hunt teams conduct thorough interviews to assess,
- Mission Objective – establishes the core functions and objectives of an organization. In the private sector, this is likely the successful delivery of a product or service.
- Key Terrain – applies to all systems critical for accomplishing the mission objective, including systems, applications, servers, firewalls, etc. Systems related to non-core functions such as company email are generally not considered key terrain.
- Threat Profile – every industry, business and government branch will have a history of threats which can be analyzed to identify the most vulnerable areas of an organization, and the style of attacks which it is likely to face. We also work to determine who likely threat-actors may be based on known adversarial intent and ability to exploit vulnerabilities specific to the organization we are supporting.
2. Vulnerability Analysis
Searching for threats begins by checking for known vulnerabilities. This is the area where pen-testing and cyber hunt intersect, although many sources of information will be considered including:
- Scans for anomalous network activity and other indicators of compromise
- “Dropped” files (signs of a system intrusion)
- Keyloggers, trojans, backdoors and other forms of malware
Some organizations will go so far as deploying a Red Team to simulate an actual attack on systems, which can take guesswork out of determining what can really be compromised.
The discovery of a vulnerability is only the first step in a longer process of aggressively seeking out threats. Items found during an initial sweep are often superficial in terms of risk factor but discovering them can lead down deeper rabbit holes, leading to the fun stage.
3. Monitor and Remediate
After threats are discovered, they are – of course – remediated. But the work of a cyber hunt team isn’t finished: if there was a motive to strike once, there will be a motive to strike once more, and systems will continue to be monitored.
Forensic analysis may be conducted on malware, network activity and other traces of an attack to find more information about the perpetrators. This information can be used to uncover more threats and identify them more quickly in the future.
A Level Playing Field
A rise in threat-oriented mentality is a result of the rise in cyber threats, which in turn has much to do with several trends, including:
- Political motives for cyber-terrorism
- Thriving black markets for personally identifiable information (PII)
- Increased availability and low cost of hacking tools and hardware
- Rise in organized, advanced persistent threats (APTs)
Yesterday’s landscape of threats mainly persisted of small-time black-hats, script kiddies and the occasional nation-state actor. Today, formidable threats can arise anywhere at any time.
We hear all about the attackers: it’s time to arm the victims. By using the tools and methods that create threats to eliminate them, cyber hunt finally levels the playing field for everyone.
Dave Carpenter leads a team of skilled security and risk management professionals. He has managed several major cybersecurity initiatives enhancing the overall security posture of our clients.
Prior to Securicon, Dave supported the Information Assurance team at Spirit Aerosystems, where he developed, implemented, and coordinated a Global Risk Management Program based on RMF, and was on the Business Management team for New Programs. Additionally, he was a Security Consultant at ICF International, creating and enforcing security and privacy policies, and TSA’s Registered Traveler Program.
David served in the U.S. Air Force, both Active Duty and Reserve. He serves in the Maryland ANG, managing, training, and equipping a Cyber Operations Force and recently led a Cyber Vulnerability and Analysis Hunt team.
Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!