Risk

3/26/2015
10:30 AM
David J. Bianco
David J. Bianco
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Cyber Hunting: 5 Tips To Bag Your Prey

Knowing the lay of the land and where attackers hide is a key element in hunting, both in nature and in the cyber realm.

The days when Security Operations Center analysts could sit back and wait for alerts to come to them have long passed. A year of breaches and attacks at Fortune 100 banks, retailers, and government agencies have shown that traditional measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s threats demand a more active role in detecting and isolating sophisticated attacks. It’s hunting season, so here are five tips to make your efforts more productive.

Tip 1: Embrace Big Data
Since hunting is a data-driven process, it is not surprising that the collection of large amounts of data is critical. You should be collecting logs from each of the three major security data domains (network transactions, operating system events, and application logs). This is potentially a lot of data, but you don’t have to do it all at once. Start with a subset of sources and then grow your data collection incrementally as your monitoring program matures. Authentication logs for operating systems and applications are a good place to start, as are some of the more common types of network transactions, like HTTP server and proxy logs and netflow records. Emails and employee data, like HR information and access privileges, can also be useful to detect internal threats and anomalies.

These datasets make for productive hunting, but may be more than your SIEM can handle. Given that advanced attacks can often evade observation for weeks or months, we often see organizations that want to store all this data for a year or more. To house and use it efficiently, you’re going to need some kind of big data platform like Apache Hadoop.

Tip 2: Ask questions
It’s important to remember that hunting is not an automated process; it’s driven by questions and hypotheses. One question might be “Is data exfiltration happening?” A starting hypothesis might be “If there is data exfiltration happening, it is most likely going on through this part of the network.” So, you may want to check to see whether there is any exfiltration going through that subnet, and then you might try to figure out what protocols the attacker would use and what that activity would look like in the logs. An adversary could steal data by FTPing it straight out or using HTTP to bypass possible firewall restrictions. A savvy hunter understands that the attackers can accomplish their goals in many ways and examines the data from several viewpoints to compensate.

Tip 3: Pivot… and then pivot again
Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable. Plus, you need to be able to easily pivot from one dataset to the next to evaluate the full context of the attacker’s digital footprints. This might include moving from operating system events to netflow data and then to application logs. Your hunting toolset needs to be able to support this kind of nimble data exploration. Once you’ve identified an item of interest, you’ll also need to be able to quickly identify all the context associated with that item, including its relationships to other entities on your network, its historical activity, how it correlates with threat intelligence, or how it relates to non-technical data, like HR information.

Tip 4: Always have a strategy
Knowing the lay of the land and where attackers may hide is a key element to hunting. Kill chain mapping provides a useful framework to plan your hunting trips for maximum impact. Typically, you will want to focus on the last two phases of the kill chain (Command and Control and Act on Objectives) first, since the farther along the kill chain the adversary is, the worse the incident is for you. It is also where attackers typically leave the largest digital footprints, so starting your hunts near the end of the kill chain makes a lot of sense. Beginning with even a simple strategy like this can save you a lot of time that might otherwise have been wasted chasing leads that either don’t pan out or that you don’t have enough data to investigate properly.

Tip 5: Get your data science on
Making sense of Big Data is no easy task, and it’s no secret among security professionals that data science is becoming increasingly important in security efforts. In general, an enterprise is going to want to keep as much data as it will be able to store. If you want to actually capitalize on terabytes or even petabytes of information, you will need a smart and effective way of making sense of it all. Modern machine learning and statistical tools have the potential to multiply the effectiveness of a hunter's powers by automating common tasks such as producing activity summaries or finding the “weird” entities in a dataset. Hunters need tools that provide data science without requiring the users to be data scientists.

Obviously, there is a lot more to hunting than just these five steps. The most important tip, though, is just to dive in! Start by making the most of the data you already collect, no matter what it is. As you hunt, you’ll naturally learn the limitations of your data collection and your analysis toolsets. Use this feedback to prioritize improvements. Hunting is an iterative process, and so is the process of improving your hunting platform.

What are you waiting for? Go out and find the threats before they find you.

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

Before coming to work as a Security Architect and DFIR subject matter expert at Sqrrl, David led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
phat32
50%
50%
phat32,
User Rank: Apprentice
6/12/2015 | 2:01:19 PM
Re: Data science
I recently started working through the tutorials and missions on https://dataquest.io/.  It teaches you how to use Python to solve data science problems or questions.  As much as I like Python, programming isn't part of my day job but we deal with a LOT of log/alert data.  This site combines the two and gives me a better incentive to learn more. The site interface works well and it's free.  Definitely worth a look.  I'm enjoying working through each of the problems and seeing how I can apply them to my day job.  
BJ24
50%
50%
BJ24,
User Rank: Apprentice
4/7/2015 | 9:35:12 PM
Cyber Hunting Data Science


Thanks for posting the Cyber Hunting Tips !  I am trying to get my company to focus on Cyber Hunting and your information and insight are very helpful.  I have also noticed some Network Application Performance Monitoring and Analysis software vendors are partnering with APT Detection software vendors which might help with analyzing network application traffic big data for IOCs.  Extrahop partnering with FireEye is an example.

In the past, I was a network architect and used Extrahop. I found it very helpful in baselining  network application transactions and identifying the cause of performance issues. I believe it could be equally helpful in tracking and identifying security related issue s.   
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
3/31/2015 | 12:48:27 PM
Re: Data science
Thanks for posting those relevant outgoing links, this is quite a bit of info to digest.
find_evil
50%
50%
find_evil,
User Rank: Apprentice
3/30/2015 | 7:41:53 PM
Fantastic
Great article. More like these, please.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:56:48 PM
Re: Data science
Great point. Touche'
DavidJBianco
50%
50%
DavidJBianco,
User Rank: Author
3/26/2015 | 4:55:38 PM
Re: Data science
Cybersecurity without data science is probably a losing combo...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:53:06 PM
Re: Data science
Thanks for the suggestions! It does seem like cybersecurity + data science is a winning combo! 
DavidJBianco
100%
0%
DavidJBianco,
User Rank: Author
3/26/2015 | 4:50:36 PM
Re: Data science
Thanks, Marilyn, glad you enjoyed the post. Every person is different, so there's probably no one "correct" path into Data Science.  Personally, I got started just by doing a lot of reading.  Data Driven Security is a great book for beginners (with a cool blog and podcast to go with it).  Since I do my best learning by getting my hands dirty, I have been checking out a lot of data science challenges on Kaggle and experimenting with platforms like Microsoft's Azure ML Studio.  I also do some Python and R coding, depending on my exact needs.  

I think the secret is to just get started a little at a time.  I recommend that more security people become data science literate, but not necessarily become data scientists.  That makes things a lot easier, because we can focus ourselves more on the area(s) that most directly address our infosec needs.  Even so, there's still a lot to learn!  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:31:46 PM
Data science
Nice blog, @David. Wondering how you suggest security pros go to "get their data science on." Are their certifications, courses or hands-on expereince strategies you can suggest?
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.