

From Event Gatherers To Network Hunters

Passive, wait-for-an-event defenses are no longer enough -- companies need to move to a more proactive strategy of hunting down the bad actors in their network, say experts

When David Bianco examined a company's Web browsing logs, it did not take long for a pattern to appear.

At regular intervals, nearly a dozen systems across the network would all request data from the same Web page. Because the company, which Bianco declined to name, captured network data, additional analysis revealed that all of the suspicious systems downloaded small binaries. By running those executables in a virtual machine, Bianco, a network hunter, was able to identify the cause of the problem -- an attacker using specialized malware.

Bianco, whose official title is Hunt Team Manager at incident-response firm Mandiant, does not like to wait for automated systems to flag suspicious behavior. As a network hunter, he goes looking for it. It's a role that more companies should develop because it allows them to run down attackers in their networks before they do damage, he says.

"The goal of hunting is not only to find the evil in your organization," he says. "The goal of hunting is to explore methods that let you find the evil in your organization, and -- when you find those methods -- you polish them up so you don't have to hunt for the same stuff again."

Companies that only wait for their security information and event monitoring systems to alert them to anomalies are missing a key resource in the fight against online attacks: inquisitive security analysts. By being more aggressive within their own networks and hunting down signs of suspicious behavior, network hunters can minimize the time between infection and detection, says Will Gragido, senior manager of advanced threats research and intelligence for security firm RSA.

"A proactive defense is something that organizations should aspire toward," he says. "I don't think there is anything wrong with advocating a proactive defense because it is not the same as hacking back."

While only organizations with mature network security groups typically have the capability to hunt for anomalies in their networks, it is a skill that should be developed within any security group, he says.

Network hunters exploit a weakness that hampers all external attackers: The attackers do not know the layout of the target's network, so they will do things that insiders would never do as they poke around the network and discover its topology, says Dan Kaminsky, chief scientist at White Ops, a firm focused on securing the online advertising business.

"They actually don't know the network they have broken into; they have to discover it," he says. "So you want to find these rare signals that reveal the attacker's actions in real time."

Companies looking to start developing the needed skills for network hunters should begin at the end of the cyber kill chain, says Mandiant's Bianco.

Kill-chain analysis models the steps that an attacker must take to achieve his or her objective. The cyber kill chain, a concept first introduced by Lockheed Martin, consists of seven steps: reconnaissance of the target, creating an attack, delivering the payload, exploiting the target, installing tools, establishing command and control, and leveraging access to take action. Most companies embarking on their first hunt should look for the most serious activities at the end of the kill chain: signs of data exfiltration and command-and-control activity, Bianco says.

[For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue. See Five Ways To Better Hunt The Zebras In Your Network.]

Data exfiltration may look like large amounts of traffic from a sensitive server or smaller amounts leaving at frequent intervals. Command-and-control traffic generally consists of HTTP requests to suspicious or unknown destinations. Where hunters look depends on what they want to find, he says.
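The pattern Bianco found in the browsing logs (many hosts polling the same page on a fixed schedule) is what a first hunt for command-and-control beaconing looks for. The following is an added example, not code from the article or from Mandiant: it groups constructed proxy log lines by URL and host, flags hosts whose request gaps are regular, and reports URLs polled on a schedule by several hosts. The log format, host names, URLs and thresholds are all assumptions made up for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log, one request per line: "<epoch s> <host> <URL>".
# Three hosts fetch the same page every 600 s (a beacon); one host browses an
# intranet site at irregular times (ordinary traffic).
SAMPLE_LOG = """\
1000 host01 http://cdn-updates.example.test/chk.php
1030 host02 http://cdn-updates.example.test/chk.php
1100 host09 http://cdn-updates.example.test/chk.php
1240 host04 http://intranet.corp.test/news
1600 host01 http://cdn-updates.example.test/chk.php
1630 host02 http://cdn-updates.example.test/chk.php
1700 host09 http://cdn-updates.example.test/chk.php
2200 host01 http://cdn-updates.example.test/chk.php
2230 host02 http://cdn-updates.example.test/chk.php
2300 host09 http://cdn-updates.example.test/chk.php
2310 host04 http://intranet.corp.test/news
2500 host04 http://intranet.corp.test/news
"""

def parse_log(text):
    """Yield (timestamp, host, url) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, host, url = line.split()
            yield int(ts), host, url

def is_periodic(timestamps, min_intervals=2, max_cv=0.2):
    """True when request gaps are regular: low coefficient of variation."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_intervals:
        return False
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def hunt_beacons(records, min_hosts=3):
    """Return {url: hosts} for URLs polled on a schedule by >= min_hosts hosts."""
    by_url = defaultdict(lambda: defaultdict(list))
    for ts, host, url in records:
        by_url[url][host].append(ts)
    findings = {}
    for url, hosts in by_url.items():
        beaconing = sorted(h for h, t in hosts.items() if is_periodic(t))
        if len(beaconing) >= min_hosts:
            findings[url] = beaconing
    return findings
```

Each URL the hunt returns is the kind of indicator that, once confirmed by looking at what the hosts actually downloaded, becomes a proxy or IDS rule so the same beacon is caught automatically next time.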

"It's like saying, 'If I'm going to hunt birds, I look in the trees, and if I'm hunting deer, I look at the ground,'" Bianco says.

Once a network hunter finds the attacker or malware in the network, they can turn their knowledge of how to pinpoint the attack into rules for the company's network and security equipment. By fusing the internal information with external threat data, a company can take an internal investigation and turn it into a rule set that can automatically detect such attacks in the future.

It's that ability to improve security in the future that makes network hunting so valuable, says Adam Meyers, director of intelligence at security services firm CrowdStrike.

"The big challenge is, how do you operationalize intelligence information?" he says. "When they are hunting for things on their network, that is where they are getting into the operationalization of the data."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...