From Event Gatherers To Network Hunters

Passive, wait-for-an-event defenses are no longer enough -- companies need to move to a more proactive strategy of hunting down the bad actors in their network, say experts

When David Bianco examined a company's Web browsing logs, it did not take long for a pattern to appear.

At regular intervals, nearly a dozen systems across the network would all request data from the same Web page. Because the company, which Bianco declined to name, captured network data, additional analysis revealed that all of the suspicious systems downloaded small binaries. By running those executables in a virtual machine, Bianco, a network hunter, was able to identify the cause of the problem -- an attacker using specialized malware.

Bianco, whose official title is Hunt Team Manager at incident-response firm Mandiant, does not like to wait for automated systems to flag suspicious behavior. As a network hunter, he goes looking for it. It's a role that more companies should develop because it allows them to run down attackers in their networks before they do damage, he says.

"The goal of hunting is not only to find the evil in your organization," he says. "The goal of hunting is to explore methods that let you find the evil in your organization, and -- when you find those methods -- you polish them up so you don't have to hunt for the same stuff again."

Companies that only wait for their security information and event monitoring systems to alert them to anomalies are missing a key resource in the fight against online attacks: inquisitive security analysts. By being more aggressive within their own networks and hunting down signs of suspicious behavior, network hunters can minimize the time between infection and detection, says Will Gragido, senior manager of advanced threats research and intelligence for security firm RSA.

"A proactive defense is something that organizations should aspire toward," he says. "I don't think there is anything wrong with advocating a proactive defense because it is not the same as hacking back."

While only organizations with mature network security groups typically have the capability to hunt for anomalies in their networks, it is a skill that should be developed within any security group, he says.

Network hunters exploit a weakness that hampers all external attackers: The attackers do not know the layout of the target's network, so they will do things that insiders would never do as they poke around the network and discover its topology, says Dan Kaminsky, chief scientist at White Ops, a firm focused on securing the online advertising business.

"They actually don't know the network they have broken into; they have to discover it," he says. "So you want to find these rare signals that reveal the attacker's actions in real time."

Companies looking to start developing the needed skills for network hunters should begin at the end of the cyber kill chain, says Mandiant's Bianco.

Kill-chain analysis models the steps that an attacker must take to achieve his or her objective. The cyber kill chain, a concept first introduced by Lockheed Martin, consists of seven steps: reconnaissance of the target, creating an attack, delivering the payload, exploiting the target, installing tools, establishing command and control, and leveraging access to take action. Most companies embarking on their first hunt should look for the most serious activities at the end of the kill chain: signs of data exfiltration and command-and-control activity, Bianco says.

[For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue. See Five Ways To Better Hunt The Zebras In Your Network.]

Data exfiltration may look like large amounts of traffic from a sensitive server or smaller amounts leaving at frequent intervals. Command-and-control traffic generally consists of HTTP requests to suspicious or unknown destinations. Where hunters look depends on what they want to find, he says.
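To make that hunt concrete, here is an added example (not code from the article, Mandiant or any of the quoted firms) that scans a constructed Web proxy log for the signal Bianco found: several internal hosts fetching the same URL at near-constant intervals. The log format, the thresholds and the hostnames are assumptions.

```python
"""Hunt for beaconing in web proxy logs: many internal hosts fetching the same
URL at regular intervals. Sample log lines below are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client IP> <URL>" (assumed format)
SAMPLE_LOG = """\
2020-01-20T08:00:00 10.0.1.11 http://updates.example.test/check.php
2020-01-20T08:00:01 10.0.1.12 http://updates.example.test/check.php
2020-01-20T08:00:30 10.0.1.11 http://intranet.example.test/home
2020-01-20T09:00:00 10.0.1.11 http://updates.example.test/check.php
2020-01-20T09:00:02 10.0.1.12 http://updates.example.test/check.php
2020-01-20T09:41:07 10.0.1.13 http://news.example.test/
2020-01-20T10:00:00 10.0.1.12 http://updates.example.test/check.php
2020-01-20T10:00:01 10.0.1.11 http://updates.example.test/check.php
2020-01-20T11:00:00 10.0.1.11 http://updates.example.test/check.php
2020-01-20T11:00:01 10.0.1.12 http://updates.example.test/check.php
2020-01-20T11:23:55 10.0.1.13 http://news.example.test/
"""

def parse(log):
    """Yield (timestamp, host, url) tuples from the log text."""
    for line in log.splitlines():
        ts, host, url = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), host, url

def find_beacons(log, min_hosts=2, min_requests=3, max_jitter=0.1):
    """Return {url: sorted hosts} for URLs requested by at least min_hosts hosts
    whose inter-request gaps are near-constant (jitter = stdev / mean of gaps)."""
    series = defaultdict(lambda: defaultdict(list))
    for ts, host, url in parse(log):
        series[url][host].append(ts)
    hits = {}
    for url, by_host in series.items():
        regular = []
        for host, times in by_host.items():
            if len(times) < min_requests:
                continue  # too few requests to judge periodicity
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                regular.append(host)
        if len(regular) >= min_hosts:
            hits[url] = sorted(regular)
    return hits
```

Hosts 10.0.1.11 and 10.0.1.12 poll check.php roughly hourly and are flagged together; the intranet and news requests are irregular or too few and are ignored.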

"It's like saying, 'If I'm going to hunt birds, I look in the trees, and if I'm hunting deer, I look at the ground,'" Bianco says.

Once a network hunter finds the attacker or malware in the network, they can turn their knowledge of how to pinpoint the attack into rules for the company's network and security equipment. By fusing the internal information with external threat data, a company can take an internal investigation and turn it into a rule set that can automatically detect such attacks in the future.

It's that ability to improve security in the future that makes network hunting so valuable, says Adam Meyers, director of intelligence at security services firm CrowdStrike.

"The big challenge is, how do you operationalize intelligence information?" he says. "When they are hunting for things on their network, that is where they are getting into the operationalization of the data."

