Albert Zhichun Li, Chief Security Scientist, Stellar Cyber, also contributed to this article.
Have you ever played hide and seek? If you have, you may already understand how it relates to cybersecurity threat hunting. For those who haven't heard of the game, the object requires at least two people, where one individual finds a hiding place and the other attempts to find him. The person tasked with seeking out the other individuals typically counts to 30, giving the individual(s) hiding a chance to run, hide, and attempt to remain undetected. It is a game of persistence, visual and audible acuity, and methodical review of previous known hiding places.
In the cybersecurity realm, hide and seek is an analogy for threat hunting, and using modern tools like XDR (extended detection response) makes the task much easier than combing through gigabytes, terabytes, or even petabytes of event data.
What is XDR? XDR is an enhanced approach to traditional endpoint detection and response (EDR). It provides a model that detects attacks across endpoints, networks, software-as-a-service applications, cloud infrastructure, and really any network-addressable resource. It provides visibility into all layers of the network and application stack and provides advanced detection and automatic correlation and machine learning to reveal events traditionally missed by SIEM solutions using correlation alone. In addition, it provides intelligent alert suppression to filter out the noise that plagues most organizations. If you consider our hide-and-seek model, XDR brings a proactive approach to:
- Maximizing the efficiency of data collected from existing security and information technology investments by collecting the right data and transforming the data with contextual information.
- Identifying hidden threats using sophisticated behavior models through machine learning.
- Identifying and correlating threats across multiple layers of the network or application stack.
- Minimizing information security professional fatigue by providing precise alerts for investigation.
- Providing the necessary forensic capabilities to integrate multiple signals and to construct the big picture of attacks quickly, so security professionals can complete investigations promptly and with high confidence for indicators of compromise.
From an organization's security perspective, XDR enables teams to prevent known cyberattacks, identify new threats, and strengthen the overall security process by literally finding the attacker hiding in your network. It becomes a better way for a security professional to become the efficient "seeker" in this new hide-and-seek game. And finally, it enables users to capitalize on an automated response in XDR which represents a potential game changer for capturing and ejecting an attacker once they are identified within an organization.
For executives and new security professionals, let us apply hide and seek and XDR to threat hunting. Threat hunting is the cybersecurity act of processing information and process-oriented searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, intrusion prevention solutions, and log management are all designed to detect and protect against threats — even if they are zero-day threats and have never been seen before. Threat hunting is the layer above this. What threats are actively running in my network and are missed by the aforementioned security tools, and how I can find them? XDR assumes the basic premise that the environment has already been compromised and a threat exists within it. In a typical environment, how can you determine if a threat exists and where it is hiding with just an event correlation and aggregation solution? Realistically, you can't, and that's where XDR comes into play for our hide and seek analogy.
Dive Deep into Log Files and Access Requests
Threat hunting and an XDR solution provide better inspection of the data already being collected. This includes diving deeper into log files and access requests, and processing application events correlated from application control solutions and networks. Then, taking XDR to the next level requires automating a response potentially at any layer to contain or mitigate the detected threat. To determine whether a threat is truly present, consider these familiar hypotheses:
- Advanced analytics via machine learning: Behaviors (or outlier events) can be assigned risk ratings and used to determine if a high-risk pattern is occurring.
- Situational: High-value targets are analyzed, including data, assets, and employees, for abnormalities and unusual requests.
- Intelligence: Correlation of threat patterns, threat intelligence, malware, sessions, and asset vulnerability information to draw a conclusion.
Therefore, for threat hunting to succeed, we need to meet the following requirements:
- Consolidation tools, like an XDR system, collecting all applicable data sources for pattern recognition. As a general rule of thumb, the more security data the better. Extra data can always be filtered out, purged, or suppressed.
- Tools for risk assessments, intrusion detection, and attack prevention are up to date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy and so is the data they are collecting.
- Sources of information can be correlated by user account and hostname reliably. IP address changes due to DHCP and even time synchronization (due to poor NTP implementation) can jade the results. We need to trust the data nearly implicitly and a well-working infrastructure is a prerequisite.
- Crown jewels and sensitive accounts are properly identified for data modeling. This includes monitoring when they are used, who is using them, and what actions are being performed.
- Threats to the business, like a game-over breach event, are established and used to build a hypothesis. If an attacker did "this," could my business ever recover, and what would be the cost?
- Documentation, such as network maps, descriptions of business processes, asset management, etc., are of high importance. Threat hunting with XDR does rely on the human element to correlate information to the actual business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and is remaining persistent.
- The response to the threat needs to be a part of a standard workflow and be secured. If the desired result is to quarantine an asset or change a firewall configuration, the method for automated response needs to be secure so it cannot be leveraged against the business as a denial-of-service attack.
About Albert Zhichun Li, Chief Security Scientist, Stellar Cyber
Albert Zhichun Li has over 15 years of experience in cybersecurity research. He has filed 40+ US patents and published many seminal research papers in top security, AI and system academic conferences.
Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19.