
Cloud

4/8/2020
10:00 AM
Morey Haber
Commentary

Why Threat Hunting with XDR Matters

Extended detection response technology assumes a breach across all your endpoints, networks, SaaS applications, cloud infrastructure, and any network-addressable resource.

Albert Zhichun Li, Chief Security Scientist, Stellar Cyber, also contributed to this article.

Have you ever played hide and seek? If you have, you may already understand how it relates to cybersecurity threat hunting. For those who haven't heard of the game, it requires at least two people: one individual finds a hiding place and the other attempts to find them. The person tasked with seeking out the other individuals typically counts to 30, giving the individual(s) hiding a chance to run, hide, and attempt to remain undetected. It is a game of persistence, visual and audible acuity, and methodical review of previously known hiding places.

In the cybersecurity realm, hide and seek is an analogy for threat hunting, and using modern tools like XDR (extended detection response) makes the task much easier than combing through gigabytes, terabytes, or even petabytes of event data.

What is XDR? XDR is an enhanced approach to traditional endpoint detection and response (EDR). It provides a model that detects attacks across endpoints, networks, software-as-a-service applications, cloud infrastructure, and really any network-addressable resource. It provides visibility into all layers of the network and application stack, and it applies advanced detection, automatic correlation, and machine learning to reveal events traditionally missed by SIEM solutions that rely on correlation alone. In addition, it provides intelligent alert suppression to filter out the noise that plagues most organizations. If you consider our hide-and-seek model, XDR brings a proactive approach to:

  • Maximizing the efficiency of data collected from existing security and information technology investments by collecting the right data and transforming the data with contextual information.
  • Identifying hidden threats using sophisticated behavior models through machine learning.
  • Identifying and correlating threats across multiple layers of the network or application stack.
  • Minimizing information security professional fatigue by providing precise alerts for investigation.
  • Providing the necessary forensic capabilities to integrate multiple signals and to construct the big picture of attacks quickly, so security professionals can complete investigations promptly and with high confidence for indicators of compromise.

From an organization's security perspective, XDR enables teams to prevent known cyberattacks, identify new threats, and strengthen the overall security process by literally finding the attacker hiding in your network. It becomes a better way for a security professional to become the efficient "seeker" in this new hide-and-seek game. And finally, it enables users to capitalize on an automated response in XDR which represents a potential game changer for capturing and ejecting an attacker once they are identified within an organization.

For executives and new security professionals, let us apply hide and seek and XDR to threat hunting. Threat hunting is the cybersecurity practice of processing information and methodically searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, intrusion prevention solutions, and log management are all designed to detect and protect against threats, even zero-day threats that have never been seen before. Threat hunting is the layer above this: what threats are actively running in my network and being missed by the aforementioned security tools, and how can I find them? XDR assumes the basic premise that the environment has already been compromised and a threat exists within it. In a typical environment, how can you determine whether a threat exists and where it is hiding with just an event correlation and aggregation solution? Realistically, you can't, and that's where XDR comes into play in our hide-and-seek analogy.

Dive Deep into Log Files and Access Requests
Threat hunting and an XDR solution provide better inspection of the data already being collected. This includes diving deeper into log files and access requests, and processing application events correlated from application control solutions and networks. Then, taking XDR to the next level requires automating a response potentially at any layer to contain or mitigate the detected threat. To determine whether a threat is truly present, consider these familiar hypotheses:

  • Advanced analytics via machine learning: Behaviors (or outlier events) can be assigned risk ratings and used to determine if a high-risk pattern is occurring.
  • Situational: High-value targets are analyzed, including data, assets, and employees, for abnormalities and unusual requests.
  • Intelligence: Correlation of threat patterns, threat intelligence, malware, sessions, and asset vulnerability information to draw a conclusion.

Therefore, for threat hunting to succeed, we need to meet the following requirements:

  • Consolidation tools, like an XDR system, collecting all applicable data sources for pattern recognition. As a general rule of thumb, the more security data the better. Extra data can always be filtered out, purged, or suppressed.
  • Tools for risk assessments, intrusion detection, and attack prevention are up to date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy and so is the data they are collecting.
  • Sources of information can be correlated by user account and hostname reliably. IP address changes due to DHCP and even clock drift (due to poor NTP implementation) can skew the results. We need to trust the data nearly implicitly, so a well-working infrastructure is a prerequisite.
  • Crown jewels and sensitive accounts are properly identified for data modeling. This includes monitoring when they are used, who is using them, and what actions are being performed.
  • Threats to the business, like a game-over breach event, are established and used to build a hypothesis. If an attacker did "this," could my business ever recover, and what would be the cost?
  • Documentation, such as network maps, descriptions of business processes, asset management, etc., is of high importance. Threat hunting with XDR does rely on the human element to correlate information to the actual business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and how it remains persistent.
  • The response to the threat needs to be a part of a standard workflow and be secured. If the desired result is to quarantine an asset or change a firewall configuration, the method for automated response needs to be secure so it cannot be leveraged against the business as a denial-of-service attack.
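As an added illustration of the correlation and scoring requirements above (this is example code, not code from the article, Stellar Cyber, or BeyondTrust), the following Python script runs over a few constructed endpoint and firewall events. It normalizes timestamps to UTC, resolves firewall source IPs to hostnames through a DHCP lease table keyed by time rather than a static lookup, then sums per-host behavior risk weights over a sliding window and flags hosts above a threshold for analyst triage. The event fields, lease table, behavior names, risk weights, window, and threshold are all constructed assumptions.

```python
"""Correlate multi-source events by host, score behaviours, flag high-risk chains.

Added example with constructed data; not taken from any product or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Constructed DHCP lease table: which host held which IP, and when (UTC).
# The same IP is reused by two hosts on the same day, which is exactly the
# case that breaks a static IP-to-host lookup.
DHCP_LEASES = [
    {"ip": "10.0.5.21", "host": "WS-FIN-07", "start": "2020-04-08T06:00:00Z", "end": "2020-04-08T10:00:00Z"},
    {"ip": "10.0.5.21", "host": "WS-HR-02", "start": "2020-04-08T10:00:00Z", "end": "2020-04-08T18:00:00Z"},
]

# Constructed endpoint events: ISO-8601 timestamps, already keyed by host and user.
ENDPOINT_EVENTS = [
    {"ts": "2020-04-08T09:05:00Z", "host": "WS-FIN-07", "user": "j.doe", "behavior": "privileged_logon_offhours"},
    {"ts": "2020-04-08T09:12:00Z", "host": "WS-FIN-07", "user": "j.doe", "behavior": "scheduled_task_created"},
    {"ts": "2020-04-08T14:30:00Z", "host": "WS-HR-02", "user": "a.smith", "behavior": "usb_mount"},
]

# Constructed firewall events: epoch seconds and source IP only, as firewall logs typically are.
NETWORK_EVENTS = [
    {"ts": 1586338800, "src_ip": "10.0.5.21", "behavior": "outbound_to_rare_domain"},  # 09:40Z
    {"ts": 1586355600, "src_ip": "10.0.5.21", "behavior": "outbound_to_rare_domain"},  # 14:20Z
]

# Constructed risk weights per behaviour (hypothetical values for the example).
RISK_WEIGHTS = {
    "privileged_logon_offhours": 3,
    "scheduled_task_created": 2,
    "outbound_to_rare_domain": 4,
    "usb_mount": 1,
}


def parse_ts(value: Union[str, int, float]) -> datetime:
    """Normalise a timestamp to an aware UTC datetime.

    Accepts ISO-8601 strings ending in 'Z' (endpoint logs) or epoch seconds (firewall logs).
    """
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def resolve_host(ip: str, ts: datetime) -> Optional[str]:
    """Map an IP to the host that held its DHCP lease at time ts; None if no lease covers ts."""
    for lease in DHCP_LEASES:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= ts < parse_ts(lease["end"]):
            return lease["host"]
    return None


def normalize_events() -> List[dict]:
    """Bring both sources into one schema keyed by hostname, sorted by time."""
    events = []
    for e in ENDPOINT_EVENTS:
        events.append({"ts": parse_ts(e["ts"]), "host": e["host"], "user": e["user"],
                       "behavior": e["behavior"], "source": "endpoint"})
    for e in NETWORK_EVENTS:
        ts = parse_ts(e["ts"])
        host = resolve_host(e["src_ip"], ts)
        if host is None:
            continue  # unresolvable IP: do not guess a host; in practice route to a review queue
        # Firewall logs carry no user; the user comes from endpoint events on the same host.
        events.append({"ts": ts, "host": host, "user": None,
                       "behavior": e["behavior"], "source": "network"})
    return sorted(events, key=lambda ev: ev["ts"])


def score_hosts(events: List[dict], window: timedelta = timedelta(hours=1)) -> Dict[str, dict]:
    """For each host, the highest summed risk of behaviours inside any sliding window."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    result: Dict[str, dict] = {}
    for host, evs in by_host.items():
        best = {"score": 0, "behaviors": [], "users": set()}
        for i, anchor in enumerate(evs):
            in_window = [x for x in evs[:i + 1] if anchor["ts"] - x["ts"] <= window]
            score = sum(RISK_WEIGHTS.get(x["behavior"], 0) for x in in_window)
            if score > best["score"]:
                best = {"score": score,
                        "behaviors": [x["behavior"] for x in in_window],
                        "users": {x["user"] for x in in_window if x["user"]}}
        result[host] = best
    return result


def hunt(threshold: int = 7) -> List[str]:
    """Hosts whose correlated behaviour chain meets the risk threshold, for analyst triage."""
    scores = score_hosts(normalize_events())
    return sorted(h for h, s in scores.items() if s["score"] >= threshold)


if __name__ == "__main__":
    for host, summary in score_hosts(normalize_events()).items():
        print(host, summary["score"], summary["behaviors"], sorted(summary["users"]))
    print("flagged:", hunt())
```

With the constructed data, the 09:40Z outbound connection is attributed to WS-FIN-07 and the 14:20Z one to WS-HR-02 because the lease table is consulted at the event's own time; a static IP-to-host map would have pinned both on whichever host it listed, and the 09:05 to 09:40 chain on WS-FIN-07 (off-hours privileged logon, new scheduled task, rare outbound destination) would have been split or merged incorrectly. The window logic only works when all sources agree on time, which is the NTP point in the list above.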

About Albert Zhichun Li, Chief Security Scientist, Stellar Cyber
Albert Zhichun Li has over 15 years of experience in cybersecurity research. He has filed 40+ US patents and published many seminal research papers in top security, AI and system academic conferences.

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ...