
3/26/2015
10:30 AM
David J. Bianco
Commentary

Cyber Hunting: 5 Tips To Bag Your Prey

Knowing the lay of the land and where attackers hide is a key element in hunting, both in nature and in the cyber realm.

The days when Security Operations Center analysts could sit back and wait for alerts to come to them have long passed. A year of breaches and attacks at Fortune 100 banks, retailers, and government agencies has shown that traditional measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s threats demand a more active role in detecting and isolating sophisticated attacks. It’s hunting season, so here are five tips to make your efforts more productive.

Tip 1: Embrace Big Data
Since hunting is a data-driven process, it is not surprising that the collection of large amounts of data is critical. You should be collecting logs from each of the three major security data domains (network transactions, operating system events, and application logs). This is potentially a lot of data, but you don’t have to do it all at once. Start with a subset of sources and then grow your data collection incrementally as your monitoring program matures. Authentication logs for operating systems and applications are a good place to start, as are some of the more common types of network transactions, like HTTP server and proxy logs and netflow records. Emails and employee data, like HR information and access privileges, can also be useful to detect internal threats and anomalies.

These datasets make for productive hunting, but may be more than your SIEM can handle. Given that advanced attacks can often evade observation for weeks or months, we often see organizations that want to store all this data for a year or more. To house and use it efficiently, you’re going to need some kind of big data platform like Apache Hadoop.

Tip 2: Ask questions
It’s important to remember that hunting is not an automated process; it’s driven by questions and hypotheses. One question might be “Is data exfiltration happening?” A starting hypothesis might be “If there is data exfiltration happening, it is most likely going on through this part of the network.” So, you may want to check to see whether there is any exfiltration going through that subnet, and then you might try to figure out what protocols the attacker would use and what that activity would look like in the logs. An adversary could steal data by FTPing it straight out or using HTTP to bypass possible firewall restrictions. A savvy hunter understands that the attackers can accomplish their goals in many ways and examines the data from several viewpoints to compensate.

Tip 3: Pivot… and then pivot again
Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable. Plus, you need to be able to easily pivot from one dataset to the next to evaluate the full context of the attacker’s digital footprints. This might include moving from operating system events to netflow data and then to application logs. Your hunting toolset needs to be able to support this kind of nimble data exploration. Once you’ve identified an item of interest, you’ll also need to be able to quickly identify all the context associated with that item, including its relationships to other entities on your network, its historical activity, how it correlates with threat intelligence, or how it relates to non-technical data, like HR information.

Tip 4: Always have a strategy
Knowing the lay of the land and where attackers may hide is a key element of hunting. Kill chain mapping provides a useful framework to plan your hunting trips for maximum impact. Typically, you will want to focus on the last two phases of the kill chain (Command and Control and Act on Objectives) first, since the farther along the kill chain the adversary is, the worse the incident is for you. It is also where attackers typically leave the largest digital footprints, so starting your hunts near the end of the kill chain makes a lot of sense. Beginning with even a simple strategy like this can save you a lot of time that might otherwise have been wasted chasing leads that either don’t pan out or that you don’t have enough data to investigate properly.

Tip 5: Get your data science on
Making sense of Big Data is no easy task, and it’s no secret among security professionals that data science is becoming increasingly important in security efforts. In general, an enterprise is going to want to keep as much data as it is able to store. If you want to actually capitalize on terabytes or even petabytes of information, you will need a smart and effective way of making sense of it all. Modern machine learning and statistical tools can multiply a hunter's effectiveness by automating common tasks such as producing activity summaries or finding the “weird” entities in a dataset. Hunters need tools that provide data science without requiring the users to be data scientists.
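As an added example (not from the article or its author), the script below carries the exfiltration hypothesis from Tip 2 through the "weird entity" step of Tip 5 and the pivot of Tip 3: it sums outbound bytes per internal host from proxy logs, flags robust outliers with a median/MAD score, and pivots a flagged IP into OS authentication events. The log formats, the hosts, and the `HOST_BY_IP` asset map are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log (not from the article). Fields:
# timestamp src_ip dst_ip method bytes_out
PROXY_LOG = """\
2015-03-26T09:00:01 10.1.5.21 198.51.100.7 GET 1240
2015-03-26T09:00:04 10.1.5.22 198.51.100.7 GET 980
2015-03-26T09:00:09 10.1.5.23 198.51.100.9 POST 2100
2015-03-26T09:01:13 10.1.5.21 198.51.100.9 GET 1510
2015-03-26T09:02:30 10.1.5.24 203.0.113.10 POST 41000000
2015-03-26T09:02:45 10.1.5.24 203.0.113.10 POST 39000000
2015-03-26T09:03:02 10.1.5.25 198.51.100.7 GET 1100
"""

# Constructed OS authentication events for the pivot: timestamp host user result
AUTH_LOG = """\
2015-03-26T08:55:10 ws-5-24 jdoe success
2015-03-26T09:02:01 ws-5-24 svc_backup success
2015-03-26T08:50:00 ws-5-21 asmith success
"""
HOST_BY_IP = {"10.1.5.24": "ws-5-24", "10.1.5.21": "ws-5-21"}  # hypothetical asset inventory


def bytes_out_per_source(log_text):
    """Hypothesis check: total outbound bytes per internal source seen in proxy logs."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        _ts, src, _dst, _method, nbytes = line.split()
        totals[src] += int(nbytes)
    return dict(totals)


def weird_sources(totals, cutoff=5.0):
    """Flag sources whose volume is a robust outlier: (value - median) / MAD > cutoff."""
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
    return sorted(src for src, v in totals.items() if (v - med) / mad > cutoff)


def pivot_to_auth(src_ip, auth_text):
    """Pivot from a flagged IP to the users who authenticated on that host."""
    host = HOST_BY_IP.get(src_ip)
    users = []
    for line in auth_text.splitlines():
        _ts, h, user, result = line.split()
        if h == host and result == "success":
            users.append(user)
    return users
```

Running `weird_sources(bytes_out_per_source(PROXY_LOG))` on the constructed data flags only 10.1.5.24, and `pivot_to_auth` then lists the accounts active on that workstation for the next round of questions.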

Obviously, there is a lot more to hunting than just these five steps. The most important tip, though, is just to dive in! Start by making the most of the data you already collect, no matter what it is. As you hunt, you’ll naturally learn the limitations of your data collection and your analysis toolsets. Use this feedback to prioritize improvements. Hunting is an iterative process, and so is the process of improving your hunting platform.

What are you waiting for? Go out and find the threats before they find you.


Before coming to work as a Security Architect and DFIR subject matter expert at Sqrrl, David led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an ...
Comments
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:31:46 PM
Data science
Nice blog, @David. Wondering how you suggest security pros go to "get their data science on." Are there certifications, courses or hands-on experience strategies you can suggest?
DavidJBianco,
User Rank: Author
3/26/2015 | 4:50:36 PM
Re: Data science
Thanks, Marilyn, glad you enjoyed the post. Every person is different, so there's probably no one "correct" path into Data Science.  Personally, I got started just by doing a lot of reading.  Data Driven Security is a great book for beginners (with a cool blog and podcast to go with it).  Since I do my best learning by getting my hands dirty, I have been checking out a lot of data science challenges on Kaggle and experimenting with platforms like Microsoft's Azure ML Studio.  I also do some Python and R coding, depending on my exact needs.  

I think the secret is to just get started a little at a time.  I recommend that more security people become data science literate, but not necessarily become data scientists.  That makes things a lot easier, because we can focus ourselves more on the area(s) that most directly address our infosec needs.  Even so, there's still a lot to learn!  
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:53:06 PM
Re: Data science
Thanks for the suggestions! It does seem like cybersecurity + data science is a winning combo! 
DavidJBianco,
User Rank: Author
3/26/2015 | 4:55:38 PM
Re: Data science
Cybersecurity without data science is probably a losing combo...
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:56:48 PM
Re: Data science
Great point. Touché
find_evil,
User Rank: Apprentice
3/30/2015 | 7:41:53 PM
Fantastic
Great article. More like these, please.
Dan Euritt,
User Rank: Apprentice
3/31/2015 | 12:48:27 PM
Re: Data science
Thanks for posting those relevant outgoing links, this is quite a bit of info to digest.
BJ24,
User Rank: Apprentice
4/7/2015 | 9:35:12 PM
Cyber Hunting Data Science
Thanks for posting the Cyber Hunting Tips! I am trying to get my company to focus on Cyber Hunting and your information and insight are very helpful. I have also noticed some Network Application Performance Monitoring and Analysis software vendors are partnering with APT Detection software vendors which might help with analyzing network application traffic big data for IOCs. Extrahop partnering with FireEye is an example.

In the past, I was a network architect and used Extrahop. I found it very helpful in baselining network application transactions and identifying the cause of performance issues. I believe it could be equally helpful in tracking and identifying security related issues.
phat32,
User Rank: Apprentice
6/12/2015 | 2:01:19 PM
Re: Data science
I recently started working through the tutorials and missions on https://dataquest.io/.  It teaches you how to use Python to solve data science problems or questions.  As much as I like Python, programming isn't part of my day job but we deal with a LOT of log/alert data.  This site combines the two and gives me a better incentive to learn more. The site interface works well and it's free.  Definitely worth a look.  I'm enjoying working through each of the problems and seeing how I can apply them to my day job.  