Hunter-Gatherers in the Cybersecurity Jungle

Why complementing your SOC's ongoing CTI efforts with advanced threat-hunting analytics is a vital strategy for ensuring cyber resilience.

Dark Reading Staff, Dark Reading

May 3, 2021

4 Min Read

Today's ever-evolving threat landscape has made proactivity a vital component of a successful cyber-defense strategy. 

Cybersecurity teams are expected to ensure that they are continuously zeroing in on malicious activities with extensive data collection and monitoring, which will allow them to proactively uncover attacks and ultimately promote cyber resilience by preventing these threats in the first place.

The most effective way to accomplish this is by complementing your security operations center's (SOC) ongoing cyber-threat intelligence (CTI) efforts with advanced threat-hunting analytics. Synergy between the two will lead to more threats being discovered and mitigated.

To illustrate the importance of this strategy, I've laid out the following example of a government agency — one that is unquestionably being targeted by the most advanced adversaries, including nation-state actors. 

Implementing Cyber-Threat Intelligence — Practical Example
Leveraging CTI technology, the government agency's SOC team has been actively monitoring the open, Deep, and Dark Web, in addition to other forums, messaging services, and social networking platforms. By doing so, it detects critical information — a threat actor has been attempting to sell access to the organization's internal network. The detected ad on the Dark Web provides in-depth details related to the targeted agency.

Based on this unsettling discovery, an investigation immediately begins. It's imperative that the agency finds out who is behind this action, and which sensitive systems or information was compromised. In essence, it needs to quickly find the answers to "who," "what," "where," "when," and "how."

The CTI team that made this discovery generates an in-depth report in order to find out more about the threat actor. The team discovers the threat actor's nicknames and aliases, Telegram and Jabber accounts, and associated email addresses. With this information, the team uncovers the threat actor's previous activity on the Deep and Dark Web, including its capabilities, motivations, and interactions with other attack groups — ultimately concluding that the threat actor is highly credible.

Most importantly, critical information about the threat actor's tactics, techniques, and procedures (TTPs) is uncovered by reviewing technical questions it has posted in the past and interest it showed in particular tools.

Once compiled, the CTI team pushes this data to colleagues focused on threat hunting and incident response.

Time to Go Hunting
Leveraging this new information developed through threat intelligence, the government agency's SOC team now focuses on discovering the precise details of the threat. Implementing data-driven analytics and automated investigations, the threat-hunting team works to identify the information that may have been stolen. It focuses on leads generated by running analytics most relevant to the threat actor's TTPs. It also digs into various logs and alerts for any clue into suspicious users accessing their databases and search for other activities that may be related to the unauthorized access that was obtained. It runs queries to look for potential points of interest, zoom in on the most relevant results, and highlight IP addresses of potential command-and-control communications.

Visibility is incredibly important throughout this entire process. The team needs as much detail as humanly possible in order to fully understand the entire life cycle of the attack. Piece by piece, it puts the puzzle back together.

Once this is accomplished through the threat-hunting platform, the team then turns back to the threat intelligence technology to find additional vital information. By doing this, it is also able to identify additional indicators of compromise (IOCs) related to the attack.

Gathering to Prevent Future Threats
Now that the government agency possesses comprehensive knowledge of the threat actor's TTPs, capabilities, and motives, it uses that information to its advantage moving forward. The agency develops a new AI algorithm based on the investigation's findings, which allows it to identify other similar behaviors or techniques being used within its network. With these behavioral analytics, the SOC team is able to greatly enhance their security posture, preventing potential threats posed by other would-be attackers attempting comparable maneuvers.

By complementing its threat-hunting capabilities with a cyber-threat intelligence platform, the government agency was able to discover and mitigate a major threat, in ways that would have otherwise been impossible. This highly proactive approach to threat discovery, investigation, and response is an integral aspect of effective cyber defense. While the organization and exact situation may be hypothetical, the threats and solutions laid out are as real as it gets.

About the Author

Gilad Zahavi is a Senior Director of Cyber Threat Intelligence Analytics at Cognyte, the global leader in security analytics software that empowers governments and enterprises with Actionable Intelligence for a Safer World.TM Gilad has over 15 years of security experience and is a leading expert in the cyber-threat intelligence domain. Prior to joining Cognyte, he held executive positions at SenseCy Cyber Intelligence Ltd. and Terrogence Ltd. (both acquired by Cognyte). He holds an MA in Near Middle Eastern Studies and a BA in Islamic Studies and Communications.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights