"If I'm a bank and I know that criminals are likely to go after my database to get at accounts, I need to protect that database first," Lovejoy says.
Before you can start hunting, you need to understand the environment you are hunting in. This goes back to basic IT administration, such as having a clear picture of the number of systems, which software and versions are running, and who has access to each one. The network architecture, patch management process, and kinds of defenses you have in place are all critical pieces of information in understanding your threat landscape. IT teams need to know the weaknesses to identify potential points of entry.
Here, adopting an adversary mindset is key in determining your attackers' moves. Your attackers' motivations may vary wildly, but they often have similar goals and frequently share similar techniques. An adversary intent on cybercrime will typically behave differently from one focused on economic espionage or sabotage, for example.
Threat intelligence is one way to receive information about the kind of attacks hitting similar-sized organizations in the same industry. If a number of competitors have been under attack by a gang using a Flash exploit, it makes sense to prioritize investigating potential Flash-based attacks over other types. Knowing that exploit kits and other types of malware are all pushing the same dropper payload is helpful.
It's also essential to ascertain what might interest an attacker most about your organization right now. This could be a new product your organization is working on or rumors about a potential acquisition. When you know what might trigger interest from potential attackers, you can better predict what techniques they will use and how they will traverse your network to get what they want.
Map the kill chain
A few years back, Lockheed Martin put forth the "cyber kill chain," which divides targeted attacks into seven distinct phases: reconnaissance, weaponization, delivery, exploit, installation, command and control, and action. Attackers typically move through each step, from initial compromise to theft, getting the lay of your environment well before exfiltrating any data. A targeted attack takes time to develop; detecting the breach and blocking the attack as soon as possible will minimize damage.
"Cyberhunters assume that something has been exploited, and their job is to find the threat before they can actually cause an impact," Acuity's Lovejoy says.
During reconnaissance, criminals collect information about potential targets and avenues of attack. In the case of an acquisition, an attacker will collect information about executives and assistants who could potentially be working on the deal. Based on the information gathered, the criminals develop a course of action, such as creating a phishing campaign.
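As an added example (not from the article), the Python sketch below maps alerts onto the seven phases listed above and, for each host, reports the deepest phase observed and the earlier phases that produced no alert, which are the places to hunt first. The alerts, host names, and the choice to count gaps only from delivery onward are assumptions made for the illustration.

```python
from collections import defaultdict

# The seven phases as the article names them, in order.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploit",
          "installation", "command and control", "action"]
RANK = {name: i for i, name in enumerate(PHASES)}

# Assumption of this example: phases before delivery happen largely outside
# the defender's hosts, so missing alerts there are not counted as gaps.
FIRST_OBSERVABLE = RANK["delivery"]

# Constructed sample alerts: (timestamp, host, phase, description).
ALERTS = [
    ("2024-03-04T09:12:00", "ws-017", "delivery", "mail with macro attachment"),
    ("2024-03-04T09:20:00", "ws-017", "exploit", "office app spawned script host"),
    ("2024-03-04T11:02:00", "ws-017", "command and control", "beacon to rare domain"),
    ("2024-03-05T14:40:00", "srv-db2", "action", "bulk export from accounts table"),
    ("2024-03-03T22:15:00", "ws-101", "reconnaissance", "external scan of VPN portal"),
]

def hunt_leads(alerts):
    """Return one record per host, hosts furthest along the chain first."""
    by_host = defaultdict(list)
    for ts, host, phase, _desc in alerts:
        by_host[host].append((ts, RANK[phase]))
    leads = []
    for host, events in by_host.items():
        seen = {rank for _ts, rank in events}
        deepest = max(seen)
        # Earlier phases with no alert: the attacker likely passed through
        # them undetected, so these are where evidence should be sought.
        gaps = [PHASES[r] for r in range(FIRST_OBSERVABLE, deepest)
                if r not in seen]
        leads.append({"host": host,
                      "deepest": PHASES[deepest],
                      "first_alert": min(ts for ts, _rank in events),
                      "gaps": gaps})
    return sorted(leads, key=lambda lead: RANK[lead["deepest"]], reverse=True)

if __name__ == "__main__":
    for lead in hunt_leads(ALERTS):
        print(lead)
```

A host such as the constructed `srv-db2`, which shows only a late-phase alert, is the case the hunter's assumption of prior compromise is meant for: every earlier phase is an unexplained gap.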