A successful hunt involves examining each phase of the kill chain and assessing specific tactics and techniques attackers may employ. That may involve mining social media postings to determine whether anyone working on a possible acquisition may have identified themselves as working on the deal and creating a list of employees who may be potentially targeted by a phishing email. If you believe phishing is the likely entry point of a targeted attack, then you can make assumptions about what the attack scenario will look like along each phase of the kill chain.
Actively hunt for threats
Your assumptions and hypotheses about potential attacks provide places to start your hunt. Successful hunting involves examining a specific segment of your network without trying to see everything that may go wrong. It's about closely scrutinizing an endpoint for specific indicators of attack rather than getting a bird's-eye view of system security.
Most threat intelligence efforts focus on indicators of compromise that don't help with cyberhunting. Those indicators tend to be cheap and fragile, and inexpensive for adversaries to change. Consider domain names or the name of the weaponized Word document carrying the payload. It is trivial for attackers to generate new domain names and to change the messaging in an email accompanying an attack file to bypass security filters. Instead, hunters should focus on patterns of attack, Lovejoy recommends.
For example, you should look out for attempts to open a remote desktop session to create new admin accounts within Active Directory. It doesn't matter what the new accounts are called -- you should be searching for unexplained accounts.
It's trivial for an attacker to change the domain of a command-and-control server, but far more expensive to give up using a Flash exploit delivered via a malicious advertisement to remotely execute code and open a backdoor on the compromised machine. Look for attackers using legitimate tools such as PowerShell and WMI. See where account credentials are being used. Patterns of attack reveal more about attackers than indicators of compromise because they are relevant for a longer period of time.
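The pattern described above (a remote desktop session followed by the creation of an unexplained account that is then added to a privileged group) can be hunted for directly in Windows Security event logs. The following script is an added example, not code from the article or from Lovejoy; the event records are constructed sample data in a simplified field layout, and the "approved" list of accounts with a known change ticket is an assumed local convention.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (simplified field subset), not real logs.
# 4624 = successful logon (logon_type 10 is RemoteInteractive, i.e. RDP),
# 4720 = user account created, 4728/4732 = member added to a security-enabled group.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4624, "host": "DC01", "user": "jsmith", "logon_type": 10},
    {"time": "2024-03-01T09:03:00", "id": 4720, "host": "DC01", "user": "jsmith", "target": "svc_backup2"},
    {"time": "2024-03-01T09:04:00", "id": 4732, "host": "DC01", "user": "jsmith", "target": "svc_backup2", "group": "Administrators"},
    {"time": "2024-03-01T11:00:00", "id": 4624, "host": "DC01", "user": "alee", "logon_type": 2},
    {"time": "2024-03-01T11:05:00", "id": 4720, "host": "DC01", "user": "alee", "target": "intern01"},
    {"time": "2024-03-02T09:00:00", "id": 4624, "host": "DC01", "user": "jsmith", "logon_type": 10},
]


def find_rdp_account_creation(events, window_minutes=30, approved=frozenset()):
    """Flag accounts created shortly after an RDP logon by the same user on the same host.

    'approved' holds account names with a known change ticket (assumed convention);
    anything else matching the pattern is an unexplained account and becomes a finding.
    """
    window = timedelta(minutes=window_minutes)
    last_rdp = {}                  # (host, user) -> time of the most recent RDP logon
    group_adds = defaultdict(set)  # new account -> groups it was added to
    for e in events:
        if e["id"] in (4728, 4732):
            group_adds[e["target"]].add(e["group"])
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e["user"])
        if e["id"] == 4624 and e.get("logon_type") == 10:
            last_rdp[key] = t
        elif e["id"] == 4720 and e["target"] not in approved:
            start = last_rdp.get(key)
            if start is not None and t - start <= window:
                findings.append({
                    "host": e["host"], "creator": e["user"], "account": e["target"],
                    "minutes_after_rdp": int((t - start).total_seconds() // 60),
                    "groups": sorted(group_adds.get(e["target"], ())),
                })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_account_creation(SAMPLE_EVENTS):
        print(finding)
```

In the sample data only `svc_backup2` is flagged: `intern01` follows a console logon rather than RDP, and the second RDP session creates no account.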
Next-generation firewalls, anomaly detection platforms, and logs all provide a wealth of information, as do threat intelligence platforms and network threat detection systems. In many cases, there is a silo effect, with information locked within each system, making it difficult for defenders to see all the related pieces. Threat hunting forces defenders to break out of the tendency to consider systems in isolation. When a process touches different segments and systems, hunters must pay attention to how they relate to each other.
Build up security response
Once you find signs of a breach, threat hunters should step aside to let traditional incident response teams take over. The hunter's job is to make educated guesses about where the attackers may be within the network, but hunters aren't necessarily the people with the expertise to block attackers. Incident response will be in charge of mitigating the attack and remediating issues.