From Event Gatherers To Network Hunters

Published: 22/11/2024   Category: security


Passive, wait-for-an-event defenses are no longer enough -- companies need to move to a more proactive strategy of hunting down the bad actors in their network, say experts



When David Bianco examined a company's Web browsing logs, it did not take long for a pattern to appear.
At regular intervals, nearly a dozen systems across the network would all request data from the same Web page. Because the company, which Bianco declined to name, captured network data, additional analysis revealed that all of the suspicious systems downloaded small binaries. By running those executables in a virtual machine, Bianco, a network hunter, was able to identify the cause of the problem -- an attacker using specialized malware.
Bianco, whose official title is Hunt Team Manager at incident-response firm Mandiant, does not like to wait for automated systems to flag suspicious behavior. As a network hunter, he goes looking for it. It's a role that more companies should develop because it allows them to run down attackers in their networks before they do damage, he says.
"The goal of hunting is not only to find the evil in your organization," he says. "The goal of hunting is to explore methods that let you find the evil in your organization, and -- when you find those methods -- you polish them up so you don't have to hunt for the same stuff again."
Companies that only wait for their security information and event monitoring systems to alert them to anomalies are missing a key resource in the fight against online attacks: inquisitive security analysts. By being more aggressive within their own networks and hunting down signs of suspicious behavior, network hunters can minimize the time between infection and detection, says Will Gragido, senior manager of advanced threats research and intelligence for security firm RSA.
"A proactive defense is something that organizations should aspire toward," he says. "I don't think there is anything wrong with advocating a proactive defense because it is not the same as hacking back."
While only organizations with mature network security groups typically have the capability to hunt for anomalies in their networks, it is a skill that should be developed within any security group, he says.
Network hunters exploit a weakness that hampers all external attackers: the attackers do not know the layout of the target's network, so they will do things that insiders would never do as they poke around the network and discover its topology, says Dan Kaminsky, chief scientist at White Ops, a firm focused on securing the online advertising business.
"They actually don't know the network they have broken into; they have to discover it," he says. "So you want to find these rare signals that reveal the attackers' actions in real time."
Companies looking to start developing the needed skills for network hunters should begin at the end of the cyber kill chain, says Mandiant's Bianco.
Kill-chain analysis models the steps that an attacker must take to achieve his or her objective. The cyber kill chain, a concept first introduced by Lockheed Martin, consists of seven steps: reconnaissance of the target, creating an attack, delivering the payload, exploiting the target, installing tools, establishing command and control, and leveraging access to take action. Most companies embarking on their first hunt should look for the most serious activities at the end of the kill chain: signs of data exfiltration and command-and-control activity, Bianco says.
[For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue. See "Five Ways To Better Hunt The Zebras In Your Network".]
Data exfiltration may look like large amounts of traffic leaving a sensitive server, or smaller amounts leaving at frequent intervals. Command-and-control traffic generally consists of HTTP requests to suspicious or unknown destinations. Where hunters look depends on what they want to find, he says.
"It's like saying, 'If I'm going to hunt birds, I look in the trees, and if I'm hunting deer, I look at the ground,'" Bianco says.
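The pattern Bianco describes at the top of the story (many hosts requesting the same page at regular intervals) and the command-and-control indicators just mentioned can be turned into a simple hunt over proxy logs. The following is an added example, not code from the article or from Mandiant; the log format, the sample entries and the thresholds are all constructed assumptions.

```python
"""Beacon hunt over constructed web-proxy log lines (added example, not from
the article). Flags destinations that several hosts request at near-regular
intervals. Log format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_host dest_url". Three hosts fetch the
# same page every ~300 s; a fourth host browses an intranet site irregularly.
SAMPLE_LOG = """\
2024-11-22T09:00:00 ws-01 http://203.0.113.10/update.php
2024-11-22T09:00:04 ws-07 http://203.0.113.10/update.php
2024-11-22T09:00:09 ws-12 http://203.0.113.10/update.php
2024-11-22T09:01:13 ws-03 http://intranet.example/news
2024-11-22T09:05:01 ws-01 http://203.0.113.10/update.php
2024-11-22T09:05:03 ws-07 http://203.0.113.10/update.php
2024-11-22T09:05:10 ws-12 http://203.0.113.10/update.php
2024-11-22T09:07:40 ws-03 http://intranet.example/news
2024-11-22T09:10:00 ws-01 http://203.0.113.10/update.php
2024-11-22T09:10:05 ws-07 http://203.0.113.10/update.php
2024-11-22T09:10:08 ws-12 http://203.0.113.10/update.php
2024-11-22T09:31:02 ws-03 http://intranet.example/news
"""

def parse(log):
    """Yield (timestamp, host, url) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, url = line.split()
        yield datetime.fromisoformat(ts), host, url

def find_beacons(log, min_hosts=3, min_requests=3, max_jitter=0.2):
    """Return {url: [hosts]} for URLs that at least min_hosts hosts request
    at near-constant intervals (stdev/mean of the gaps <= max_jitter)."""
    times = defaultdict(list)
    for ts, host, url in parse(log):
        times[(url, host)].append(ts)
    periodic = defaultdict(list)
    for (url, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A low coefficient of variation means the host is on a timer.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            periodic[url].append(host)
    return {u: sorted(h) for u, h in periodic.items() if len(h) >= min_hosts}
```

Hits from a hunt like this are candidates for closer analysis, and once confirmed, the destination and interval can become a detection rule so the same pattern does not have to be hunted for again.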
Once a network hunter finds the attacker or malware in the network, they can turn their knowledge of how to pinpoint the attack into rules for the company's network and security equipment. By fusing the internal information with external threat data, a company can take an internal investigation and turn it into a rule set that automatically detects such attacks in the future.
Its that ability to improve security in the future that makes network hunting so valuable, says Adam Meyers, director of intelligence at security services firm CrowdStrike.
"The big challenge is, how do you operationalize intelligence information?" he says. "When they are hunting for things on their network, that is where they are getting into the operationalization of the data."