Posted December 14, 2017
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Cyber hunt teams are becoming an important part of organizations’ cyber defense teams, complementing traditional passive monitoring detection efforts with a proactive means to identify, mitigate, and remediate threats. Typically, these teams are composed of a hybrid of various capabilities ranging from counterintelligence to aggressive collection designed to identify the adversary quickly. Since hostile actors enjoy a favorable digital environment in which to conduct their nefarious operations, cyber hunt teams of experienced and well-trained professionals serve as a counterbalance to the agility and adaptability of the bad guys. More importantly, these teams serve as proactive defense assets focused on tipping and cueing transactions and behaviors that drive a more take-charge approach versus primarily relying on known hostile activity.
Most organizations employ a passive cybersecurity posture where operations focus on reacting to offensive activities knocking on the front doors of their perimeters. Considering the average organization faces thousands, if not millions, of suspected hostile events a day, it’s easy to see how just sifting through the noise to find more pressing incidents occupies the efforts of security operations center (SOC) personnel. SOCs are generally more concerned with attacks that can impact network integrity and operations and are attuned to preventing, detecting, analyzing, and responding to cybersecurity incidents with the aid of both technology and well-defined processes and procedures.
Cyber hunt teams embody the security sentiment, “know your adversary,” seeking to understand the human element behind the 1s and 0s and using that knowledge to exploit areas in order to remove or at least lessen the risk these actors pose to an organization. As one source candidly describes the actions of cyber hunt teams, they target the attackers, internal as well as external actors. Implementing an intelligence-driven approach to analyzing suspicious activities, cyber hunt teams leverage experience, advanced tools, and their ability to pivot accordingly to separate the digital chaff from the wheat. While network defenders guard against attacks, improving defenses in the process, cyber hunt teams find value in focusing on the attackers themselves, trying to develop countermeasures to dissuade or mitigate them.
Furthermore, cyber hunt teams assume the initiative by prowling through an enterprise’s security posture, testing known and unknown potential points of access that can be exploited. Teams are versed in detecting and identifying those threats that evade traditional rules or signature-based solutions. They investigate tools and techniques (e.g., via log, network, and host analysis); uncover new patterns and adversary tactics, techniques, and procedures (e.g., intrusion discovery and response); and inform and enrich analytics (e.g., develop automated hunt techniques and the generation of threat intelligence). The result is a more informed security posture; teams become more effective over time as they gain greater knowledge from their efforts and share their findings.
Such a proactive measure is the next evolution of the cybersecurity ecosystem, and organizations need to better familiarize themselves with the philosophy behind these teams. A good first step is undertaking a shift in cybersecurity mindset from traditional incident response to intelligence gathering on the actors and capabilities that pose a real threat. Understanding the actors, intents, capabilities, and targeting histories will aid organizations in developing a risk management approach to shoring up their security postures. This is not to say there isn’t value in incident response; every organization needs to be able to identify, mitigate, and remediate cyber attacks as a part of maintaining its operational resiliency. However, including an offensive complement to a defensive apparatus rounds out the existing cybersecurity posture.
In addition to being forward leaning, cyber hunt teams take known tactics, techniques, and procedures (TTP) of threat actors and apply this knowledge to investigating and evaluating the large amounts of data often found in antivirus, proxy, and/or authentication logs for productive hunting. Specific actor TTPs such as dropper programs, backdoor programs (e.g., remote access Trojans), privilege changes, and explicit credential use all serve as potential areas for further investigation. Findings from cyber hunt teams can not only supplement network defenders with key TTP and capability information but also better inform decision makers weighing budget, material, and human resource considerations as they apply to better securing the organization, its critical data, and important business processes.
Since these teams are composed of seasoned professionals, cost and scalability may prohibit some organizations from implementing them as part of their security practices. While that is understandable for some small-to-medium enterprises, larger ones – especially those that have been targeted and proven susceptible to breaches – with more robust budgets would greatly benefit from using these teams to augment their security. At a time when hostile actors continue to demonstrate their proficiency in maximizing cyberspace by exploiting advanced and vulnerable technologies, there needs to be a security option that matches adversary intelligence, flexibility, and pervasiveness.
Cyber hunt teams provide these capabilities because they know the very types of individuals looking to attack. Complementing these efforts, the proactive testing of the integrity of networks and the collaboration with the defensive side of the house position these teams to understand the strengths and weaknesses of the organization’s networks. Knowing both and being able to act on them may be just what’s needed for organizations to start winning the battles Sun Tzu talked about.