Every threat alert and security incident provides an organization with the opportunity to acquire valuable information on the adversary and use it to proactively hunt for advanced persistent threats that may have evaded the company’s defenses.
“As defenders we need to seize that advantage,” said Justin Lachesky, a cyber intelligence analyst at Lockheed Martin.
Knowing how hackers operate allows security teams to figure out the adversary's tools, techniques and procedures (TTPs). Armed with this information, analysts can look for similar behavior in their IT environment and hunt for attacks they have yet to detect, he said.
“The more I can derive from that intelligence, the more I can proactively look for the adversary,” Lachesky said during a webinar by Lockheed Martin co-hosted with Cybereason on the four steps for combating APTs.
Knowing the attacker’s behavior allows companies to construct a full lifecycle of an attack, said Cybereason CTO Yonatan Striem-Amit.
In order to develop an even deeper understanding of how attackers function and improve a company’s threat hunting capabilities, Striem-Amit suggested that security teams consider not immediately resolving some threats.
This aspect of hunting is “counterintuitive” to traditional security training, which calls for threats to be remediated as soon as they are discovered, he said. However, not being so quick to remediate will help companies identify the vulnerabilities that allowed attackers to get past their defenses.
Even blocking an attack doesn’t mean a company has completely eradicated an advanced persistent threat. Instead of immediately resolving a threat, analysts should ask if they understand how the full operation works. In many cases, security analysts have only detected and stopped an individual piece of a larger, more complex attack campaign. This approach requires considering what could have happened if an attacker successfully infected a company’s network, Striem-Amit said.
For instance, a company may have blocked a malicious email from reaching a user, but that could mean only one part of an advanced persistent threat was shut down. An organization didn’t necessarily stop a full attack, which has many components. In fact, security research has shown that for every malicious email a company blocks, a few still manage to make it into the inboxes of unsuspecting employees and “at least one will be opened,” Striem-Amit said.
“Don’t be so quick to remediate. Before closing that ticket make sure you know what happened and understand the circumstances that led to the attack,” he said.
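The pivot described above, from a single blocked-email alert to the rest of the same campaign, as an added illustration that is not code from the webinar or from either company. The gateway and endpoint log lines are constructed for this example, and the field names (action, sender, sha256, rcpt) are assumptions.

```python
# Added example: treat a blocked-email alert as the starting point of a hunt,
# not as a closed ticket. Pivot on the alert's indicators (sender, attachment
# hash) to find copies of the same message that were delivered, and recipients
# who opened the attachment. Log format and field names are assumptions.
import re

# Constructed sample events; values are illustrative, not real indicators.
EVENTS = [
    "action=blocked sender=billing@invoice-notices.example subject='Overdue invoice' sha256=aaa111 rcpt=alice@corp.example",
    "action=delivered sender=billing@invoice-notices.example subject='Overdue invoice' sha256=aaa111 rcpt=bob@corp.example",
    "action=delivered sender=billing@invoice-notices.example subject='Overdue invoice' sha256=aaa111 rcpt=carol@corp.example",
    "action=delivered sender=news@vendor.example subject='Newsletter' sha256=bbb222 rcpt=bob@corp.example",
    "action=opened sha256=aaa111 rcpt=carol@corp.example",
]

# key=value pairs; values may be single-quoted to allow spaces
KV = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse(line):
    """Turn one log line into a dict, stripping the quotes around values."""
    return {k: v.strip("'") for k, v in KV.findall(line)}


def hunt_from_alert(alert, events):
    """Given a parsed 'blocked' event, return who else received a message
    sharing its sender or attachment hash, and who opened that attachment."""
    indicators = {alert.get("sender"), alert.get("sha256")} - {None}
    delivered, opened = [], set()
    for ev in map(parse, events):
        shares_indicator = bool(indicators & {ev.get("sender"), ev.get("sha256")})
        if ev["action"] == "delivered" and shares_indicator:
            delivered.append(ev["rcpt"])
        elif ev["action"] == "opened" and ev.get("sha256") in indicators:
            opened.add(ev["rcpt"])
    return {"delivered_to": delivered, "opened_by": sorted(opened)}


def hunt_all(events):
    """Run the pivot for every blocked event, keyed by the blocked recipient."""
    parsed = [parse(e) for e in events]
    return {a["rcpt"]: hunt_from_alert(a, events)
            for a in parsed if a["action"] == "blocked"}


if __name__ == "__main__":
    for blocked_rcpt, result in hunt_all(EVENTS).items():
        print(f"alert for {blocked_rcpt}: {result}")
```

The blocked message to alice is the alert; the hunt shows the same campaign reached bob and carol, and carol opened it, which is the part a quick remediation of the single alert would have missed.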
For organizations eager to hunt threats, Lachesky recommended that they first take care of the fundamentals before proactively pursuing adversaries.
“You just don’t wake up, go into the office and say ‘Today we are going to hunt,’” he said.
While there are around a dozen components that comprise a successful hunting strategy, Lachesky emphasized that organizations must have full visibility into their IT environment and the ability to use analytics to turn threat information into threat intelligence. Without this foundation, hunting is “an uphill battle,” he said.