The IR Boost: How Threat Hunting Enhances Incident Response

1. ©2017 Cybereason. All rights reserved.
2. The IR Boost: How Threat Hunting Enhances Incident Response
3.  
4. Whether it’s referred to as threat hunting or hunt teaming,
5. companies are increasingly taking a proactive approach to
6. security by looking for evidence of threats that are already
7. in their environments. Organizations have realized that
8. waiting for antivirus, SIEMs and other security solutions to
9. trigger an alert is not a practical approach to detecting
10. sophisticated and stealthy adversaries since they know how
11. to evade these tools. Hunting enables security teams to
12. proactively answer the question “Am I under attack?”
13. An often overlooked benefit of threat hunting is how it aids
14. incident response teams. To show what’s possible when the two
15. are used together, in this white paper we’ll present several
16. examples that demonstrate how threat hunting boosts incident
17. response efforts.
18.  
19. In our whitepaper Threat Hunting: Answering “Am I Under Attack?” we explained that a hunting
20. engagement starts with a security team presenting a hypothesis. Trying to identify the blind spots in a
21. company’s security plan can serve as the hypothesis for a hunt, for example. A more basic and direct
22. question for security professionals to ask is, “What do we suck at doing?” and use the answer as
23. motivation for a hunt.
24. Take the perennial phishing email, which still manages to slip past even the best email filters. Let’s
25. assume your organization is getting slammed with them, causing your security team to fear that a
26. nasty security incident could be a few clicks away. Use a hunt to learn what kinds of documents are
27. attached to the emails. Word Documents with malicious Visual Basic for Applications macros are a
28. common way for attackers to spread malware. The hunt could reveal that 77 percent of the emails
29. received by the organization contain Word documents. Out of that 77 percent, 22 percent contain
30. Visual Basic for Applications macros. The question then becomes what’s the likelihood that your
31. company will get hit by malware that uses Visual Basic script as a delivery method?
32. The hunt could show that only 0.5 percent of the attached Word documents are used for valid business
33. purposes. This information could motivate the IT and security departments to find ways for people to
34. complete their jobs without using Word documents or using them as infrequently as possible, reducing
35. the attacker’s potential footprint.
36. Respond to incidents faster
37. When the incident response team is called in to handle a security incident unearthed during a hunt,
38. they’ll be better equipped to handle the situation since a significant amount of scoping and triaging
39. was completed during the hunt. Your organization’s hunters have analyzed the data they collected.
40. They grasp the problem, know what machines are affected and understand the incident impact. All of
41. this information is passed along to the incident response team. With the some of the preliminary work
42. done, incident response team will have less work to do and can remediate the threat quicker.
43.  
44. How to use threat hunting to detect advanced attacks
45. A hunt is probably the best approach to deal with attacks that use advanced threats like fileless
46. malware or PowerShell. Fileless techniques are becoming the bad guys’ preferred attack vector since
47. this method uses legitimate programs to mask malicious behavior and evade detection by most
48. security tools.
49. Let’s say a hunt at a large manufacturing company revealed all kind of suspicious activities. The
50. hunting teams spotted a service named TCP/IP NetBIOS Helper with a command line argument
51. showing PowerShell with bypass hidden calling off regular named ps file, a tactic used to maintain
52. persistence in an environment. There’s data exfiltration using PowerShell where files are uploaded to a
53. remote location through your proxy. The hunt also looked at how PowerShell performed DNS queries
54. by doing data stacking between process execution and DNS requests. This revealed that PowerShell
55. was establishing a network connection to the Internet. The question then became what outside
56. addresses were being talked to; was PowerShell making DNS queries to domains that the company
57. didn’t own.
58. So what happens after the hunting team identifies these activities? First, they need to be escalated to
59. the level of an incident since there’s proof that malicious activity is occurring in the environment.
60. Then, the information from the hunt can be used to establish an intelligent prevention program. For
61. example, if the hunting team discovers that 99 percent of PowerShell activity in the company occurs
62. on servers and the remaining one percent is on clients and it’s all malicious, PowerShell could be
63. blocked on end user systems, especially if they’re not being used for administrative purposes.
64. Or use the application control capabilities in your company’s antivirus software to prevent browsers
65. from spawning PowerShell or Windows Management Instrumentation from spawning PowerShell.
66. If you use PowerShell scripts in your server environment and not in your client environment, anchor
67. those scripts to a specific directory and then sign them so that you only run signed PowerShell scripts
68. from a specific location. This builds resiliency into the environment.
69. Following this approach allows hunting to strengthen the organization's security posture while slowing
70. down the adversary and decreasing their dwell time. The results of a hunt can be used to build new
71. prevention mechanisms, ensuring that the discovered security incidents do not happen again.