Advertisement
opexxx

The IR Boost: How Threat Hunting Enhances Incident Response

Oct 13th, 2017
641
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.58 KB | None | 0 0
  1. ©2017 Cybereason. All rights reserved.
  2. The IR Boost: How Threat Hunting Enhances Incident Response
  3.  
  4. Whether it’s referred to as threat hunting or hunt teaming,
  5. companies are increasingly taking a proactive approach to
  6. security by looking for evidence of threats that are already
  7. in their environments. Organizations have realized that
  8. waiting for antivirus, SIEMs and other security solutions to
  9. trigger an alert is not a practical approach to detecting
  10. sophisticated and stealthy adversaries since they know how
  11. to evade these tools. Hunting enables security teams to
  12. proactively answer the question “Am I under attack?”
  13. An often overlooked benefit of threat hunting is how it aids
  14. incident response teams. To show what’s possible when the two
  15. are used together, in this white paper we’ll present several
  16. examples that demonstrate how threat hunting boosts incident
  17. response efforts.
  18.  
  19. In our whitepaper Threat Hunting: Answering “Am I Under Attack?” we explained that a hunting
  20. engagement starts with a security team presenting a hypothesis. Trying to identify the blind spots in a
  21. company’s security plan can serve as the hypothesis for a hunt, for example. A more basic and direct
  22. question for security professionals to ask is, “What do we suck at doing?” and use the answer as
  23. motivation for a hunt.
  24. Take the perennial phishing email, which still manages to slip past even the best email filters. Let’s
  25. assume your organization is getting slammed with them, causing your security team to fear that a
  26. nasty security incident could be a few clicks away. Use a hunt to learn what kinds of documents are
  27. attached to the emails. Word Documents with malicious Visual Basic for Applications macros are a
  28. common way for attackers to spread malware. The hunt could reveal that 77 percent of the emails
  29. received by the organization contain Word documents. Out of that 77 percent, 22 percent contain
  30. Visual Basic for Applications macros. The question then becomes what’s the likelihood that your
  31. company will get hit by malware that uses Visual Basic script as a delivery method?
  32. The hunt could show that only 0.5 percent of the attached Word documents are used for valid business
  33. purposes. This information could motivate the IT and security departments to find ways for people to
  34. complete their jobs without using Word documents or using them as infrequently as possible, reducing
  35. the attacker’s potential footprint.
  36. Respond to incidents faster
  37. When the incident response team is called in to handle a security incident unearthed during a hunt,
  38. they’ll be better equipped to handle the situation since a significant amount of scoping and triaging
  39. was completed during the hunt. Your organization’s hunters have analyzed the data they collected.
  40. They grasp the problem, know what machines are affected and understand the incident impact. All of
  41. this information is passed along to the incident response team. With the some of the preliminary work
  42. done, incident response team will have less work to do and can remediate the threat quicker.
  43.  
  44. How to use threat hunting to detect advanced attacks
  45. A hunt is probably the best approach to deal with attacks that use advanced threats like fileless
  46. malware or PowerShell. Fileless techniques are becoming the bad guys’ preferred attack vector since
  47. this method uses legitimate programs to mask malicious behavior and evade detection by most
  48. security tools.
  49. Let’s say a hunt at a large manufacturing company revealed all kind of suspicious activities. The
  50. hunting teams spotted a service named TCP/IP NetBIOS Helper with a command line argument
  51. showing PowerShell with bypass hidden calling off regular named ps file, a tactic used to maintain
  52. persistence in an environment. There’s data exfiltration using PowerShell where files are uploaded to a
  53. remote location through your proxy. The hunt also looked at how PowerShell performed DNS queries
  54. by doing data stacking between process execution and DNS requests. This revealed that PowerShell
  55. was establishing a network connection to the Internet. The question then became what outside
  56. addresses were being talked to; was PowerShell making DNS queries to domains that the company
  57. didn’t own.
  58. So what happens after the hunting team identifies these activities? First, they need to be escalated to
  59. the level of an incident since there’s proof that malicious activity is occurring in the environment.
  60. Then, the information from the hunt can be used to establish an intelligent prevention program. For
  61. example, if the hunting team discovers that 99 percent of PowerShell activity in the company occurs
  62. on servers and the remaining one percent is on clients and it’s all malicious, PowerShell could be
  63. blocked on end user systems, especially if they’re not being used for administrative purposes.
  64. Or use the application control capabilities in your company’s antivirus software to prevent browsers
  65. from spawning PowerShell or Windows Management Instrumentation from spawning PowerShell.
  66. If you use PowerShell scripts in your server environment and not in your client environment, anchor
  67. those scripts to a specific directory and then sign them so that you only run signed PowerShell scripts
  68. from a specific location. This builds resiliency into the environment.
  69. Following this approach allows hunting to strengthen the organization's security posture while slowing
  70. down the adversary and decreasing their dwell time. The results of a hunt can be used to build new
  71. prevention mechanisms, ensuring that the discovered security incidents do not happen again.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement