The Fortifying Fifteen: Incident Hunting
Sometimes it's not what you see, but what you don't. Reading between the lines is critical.
Part 12 of 15: Hunt to Discover Incidents
What Is It? The very thought of “incident hunting” often suggests the dramatized scenes from movies and TV shows of a group of people perfectly coordinated in an area with the latest technology, dimly lit but for glowing screens, and able to electronically able to see and hear everything while deploying the heroes anywhere globally in minutes. Those of us that work in this industry usually sit back as these scenes play out with a sarcastic smile, coffee in hand, and resist the urge to tear the flaws apart so our partners and friends can believe that what we do is, in fact, “that cool”.
I digress. Incident hunting is a very proactive defence technique that seeks out what could happen rather than what has already happened. It’s a much specialised discipline that I have found only very few practices, and those that do think unconventionally, are incredibly skilled at what they do, and are nearly impossible to find through the existing employment methods. Place an ad on Seek for someone to perform Incident Hunting and you are far more likely to get someone that almost exclusively deals with incidents that have already happened. Again, think proactive rather than reactive.
Threat intelligence is gold and the ability to understand what is happening, how it could happen and more importantly, how it could impact you, is critical. A great example provided by ASD in this regard involved them providing an organisation with intel about a specific threat likely to send spear phishing emails to employees to obtain information about a certain topic. The organisation, in turn, used this information to identify who had access to the information in question to verify mitigation strategies were in place. This included email filtering, logging, and log analysis for these employees. Obviously, there is lot more to the story, but you get the point.
Seek out the information that helps you act to mitigate the threats before they even occur. Think of it in a way where you try to understand your adversaries nearly to the point you know what they’re going to do before they do. What’s the old expression? An ounce of prevention is worth a pound of cure?
How about another example. Let’s say the police issue a non-specific report that they believe break-ins may increase because of a downturn in the economy driving people to commit more crimes. Because of reading or hearing this, you check and service the locks on your doors and windows, install some simple security around your home like motion sensor lights, and keeping valuables hidden out of view and secured.
Where Do I Start? I don’t believe this mitigation strategy comes in a shiny box despite what some vendors may tell you, but there are a ton of products you can use to obtain the intelligence you need as part of this strategy, and those do come from vendors who have access to the most skilled professionals, the large threat networks, and the content delivery means to get this data to you…. for a price. This is a case where you really do need to get the right people involved. If you have the skills and knowledge to take the threat and incident information and put it to work correctly, you’re in a minority of organisations.
Critically, some questions need to be asked about this intelligence and its value such as:
- Has the organisation already implemented strategies that may be more effective such as Incident Detection and Response which leverages existing intel such as logs and threat feeds?
- Does the organisation have sufficiently skilled and resourced staff with a capable infrastructure that can consume and act on the threat intelligence?
- Is the threat intelligence more comprehensive than simply domains, IP addresses, and other Indicators of Compromise (which resembles reactive signatures and have little to no relevance if rotated regularly or changed per target)?
- Does the threat intelligence have context, ideally tailored to the specific organisation (or at least industry vertical) which reduces false positives and other “noise”? Separating the wheat from the chaff, as it were.
- Is the threat intelligence actionable, assisting the organisation to make informed decisions and take definitive action such as choosing and implementing relevant mitigation strategies? Ideally, this is to identify and prevent incidents based on awareness attacker's objectives, strategies, tactics, methods, chosen compromise procedures, and even the tools they could or do use.
Rather than being a mitigation strategy in and of itself, this is a combination of tactical advantage towards a long-term strategy. Proper planning and execution are crucial for success and you may find that you are already engaging in some form of Incident Hunting without realising it. Get the right people involved and ask the right questions…. In some cases, the right people know what questions to ask you and help you ask the right ones to others. I’ve often sat with a client during a strategy session with an external service provider only to discover their strategy is more akin to simply using another layer of reactive technology.
How do I make It Work? As much as I’d like to say that you simply design a system, then install and configure it, then maintain it, it’s not that easy. The first thing I recommend is bringing in specialised cyber security specialists to help you on your journey with Incident Hunting if you chose this as a mitigation strategy. Ask around, get referrals, and go beyond the fancy websites and flashy brochures.
Once you have the right people involved, sort out what you have, what you don’t, and what you need. You will have specific business goals, data and systems specific to those goals, and may be susceptible to unique and clandestine hacking methods. The intel that works for a competitor or a similar industry may not be enough for you, so it’s imperative to understand the threats and threat actors out there that may be interested in what you have. The first step to filling these gaps is to identify them.
By this point, you should have some sort of plan, and now you can look at products and services, including those developed specifically for you, to leverage Incident Hunting as a mitigation strategy. Perhaps it’s a subscription to a threat feed for your security strategies. Maybe it’s managed security services that specialise in this area. It can be nearly anything that help you accomplish your goals and those are too numerous to list here. Just keep front of mind this is a mainly proactive strategy rather than reactive, which compose most solutions available.
Pitfalls? It’s easy to think this mitigation strategy should be rated higher, but the reality is that it’s not an easy strategy to implement and, in many cases, is cost prohibitive… especially for smaller businesses. The ASD is correct when they indicate this may have low user resistance but can have high up-front costs and high ongoing costs. With an evolving threat landscape and highly dynamic threat actors, it’s a fight you can begin but may never end.
Ghosts in the Machine? The ghosts in this machine may be in your own machine as a malicious insider. You cannot simply assume that Incident Hunting is external only and the domain of hacking groups or foreign enemies. Keep an eye out for insiders that may be underperforming, about to be dismissed, or planning to resign because these may be the ghosts you are looking for. Also keep track of any tools that could be used against you from the inside and any data that could be exfiltrate such as intellectual property that represents your competitive advantage. Even something like a client contact list can be valuable.
We’re not advocating wholescale distrust; we’re all supposed to be on the same side, but any of us that have been around a while know things can and do happen. We’re just promoting awareness in this regard.
Anything Missing? A deep understanding of what the threats are, where they may come from, and what to do about them when they’re so dynamic isn’t just a skill, but an art. Getting the right people involved and reading between the lines when finding those people is tricky, but they are out there. Take your time and do it right if you choose to adopt this strategy lest you find yourself jumping at shadows and seeing threats where they don’t exist.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock
Information Security Manager
Information Security Manager. Cybersecurity Writer & Presenter. Humanity, not machinery.