How to Build a Threat Hunter Mentality

One Hundred and Ninety-Seven. That’s the average number of days an advanced persistent threat, known as an APT, can dwell without being detected inside a network—according to the 2018 Cost of a Data Breach Study conducted by the Ponemon Institute. That is a six-month period in which a very quiet threat, using sophisticated tactics, is actively exploring the network and most likely offloading sensitive data before it’s noticed, not even counting the days, weeks, months needed to then respond and recover from its foothold. 

Data breaches can cause devastating financial losses and affect an organization’s reputation for years. From lost business to regulatory fines and remediation costs, data breaches have far-reaching consequences. According to the 2019 Cost of a Data Breach Report conducted by the Ponemon Institute and sponsored by IBM Security, the average total cost of a data breach is $3.92 million USD.

Dealing with something this untenable requires identifying the infrequent signaling events of an active APT occurring across the network, along with conducting continuous network investigation by cyber defenders. This approach combines the use of monitoring automation along with vigilant human cyber defenders. The monitoring watches across the network for the known tactics and techniques employed by these threats. To complement this monitoring is the need to have cyber defenders continuously exploring the network landscape to identify blind spots in the monitoring and where a threat could try to hide. 

The mission is detection, containment, and eradication of these stealthy threats so they cannot acquire sensitive data. To successfully execute this two-prong approach starts by understanding the intricacies of how threats operate to achieve their goals. 

With the main goal of persisting undetected in the network for as long as it can and steal the target sensitive data, the supporting tactics for the threat include the ability to run malicious code, gain higher-privilege permissions, avoid being detected, compromise user credentials, discover all assets in the network, compromise multiple assets through lateral movement, gather data that it wants, and use remote control mechanisms on assets that have been compromised. 

Knowing the details of these tactics can help determine what to include in the monitoring rulesets, such as watching for certain processes to run, certain codes to be written in log files, creation of encrypted zip/archive files, atypical data flow movement, and communications across the network. 

The vigilant cyber defender efforts of this approach require the need for relevant information, including both internal log data and external cyber intelligence, along with tools used to track down threats and analyze suspicious events, including: 

Security Logs

Generated by the multiple defense-in-depth protection and detection technologies such as firewalls, network intrusion detection, network data flow, insider threat detection, data loss prevention, and endpoint security tools. 

Security Information and Event Management (SIEM) System

This tool turns log data from across the network and supplemented external cyber intelligence feeds into meaningful information. Cyber defenders can take additional discovery actions using the findings and correlations identified to reveal hidden threats. 

Advanced Analytics & Entity Linking

Advanced analytics software uses patterns instead of pre-defined rules to find security anomalies in the environment, while entity mapping software links relationships between entities and provides interactive visualizations to highlight any hidden connections. 

With the implementation of this monitoring and cyber defender paired approach, an organization can begin to find advanced threats in their network, strengthen their approach, and identify and mitigate these threats before they even appear in the network. 

To learn more about protecting your organization from growing threats, check out our presentation on Crushing Payment Fraud Risk.