Despite the continued headlines touting the promise of AI, in today’s evolving threat landscape, there are still many cyber threats that automated security alone cannot detect. Eighty-two percent of breaches start with phishing or other social engineering schemes that do not raise alarms from traditional automated security tools. It has become too easy for threat actors to evade detection from most endpoint detection and response (EDR) tools that rely on indicators of compromise (IOC) or low-fidelity detection rules.
Organizations need to rethink how they hunt for threats to stay ahead. Advanced threat hunting combines innovative technology with human expertise to actively search for threats evading traditional security defenses.
Trustwave’s Global Director of the SpiderLabs Threat Hunt Team Shawn Kanady joins SecurityInfoWatch to explain advanced threat hunting and provide recommendations for organizations looking for a more comprehensive picture of their threat landscape.
SIW: Before we get into the idea of advanced threat hunting, can you share a bit about how traditional threat hunting has historically been done?
Kanady: Traditional threat detection and prevention tools often rely on IOCs, an after-the-fact approach that provides guidance for countering an attack. IOCs are not enough to prevent an attack before it happens or predict what will happen if an organization makes any security process changes.
A hunt based on an IOC means that an attack has already happened and has been discovered – an entity was breached, the breach became known, and an investigation was conducted. Only after that process would other security teams be able to hunt that IOC. While it is good to use IOCs to look historically to see if a malware campaign impacted you, it is not very proactive.
SIW: How should organizations rethink their threat-hunting approach to become more advanced and proactive?
Building a more comprehensive picture of the threat landscape through IOBs makes it easier to proactively uncover zero days, hunt for previously unknown security gaps, and identify hidden threats while providing actionable recommendations to mitigate risk to an organization. As new threat hunt findings are discovered, intelligence can be distributed globally to help security teams improve existing monitoring tools and services, creating a constant feedback loop to advance security operations and approaches. Plus, that information doesn’t require a full-blown compromise to be helpful to other teams.
Human-led threat hunts based on IOBs can proactively find what others may be missing and discover net-new threats. For example, when our threat hunt team deployed a behavior-based hunt for the Lockbit ransomware gang and hunted for tactics specifically mapped to their threat profile, we discovered a previously unknown malicious IP address which a brute force attempt was being launched from. This IP address did not have a history in the wild and we leveraged this new intelligence to create detection rules for this behavior for all clients to benefit.
SIW: How can a cybersecurity team operationalize human-led and behavior-based threat hunting?
Kanady: Threat hunt teams should employ human-led threat hunts that work around the clock, meticulously and continuously developing thousands of queries across multiple EDR technologies and mapping them to the MITRE ATT&CK framework. Leveraging those queries through automation can then help teams hunt for the IOBs of specific threat actors at scale, across all clients and a variety of supported EDR tools at one time.
This new, complete overhaul of the previous methodology also helps to identify threats from within an organization’s perimeter more quickly. While hunting a targeted adversary, human-led teams can also uncover general security hygiene issues like unsecured legacy systems, open ports, and human errors like storing passwords on computers. Considering that most cyberattacks leverage human error, security teams can’t afford to focus on just the threat actor’s part of the equation.
SIW: Why is this approach necessary and beneficial to organizations?
Kanady: The current threat landscape is characterized by constantly evolving and increasingly sophisticated cyber adversaries, making it essential for security teams to continuously adapt and innovate. To stay ahead of these evolving threats, organizations must consider the benefits of behavior-based threat hunting led by human expertise to increase the chances of stopping an attack before it happens and to gain a deeper understanding of their network to identify areas for improvement.
For example, in the Lockbit case I mentioned before, one of the true highlights of advanced threat hunting became apparent. While searching for Lockbit, we found evidence of other threats and security lapses. Many of the techniques shared by different threat groups are now being discovered alongside general security hygiene issues in a single search before they could cause a breach or security incident.
With the ability to scale and accommodate an ever-increasing threat landscape, a proactive, human-led, behavior-based approach should be considered an indispensable component of an organization’s network protection plan. By pairing human analysis and knowledge base with automation tools, it becomes easier to identify and disrupt the very human behaviors of cybercriminals well before a breach occurs, strengthening an organization's overall security posture.
