The Knight's Fork: Hunting the hunter

An effective hunt can mitigate lateral movement and the exfiltration of the crown jewels, but the true utility of an effective hunt team is to inhibit destructive attacks and enable attribution.


We are being hunted in cyberspace. Gone are the days of smash-and-grab cyber burglaries. In today's increasingly punitive cyberspace, cybercriminals have transitioned from burglary to home invasion. Victim organizations are experiencing multiple criminal schemes of monetization at once: data is stolen, and the brand is then turned against its own constituency via watering-hole attacks and business email compromise campaigns.

It still takes months for a victim organization to detect and respond to a cyber-intrusion. Given the reality that the cybercriminal has a footprint within one's network for an extended period, one must alter one's security posture accordingly. The metric by which we can assess the potency of a cyber-countermeasure is how effectively it decreases an adversary's dwell time, the interval between initial compromise and detection or eviction. Decreasing dwell time is the measurable metric by which an enterprise can value its return on investment.

Drilling down into dwell time: the true ROI of a cybersecurity investment is the delta in dwell time before and after that investment. There is a direct correlation between cybersecurity investment and brand protection. Hunting gives an organization the opportunity to turn the tables on an adversary. Whereas an effective hunt can mitigate lateral movement and the exfiltration of the crown jewels, the true utility of an effective hunt team is to inhibit destructive attacks and enable attribution.

Hunt teams must be established, and the team must be multidisciplinary. These hunters must have incident response and forensics experience. They must play chess and possess knowledge of geopolitics, as understanding the motivation for an attack is paramount. Assemble a team of operators who understand that identifying an active compromise on the network requires knowledge not only of technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also of current exploits, vulnerabilities, threat actor methodology and TTPs.

Develop a threat profile. This will help a hunter prioritize where to hunt (and ultimately where to start hunting). Apply big data analytics and memory augmentation: big data to consolidate efforts, sort information faster, and let the tooling do the target acquisition for the team, which acts as a force multiplier for your hunters. Finally, develop rapid response protocols. Deciding when to turn up the volume is critical, as counter-incident-response measures and destructive attacks are becoming the norm.

With what, then, do we arm our hunters? A threat hunt is most effective when employing both active measures (agents deployed to endpoints) and passive measures (NetFlow, packet capture appliances). User and entity behavior analytics must be employed, as it is critical to baseline "normal" network and host behavior in a threat hunt; contextualizing normal behavior is the most effective way of determining where an adversary might lie in wait.

Hunters should evaluate users with higher levels of access to a network's "crown jewels", and deception grids (decoy hosts and credentials) should be deployed around these users and hosts. Lastly, deploy memory augmentation to facilitate situational awareness and reverse search for attribution. This capability will serve as your night-vision goggles.
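The baseline-and-deviation approach above, together with the prioritization of crown-jewel access, as an added example (not code from the article or from any product it names): the script builds a per-user baseline of destination hosts and login hours from a quiet window of authentication logs, then scores each event in a later hunt window by how far it departs from that baseline, weighting hits on hosts the team has tagged as crown jewels. The log format, user names, host names, crown-jewel list and time windows are all constructed for the example.

```python
"""Baseline-and-deviation hunt over constructed authentication logs.

Added example, not the article's code. Assumes a constructed line format
'<ISO timestamp> <user> <src_host> -> <dst_host> <result>'; real SIEM or
UEBA exports differ. A baseline is the per-user set of destination hosts
and login hours seen during a quiet window; hunt-window events that reach
a never-seen host, arrive at an unusual hour, or come from an unknown user
are surfaced, with extra weight when the destination is a crown jewel.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: a quiet baseline window ...
BASELINE_LOGS = """\
2018-01-08T09:02:11 alice ws-alice -> fileserver-01 success
2018-01-08T09:05:40 alice ws-alice -> mail-01 success
2018-01-09T08:58:03 alice ws-alice -> fileserver-01 success
2018-01-10T17:45:19 alice ws-alice -> fileserver-01 success
2018-01-08T10:15:00 bob ws-bob -> sql-prod-01 success
2018-01-09T11:30:22 bob ws-bob -> sql-prod-01 success
2018-01-10T10:02:47 bob ws-bob -> mail-01 success
"""

# ... and a later hunt window in the same constructed format.
HUNT_LOGS = """\
2018-01-22T09:10:05 alice ws-alice -> fileserver-01 success
2018-01-22T03:12:44 alice ws-alice -> dc-01 success
2018-01-22T03:13:02 alice ws-alice -> sql-prod-01 success
2018-01-22T10:40:31 bob ws-bob -> sql-prod-01 success
2018-01-22T10:41:08 bob ws-bob -> mail-01 failure
"""

# Hosts the hunt team has tagged as crown jewels (assumed names).
CROWN_JEWELS = frozenset({"dc-01", "sql-prod-01"})


def parse_logs(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, _arrow, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return events


def build_baseline(events):
    """Per-user sets of destination hosts and login hours seen in the quiet window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in events:
        baseline[ev["user"]]["hosts"].add(ev["dst"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def hunt(baseline, events, crown_jewels=CROWN_JEWELS, hour_slack=1):
    """Score each hunt-window event against its user's baseline.

    Events with no deviation are dropped; the rest are returned sorted by
    descending score, then by time, so the hunter works the top of the list.
    """
    findings = []
    for ev in events:
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("user absent from baseline")
        else:
            if ev["dst"] not in profile["hosts"]:
                reasons.append("new destination")
            # Tolerate +/- hour_slack around every hour seen in the baseline.
            usual = {(h + d) % 24 for h in profile["hours"]
                     for d in range(-hour_slack, hour_slack + 1)}
            if ev["ts"].hour not in usual:
                reasons.append("unusual hour")
        # A deviation that lands on a crown jewel outranks one that does not.
        if reasons and ev["dst"] in crown_jewels:
            reasons.append("crown-jewel host")
        if reasons:
            findings.append({"user": ev["user"], "dst": ev["dst"],
                             "ts": ev["ts"].isoformat(),
                             "reasons": reasons, "score": len(reasons)})
    findings.sort(key=lambda f: (-f["score"], f["ts"]))
    return findings


def run_example():
    """Baseline on the quiet window, then hunt the later window."""
    return hunt(build_baseline(parse_logs(BASELINE_LOGS)), parse_logs(HUNT_LOGS))


if __name__ == "__main__":
    for f in run_example():
        print(f["score"], f["ts"], f["user"], "->", f["dst"], ", ".join(f["reasons"]))
```

Running the script surfaces two events, both from the same account at 03:00 reaching hosts it had never touched, one of them a domain controller. In practice the baseline comes from a SIEM or UEBA export rather than a string, the hour slack and crown-jewel list come from the threat profile, and a finding is a lead to pivot on (endpoint timeline of the source host, NetFlow for that window) rather than a verdict.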

An effective hunt will result in a knight's fork, wherein a single piece makes two or more direct attacks simultaneously. The opponent must move out of check, but in doing so they sacrifice their queen. The queen in cyber is the adversary's clandestine footprint on your network. Happy hunting.
