It’s hunting season but who’s the prey?

Nov 02, 2016 | 8 mins read
Tags: Advanced Persistent Threats, Big Data, Critical Infrastructure

Caveats to consider before answering the Call of the Wild.

Autumn in North America: The brightly colored leaves, shorter days and cooler temperatures convert “weakened worriers” into “weekend warriors,” who switch their suits and khakis for coveralls and flaming orange vests and hats — swap MacBooks for Mossbergs, and the commute for the camp out — all in an effort to return to some primordial connection of our days as Hunter-Gatherers.

There’s a trend in security operations to close the gap between discovering a breach after the damage has been inflicted and delving deeper into the infrastructure to evaluate the “What/Where/When/How,” in an effort to advance the security team’s preemptive efforts in deterring, or at least containing, malicious activity. And with one report suggesting ransomware is up almost 90 percent over last year, it’s getting a bit confusing as to which side of the “hunting season” organizations find themselves on.

This relatively new trend in cyber-hunting has spawned a host of emerging strategies and tactics that describe the latest “How-to” lists, tactical toolkits and “Everything APT” advancements — all in an effort to stay out in front of the Big Game that frequently out-hunts the hunters.

Despite the rising trend in what Anton Chuvakin of Gartner calls “the domain of the well-resourced, super-security-mature, extra-skilled 1%-ers,” cyber hunters don’t have to have Master’s degrees in Boolean and Bayesian Logic to be effective in a search-and-defend mission to protect their infrastructures (although looking to some of the new EDR and UBA technologies from the likes of Cybereason and Interset can help from both sides of the duck blind).

As well, there are some useful resources CSOs can turn to before donning their virtual orange hats and camo vests and heading into the wilderness, including reports out of the FBI on the tail of October’s “National Cyber Security Awareness Month,” which are worthy of a double-check before moving on to the next alert. One particular threat, which may not be anything at all, might still warrant a quick look into the sites, to stay ahead of the game...

Remember, remember, the 5th of November

While the Fed thinks it is “unlikely” hackers will be any more active on Nov. 5, “Guy Fawkes Day,” than usual, because of the loose leadership structure within hacktivist groups, it is possible individuals claiming affiliation to a group might want to announce their own hunting season. Our friends at the FBI suggest there’s always that risk of the bad guys doing whatever they want (whenever they want), and that they don’t need an anniversary to do so.

Perhaps out of coincidence, or just by happenstance, Anonymous did post a message on Twitter last week, which read “DDoS comin.” The potential target and timeframe for another IoT-based attack are uncertain (though another attack is highly likely), and whether it is meant to coincide with Nov. 5 is also unclear. Most folks are betting the wildlife will emerge around the general election. Suffice to say, however, that a public posting from any nefarious group should be at least warning enough to be aware of the growing risks to our computing infrastructures, and a prompting to exercise some elevated precaution.

Who’s hunting whom?

To stay ahead of the tracks, Cybereason suggests CSOs have their teams dig more thoroughly into the data as a means of preempting (or at least identifying) attack trends. Like a flock of ducks to decoys, threat actors tend to follow patterns in how they approach their targets. The trick is learning how your system behaves, and what constitutes an “anomaly” within it, and that requires more than what the audit trails and firewall settings are reporting:

  • Just like checking the weather conditions before heading out into the wilderness to catch that unsuspecting prey, threat hunters have to completely understand the environment, and what is happening in and to it. That means collecting copious amounts of data from multiple sources within your system (endpoints and beyond).
  • Because “malware” seems to be the weapon of choice, the hunters at Cybereason say it’s important to have the ability “to collect and compare data against threat feeds and blacklists to confirm the existence of known threats.”
  • Collecting the data is only part of being effective in defending against a breach. The ability to process the information for trending and further analysis, pivot off what is collected, and extrapolate reasonable conclusions from which red teams can help security teams set their sights on more refined defense mechanisms ahead of an incident. “This allows the team to connect seemingly unrelated threats and understand the full scope of an attack,” the Cybereason team adds.
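The three bullets above describe one workflow: collect data from the environment, confirm known threats against a feed or blacklist, then pivot off the confirmed hits to connect seemingly unrelated events. The following script is an added example, not code from the article or from Cybereason. It runs that workflow over a constructed proxy log and a constructed one-entry "threat feed"; the hostnames, client addresses and log format are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a proxy log (timestamp, client IP, method, destination host).
# These lines and addresses are made up for this example; they are not real traffic.
SAMPLE_LOG = """\
2016-11-02T08:01:10Z 10.0.5.21 GET www.example.test
2016-11-02T08:02:44Z 10.0.5.21 POST cdn-metrics.badhost.test
2016-11-02T08:03:01Z 10.0.5.21 GET files.drop-zone.test
2016-11-02T08:04:19Z 10.0.7.14 GET www.example.test
2016-11-02T08:05:19Z 10.0.7.14 POST cdn-metrics.badhost.test
2016-11-02T08:06:40Z 10.0.7.14 GET files.drop-zone.test
2016-11-02T08:09:03Z 10.0.9.2 GET www.example.test
2016-11-02T08:10:22Z 10.0.9.2 GET intranet.corp.test
"""

# Constructed "threat feed": the only indicator the feed already knows about.
BLOCKLIST = {"cdn-metrics.badhost.test"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)$")


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def confirmed_hits(events, blocklist):
    """Step 1: match destination hosts against the feed to confirm known threats."""
    return [e for e in events if e["host"] in blocklist]


def pivot_candidates(events, blocklist):
    """Step 2: pivot from the confirmed hits to the clients involved, then to the
    other hosts those clients contacted. A host reached by every affected client
    and by no unaffected client is a candidate indicator worth a closer look.
    Returns (affected_clients, candidates), both as sorted lists."""
    hosts_by_client = defaultdict(set)
    for e in events:
        hosts_by_client[e["client"]].add(e["host"])

    affected = {e["client"] for e in confirmed_hits(events, blocklist)}
    clean_hosts = set()
    for client, hosts in hosts_by_client.items():
        if client not in affected:
            clean_hosts |= hosts

    candidates = set()
    for client in affected:
        for host in hosts_by_client[client]:
            if host in blocklist or host in clean_hosts:
                continue
            # keep only hosts common to every affected client
            if all(host in hosts_by_client[c] for c in affected):
                candidates.add(host)
    return sorted(affected), sorted(candidates)


def hunt(text, blocklist):
    """Run both steps and return a small report dict."""
    events = parse_log(text)
    hits = confirmed_hits(events, blocklist)
    affected, candidates = pivot_candidates(events, blocklist)
    return {
        "events": len(events),
        "confirmed": len(hits),
        "affected_clients": affected,
        "candidate_indicators": candidates,
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG, BLOCKLIST).items():
        print(f"{key}: {value}")
```

On the sample, the feed confirms two hits, the pivot ties both affected clients together, and `files.drop-zone.test` surfaces as a candidate indicator because only the affected clients contacted it. `www.example.test` is dropped because an unaffected client also visited it, which is the "connect seemingly unrelated threats" step in miniature; a real feed match should still be verified before the candidate is added to a blocklist.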

Given the recent spate of IoT attacks, combined with Anon’s Twitter post from Oct. 26, CSOs might consider another look at those sensitive points of access. According to one FBI report, “Botnets comprised of IoT devices can be used to conduct unprecedented and powerful attacks that can take down Web sites,” much like the IoT attack we saw in September against our friend, Brian Krebs.

“Be prepared”

Any young man who has ventured out with the Boy Scouts knows that two-word phrase can cover a lot of ground. The same is true when preparing appropriate contingencies against the potential onslaught of IoT attacks that many security experts say are just over the horizon. The FBI suggests having a look at basic system housekeeping as the best way to at least reduce the risk of compromise.

Compliments of Hoover’s Hunters, here’s a seven-point checklist CSOs might consider as preparation, at the very minimum, ahead of whatever hunting season they plan to undertake:

  1. When was the last time you required those system passwords to be refreshed? Respected cryptologist and security legend Bruce Schneier suggests that while it depends on what the password is used to access, “any password-changing policy needs to be chosen with that consideration in mind.” Here’s Bruce’s take on keeping those passwords fresh and complex.
  2. Check with your IT administrators and teams to ensure common vulnerabilities are patched. The OWASP gang suggests “Just-in-time Patching” to “externally address the issues outside of the application code.”
  3. Review hardware and software applications. Are they tuned properly? Are those default services that came with those new boxes wiped clean? Symantec suggests removing default services “reduces the attack surface” that can be exploited.
  4. Prepare a DDoS mitigation strategy ahead of time, and keep a vigilant watch for social engineering tactics that target sensitive information. According to analysts at Forrester, “The availability of an organization’s critical systems depends on its ability to adapt and scale across its online infrastructure and protect it from these types of incidents.” Forrester’s two-phased mitigation plan can be accessed through this link.
  5. Develop and apply an incident response plan that includes DDoS mitigation (and be sure to practice this plan ahead of an incident). FBI adds: “This plan may involve external organizations such as your ISP, technology companies that offer DDoS mitigation services, and law enforcement.” Also, be sure the plan lists points of contact from all third parties.
  6. How’s your data backup and recovery plan? Is your organization maintaining copies of sensitive and proprietary data in a separate and secure location? Computer Weekly’s Paul Kirvan says that before organizations write a DRP, they should consider performing “a risk assessment (RA) and/or business impact analysis (BIA) to identify the IT services that support the organization’s critical business activities.” The global standard for IT disaster recovery is published as ISO/IEC 27031.
  7. How dependent is your organization on public facing Web servers? The National Institute of Standards and Technology provides comprehensive guidelines on how to secure web servers via this published source.
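Items 3 and 7 of the checklist both come down to knowing what a box is actually listening on and whether each listener is supposed to face the network. The script below is an added example, not from the article, the FBI or Symantec. It parses text in the format of Linux `ss -tlnp` output and compares every listener against a baseline of expected services; the listeners, PIDs, ports and the baseline itself are constructed for this example.

```python
import re

# Constructed sample in the format of `ss -tlnp` (Linux). The listeners, PIDs and
# ports below are made up for this example, not taken from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=455,fd=4))
LISTEN 0      128    [::]:111           [::]:*            users:(("rpcbind",pid=301,fd=5))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=1555,fd=30))
"""

# Constructed baseline: port -> (expected process, allowed exposure).
# "any" may face the network; "local" must stay bound to loopback.
BASELINE = {
    22: ("sshd", "any"),
    443: ("nginx", "any"),
    3306: ("mysqld", "local"),
}

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(text):
    """Return (port, bind_address, process) for each LISTEN row; the header is ignored."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        local, proc = m.groups()
        addr, port = local.rsplit(":", 1)   # handles both 0.0.0.0:22 and [::]:111
        out.append((int(port), addr, proc))
    return out


def audit(text, baseline):
    """Compare listeners against the baseline; return (port, process, reason) findings."""
    findings = []
    for port, addr, proc in parse_listeners(text):
        exposed = addr not in LOOPBACK
        if port not in baseline:
            findings.append((port, proc, "not in baseline; disable it or add it to the baseline"))
            continue
        want_proc, exposure = baseline[port]
        if proc != want_proc:
            findings.append((port, proc, f"unexpected process (baseline expects {want_proc})"))
        elif exposure == "local" and exposed:
            findings.append((port, proc, "should be bound to loopback only"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_SS, BASELINE):
        print(f"port {port} ({proc}): {reason}")
```

On the sample, the telnet listener left behind by inetd, rpcbind and an unreviewed Java service on 8080 are flagged as not in the baseline, while the database passes because it is bound to loopback. The same baseline comparison, run on a schedule and diffed against the previous run, turns "are those default services wiped clean?" from a one-time question into a standing check.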

You can learn more about how to address the DDoS problem via the latest CERT reports.

And while November tends to kick off the “SAD Season,” a time that usually sees elevations in boredom, anxieties associated with the onset of “Cabin Fever,” and other oft-reported motivators behind bad online behavior, recent history suggests hacktivities don’t get any greater than those that occur at other times of the year. (Fact is, hackers just don’t care about your feelings!) The FBI reports that Anonymous and other groups have often tipped their hands to foreboding moments in the past, as with November 2011’s “Operation Fox Hunt” and “OpFacebook,” although both of those threats came to nothing.

Still, a little fall housekeeping before heading out into the woods could save some headache on the IR side if and when that next IoT attack compromises your organization’s CIA (confidentiality, integrity and availability).

And be careful where you point stuff!


U.S. Navy Veteran Drew Williams has a core philosophy about life and work: "Keep busy, stay engaged, and always be productive." Whether as a writer, video producer, lecturer or educator, Drew has been involved in information risk management since the mid-80s. He has developed and published Information Security standards and guidelines.

During the late 1990s, Drew contributed to re-tooling security policies for some of the largest financial institutions in the world, and worked on early adoption of GRC standards and frameworks (SOX, ITIL, ISO27799, CObIT). An original contributor to the HIPAA Security Policy (1995-1996), Drew wrote one of the early security policy guides, "HIPAA Code Blue."

As former product manager for what was the world's top Host Intrusion Detection System (AXENT/Intruder Alert), Drew also contributed to IT security initiatives (IETF / NIST), and worked with MITRE to build the Common Vulnerabilities Enumeration (CVE) framework. Drew served on the President's Council on Critical Infrastructure Security (precursor to DHS), and worked on the NIST's "Common Criteria" directives.

Drew co-authored some of the industry’s first Incident Response & Information Security Risk Assessment Services while head of the SWAT Team at AXENT/Symantec (1997-2002), and from 2006 to 2011, Drew hosted Asia's "Hacker Halted" security symposium.

As founder of Condition Zebra (2011) Drew developed information security readiness programs & mission-critical risk assessments for ministries of defense throughout Asia. He also co-developed post-graduate programs on cybersecurity at Utah Valley University and Southern Utah University, the latter where he also serves as a member of the faculty in the Graduate Program.

Drew also initiated the first "Gold" funding opportunities for the annual Black Hat Briefings in Las Vegas in 2000. A former speaker at CSI/FBI and N+i events during the 1990s-2000s, Drew is also a member of the “Founder’s Circle” at the annual RSA Security Conference, and has been a contributing source in broadcast media, including MSNBC, CNN, and NPR, and has been featured in USA Today, The Washington Post and publications throughout the US and Europe.

The opinions expressed in this blog are those of Drew Williams and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.