Guest post by Sean Clapper
HPE Security Senior Consultant, Solutions Innovation
Many skill sets complement hunt operations, and matching individual talents to the hunting process allows for more specialized concentrations. It is difficult, often impossible, to find individuals with complete security knowledge in every domain, and every analyst will have areas of work they prefer.
In smaller operations, individuals share responsibilities, which can open gaps or weaknesses in the process. Larger enterprise operations have the capacity to fill specialized hunting roles; for example, the team could consist of Intelligence Analysts, Network Security Analysts, Data Scientists and Incident Responders. The Hunt Incident Responder could also be a resource shared with the CSIRT (Computer Security Incident Response Team) to help bridge the gap in joint remediation efforts. It is important that the entire team has full transparency on all hunts from start to finish and that formal channels exist for feedback loops and lessons learned, which enables continuous improvement.
A good hunter draws on six categories of skill:
Understanding the business
Understanding security
Content engineering
Analytical models and paradigms
Data science
Forensics and incident response
Below, we take a deeper look into each of these qualifications.
Understanding the business
Category: Business context
Skill: Core business knowledge
Fundamentally, the hunt team needs to understand the core business, applications, systems and network of the organization it is trying to protect. This is important when providing context to network data flows, user activity, and server and lab environments. Analyzing logs without this context compromises the potential effectiveness of Hunt Intelligence. An in-depth understanding of the business and of the purpose and function of its systems and users provides necessary insight during analysis. This becomes particularly important for "Crown Jewel Analysis," where hunts focus on the critical infrastructure supporting the organization's core mission.
Understanding security
Category: Security analysis
Skill: Networking devices and OSs
Security analysts need a solid understanding of networking devices and computer operating systems. Hunt analysts constantly review raw system and network logs as well as packet captures. Analysts should have a deep understanding of the technology and software producing the logs in order to put abnormalities in context.
Skill: Endpoint analysis
Endpoint analysis provides greater context for security threats and activity. This type of analysis can include memory dumps, I/O activity, user activity and similar host-level artifacts. This stage of the hunt can provide more conclusive evidence of what is happening at the host and user level. Hunt analysts should be able to navigate OS logs and explore local endpoints with relative ease.
Skill: Network attacks
Hunt analysts should understand how network attacks, vulnerabilities and exploits work. This includes knowing the capabilities and limitations of the organization's current prevention technologies, so that they know where the gaps are. Analysts with scripting and programming skills can automate the search for common attack patterns and suspicious activity rather than relying on manual review alone.
Content engineering
Category: Detection content engineering
Skill: Content engineer
Though hunts are manual, the goal is that the insights they produce are plugged back into detection content in the SIEM, IDS/IPS, AV and similar tools. Customizing detection technology to the local environment improves the overall security posture and shortens the time to respond to threats.
Analytical models and paradigms
Category: Analytical models
Skill: Analytical frameworks
Hunt analysts require familiarity with various analytical frameworks and models such as the Diamond Model, Crown Jewel Analysis and the Cyber Kill Chain. For example, the Diamond Model details the fundamental aspects of malicious activity and uses analytical concepts to discover, track and counter both activities and adversaries [CCIATR].
Skill: Analytical mindset
The analyst's mindset, or rationale, is important for success in hunting. This includes being aware of analytical and cognitive biases. For example, an analyst might spend three days on a hunt that turns up nothing and, hoping to redeem the effort, invest even more time so that the previous time does not feel wasted. This is called escalation of commitment, or the "sunk cost fallacy": a pattern of behavior in which an individual or group continues to rationalize their decisions, actions and investments when faced with increasingly negative outcomes rather than alter their course [WIKI].
Prioritizing hunts and allocating time is central to hunt operations. There should be limits on the amount of time spent on any particular hunt or activity. Hunts should be planned, their possible outcomes thought out in advance and the time spent justified. Hunting without structure or limits hinders the capability and decreases its overall effectiveness.
Data science
Category: Data science
Skill: Data science basics
Data science techniques are employed throughout the hunting process. This includes extracting knowledge from structured and unstructured data through statistics, data mining, predictive analytics and related methods. Data science can decrease time to detect and provide additional insight into malicious behavior that was previously unseen. Capabilities that can be drawn from the field include machine learning, statistics, text mining, data munging and scrubbing, risk modeling, SIEM content development and visualization.
The use of interactive visualizations to quickly find security threats in large data sets can also be extremely beneficial. Visualizations let analysts see patterns and anomalies that would otherwise go unnoticed, and leveraging these tools gives even greater visibility into cyber threats. Analysts should be familiar with the available tools and capabilities; an analyst who can build their own statistical or mathematical models is a formidable asset for this task.
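The two ideas above, a statistical hunt that surfaces anomalies and the content engineering step that turns the finding into reusable detection content, are illustrated below. This is an added example, not code from the original post or from HPE: the log format, host and account names and the "lateral fan-out" hunt are all constructed for illustration. The hunt baselines how many distinct hosts each account authenticates to and flags outliers with a median/MAD robust z-score (so a single noisy account cannot drag the baseline the way a mean would); the rule then encodes the tuned threshold and the business-context allowlist of known service accounts so a SIEM can run it on every new batch.

```python
"""Hunt-to-detection example (added illustration, not from the original post).

Constructed sample log format (hypothetical):
    <timestamp> user=<name> src=<host> dst=<host> result=<success|failure>
Hunt step: baseline distinct destination hosts per account and flag robust
z-score outliers. Content-engineering step: the finding becomes a fixed
threshold rule plus an allowlist drawn from business context.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed log lines, not real data. 'svc_backup' is a service account that
# legitimately fans out to many hosts; 'jdoe' is the outlier the hunt should find.
SAMPLE_LOGS = """\
2023-05-01T08:01:10Z user=alice src=wks-101 dst=fileserver result=success
2023-05-01T08:03:42Z user=alice src=wks-101 dst=mail result=success
2023-05-01T08:10:00Z user=bob src=wks-102 dst=fileserver result=success
2023-05-01T08:11:00Z user=carol src=wks-103 dst=fileserver result=success
2023-05-01T08:12:00Z user=carol src=wks-103 dst=hr-app result=success
2023-05-01T08:20:00Z user=dave src=wks-104 dst=mail result=success
2023-05-01T09:00:00Z user=jdoe src=wks-105 dst=fileserver result=success
2023-05-01T09:00:30Z user=jdoe src=wks-105 dst=hr-app result=success
2023-05-01T09:01:00Z user=jdoe src=wks-105 dst=finance-db result=success
2023-05-01T09:01:30Z user=jdoe src=wks-105 dst=dc01 result=success
2023-05-01T09:02:00Z user=jdoe src=wks-105 dst=dc02 result=success
2023-05-01T09:02:30Z user=jdoe src=wks-105 dst=build-srv result=success
2023-05-01T09:03:00Z user=jdoe src=wks-105 dst=backup01 result=failure
2023-05-01T09:03:30Z user=jdoe src=wks-105 dst=backup01 result=success
2023-05-01T02:00:00Z user=svc_backup src=backup01 dst=fileserver result=success
2023-05-01T02:00:10Z user=svc_backup src=backup01 dst=mail result=success
2023-05-01T02:00:20Z user=svc_backup src=backup01 dst=hr-app result=success
2023-05-01T02:00:30Z user=svc_backup src=backup01 dst=finance-db result=success
2023-05-01T02:00:40Z user=svc_backup src=backup01 dst=dc01 result=success
2023-05-01T02:00:50Z user=svc_backup src=backup01 dst=dc02 result=success
2023-05-01T02:01:00Z user=svc_backup src=backup01 dst=build-srv result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Business context the hunt team supplies: accounts expected to touch many hosts.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def distinct_destinations(events):
    """Map user -> set of hosts the user successfully authenticated to (failures ignored)."""
    dests = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            dests[e["user"]].add(e["dst"])
    return dests


def robust_z_scores(values):
    """Median/MAD z-scores. 1.4826 scales MAD to a standard deviation for normal data;
    the floor of 1.0 avoids dividing by zero when every account looks the same."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, 1.0)
    return [(v - med) / scale for v in values]


def hunt_lateral_fanout(events, z_threshold=3.0):
    """Hunt step: (user, distinct_hosts, z) for accounts that are statistical outliers."""
    dests = distinct_destinations(events)
    users = sorted(dests)
    counts = [len(dests[u]) for u in users]
    zs = robust_z_scores(counts)
    return [(u, c, round(z, 2)) for u, c, z in zip(users, counts, zs) if z >= z_threshold]


def rule_excessive_fanout(events, max_hosts=5, allowlist=KNOWN_SERVICE_ACCOUNTS):
    """Content-engineering step: the hunt's finding as a deterministic rule a SIEM can run.
    The threshold and the allowlist are the tuned knowledge the hunt produced."""
    dests = distinct_destinations(events)
    return sorted((u, len(h)) for u, h in dests.items() if len(h) > max_hosts and u not in allowlist)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("hunt outliers:", hunt_lateral_fanout(evs))   # jdoe and svc_backup
    print("rule hits:", rule_excessive_fanout(evs))     # jdoe only
```

The hunt flags both the attacker-like account and the backup service account, which is exactly why the analyst's business knowledge matters: the allowlist in the promoted rule is the hunt insight that keeps the SIEM content from paging on the service account every night.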
Forensics and incident response
Category: Forensics and incident response
Skill: General incident handling
When a true positive is detected, hunt leads the containment, eradication and recovery for the breach. This allows hunt to function as an end-to-end security capability, from initial intelligence alert to remediation. Hunt can also coordinate with an existing CSIRT or, in some cases, escalate incidents directly. In either scenario, the ideal hunt team works closely with the CSIRT and SOC on a regular basis.
Analysts apply incident response processes, threat intelligence and digital forensics to investigate compromised environments. They determine how and when the breach occurred and establish the impact and scope of the incident. This can include investigating damaged systems, stolen data and insider threats, then providing containment and remediation. Hunt Incident Responders have specific tradecraft for dealing with outbreaks and tracking down root causes.
Skill: Breach frameworks
Responding analysts use analytical frameworks to formally investigate breaches and assess impact. For example, Timeline Analysis is used to investigate a se