
Threat Hunting as an Active Defense


Many organizations do not know that attackers are already inside their systems. Enterprises routinely fail to detect intrusions in a timely and effective manner, and they pay for it in breach costs, regulatory penalties and compliance failures. Government organizations are no exception.

In 2010, WikiLeaks published some 391,000 classified U.S. military documents, the largest unauthorized disclosure of classified material to date, followed by a trove of diplomatic cables whose contents were widely cited in Tunisia in the run-up to the Arab Spring. The immediate shock has faded, but the repercussions were felt for years afterwards. Who was to blame? The source turned out to be an Army private who abused legitimate, privileged access to the material and had been copying it for months before being identified, and the case came to light through a tip-off rather than through any detection inside the network. Threat hunting is precisely the discipline aimed at catching that kind of abuse much sooner.

Threat hunting is the proactive, iterative process of searching for, detecting and isolating threats that have evaded the existing security controls of a network. Complementary techniques, such as attribution as an active defense, can also reduce the impact of advanced threats and shrink the detection delta. Tools such as the molehunt and the web bug server can be used as active-defense components of a threat-hunting program.

Why Is the Detection Delta Critical for My Organization?

When it comes to detecting threats and adversaries, time is the critical factor. The detection delta (what FireEye calls dwell time) is the interval between the initial compromise and its discovery. FireEye's M-Trends 2017 report put the global median at 99 days for 2016, down from 146 days in 2015. That is a significant improvement, but it still means a typical organization remains oblivious to a breach for more than three months.

Over such a long undetected period an attacker can move a great deal of data even over a trickle: 99 days at a dial-up rate of 56 kbps works out to roughly 60 GB. If each customer record in your database takes about 2 KB, that is on the order of 30 million records. The situation is far worse when those records hold personally identifiable information (PII): the company faces severe penalties, and the customers face identity theft and fraud.

This is where threat hunters earn their keep, because they can cut the detection delta significantly. The less time between breach and detection, the less data is lost and the less risk the company carries.

What is the Relationship Between Incident Response and Threat Hunting?

As the name suggests, incident response (IR) is a systematic approach to handling the aftermath of a security breach (a cyber incident), with the principal goals of limiting damage and reducing recovery time and cost.

IR plays a crucial role in threat hunting. According to Gartner, the outcomes of threat hunting depend largely on the competence of the cyber-incident response team (CIRT) and the maturity of the security operations center (SOC). Organizations with a mature security program have documented procedures for viruses, malware, wireless attacks and other threats; a new company may have only a generic response plan and a weaker overall posture. In either case, threat hunting adds a further, reliable layer of defense, and IR and threat hunting must work in concert to produce effective results.

During an IR engagement a CIRT can apply a range of hunting techniques to identify adversary activity, and can turn what it finds into threat indicators. Conversely, automated IR tooling can detect incidents using data produced by hunts.

How Can Offensive Countermeasures Help in the Hunt?

Malicious insiders are at times more dangerous than external attackers: they can hand corporate secrets to a competitor, or military secrets and intelligence reports to a hostile power. To counter this type of incident, threat hunters use offensive countermeasures.

Offensive countermeasures are a set of techniques used in traditional threat-hunting operations to pursue a human adversary. They fall into three active-defense categories, commonly denoted the 3 As (AAA): Annoyance, Attribution and Attack.


Attribution is the primary method for hunting malicious insiders. It aims at establishing who the attacker is and what motivates them. Successful attribution is not easy: attackers obfuscate their tooling to defeat signature-based identification, using metamorphic techniques such as dead-code insertion, register reassignment, instruction substitution, subroutine reordering and code integration. Insiders in particular benefit from poor detection capabilities or weak overall security.

Controls such as Endpoint Detection and Response (EDR) and Data Loss Prevention (DLP) are deployed to thwart insider threats, but they are noisy. DLP, for example, cannot inspect the contents of encrypted files, so every such file it sees becomes an alert, and alert fatigue follows quickly. Correlating those alerts in a SIEM reduces the noise, though a SIEM is a detection aid rather than an active defense in its own right. Before implementing active-defense techniques, consult the legal department: legal advice is key to the success of any information security program.

Legal Advice

A legal advisor will point out the technical arguments an insider could raise in their own defense and suggest proactive measures that strengthen the organization's legal position. Marking network boundaries is especially important: warning banners tell outsiders and insiders alike that they are being monitored, that taking data out is prohibited and that detection will have serious consequences. Engaging management and legal counsel is indispensable before hunting insiders with offensive countermeasures.

In addition, the organization can use web bug server technology (described below) to detect and attribute deliberate data leakage.

The Web Bug Server

A web bug is a hidden element, typically a reference to a remote resource such as an image or stylesheet, embedded in a web page or document. When the document is opened, the viewer fetches that resource from a server the hunter controls, and the web bug server records the request: source IP address, user agent and time. The insider is not warned; the hunter is. The server is in effect a callback (beacon) server, the same pattern as a C2 beacon minus the commands, and it works best when placed outside the organization's infrastructure, for instance on a cloud provider such as Amazon Web Services (AWS), so that a document opened from an external network still reaches it. Hunters mostly embed the bug in Microsoft Office documents, where a linked picture or remote template triggers the fetch, or in an HTML page.


Molehunt is the next step in the web bug concept and is used for attribution when the pool of suspected insiders is already known. Given a list of suspects, the hunter feeds it to a Python script that produces a separately bugged copy of the document for each name; whichever copy later calls back from outside the organization identifies the leaker.
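The following is an added example of the web bug server and molehunt ideas described in the two sections above; it is not code from the article, nor the actual Web Bug Server or Molehunt tools it names. It assumes a hostname you control outside the corporate network (bug.example.net), a per-campaign secret kept offline, and the RFC 1918 ranges as your internal networks; the suspect list and campaign name are constructed. One token is derived per suspect with an HMAC, so the token itself reveals nothing about who received which copy, and the token-to-suspect registry never leaves the hunter. The server answers every request with a 1x1 GIF and classifies the caller as internal or external.

```python
"""Web-bug document generation and callback attribution (added example).

Not the article's code and not the Web Bug Server / Molehunt tools it names.
Assumed: you control BUG_HOST outside the corporate network, CAMPAIGN_KEY is
a per-campaign secret kept offline, and INTERNAL_NETS are your own ranges.
"""
import hashlib
import hmac
import ipaddress
import json
import re
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

BUG_HOST = "bug.example.net"                    # assumed hostname
CAMPAIGN_KEY = b"replace-with-32-random-bytes"  # assumed secret
INTERNAL_NETS = [ipaddress.ip_network(n)        # assumed corporate ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TOKEN_PATH = re.compile(r"^/i/([0-9a-f]{20})\.gif$")
# 1x1 transparent GIF: the document renders normally, the fetch is the signal.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def token_for(suspect, campaign, key=CAMPAIGN_KEY):
    """Per-suspect token: the HMAC keeps it unguessable without the key and
    reproducible for the hunter; the token itself reveals nothing about who."""
    return hmac.new(key, f"{campaign}|{suspect}".encode(),
                    hashlib.sha256).hexdigest()[:20]


def build_registry(suspects, campaign):
    """Molehunt step: one token per suspect. The mapping stays with the hunter."""
    return {token_for(s, campaign): s for s in suspects}


def bug_url(token):
    return f"https://{BUG_HOST}/i/{token}.gif"


def bugged_document(title, body, token):
    """Minimal HTML document carrying the bug. In an Office file the same URL
    would go into a linked (not embedded) picture or a remote template."""
    return (f"<html><head><title>{title}</title></head><body><p>{body}</p>"
            f'<img src="{bug_url(token)}" width="1" height="1" alt=""></body></html>')


def attribute(path, remote_ip, user_agent, registry, internal_nets=INTERNAL_NETS, when=None):
    """Turn one callback into an attribution event. Unknown tokens are kept
    (scanners and guesses are signal too) but carry suspect=None."""
    m = TOKEN_PATH.match(urlparse(path).path)
    token = m.group(1) if m else None
    try:
        ip = ipaddress.ip_address(remote_ip)
        external = not any(ip in net for net in internal_nets)
    except ValueError:
        external = None                           # unparseable source address
    return {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "token": token,
        "suspect": registry.get(token) if token else None,
        "remote_ip": remote_ip,
        "external": external,                     # True = opened outside your network
        "user_agent": user_agent,
    }


class BugHandler(BaseHTTPRequestHandler):
    registry = {}                                 # set by serve()

    def do_GET(self):
        event = attribute(self.path, self.client_address[0],
                          self.headers.get("User-Agent", ""), self.registry)
        print(json.dumps(event), flush=True)      # in practice: ship this to the SIEM
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")  # force a callback on every open
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, fmt, *args):            # silence the default access log
        pass


def serve(registry, port=8080):
    BugHandler.registry = registry
    HTTPServer(("0.0.0.0", port), BugHandler).serve_forever()


if __name__ == "__main__":
    # Constructed campaign: three suspects, one bugged copy each.
    registry = build_registry(["alice", "bob", "carol"], "q3-finance-review")
    for token, who in registry.items():
        with open(f"q3_review_{who}.html", "w") as fh:
            fh.write(bugged_document("Q3 finance review", "Confidential draft.", token))
    print("registry (keep private):", json.dumps(registry, indent=1))
    serve(registry)
```

Each copy goes only to the person it was generated for; a callback carrying alice's token from an address outside INTERNAL_NETS means alice's copy left the building, which is the molehunt result. Two practical caveats: Office's Protected View blocks remote content until the reader enables editing, so a document may be leaked and read without ever calling back, and the bug host should be a domain that does not name the organization and should serve a valid TLS certificate, or the callback itself tips off a careful insider.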

Final Remarks

Experts have begun to realize that protecting critical corporate data and information, such as PII and military or intelligence secrets, is indispensable. Unauthorized disclosure can have grave repercussions for your organization. To prevent these incidents, organizat
