Security / October 11, 2016

Top 3 Common Pitfalls That Hurt Your Network Security

The days of fire-and-forget network security may be long gone, but the fog around “active defense” is still very thick.  This article outlines the three most common mistakes companies make when standing up a cyber-hunt capability.

1.) Failure to recognize security as a human game.

Computers don’t hack computers.  People hack computers.  It is a human on the other end who tries to steal your data, deface your website, or ruin your reputation.  When your defensive capability is focused on building static defenses and responding to incidents, you will find yourself falling far short.

More specifically, risk assessments, firewalls, email scrubbers, and access control devices are only static defenses.  They are walls you build around your land to keep the bad guys out.  But when you build a wall, the bad guy will adapt by learning how to go over, under, or around it.  The game is highly dynamic in nature.  Your security architects will assess the landscape and place defenses, but how will they know if the defenses are working?

Cyber hunters are skilled individuals whose sole task it is to seek, discover, and track the bad guys in and around your network.  They build “case files” of: who is trying to get in, what they are trying to do, what techniques they are using, and, most importantly, what assets they have already compromised.  Only when all the evidence has been collected is it the right time to shut down a hacker!

2.) A cyber hunter does not need “write” access to your network.

A cyber hunter is not an incident responder.  You should not be replacing your incident responders with cyber hunters, and you should not task your incident responders with cyber-hunting responsibilities.  Cyber hunters collect telemetry and analyze it.  They are not the ones to “act.”  The work product of a cyber hunter is a file with all collected evidence and a recommended plan of (counter-)attack.

Considering the seriousness of the threat, cyber hunters should certainly not be acting alone.  The appropriate response to collected evidence of compromise is something that incident responders should be reviewing and implementing.  Since most attackers will quickly gain more than a single foothold in your organization, it is important hunters find them all—before asking the responders to shut an attacker down.

Incident response is very reactive in nature.  Cyber hunting is pro-active and investigative.

3.) Visibility is king.

“Some” telemetry is not enough.  You need all.  Simply collecting log or alert data will leave you completely blind to a smart attacker.  It will also turn your cyber hunter into an incident responder.  Keep in mind that “no evidence of compromise” is NOT the same as “evidence of no compromise.”

It is also important to realize that the data a cyber hunter is going to need tomorrow may not be obvious today.  The better you are able to equip your cyber hunter with visibility, the better your chances of defending your network.  This means collecting packets, collecting logs, collecting NetFlow, and comparing it all to threat intelligence from inside as well as outside your organization.

Collect “all” this as telemetry — meaning:  keep it!  Don’t collect, aggregate, and junk it if no immediate evidence is found.  Instead, keep weeks or even months of forensic history on all your data.  Hunters will often find themselves searching back for things they didn’t know weeks ago.
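To make the last two points concrete, here is an added example (not code from the original article) of a retrospective hunt over retained flow telemetry. The flow records, the hosts and the threat-intelligence indicators are all constructed for the illustration. An indicator that is only published today is checked against weeks of stored NetFlow-style records, so a connection made long before anyone knew the address was bad still surfaces; the same hunt run against a collector that keeps only seven days of history silently misses it.

```python
"""Retrospective hunt over retained flow telemetry (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: datetime      # when the flow was observed
    src: str          # internal host
    dst: str          # external peer
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Match:
    flow: Flow
    indicator: str
    learned_on: datetime   # when the indicator became known to us
    retrospective: bool    # True if the flow predates the indicator


NOW = datetime(2016, 10, 11)

# Constructed telemetry: three weeks of abbreviated outbound flows.
FLOWS: List[Flow] = [
    Flow(NOW - timedelta(days=20), "10.0.0.5", "203.0.113.7", 443, 48_000),
    Flow(NOW - timedelta(days=20), "10.0.0.5", "198.51.100.2", 443, 1_200),
    Flow(NOW - timedelta(days=3), "10.0.0.9", "203.0.113.7", 443, 2_500_000),
    Flow(NOW - timedelta(days=1), "10.0.0.12", "192.0.2.44", 80, 900),
]

# Constructed threat-intel feed: indicator -> date it was first published.
INDICATORS: Dict[str, datetime] = {
    "203.0.113.7": NOW - timedelta(days=2),   # learned only two days ago
    "192.0.2.44": NOW - timedelta(days=30),
}


def retained(flows: List[Flow], now: datetime, retention: timedelta) -> List[Flow]:
    """Keep only flows inside the retention window; a collector that junks
    old data would have discarded everything before the cutoff."""
    cutoff = now - retention
    return [f for f in flows if f.ts >= cutoff]


def hunt(flows: List[Flow], indicators: Dict[str, datetime],
         now: datetime, retention: timedelta) -> List[Match]:
    """Compare every retained flow against the current indicator set and
    flag flows that happened before the indicator was known."""
    matches = []
    for f in retained(flows, now, retention):
        learned = indicators.get(f.dst)
        if learned is None:
            continue
        matches.append(Match(f, f.dst, learned, retrospective=f.ts < learned))
    return matches


def hunt_with_retention_days(days: int) -> List[Match]:
    """Convenience wrapper: run the hunt over the sample data with a given
    retention window in days."""
    return hunt(FLOWS, INDICATORS, NOW, timedelta(days=days))


def compromised_hosts(matches: List[Match]) -> List[str]:
    """Internal hosts with at least one flow to a known-bad peer."""
    return sorted({m.flow.src for m in matches})


if __name__ == "__main__":
    for days in (7, 60):
        ms = hunt_with_retention_days(days)
        print(f"retention {days}d: hosts={compromised_hosts(ms)}")
        for m in ms:
            tag = "retrospective" if m.retrospective else "current"
            print(f"  {m.flow.ts:%Y-%m-%d} {m.flow.src} -> {m.indicator} [{tag}]")
```

With a seven-day window the hunt reports two hosts and returns no evidence about 10.0.0.5, whose contact with the same address happened twenty days earlier; with sixty days of history all three show up, and two of the three hits are flows that predate the indicator. That is the gap between “no evidence of compromise” and “evidence of no compromise,” and the reason the raw telemetry, not just the alerts derived from it, has to be kept.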

And finally:  try to keep as much of your telemetry collection “out-of-band” as possible.  The better you shield your data sources, the less likely it is that attackers will be able to get to them.  Once hackers get into your telemetry, your hunters are blind.
