Crouching Threat Hunter, Hidden Adversary

By Alex Valdivia, Director of Research at ThreatConnect

Many security teams are reasonably proficient at responding to an attack. That is, when they know they’re under attack. The problem is that the guards stationed at the wall are generally just on the lookout for approaching armies, not realizing the danger hiding in the shadows. Ninjas are silently sneaking into the castle, and the guards too often have no idea. For too many organizations, by the time the team finds out they’re about to go to war with cybercriminals, they’ve already lost the first battles.

They don’t need more armor or thicker walls – they need threat hunters. Unlike those armored guards manning the walls, threat hunters provide a more agile and human way of identifying threats already on the network. More like detective work than guard duty, threat hunting entails the exploitation of known tactics, consistencies, motivations, and other known information about an adversary in order to identify and contextualize related intelligence. In other words, threat hunting helps to sleuth out the more human dimensions of a bad actor as well as the behaviors that provide crucial information about security incidents or weaknesses that might otherwise go undetected.

While threat hunting is considered a proactive strategy, it also comprises reactive and retroactive components. When an organization determines that a particular adversary is relevant to it, the team wants not only to identify intelligence that will matter in the future, but also to determine whether information related to that actor matches past activity already sitting in its logs and case history. Properly implemented, this generates a feedback loop between the proactive and the reactive, with operational functions informing strategy and threat intelligence processes focusing attention on the information that is actually relevant.

Take a simple example: a company receives an email with an attachment that may or may not be malicious. Initial steps include identifying information about the email and about the infrastructure involved in sending the email, as well as any infrastructure with which the attachment is designed to communicate. Next, analysts identify the specific tactics or consistencies of the bad actor. For example, if a malicious command and control domain can be identified from the document, then analysts can direct their attention at WHOIS and other registration records. This allows the threat hunters to start asking questions such as: Where was the domain registered? When was it registered? What else is hosted at the IP connected to that domain? How black is the blackness of a ninja’s belt?

The bread and butter of threat hunting, however, is sleuthing out those clues about the threat which center on human intelligence. Behavior patterns can be exploited by the SOC team to identify other information related to the actor. Documents often contain multiple artifacts, some of which may be distinctive enough to determine the template or network being used by the adversary. Threat hunters then focus on the human patterns identified through these artifacts. Shortcuts, workarounds and code re-use can give rise to a useful sketch of the bad actor’s goals, tools and capabilities.
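A concrete version of the two pivots described above (infrastructure, starting from the command and control domain; and human artifacts plus code re-use, starting from the document), as an added example that is not ThreatConnect's code or tooling. Every domain, IP, registrant, hash and record in the passive-DNS, WHOIS and sample-corpus tables is constructed for illustration, and the scoring weights, the `max_cohosted` threshold and the `DEFAULT_ARTIFACTS` list are assumptions chosen for the example rather than anything the article specifies.

```python
"""Pivoting from one phishing attachment to related infrastructure and samples.

Added example for this article, not ThreatConnect code. Every record below
(domains, IPs, registrants, hashes) is constructed for illustration.
"""
from collections import defaultdict

# Indicators extracted from the suspicious attachment (constructed).
SAMPLE = {
    "sha256": "sample-000",
    "c2_domain": "update-cdn-service.example",
    "doc_author": "Op3rator",                  # author field left in the metadata
    "doc_template": "Normal_v2.dotm",          # template the document was built from
    "macro_hashes": {"f9a1", "33bc", "7e02"},  # hashes of individual VBA routines
}

# Passive-DNS style resolutions as (domain, ip) pairs (constructed).
RESOLUTIONS = [
    ("update-cdn-service.example", "203.0.113.10"),
    ("login-portal-sync.example", "203.0.113.10"),   # co-hosted with the C2
    ("cloud-mail-check.example", "203.0.113.10"),
    ("update-cdn-service.example", "198.51.100.7"),  # also parked on shared hosting
] + [(f"tenant{i}.example", "198.51.100.7") for i in range(60)]

# WHOIS registration records (constructed). Privacy-proxied records carry no pivot value.
WHOIS = {
    "update-cdn-service.example": {"registrant": "ninja@mail.example", "created": "2019-02-01"},
    "login-portal-sync.example":  {"registrant": "ninja@mail.example", "created": "2019-02-03"},
    "cloud-mail-check.example":   {"registrant": "REDACTED FOR PRIVACY", "created": "2019-01-20"},
    "ops-relay-node.example":     {"registrant": "ninja@mail.example", "created": "2018-11-15"},
    "tenant1.example":            {"registrant": "someone@mail.example", "created": "2016-06-01"},
}

# Previously analysed documents and their artifacts (constructed).
CORPUS = [
    {"sha256": "sample-101", "doc_author": "Op3rator", "doc_template": "Normal_v2.dotm",
     "macro_hashes": {"f9a1", "33bc", "9c4d"}},
    {"sha256": "sample-102", "doc_author": "User", "doc_template": "Normal.dotm",
     "macro_hashes": {"7e02"}},
    {"sha256": "sample-103", "doc_author": "User", "doc_template": "Normal.dotm",
     "macro_hashes": {"0000"}},
    {"sha256": "sample-104", "doc_author": "Op3rator", "doc_template": "Invoice.dotm",
     "macro_hashes": set()},
]

# Values so common that matching on them says nothing about the actor (assumed list).
DEFAULT_ARTIFACTS = {"", "User", "Admin", "Normal.dotm", "Normal.dot"}
PRIVACY_MARKERS = ("REDACTED", "PRIVACY", "PROXY")


def pivotable_registrant(value):
    """True if a registrant string names a person or org rather than a privacy proxy."""
    return bool(value) and not any(m in value.upper() for m in PRIVACY_MARKERS)


def pivot_infrastructure(domain, resolutions, whois, max_cohosted=25):
    """Co-hosted domains and same-registrant domains for one C2 domain.

    An IP hosting more than max_cohosted other domains is treated as shared
    hosting or CDN space and skipped: pivoting on it drags in unrelated sites.
    """
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for d, ip in resolutions:
        ip_to_domains[ip].add(d)
        domain_to_ips[d].add(ip)

    cohosted, skipped_ips = set(), set()
    for ip in domain_to_ips[domain]:
        neighbours = ip_to_domains[ip] - {domain}
        if len(neighbours) > max_cohosted:
            skipped_ips.add(ip)
            continue
        cohosted |= neighbours

    registrant = whois.get(domain, {}).get("registrant")
    same_registrant = set()
    if pivotable_registrant(registrant):
        same_registrant = {d for d, rec in whois.items()
                           if d != domain and rec["registrant"] == registrant}
    return {"ips": domain_to_ips[domain], "cohosted": cohosted,
            "skipped_ips": skipped_ips, "same_registrant": same_registrant}


def pivot_artifacts(sample, corpus, min_score=2):
    """Rank corpus samples by shared human artifacts and re-used macro code."""
    hits = []
    for other in corpus:
        score, shared = 0, []
        for field, weight in (("doc_author", 2), ("doc_template", 2)):
            if sample[field] == other[field] and sample[field] not in DEFAULT_ARTIFACTS:
                score += weight
                shared.append(f"{field}={sample[field]}")
        reused = sample["macro_hashes"] & other["macro_hashes"]
        score += len(reused)            # one point per re-used routine
        shared.extend(f"macro={h}" for h in sorted(reused))
        if score >= min_score:
            hits.append({"sha256": other["sha256"], "score": score, "shared": shared})
    return sorted(hits, key=lambda h: -h["score"])


def hunt(sample=SAMPLE, resolutions=RESOLUTIONS, whois=WHOIS, corpus=CORPUS):
    """Run both pivots and return one report for the analyst."""
    return {"infrastructure": pivot_infrastructure(sample["c2_domain"], resolutions, whois),
            "related_samples": pivot_artifacts(sample, corpus)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2, default=sorted))
```

Two caveats a hunter runs into immediately are built in: an IP that hosts dozens of unrelated domains (shared hosting, a CDN) is reported as skipped rather than used as a pivot, and a privacy-proxied WHOIS registrant is never used to link domains. On the artifact side, default metadata such as an author of "User" or the stock `Normal.dotm` template scores nothing, so the related-sample list is driven by the distinctive author string, the custom template and the re-used VBA routines, which is the kind of human fingerprint the text describes.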

From an order of operations perspective, identifying adversary behavior takes priority over unmasking the adversary. Other actors may be using the same techniques or infrastructure, but the observed procedure still constitutes a concrete attack pattern, and one that maps to a specific set of remediation actions whoever turns out to be behind it.

Enriching an organization’s security posture with active threat hunting provides a number of benefits. Foremost, it helps to uncover security incidents and hidden threats lurking in the background of a network. By discovering activity that has already breached a company’s defenses, proactive threat hunting can help to clear away persistent threats and remove malicious presences. With mean dwell times of roughly 78 days, businesses may be shocked to find how long those ninjas have been hiding in the shadows. They’ve practically set up shop.

Effective threat hunting also reduces investigation time following an incident. Information related to the actor can help a SOC team to identify the scope and causes of the current incident, as well as forecast its eventual impact. Critical data can then translate into actionable decisions and lessons learned.

Finally, threat hunting helps to provide analysts with a better understanding of the nature of their organization’s security. SOC teams gain a more cohesive and holistic view of their network’s structure, highlighting vulnerabilities, weak points, and critical points of contact. This also allows analysts to better anticipate future threats, as well as to contextualize the nature of previous incidents.

While traditional methods of cyber defense revolve around reactive security, bad actors have become increasingly sophisticated. The enemies' highest grades were in stealth: improved methods and tactics for masking their presence have allowed many bad actors to maintain extended dwell times on company networks, constituting a persistent yet hidden threat for months or years on end. Proper threat hunting provides a way to combat these bad actors by uncovering them where they're hiding, identifying relevant information, and providing actionable insights.

When ninjas are hiding in the shadows, you need more than just guards on the wall.

About the Author

Alex Valdivia

Alex Valdivia leads ThreatConnect’s research team, an elite group of globally-acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. He has spoken at B-Sides Las Vegas, DEF CON Skytalks, and has guest lectured for threat intelligence courses at Johns Hopkins University, Metropolitan State University, and the University of South Florida.