If I read another article in which someone claims to make a profound quote about organizations being compromised,...
I'll scream. Many of the quotes are a form of the following statement: "There are two types of organizations, those that know they are compromised and those that do not know they are compromised."
Seriously? Tell me something I don't know. Rather than stating the obvious, there is another, more relevant quote: "There are two types of organizations, those that are finding and detecting attacks and those that are sitting on the sidelines ignorant of the problem." Security does little to no good unless it has actionable steps that can be performed (such as implementing mini risk assessments or employing offensive countermeasures). Bottom line: If you are in business, active cyberhunting -- actively looking for signs of compromise in an organization (at both the network and host level) and controlling and minimizing the overall damage -- must be a part of your security program because it is a key part of any defensive posture -- and if it isn't, it should be.
The core principle of information security revolves around the concept that "prevention is ideal, but detection is a must." In most organizations, prevention has been the primary focus for the last several years and is probably as good as it is going to get. Now is the time to turn the focus on detection, with cyberhunting being a key component of that solution.
In hunting, the two key metrics you use to measure success are as follows:
Dwell time: Focuses on how long an organization is compromised. Being compromised for a short period of time is acceptable; being compromised for over a year is unacceptable. Since many attacks are very stealthy and can slip past traditional security measures, hunting is a key component of finding the adversary and minimizing the overall dwell time.
Lateral movement: Focuses on the amount of damage that is caused by the adversary. Often when an adversary breaks into an organization, it is not the system that contains the information they are after. They have to set up a pivot point and slowly move deeper into the network until they find the critical information they want. This movement within the network is known as lateral movement. Hunting can find an adversary after they break in, but before they have compromised the critical data. By interrupting the lateral movement, organizations can contain the amount of damage and minimize the overall impact of an attack.
The problem with cyberhunting is that it needs to be focused and action-oriented. Many organizations get frustrated because hunting in a large organization is equivalent to losing a ring at the beach and trying to go back the next day to find it. The surface space is too large. By understanding how the adversary works through threat intelligence, and focusing in on critical assets, hunting can be a manageable task. The following is a checklist that can be used to put hunting into action:
- Identify the most critical data or information to your organization;
- Determine which business processes utilize or access this information;
- Identify all of the systems and networks that support the key business processes;
- Acquire tools that can help with the correlation and analysis required for proper hunting;
- Gather information about the traffic flowing to the key systems/networks;
- Gather information about the operations of the servers;
- Utilize threat intelligence to understand the threats and exposures to your organization;
- Utilize tools to start to perform automated analysis of normal behavior and attack behavior;
- Perform filtering of the output of the tools; and
- Respond appropriately to high-risk alerts.
Building effective cyberdefense programs is a constant battle between good and evil. As the adversary evolves, security must constantly adapt to the changing threat vectors. Today, the next level of security revolves around controlling the amount of damage that is caused. The analogy I like to use is that it is okay to get sick, but it is not okay to be put in the intensive care unit (ICU). The difference is how well you respond when a problem occurs. Many organizations are getting embarrassed when they find themselves all over the news; this is the equivalent to a cyber ICU. By focusing on finding, controlling and minimizing the impact of the adversary, breaches can be minor issues instead of major headlines.
About the author:
Eric Cole, Ph.D., is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder of and an executive leader at Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services and expert-witness work, and leads research and development initiatives to advance state-of-the-art information systems security. Cole was the lone inductee into the Infosecurity Europe Hall of Fame in 2014. He is actively involved with the SANS Technology Institute and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.
Learn more about ways to improve endpoint device security