You'd be forgiven for thinking that Threat Hunting is just another cyber buzzword spreading throughout the industry, the latest term used to push more product and managed services on a SOC.

The reality, however, is that Threat Hunting is an extremely valuable skill and one that every SOC should have. In fact, I believe that Threat Hunting provides more value than the traditional approach that many SOCs take: switch on pre-made generic rules from a range of cyber tools like AV and IDS, ingest IOCs from intel providers, and search for them across the estate.

This typical approach is what I call a reactive model. A team of analysts sit around waiting for alerts from different tools to trigger, then triage the alerts and perform an investigation. In my view, there are a few issues with this approach.

- False Positives: Many generic alerts are prone to false positives. Vendors design rules to work on many different estates; they are not designed to work on your specific estate. Additionally, with IOCs, bad intel from a provider can generate a lot of noise on your estate. Of course, rules can be tuned to perform better and cut false positive noise, but this is not always easy, or even possible. False positives also play a huge role in creating analyst fatigue. Investigating and closing the same false positives day after day will quickly cause analysts to become frustrated and lose interest, and if analysts are used to closing false positives all the time, chances are they'll wrongly close a true positive as a false positive for rules that are particularly noisy.
- Detection Gaps: With a reactive approach, you are relying on the rules you have to detect the full spectrum of malicious activity. That requires not only good detection coverage, but also a complete picture of that coverage and of your detection gaps. Using frameworks like MITRE ATT&CK is incredibly useful for finding gaps in coverage; however, the reality is that most SOCs do not have their coverage mapped to a framework. Red Teams can also help find gaps in detection coverage, but most SOCs will only perform one Red Team a year, and a lot can change in a year.

Some SOCs do already perform threat hunting on their estates, but in most cases this is conducted sporadically, when there's some free time. Free time can be hard to come by when you're closing false positives all day.

What if, instead of spending 90% of the time reacting to alerts, the focus was switched to a proactive model? What if 90% of the time was spent Threat Hunting instead? What impact would that have?

The Benefits

- Assume Breach: "Assume Breach" is a common phrase in the industry. It's a mentality that analysts are encouraged to have when triaging alerts: assume there has already been a breach. But sitting around waiting for alerts to come in doesn't practise this mentality. With a Threat Hunting focused approach, you're forced to hold it, as you're actively looking for threats and successful breaches.
- Being Proactive: Being proactive and looking for threats is a better use of time than sitting around waiting for alerts to come in. You're not reliant on the rules and detections you have, and you can hunt for activity where you have detection gaps.
- Team Productivity: Analysts will be more productive. If they're hunting for new and interesting activity each day, they'll be more engaged and interested in their work. Good research-based threat hunting takes skill, and analysts will develop their technical knowledge by conducting in-depth research before hunts.

So we now know the benefits of Threat Hunting, but what actually is it? And how can you do it?

Well, the first thing to make clear is that Threat Hunting is not taking a bunch of IPs and other IOCs and searching for them across your estate.

What this pyramid (the Pyramid of Pain) illustrates is the "pain", or effort, an attacker will experience if you are able to detect an indicator from each block. For example, take the tool Mimikatz. If you detect Mimikatz based on its hash value, it would be trivial for an attacker to change that value by modifying or recompiling the binary, thereby bypassing your detection. However, if you detected Mimikatz by looking for uncommon processes opening a handle to LSASS, that would be significantly harder for an attacker to bypass, because reading LSASS memory is how the tool does its job. The caveat is that some legitimate processes (AV and EDR agents, for example) also open LSASS, so a hunt like this needs a baseline of what is normal on your estate rather than an alert on every LSASS handle.
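The two ends of the pyramid side by side, as an added example that is not part of the original post: a hash indicator that a one-byte change to the binary defeats, and a behavioural rule over Sysmon Event ID 10 (ProcessAccess) records that flags uncommon source processes opening LSASS. The binaries, events, access masks and allowlist below are constructed for illustration and are assumptions; a real hunt would tune the allowlist and mask set against the estate's own telemetry.

```python
"""Hash-based vs behaviour-based detection of an LSASS credential dumper.

Added example, not code from the original post. The Sysmon Event ID 10
records, the access-mask set and the allowlist are constructed/assumed.
"""
import hashlib

# Constructed stand-in for a credential-dumping binary; only its hash matters here.
ORIGINAL_BINARY = b"\x4d\x5a" + b"mimikatz-sample" * 4
# Attacker appends a single byte (or recompiles): same behaviour, new hash.
RECOMPILED_BINARY = ORIGINAL_BINARY + b"\x00"

# "Known bad" hash as an IOC feed would deliver it (bottom of the pyramid).
BAD_HASHES = {hashlib.sha256(ORIGINAL_BINARY).hexdigest()}


def hash_detect(binary: bytes) -> bool:
    """Hash indicator: trivial for the attacker to evade by changing one byte."""
    return hashlib.sha256(binary).hexdigest() in BAD_HASHES


# GrantedAccess masks commonly associated with reading LSASS memory (assumed
# subset): 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
# 0x1FFFFF = PROCESS_ALL_ACCESS. Tune to your own telemetry.
SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately open LSASS on this (hypothetical) estate.
ALLOWED_SOURCES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\services.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}


def behaviour_detect(event: dict) -> bool:
    """Behavioural indicator: an uncommon process opening LSASS with a
    memory-read-capable access mask, regardless of the tool's hash or name."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"] in ALLOWED_SOURCES:
        return False
    return int(event["GrantedAccess"], 16) in SUSPICIOUS_ACCESS


# Constructed Sysmon-style events: one benign AV read, the dumper under its
# real name, a renamed copy, and the renamed copy touching a non-LSASS process.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\jsmith\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\jsmith\Downloads\totally_not_mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jsmith\Downloads\totally_not_mk.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]


def hunt(events: list) -> list:
    """Return the source images that the behavioural rule flags."""
    return [e["SourceImage"] for e in events if behaviour_detect(e)]


if __name__ == "__main__":
    print("hash hit on original binary:  ", hash_detect(ORIGINAL_BINARY))    # True
    print("hash hit on recompiled binary:", hash_detect(RECOMPILED_BINARY))  # False
    print("LSASS handle hits:", hunt(EVENTS))
```

The hash check fires only on the exact bytes the feed knew about, whereas the behavioural rule catches both the original and the renamed copy because it keys on the handle to LSASS, not on the tool. The Defender read is suppressed by the allowlist, which is where the real tuning effort of such a hunt lives.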