Threat Hunting – a relatively new discipline in Cyber defense
IBM Resilient SOAR, QRadar, Carbon Black Response, A10 Proxy
By Rukhsar Khan on Thursday, February 28, 2019
We have identified a shift in the way forensic investigations are conducted today in contrast to a few years ago. Currently, a full-blown deep dive forensic analysis is only done on specific confirmed compromised systems in order to gather additional intelligence. As this doesn’t scale across thousands or tens of thousands of endpoints, the new Endpoint Detection and Response (EDR) market has evolved over the last couple of years. Key players like Tanium, Crowdstrike and Carbon Black Response are providing real-time sensors on endpoints in order to quickly gather forensic artifacts and conduct live response. In our solution draft we will be leveraging Carbon Black Response for the endpoint sensing and for applying a lot of Threat Hunting techniques.
The idea behind Threat Hunting is to shift from a reactive IR model to a proactive approach. In Security Operations, a detection team hands off an alert to an Incident Response team which validates the incident and responds to it in case it’s a true incident. The goal with Threat Hunting is to proactively engage a team and hunt for known adversaries including their applied TTPs in an organization’s networked computing environment. There are multiple different approaches to Threat Hunting. This paper is not intended to introduce the various forms of Threat Hunting.
In our solution draft the hunt engagement starts by consuming the high quality initial triage results that the IR team produces as part of the level-1 analysis. These results will already be augmented with CTI, which the Threat Hunting team leverages further in order to remain focused. The team then applies different Threat Hunting techniques across the endpoint population and supports the IR team in scoping the attack.
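To make the Stage 2 hand-off concrete, here is an added example (not code from the original post, and not the Carbon Black Response API) that runs a small set of TTP-based hunt rules plus the hash indicators received from Stage 1 triage over constructed process-start events from several endpoints, and returns which hosts need to be scoped. The event fields, rule names, hashes and host names are assumptions for illustration; against a real EDR the events would come from its process search instead of the inline list.

```python
"""TTP-based hunt over EDR-style process telemetry (added example, not from the post).

Assumptions (not from the page): the event schema below is a constructed,
simplified version of what an EDR process search returns; the CTI hash set
and all events are constructed sample data with placeholder hashes.
"""
import re
from collections import defaultdict

# Constructed hand-off from Stage 1 triage: known-bad process hash (placeholder value).
TRIAGE_BAD_MD5 = {"11111111111111111111111111111111"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts abbreviated switches, so match the common spellings of -EncodedCommand
# followed by a base64 blob; longest alternative first so "-e" does not shadow "-enc".
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}")

# Constructed process-start events from several endpoints (one dict per process).
EVENTS = [
    {"host": "ws-001", "pid": 4120, "parent_name": "explorer.exe", "process_name": "winword.exe",
     "cmdline": "winword.exe /n C:\\Users\\a\\Downloads\\invoice.docm", "md5": "2" * 32},
    {"host": "ws-001", "pid": 4188, "parent_name": "winword.exe", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "md5": "3" * 32},
    # Benign admin script on ws-002: -ExecutionPolicy starts with "-e" but is not -enc.
    {"host": "ws-002", "pid": 912, "parent_name": "explorer.exe", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", "md5": "3" * 32},
    {"host": "ws-003", "pid": 2210, "parent_name": "explorer.exe", "process_name": "updater.exe",
     "cmdline": "updater.exe /silent", "md5": "11111111111111111111111111111111"},
    {"host": "ws-004", "pid": 5001, "parent_name": "excel.exe", "process_name": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "md5": "4" * 32},
]


def office_spawns_shell(ev):
    """TTP: an Office application starting a script host or shell (macro/exploit execution)."""
    return ev["parent_name"].lower() in OFFICE_APPS and ev["process_name"].lower() in SHELLS


def encoded_powershell(ev):
    """TTP: PowerShell launched with an encoded command line."""
    return ev["process_name"].lower() == "powershell.exe" and bool(ENCODED_PS.search(ev["cmdline"]))


def hunt(events, cti_hashes):
    """Run every rule plus the CTI hash sweep over all events.

    Returns {host: [ {rule, pid, process_name}, ... ]} containing only hosts with hits.
    """
    rules = {
        "office_spawns_shell": office_spawns_shell,
        "encoded_powershell": encoded_powershell,
        "cti_hash_match": lambda ev: ev["md5"].lower() in cti_hashes,
    }
    hits = defaultdict(list)
    for ev in events:
        for name, rule in rules.items():
            if rule(ev):
                hits[ev["host"]].append(
                    {"rule": name, "pid": ev["pid"], "process_name": ev["process_name"]})
    return dict(hits)


def scope(hits):
    """Hosts to hand to DFIR (Stage 3): the few systems with any hit, out of the whole fleet."""
    return sorted(hits)


if __name__ == "__main__":
    results = hunt(EVENTS, TRIAGE_BAD_MD5)
    for host in scope(results):
        for hit in results[host]:
            print(f"{host} pid={hit['pid']} {hit['process_name']} <- {hit['rule']}")
```

The point of the two TTP rules next to the hash sweep is the one made above: hashes from triage find the same file again, while the parent/child and command-line rules find the adversary's behaviour on hosts where the file (and hash) differ. Only the hosts returned by `scope()` go on to the deep-dive forensic stage.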
Figure 1.5 summarizes the general advantages of Threat Hunting.
A full-blown (deep dive) forensic analysis is very time consuming and doesn’t scale across thousands of endpoints. It should only be considered for confirmed compromised systems, in order to gather additional intelligence.
Threat Hunting is a new discipline that has evolved in IR over the last couple of years
It concentrates on TTPs of potential Threat Actors and helps in developing security intelligence for the detection and response team
It’s highly recommended to consume CTI first before starting with Threat Hunting in order to stay focused during the hunting engagement
It’s based on live forensics with an EDR in order to provide quick results
Figure 1.5: Intelligence based IR – TTP based Threat Hunting
In order to converge Security Operations, Threat Hunting and DFIR in this single platform we have defined three stages, namely Stage 1 Analysis, Stage 2 Analysis and Stage 3 Analysis. Stage 1 Analysis corresponds to a SecOps Level 1 IR team, Stage 2 Analysis to a Threat Hunting team and Stage 3 Analysis to a DFIR team.
In contrast to the blog post Implementation – Overview – steps 0-6, we have extended the number of analysis stages from two to three in order to incorporate Threat Hunting. DFIR has moved from the Stage 2 to the Stage 3 Analysis phase. We also added an A10 SSL interception proxy to support Stage 1 Analysis, and for the Stage 2 Analysis (Threat Hunting) phase we integrated Carbon Black Response. See the illustration below.
Stage 1 Analysis - L1 (Secops):
Recorded Future Threat Intelligence (steps 0.2, 5)