Active incident detection

On the hunt for hidden attackers

Why wait until attackers slip up and give themselves away? Threat hunting is a method for early detection of security incidents. Security specialists actively trawl their own infrastructures on the hunt for traces of an attack – to prevent an even worse outcome.

Text: Andreas Heer, Image: Plainpicture

In June of this year, a number of media outlets reported that a large-scale cyber attack had targeted a European telecommunications service provider. “Naturally our ears pricked up,” says Andreas Hunkeler, a security specialist on the Computer Security Incident Response Team (CSIRT) at Swisscom. “And we asked ourselves if our infrastructure could be attacked in this way.”


This sort of public information can be a catalyst for threat hunting – the search for undetected attackers on your own network. “We use different sources as catalysts for threat hunting,” adds Andreas Hunkeler. “In addition to public information, this also includes information shared with us by groups we trust, specialist sources such as the MITRE ATT&CK Framework or talking with colleagues from other CSIRTs.” The lone hunter in cyberspace is, at most, a plot line in a movie. Cybersecurity is all about teamwork, and the same is true of threat hunting. At the end of the day, sharing information about the results with one another helps every company to better protect itself against attacks.

Threat hunting: the search for the unknown

Following the aforementioned attack on the telecommunications company, a security specialist at Swisscom took on the role of hunter and scanned the company’s own internal infrastructure for traces of an attack. Threat hunting is a method for detecting security incidents. It involves searching for attack patterns that go undetected by automated systems because the pattern is either too complex or too subtle. Andreas Hunkeler explains: “If a user logs in to a system at an unusual time or from an unusual location, is that a cyber attack or a legitimate occurrence? If attackers abuse standard software, how does this differ from legitimate use?” Simple questions that are difficult to answer and, in the case of legitimate use, could result in false positives when detected by automated systems.


These types of questions are the first step in threat hunting. “First we establish a hypothesis in terms of the kinds of patterns we want to look for,” says Andreas Hunkeler. “This fingerprinting is a complicated process in which we need to compile information from a number of different systems.” This means an innocent system command here, an attempt to log in to a server there – threat hunters need to be able to identify footprints and use them to derive patterns. It’s a task that Andreas Hunkeler enjoys. “It is a creative and extremely exciting aspect of my job. I have lots of room to experiment with various approaches to detecting these patterns.”


Sometimes the pattern is still unknown because the type of attack is new and has not yet been sufficiently documented. “Then we check the infrastructure for anomalies,” explains Andreas Hunkeler. “After all, we know what it looks like under normal circumstances.” This also allows them to discover unknown attacks. And sometimes the threat hunters just need a bit of luck – much like real hunters in the forest.
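As an added illustration of the hypothesis-driven approach described above (this is example code, not Swisscom's own tooling), the script below builds a per-user baseline of usual logon hours and source countries from constructed historical log lines, then flags new logons that fall outside that baseline, including the edge case of a user with no history at all. The CSV layout and the one-hour tolerance are assumptions.

```python
# Added example, not Swisscom's tooling: score logon events against each user's
# baseline of usual logon hours and source countries (all log lines constructed).
from collections import defaultdict
from datetime import datetime

# Constructed historical logons: "timestamp,user,country"
BASELINE_LOG = """\
2023-05-02T08:05:00,alice,CH
2023-05-03T17:55:00,alice,CH
2023-05-02T07:50:00,bob,CH
2023-05-03T22:10:00,bob,DE
"""

# Constructed new events to hunt over
NEW_LOG = """\
2023-06-01T08:15:00,alice,CH
2023-06-01T03:20:00,alice,CH
2023-06-01T09:00:00,alice,BR
2023-06-01T22:30:00,bob,DE
2023-06-02T12:00:00,carol,CH
"""

def parse(log):
    # Yield (datetime, user, country) from the CSV-like lines
    for line in log.strip().splitlines():
        ts, user, country = line.split(",")
        yield datetime.fromisoformat(ts), user, country

def build_baseline(log):
    # Per user: the set of logon hours and countries seen historically
    hours, countries = defaultdict(set), defaultdict(set)
    for ts, user, country in parse(log):
        hours[user].add(ts.hour)
        countries[user].add(country)
    return hours, countries

def hunt(baseline, log):
    """Return (user, timestamp, reasons) for logons outside the baseline
    (+/-1h around previously seen hours; previously seen countries)."""
    hours, countries = baseline
    findings = []
    for ts, user, country in parse(log):
        reasons = []
        if user not in hours:
            # Never seen before: nothing to compare against, so surface it
            reasons.append("no baseline for user")
        else:
            if not any(abs(ts.hour - h) <= 1 for h in hours[user]):
                reasons.append(f"unusual hour {ts.hour:02d}")
            if country not in countries[user]:
                reasons.append(f"new country {country}")
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings
```

Each finding is a lead for an analyst, not a verdict: the baseline only says the logon is unusual for that user, and the hunter still has to decide whether it is legitimate.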

Increasing the degree of maturity of IT security systems

Once the cyber hunters have detected an attack, they have two tasks: on the one hand, they need to analyse the TTPs (tactics, techniques and procedures), while on the other, they need to fight off the attacker. This is the job of the Incident Handling team. “The objective of threat hunting is to make the results available later on for the automated systems,” says Andreas Hunkeler. Then, in the future, a similar attack will be detected and, ideally, stopped in its tracks by the security infrastructure. This helps Swisscom increase the degree of maturity of its own IT security.


And, if the threat hunters fail to find anything, the hunt is nevertheless a worthwhile endeavour, as Andreas Hunkeler emphasises: “It gives us a high level of certainty that we have avoided a certain attack pattern.” Threat hunting therefore lets you “take the temperature” of your own infrastructure.


And, according to Andreas Hunkeler, sometimes the cyber hunters come across surprising finds. “Once when we were threat hunting we came across a simulated attack that was being carried out by our own Red Team – we had no idea they were doing it.”
