In an earlier blog post we looked at how security operations centre (SOC) teams can shift their services up a gear, through better automation, behavioural analysis and threat hunting. The concept of threat hunting isn’t new to security operations; yet, it’s one of the most misunderstood functions a SOC team performs.
Hunting is about adopting analytical approaches and incident analysis techniques that model attacks and allow analysts to dig into what’s really going on, under the organisation’s hood.
“Cyber Threat Hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”
SQRRL, A Framework for Cyber Threat Hunting
To make a security operations service proactive, organisations need a change of mindset: from monitoring-focused work to a mode of working that is investigation-led and remediation-focused. This is not an easy transition for most security teams, so let’s look at why that is and explore practical steps to help.
Most SOC teams comprise mainly junior operations staff, with just 10% being senior engineers, architects, team leaders, account managers and project coordinators. Junior security analysts, such as those on the SOC help desk or rostered onto the monitoring shift team, watch screens all day, every day, for alarms, and work on the SOC technology platforms, such as the Security Information and Event Management (SIEM) system and the vulnerability management system.
A significant number of your junior analysts are likely new to the role (within the last 12 months), since the lure of a job in cybersecurity extends to the broader workforce, so security analysts typically arrive with experience on the general ICT service desk, in network operations or in server administration. Even though the context of their job has changed to cyber security, the way the SOC analyst role operates in terms of workflow won’t have changed that much. A security analyst’s typical shift is spent looking at alarms and security information, and trying to figure out:
The analyst’s job is largely a thankless task. Most of the alarms they respond to are false positives, which add no value to the organisation’s security mission, while real threats slip through the cracks.
For organisations that want to become more proactive and introduce threat hunting, security operations teams need the foundation of junior analysts running SOC technology (SIEM and vulnerability management), but they also need more experienced staff, who might have a background in forensics and penetration testing.
As a SOC manager you should focus on improving automation, especially for threat verification, thus freeing up your analysts’ time to focus on hypothesis generation, investigation, discovery and threat eradication.
Your junior staff can be mentored by the threat hunting team through the first 12 months of their career to develop a more investigative outlook. This propels their careers and turns the analyst role into an apprenticeship, where future cyber security professionals learn their trade.
To determine the skills and capabilities needed for your new threat hunting team, you need to understand the process and how it applies to your business. Figure 1 shows a four-step process that aligns with the hunt team detecting and eradicating threats, while ensuring that the same threats don’t come back again later and cause more harm.
Starting with a hypothesis, the threat hunter forms a conjecture about a possible threat that may be targeting or already attacking your business, such as a nation state actor attempting to gain access to your secret plans or customer database. To do so, the adversary may target your Internet gateway to gain remote access to your systems, from where they can dump data from your customer database.
The hunter then goes deeper than this high-level conjecture, developing specific hypotheses about how the adversary might launch the attack. They could, for example, start with a phishing campaign to dupe a staff member into giving up their credentials, or blackmail an employee who has a personal issue or vulnerability into handing their privileged account details to the attacker. Forearmed with these hypotheses, the hunt begins.
The threat hunter now uses each hypothesis and assesses the organisation for evidence that the methods used by the attacker have been successful. This means they look through the data (events and security information) for indicators of compromise and attack, looking for evidence that each tool or technique has been used.
The focus of this exercise is to determine which indicators of potential breaches could show threats to have been targeting or active in the environment. Investigators leverage existing analytical tools, such as the SIEM and threat intelligence solutions, while introducing additional tools for data processing and visualisation that help make sense of the noise.
During the next phase, real evidence of an attack can be revealed, and that evidence is used to build profiles of the attack. The hunter then maps out causality and, by understanding the other tools and techniques the attacker could use to achieve the same objective, makes sure the attack cannot simply be repeated in a different mode.
Building on the previous example, if the attacker is using stolen credentials, phished from a staff member using a spoofed email from the help desk, the investigator’s report can include evidence that the business’s security awareness programme is failing, while providing additional correlation rules for the SIEM (for example, raise an alert if the same user logs on from two different geolocations within a short time window) and thresholds to monitor for excessive volumes of data leaving through the organisation’s Internet gateway. It is only through this depth of analysis that threat hunting is successful.
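As an added illustration of the two SIEM rules just described (this is editor-supplied example code, not a Huntsman SIEM rule or anything from the original post), the following Python runs an "impossible travel" check and an egress-volume threshold over a handful of constructed login and gateway events. The two-hour travel window, the 1 GB-per-hour egress limit, the event field layout and the host and user names are all assumptions chosen for the example.

```python
"""Two hunt-derived SIEM correlation rules run over constructed sample events.

Editor's example, not production rule syntax. Event layouts, window sizes and
thresholds are assumptions; tune them to your own telemetry and baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, user, geolocation).
LOGIN_EVENTS = [
    ("2024-03-04T08:00:00", "alice", "GB"),
    ("2024-03-04T08:20:00", "alice", "CN"),   # 20 minutes later, different country
    ("2024-03-04T09:00:00", "bob", "AU"),
    ("2024-03-04T17:30:00", "bob", "AU"),     # same geolocation, no alert
    ("2024-03-03T22:00:00", "carol", "US"),
    ("2024-03-04T09:00:00", "carol", "GB"),   # 11 hours apart: plausible travel
]

# Constructed sample gateway flow records: (timestamp, source_host, bytes_out).
EGRESS_EVENTS = [
    ("2024-03-04T08:25:00", "ws-alice", 200_000_000),
    ("2024-03-04T08:40:00", "ws-alice", 900_000_000),
    ("2024-03-04T08:55:00", "ws-alice", 500_000_000),
    ("2024-03-04T10:00:00", "ws-bob", 50_000_000),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def impossible_travel(events, window=timedelta(hours=2)):
    """Alert when one user logs on from two different geolocations within `window`.

    Without a time window this rule fires on every traveller; the window is
    what turns 'two geolocations' into 'geolocations too far apart in time'.
    """
    by_user = defaultdict(list)
    for ts, user, geo in events:
        by_user[user].append((parse_ts(ts), geo))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # events may arrive out of order
        for (t1, g1), (t2, g2) in zip(logins, logins[1:]):
            if g1 != g2 and t2 - t1 <= window:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": g1, "to": g2,
                               "minutes": (t2 - t1).total_seconds() / 60})
    return alerts


def egress_threshold(events, limit_bytes=1_000_000_000, window=timedelta(hours=1)):
    """Alert when a host sends more than `limit_bytes` out of the gateway in any
    sliding window of length `window` (summing per-flow byte counts)."""
    by_host = defaultdict(list)
    for ts, host, nbytes in events:
        by_host[host].append((parse_ts(ts), nbytes))
    alerts = []
    for host, flows in by_host.items():
        flows.sort()
        start, total = 0, 0
        for end, (t_end, n) in enumerate(flows):
            total += n
            # Slide the window forward until it spans at most `window`.
            while t_end - flows[start][0] > window:
                total -= flows[start][1]
                start += 1
            if total > limit_bytes:
                alerts.append({"rule": "egress_threshold", "host": host,
                               "bytes": total, "window_end": t_end.isoformat()})
                break  # one alert per host is enough for the analyst queue
    return alerts


def run_rules():
    """Run both rules over the constructed events and return all alerts."""
    return impossible_travel(LOGIN_EVENTS) + egress_threshold(EGRESS_EVENTS)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

On the constructed data this raises exactly two alerts: alice's GB-to-CN logons 20 minutes apart, and ws-alice pushing 1.1 GB through the gateway inside an hour. In a real environment both rules need a baseline before they go live: corporate VPN exits and cloud proxies make country-level geolocation jump legitimately, and backup or sync hosts will blow through a flat byte threshold, so the hunter's job includes feeding those exclusions back with the rule.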
During the discovery phase, if the hunter finds proof of a real attack, either in progress or having already happened, they hand off at this stage to an incident manager. The investigator may remain involved in managing the incident, or they may be tasked to develop the rules and strategies that make sure this attack cannot succeed in the future.
Service improvement comes in at the end of the hunting process, where a deep understanding of how an attack happens (gleaned from the previous three steps of the hunting process) is used to uplift the SOC’s capability and improve the ability to detect similar attacks in the future. The hunter provides instructions to the ICT service management team on how to tighten security controls and system auditing to make sure the SOC can detect and respond to that threat more effectively in the future.
You must invest in your security team’s skills and capabilities and focus on automating the regular, mundane tasks of known-threat verification, while empowering your team with a proactive remit to hunt for threats across the enterprise.
To get the most value from a SOC investment in people and analytical tools, such as a SIEM, your business should focus on building an investigation service that uses methodical, linear investigation processes to determine what could happen during an attack. Your team can then actively go on the hunt for evidence of that attack.
Hunting is the natural extension of the process model used by a SOC but demands a shift from a reactive to proactive culture. By undertaking this change, the rewards will almost certainly be worth the effort.