In an earlier blog post we looked at how security operations centre (SOC) teams can shift their services up a gear through better automation, behavioural analysis and threat hunting. The concept of threat hunting isn’t new to security operations, yet it is one of the most misunderstood functions a SOC team performs.
Hunting is about adopting analytical approaches and incident analysis techniques that model attacks and allow analysts to dig into what’s really going on, under the organisation’s hood.
“Cyber Threat Hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”
SQRRL, A Framework for Cyber Threat Hunting
To make a security operations service proactive, organisations require a mindset change, from being monitoring-focused to a mode of working that is investigation-led and remediation-focused. This is not an easy transition for most security teams, so let’s look at why this is and explore practical steps to help.
Most SOC teams consist mainly of junior operations staff, with just 10% being senior engineers, architects, team leaders, account managers and project coordinators. Junior security analysts, such as those on the SOC help desk or rostered onto the monitoring shift team, watch screens all day, every day, for alarms and work on SOC technology platforms, such as the Security Information and Event Management (SIEM) system and the vulnerability management system.
A significant number of your junior analyst team are likely new to the role (within the last 12 months), since the lure of a job in cybersecurity extends to the broader workforce – so security analysts typically have experience on the general ICT service desk, network operations or in server administration. Even though the context of their job has changed to cyber security, the way the SOC analyst role operates in terms of workflow won’t have changed that much. A security analyst’s typical shift is spent looking at alarms and security information, and trying to figure out:
The analyst’s job is largely a thankless task. Most of the alarms they respond to are false positives, which add no value to the organisation’s security mission, while real threats slip through the cracks.
For organisations that want to become more proactive and introduce threat hunting, security operations teams need the foundation of junior analysts running SOC technology (SIEM and vulnerability management), but they also need more experienced staff, who might have a background in forensics and penetration testing.
As a SOC manager you should focus on improving automation, especially for threat verification, thus freeing up your analysts’ time to focus on hypothesis generation, investigation, discovery and threat eradication.
Your junior staff can be mentored by the threat hunting team through the first 12 months of their career to develop a more investigative outlook. This accelerates their careers and establishes the analyst position as an apprenticeship role, where future cyber security professionals learn their trade.
To determine the skills and capabilities needed for your new threat hunting team, you need to understand the process and how it applies to your business. Figure 1 shows a four-step process that aligns with the hunt team detecting and eradicating threats, while ensuring that the same threats don’t come back again later and cause more harm.
Starting with a hypothesis, the threat hunter forms a conjecture about a possible threat that may be targeting or already attacking your business, such as a nation state actor attempting to gain access to your secret plans or customer database. To do so, the adversary may target your Internet gateway to gain remote access to your systems, from where they can dump data from your customer database.
The hunter then goes deeper beyond this high-level conjecture, developing specific hypotheses on how the adversary may launch the attack. They could, for example, start with a phishing campaign to dupe a staff member into giving up their credentials, or blackmail an employee who has a personal issue or vulnerability into handing their privileged account details to the attacker. So, forearmed with this hypothesis, the hunt begins.
The threat hunter now uses each hypothesis and assesses the organisation for evidence that the methods used by the attacker have been successful. This means they look through the data (events and security information) for indicators of compromise and attack, looking for evidence that each tool or technique has been used.
The focus of this exercise is to determine which indicators of potential breaches could show threats to have been targeting or active in the environment. Investigators leverage existing analytical tools, such as the SIEM and threat intelligence solutions, while introducing additional tools for data processing and visualisation that help make sense of the noise.
During the next phase, real evidence of an attack can be revealed, and that evidence is used to build profiles of attacks. The hunter then maps out causality and ensures attacks cannot be repeated in a different mode, by understanding the different tools and techniques the adversary may use to achieve the same objectives.
Building on the previous example, if the attacker is using stolen credentials, phished from a staff member using a spoofed email from the help desk, the investigator’s report can include evidence that the business’s security awareness programme is failing, while providing additional correlation rules for the SIEM (raise an alert if a user is logged on twice from different geolocations) and thresholds to monitor for excessive volumes of data leaving through the organisation’s Internet gateway. It is only through this depth of analysis that threat hunting is successful.
During the discovery phase, if the hunter finds proof of a real attack, either in progress or having already happened, they would hand off at this stage to an incident manager. The investigator may remain involved in managing the incident, or they may be tasked to develop the rules and strategies to make sure this attack cannot be successful in the future.
Service improvement comes in at the end of the hunting process, where a deep understanding of how an attack happens (gleaned from the previous three steps of the hunting process) is used to uplift the SOC’s capability and improve the ability to detect similar attacks in the future. The hunter provides instructions to the ICT service management team on how to tighten security controls and system auditing to make sure the SOC can detect and respond to that threat more effectively in the future.
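As an added example, not code from the original post: the two SIEM rules suggested during the discovery phase above (a logon from two geolocations within a short window, and outbound data volume over a threshold), run over constructed sample events. The field names, the one-hour windows and the 1 GB threshold are assumptions, not values from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post), shaped the way a SIEM
# normalises authentication and gateway egress records.
LOGINS = [
    {"user": "alice", "ts": "2024-03-01T09:00:00", "geo": "AU"},
    {"user": "alice", "ts": "2024-03-01T09:25:00", "geo": "US"},
    {"user": "bob",   "ts": "2024-03-01T09:10:00", "geo": "AU"},
    {"user": "bob",   "ts": "2024-03-01T18:00:00", "geo": "AU"},
]
EGRESS = [
    {"user": "alice", "ts": "2024-03-01T09:40:00", "bytes_out": 900_000_000},
    {"user": "alice", "ts": "2024-03-01T09:50:00", "bytes_out": 700_000_000},
    {"user": "bob",   "ts": "2024-03-01T10:00:00", "bytes_out": 5_000_000},
]

def _by_user(events):
    """Group events per user, ordered by time, with timestamps parsed to datetime."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    return grouped

def multi_geo_logins(events, window=timedelta(hours=1)):
    """Alert when one user logs on from two different geolocations within `window`."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if cur["geo"] != prev["geo"] and cur["ts"] - prev["ts"] <= window:
                    alerts.append((user, prev["geo"], cur["geo"]))
                    break  # one alert per triggering logon is enough
    return alerts

def egress_over_threshold(events, threshold_bytes=1_000_000_000, window=timedelta(hours=1)):
    """Alert when a user's outbound bytes over a sliding `window` exceed the threshold."""
    alerts = []
    for user, evs in _by_user(events).items():
        start, total = 0, 0  # sliding window over this user's ordered events
        for cur in evs:
            total += cur["bytes_out"]
            while cur["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes_out"]
                start += 1
            if total > threshold_bytes:
                alerts.append((user, total))
                break  # flag the user once; the hunter takes it from here
    return alerts
```

Both functions return the alerts rather than printing them, so the same logic can be fed into a ticket queue or a hunt notebook.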
You must invest in your security team’s skills and capabilities and focus on automating the regular, mundane tasks of known-threat verification, while empowering your team with a proactive remit to hunt for threats across the enterprise.
To get the most value from a SOC investment in people and analytical tools, such as a SIEM, your business should focus on building an investigation service that uses methodical, linear investigation processes to determine what could happen during an attack. Your team can then actively go on the hunt to look for evidence of this attack.
Hunting is the natural extension of the process model used by a SOC but demands a shift from a reactive to a proactive culture. By undertaking this change, the rewards will almost certainly be worth the effort.