Infosec Hunt
Hi all.
I've seen a few infosec related "hunt" positions advertised (indeed my current position was advertised as such... isn't) but I'm having difficulty finding data that explains what a hunt team is, what they do, and how they do it. Anyone seen one of these in action or know of any documents that explain this? best i've seen yet is the comments section of a SANS blog post.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
Comments
http://itpeernetwork.intel.com/cyber-security-hunter-teams-are-the-next-advancement-in-network-defense/
“The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
Thus we have to operate under the assumption that we have been compromised and now have to find them. As we find them we can plug the holes and develop policies to allow us to catch them earlier. The end game here is detection and remediation while limiting the effect an attack has. A win nowadays is getting compromised and being able to say "they only got X number of Y".
SANS SEC511 is a course that covers hunt teaming extremely well and teaches you the tricks of the trade. Continuous Monitoring is the big thing with hunting. You have to know what to look for and set up a means to detect it. As an example, a system's log is suddenly cleared for an unknown reason. Now depending on your monitoring tools you might have two scenarios:
Scenario A: you have no monitoring or weak monitoring in place, thus you miss it and are compromised. If the person is good, they're doing everything low and slow (like BBQ). They're mapping your network and finding out exactly what's out there. From there they'll start establishing beachheads, areas where they can come in when needed in the event their initial point is taken out. They'll establish a persistent presence and will blend into your everyday operation. After some time, they'll find their point of exfiltration and begin getting whatever it is they're after out.
Scenario B: you have monitoring. Your team is watching and while they might miss the initial compromise, they catch the clean up from the entry point (logs are cleared, new software is installed, weird program running in the background, etc). Now since you have the monitoring in place you are able to go back through the logs and note that in the past eight months the server logs have never been cleared. Uh-oh. Thus you begin to isolate, investigate and remediate. You should be declaring an incident, informing your management team (providing updates on a regular basis) and following your incident response plan. It will probably be months before you can say "we have a clean bill of health", but the point is you limited the exposure. Maybe you catch it in the beginning and they get nothing, but even if you get it in the middle that is still a victory.
I've seen cases where a compromise was caught within the first 24 hours and the perp didn't get a chance to get what he was after out. I consider that to be pretty successful. Now if you don't learn from what led to the infiltration you have no business remaining in your position, but if you do learn and update your processes you'll be even better prepared. Most of the people who are compromising companies have a very specific playbook and if you can get them off script at even just one step of the process it throws them off big time.
In the end, it's a big game and you need to play to win. Having a hunt team or being a member means you are looking at the overall security posture of your organization. It means that you have a comprehensive security program that deals with end users, policies, procedures and the technical aspects that make up the posture you are wanting to achieve. The process has to be treated as if it were alive, continually evolving so as not to be sedentary.
Probably a lot more than you needed, but I was bored at lunch.
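The "logs were cleared, and in eight months they never had been" check from Scenario B, as an added Python example that is not code from this thread or from the SANS course mentioned. The event IDs (1102 for a cleared Security log, 104 for a cleared System log) are real Windows ones; the host names, timestamps and records are constructed, and the recent/lookback windows are assumed defaults.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Windows event-log records as (host, ISO timestamp,
# event id, message). Not real telemetry. 1102 = Security/audit log cleared,
# 104 = System log file cleared; 4624 is an ordinary successful logon.
SAMPLE_EVENTS = [
    ("srv-db01",  "2016-01-03T02:10:00", 4624, "An account was successfully logged on"),
    ("srv-db01",  "2016-06-17T11:42:13", 4624, "An account was successfully logged on"),
    ("srv-db01",  "2016-08-29T03:14:07", 1102, "The audit log was cleared"),
    ("srv-web02", "2016-02-11T09:00:00", 104,  "The System log file was cleared"),
    ("srv-web02", "2016-05-11T09:00:00", 104,  "The System log file was cleared"),
    ("srv-web02", "2016-08-11T09:00:00", 104,  "The System log file was cleared"),
    ("srv-web02", "2016-08-29T03:15:30", 4624, "An account was successfully logged on"),
]

LOG_CLEARED_IDS = {1102, 104}


def _as_datetime(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def split_log_clears(events, now, recent_days=7, lookback_days=240):
    """Per host, separate log-clear events into a recent window and the
    historical baseline before it. Events outside the lookback are ignored."""
    now = _as_datetime(now)
    recent_cutoff = now - timedelta(days=recent_days)
    baseline_cutoff = now - timedelta(days=lookback_days)
    recent, baseline = {}, Counter()
    for host, ts, event_id, _msg in events:
        if event_id not in LOG_CLEARED_IDS:
            continue
        when = datetime.fromisoformat(ts)
        if when > now or when < baseline_cutoff:
            continue
        if when >= recent_cutoff:
            recent.setdefault(host, []).append(ts)
        else:
            baseline[host] += 1
    return recent, baseline


def hunt_unprecedented_log_clears(events, now, recent_days=7, lookback_days=240):
    """Hypothesis: a host whose log was cleared this week but never in the
    preceding months deserves an investigation. A host that clears its log
    on a regular schedule (srv-web02 here) is not flagged."""
    recent, baseline = split_log_clears(events, now, recent_days, lookback_days)
    return [{"host": h, "cleared_at": stamps, "baseline_clears": 0}
            for h, stamps in sorted(recent.items()) if baseline[h] == 0]


if __name__ == "__main__":
    for f in hunt_unprecedented_log_clears(SAMPLE_EVENTS, "2016-08-30T00:00:00"):
        print(f"{f['host']}: log cleared at {f['cleared_at']}, no prior clears in lookback")
```

Once the hypothesis holds up against real data with few false positives, the same check is what you hand to monitoring as an automated alert.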
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
The Rob Lees put together a nice introductory paper which places interested parties on the correct path as it relates to what hunting is - it can be found here, in the SANS Reading Room. They use the Hunting Maturity Model (HMM) as a reference to help identify how mature an organization's hunting efforts are, and to illustrate what further maturity would look like.
The HMM framework was developed by David Bianco, who managed the Hunt Team for Mandiant at one time. More on HMM here.
Something along the lines of irregular account usage; also download and analyze malware/exploits and understand their behavior, get an idea how it will show up in your logs and craft search criteria for it.
To me, "hunting" is a human looking for things happening now--either evidence of active intrusions (e.g., scanning or failed logins happening now) or remaining evidence of past intrusions (e.g., suspicious files or connections left established between hosts).
I'm wondering where people draw the line between "threat hunting" and business-as-usual security monitoring.
There are some good resources posted to this thread. I'll see what I can dig up to help the_Grinch decide on his thesis topic.
Profiling the characteristics of malware/exploits will also help in the hunt. If a piece of malware has a characteristic behavior change, or you notice a characteristic that your current detection won't pick up, this would result in a hunt looking for that characteristic in present logs. If it does not have lots of false positives, then you can refine/add to your current rules to pick up the characteristic on glass.
ThreatHunting Home
Hunting is not automation, monitoring, or threat intelligence. Automated alerts are what monitoring looks at. They're also one of the things successful hunt teams produce. Monitoring is for the most part automated where hunting is not. The hunting team is trying to develop methods to find these threats so they can be automated. Threat intelligence along with high value targets help steer hunting activities.
For effective hunting you need to know your network and have access to information when needed. The best way I have seen to achieve that is to involve all areas of IT in the hunting process. Your network engineers know the network, your system engineers know the systems, etc. The more involved they are in the process the better the hunt team can function. That being said, the hunt team is not comprised of engineers but is comprised of analysts. Not saying one is better than the other but it's two completely different methods of thinking.
Hunting is a very data driven activity. Logs, intelligence data, collected files, and network traffic captures all go into information that needs to be utilized by the hunting team. Knowledge of data science is needed to help utilize the information collected, and it is one of the areas that has typically been weak in hunting.
As far as "realtime" vs "historic" hunting, in most cases it's typically over more recent data (last hour to last month) but not realtime. Realtime is a misnomer in my opinion. The only type of realtime in computer security I see is active prevention such as firewalls or IPSs that are actively denying stuff. Everything else is near-realtime or historic.
A day in the life of a hunting team is hard to pin down as their environment and information received will heavily change what they do. Think of hunting as every day you have to do one or more science projects. These science projects are based on a logical hypothesis about your network or something on the network. Then follow a loose implementation of the scientific method till you have proven or disproven your hypothesis. If you prove your hypothesis it may be looked at as something that can be automated and/or documented for monitoring.