While manufacturers may use antivirus software to protect their systems from known forms of malware, some attackers are not detected. Threat Hunting is a process where cyber threat hunters will actively search for attackers that are hiding within a network. During a threat hunting engagement, cyber threat hunters will look over the system and the devices on the network for Indicators of Compromise (IoCs). IoCs are clues for how a threat actor is communicating to compromised devices, and what changes have been made to compromised devices to aid the cybercriminal in their efforts.
Indicators of Compromise are found through analyzing network traffic, analyzing devices for recent changes in settings, and looking at login logs to detect abnormal login attempts. To help verify IoCs, cyber threat hunters, and endpoint security products use cyber threat intelligence. Cyber threat intelligence is an elaborate list of known IP addresses, IoCs, attack styles, and known configurations that hackers and cybercriminals use to compromise and launch attacks. While there are various methods of finding IoCs, the easiest way for finding IoCs is to analyze network traffic for unusual behavior, odd port usage, and perfectly timed repetitive web traffic.
Hunting for cyber threats
While businesses use antivirus software to help protect their systems from known cyber threats, they do not understand that cyber threats still exist. Cyber threat hunters help companies discover advanced persistent threats (APTs) and other stealthy threats through a process called cyber threat hunting. In this article, we will cover what cyber threat hunting is, understand what indicators of compromise are, discuss how analysts use cyber threat intelligence, and give examples of where you can find signs of a potential threat actor.
What is cyber threat hunting?
Cyber threat hunting is the process of actively searching for malware or attackers that are hiding within a network. Cybersecurity solutions such as antivirus software and firewalls help protect systems from known attack methods used by hackers. Threat hunting is a supplementing technique that focuses on identifying sneaky footholds within the network where that attacker can be hiding and not focusing on the vulnerabilities that currently exist. During a threat hunting engagement, cyber threat hunters will use various tools to look for what are known as indicators of compromise (IoCs). Think of IoCs as the clues that help a detective solve a case. IoCs help paint a picture detailing what a hacker is doing, and what the attacker has done to hide their tracks. Threat hunting occurs after a security breach has occurred, and performed towards the end of incident response.
Where to find common Indicators of Compromise?
During a threat hunting engagement, analysts will often focus their attention on three areas. The first area that the analysts will look for clues of hidden attackers is what is happening on the network level of the business. Cyber threat hunters will look at the network traffic and the network configuration to see if there are any irregularities. One standard method used is session packet recordings, where the analyst inspects the contents of packets sent across the network. Session packet recordings also provide real-time information on how an attacker passes the commands and files in and out of the network. Focusing on this area can help the security teams understand how an attacker is accessing the system, and communicating with compromised machines.
The next area that analysts will focus their attention when on a threat hunting engagement are the hosts, and any logs that contain any changes to the settings or files on those systems. Recent changes to a system's settings can also help the analyst understand what the attacker changed on systems found on the network, as well as identify what files were accessed. The final common area that cyber threat hunters will investigate are the artifacts and log files of logins and login attempts. In the case that an attacker has gained access to a privileged account, it is essential to immediately suspend the account and review what actions and changes have occurred.
In some cases, an administrative or privileged account can discreetly distribute malware. Due to privileged accounts having individual permissions, there is a lower chance of any red flags to be noticed. While these are common IoC locations, no two threat hunting engagements are the same.
Cyber Threat Intelligence: Knowing is half the battle
Beyond knowing where to look on the local network, cyber threat hunters also need to understand the landscape of what websites and IP addresses are considered harmful. This information is often called cyber threat intelligence. Cyber threat intelligence consists of an elaborate list of non-reputable IP addresses and identifiable trends such as actors, tools, and tactics used in past attacks. To protect a network, analysts also use cyber threat intelligence to secure the systems better. System administrators and security teams use cyber threat intelligence to block known malicious IP addresses and creating specific policies for devices on the network to prevent threat actors from making changes to device settings. Some advanced endpoint protection services often use various cyber threat intelligence sources to improve the effectiveness of the product's function.
What are TTPs?
When performing cyber threat hunting assessments, cyber threat hunters will compare the indicators of compromise to known TTPs. TTP is an acronym used to describe the Tactics, Techniques, and Procedures that are typically associated with a cybercriminal group. Tactics cover the tools used to breach or perform any action to the target network initially. Techniques include the methods that the attacker used to perform actions against devices on the network. Procedures are the steps taken by the attacker to perform a function on the network or device. Cyber threat hunters often compare IOCs to known attack TTPs. Many TTP models, such as the Mitre ATT&CK model, covers numerous known attacks and breach behaviors over the 12 phases of a cyber attack. These TTP models are useful to security teams in two ways. First, TTP threat models help provide a background to understand the breach better. Second, TTP models offer insight into how the analyst can safely remove and prevent the threat from reaccessing your network.
How can I identify potential Indicators of Compromise?
One of the best ways to identify potential IoCs is to review network traffic logs for unusual outbound network traffic. In many cases, firewalls are reliable for blocking network traffic from unknown or untrusted sources. However, if a device within the network is compromised, this change in network traffic directly affects the way that the firewall will operate. Misconfigured firewalls will sometimes trust outbound communication due to the origin of the connection starting internally. When reviewing outbound traffic logs, look for web addresses that contain misspelled names or have geographical irregularities. Also, look for unusual outbound network traffic that occurs during odd hours or web traffic that use strange port numbers. Web traffic that occurs during non-operating hours is an excellent example of an IoC. Foreign ports used for outbound traffic can be the result of an untrusted or unknown process that is running on your devices. One last method that can help identify IoCs when looking at network traffic is to identify web traffic that occurs precisely in a given time. Repetitive traffic can indicate that a device is communicating back to the cybercriminal. Other methods of identifying IoCs can include the following:
- Log-In red flags
- Increases in database read volume
- Bundles of data in the wrong place
- Suspicious registry or system file changes
If you suspect that you may be affected by a silent cyber threat, we can either confirm your suspicions or put you at ease. Our team can comb your network to identify suspicious traffic and find hidden risks.
As manufacturing companies invest in smart manufacturing, data analytics, web applications, and work from home models, businesses increase their exposure to loss. Leadership teams need empowering with greater certainty that their company and its employees are safe from cybercrime organizations that seek to harm.
The lack of strategy to focus on essential asset protection priorities creates much confusion for leadership teams, so time and money are misallocated. The lack of oversight means limited accountability and diminished results for the time and money invested.
As a proud supporter of American manufacturing, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturing businesses throughout the United States. If you are interested in learning about the empowerment services that Certitude Security® can offer, visit our website or coordinate a time to speak to a team member today.