SANS and Infocyte Detail a New DFIR-based Approach to Threat Hunting
This post was last updated on August 10th, 2021 at 06:05 pm
If an attacker had a foothold in your network today, would you know it?
Whether your defenses were successfully evaded or an analyst misinterpreted a critical alert, chances are the attacker has entrenched themselves for the long haul. The act of searching for these well-hidden and persistent threats is called threat hunting.
Last week forensic expert Alissa Torres from the SANS Institute and Infocyte’s co-founder Chris Gerritz hosted a Webinar on Forensic State Analysis: A New Approach to Threat Hunting. In it, they discussed how to adapt Digital Forensics & Incident Response (DFIR) techniques to scalably and proactively hunt for unknown threats across an entire enterprise network. If you missed the webinar here are some highlights.
First and foremost, Alissa and Chris clarified what they mean by threat hunting as it’s become a trendy term used to describe everything from EDR to Behavior Analytics, and everything in between:
Definition: Threat hunting is the process of proactively and iteratively searching through networks to detect threats that have evaded existing security controls.
Goal: Reduce Dwell Time of Attackers
This led to a discussion on the two common mindsets when it comes to today’s security ops:
1. Reactive: Alert > Investigation
- Sec Team receives an IDS alert re: anomalous traffic to/from a host
- Sec Team investigates and analyzes that host
2. Proactive: Assume Breach > Hunt
- Hunter searches through available data sources or directly surveys each host
- Hunter looks for anomalies, malware, or unauthorized acct activity
The consensus given their expertise tracking down hidden compromises in both enterprise and military environments was that organizations need to adopt a proactive stance to combat today’s advanced and persistent threats. The latest industry stats support this. For example, last month The Black Report, a white paper that contains specific tactics used by hackers, cybersecurity experts, and CISO and CSOs to attack and defend systems, found that widely used defensive tactics are unreliable and that 60% of hackers are able to infiltrate targets within 12 hours. An additional 81% were able to identify and exfiltrate sensitive data in 24 hours. The report also found that it can take days, weeks, to months for organizations to detect a discreet intrusion, citing the average response time as 250 to 300 days.
The webinar provided an in-depth technical overview of the common compromise detection methods used by security and incident response teams and examples of how to use these for triage, including:
- Anti-Virus Scan
- Network Traffic Anomalies
- Scanning Hosts with Indicators (IOCs)
- Log Triage / Historical Search of Events / Behavior Analysis
- Enterprise Forensic Data Collection & Analysis (Stacking)
They also explored practical methods of applying DFIR techniques (Enterprise Forensic Data Collection & Analysis/Stacking) to enterprise-scale threat hunting using a methodology called Forensic State Analysis (FSA). FSA arms hunters with an effective and efficient methodology to hunt without relying solely on sophisticated security infrastructure, sensors, or big data. The webinar provides an extensive overview of how enterprises can hunt at scale with FSA, because as Alissa put it:
“Detecting stealthy, invasive malware on one system is a
victory in BATTLE.
Developing an enterprise detection method is a victory in WAR.”
Watch the Webinar to learn more about the pros and cons of each approach to detection and how to improve the speed and efficacy of an enterprise hunt program using FSA and Infocyte HUNT.