You’ve had a data breach or security incident, and that’s bad news. However, on the bright side, now you have concrete insights into the malicious actors’ tactics, techniques, and procedures (TTPs). Your new insights enable you to look across your enterprise environment for other traces of the malicious actors’ activities since they might use the same or similar TTPs. In other words, you’re ready to go threat hunting.
Threat hunting is a proactive exercise to look for cyber threats that are going on undetected in an organization. It is often a hypothesis-driven activity, informed by threat intelligence and information sharing from industry organizations and peers. In our scenario, threat hunting isn’t entirely proactive, since we’ve already experienced a security incident. It is driven not by external intelligence or shared information but by the TTPs and Indicators of Compromise (IoCs) observed in that incident, the evidence that the network’s or environment’s security has been compromised; this is known as attack-specific threat hunting.
Immediate Response
In the case of attack-specific threat hunting, organizations should rally their security and technology teams and make sure they understand that a hunt for a specific actor or threat is underway, as well as the TTPs and IoCs involved. Using those TTPs and IoCs, the organization can now examine enterprise data sources such as logging and user and entity behavior analytics (UEBA) for additional traces of the malicious actor’s activity.
Uncovering Malicious Actor Activity
Malicious actors often persist in an environment, moving laterally across systems and environments. This comes after the malicious actor has completed earlier steps in the cyber-attack lifecycle such as initial reconnaissance, compromise, and establishing a foothold. Armed with that reconnaissance and foothold, the malicious actors tend to escalate their privileges and explore other systems to pivot to and ultimately exploit as part of their attack campaign.
Organizations can tune their tooling and platforms to identify indicators such as specific traffic flows, file signatures, and other behaviors observed during the initial incident and breach that point to further activity by the malicious actor. This can help them discover other areas of the enterprise where the malicious actor has moved laterally, exploited additional systems, and gained further footholds. It can also help identify additional data that may be at risk, as data is typically what malicious actors are after, whether for exfiltration, ransom, or tampering.
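As an added illustration of the two ideas above (sweeping enterprise logs for the IoCs learned from the initial incident, and looking for the lateral-movement behavior the actor used), here is a small hunt script. It is example code written for this article, not the author’s or any vendor’s tooling; the IoC values, the key=value log format, and every log line are constructed sample data, and the threshold of three remote logon targets is an assumption chosen for the example.

```python
"""Attack-specific threat hunt over log records, using IoCs and a TTP learned
from a prior incident. Added example for this article, not the author's code.
All IoC values and log lines below are constructed sample data."""
import re
from collections import defaultdict

# Hypothetical IoCs "learned" from the initial incident. The IP is from the
# TEST-NET-3 documentation range; the domain and hash are placeholders.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-cdn.example"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines in a flat key=value format (one record per line).
SAMPLE_LOGS = """\
ts=2024-05-01T08:00:01Z host=ws-017 event=dns src=10.0.5.17 query=update-cdn.example
ts=2024-05-01T08:00:05Z host=ws-017 event=netflow src=10.0.5.17 dst=203.0.113.45 dport=443
ts=2024-05-01T08:02:10Z host=ws-017 event=process user=j.doe image=svc.exe hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ts=2024-05-01T08:05:00Z host=srv-fs01 event=logon_remote user=j.doe src=10.0.5.17
ts=2024-05-01T08:05:30Z host=srv-db02 event=logon_remote user=j.doe src=10.0.5.17
ts=2024-05-01T08:06:00Z host=srv-app03 event=logon_remote user=j.doe src=10.0.5.17
ts=2024-05-01T08:06:40Z host=srv-hr05 event=logon_remote user=j.doe src=10.0.5.17
ts=2024-05-01T09:00:00Z host=ws-042 event=dns src=10.0.5.42 query=intranet.corp.example
ts=2024-05-01T09:01:00Z host=srv-fs01 event=logon_remote user=a.smith src=10.0.5.42
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def parse_logs(lines):
    """Parse all non-empty lines into records."""
    return [parse_line(line) for line in lines if line.strip()]


# Which record fields are compared against which IoC type.
FIELD_TO_IOC = {"src": "ip", "dst": "ip", "query": "domain", "hash": "sha256"}


def find_ioc_hits(records, iocs):
    """Return one hit per record field that matches a known IoC."""
    hits = []
    for rec in records:
        for field, ioc_type in FIELD_TO_IOC.items():
            value = rec.get(field)
            if value and value in iocs.get(ioc_type, ()):
                hits.append({"ts": rec["ts"], "host": rec["host"],
                             "ioc_type": ioc_type, "value": value})
    return hits


def find_lateral_movement(records, min_targets=3):
    """TTP-based check: one user from one source address logging on remotely
    to many distinct hosts is the lateral-movement pattern described in the
    article. Returns {(user, src): sorted list of target hosts}."""
    targets = defaultdict(set)
    for rec in records:
        if rec.get("event") == "logon_remote":
            targets[(rec["user"], rec["src"])].add(rec["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def hunt(lines, iocs, min_targets=3):
    """Run both checks and build the host list to hand to incident command."""
    records = parse_logs(lines)
    hits = find_ioc_hits(records, iocs)
    lateral = find_lateral_movement(records, min_targets)
    hosts = {h["host"] for h in hits}
    for dsts in lateral.values():
        hosts.update(dsts)
    return {"ioc_hits": hits, "lateral_movement": lateral,
            "hosts_to_triage": sorted(hosts)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGS, IOCS)
    for h in result["ioc_hits"]:
        print(f"IOC hit  {h['ts']} {h['host']:<9} {h['ioc_type']}={h['value']}")
    for (user, src), dsts in result["lateral_movement"].items():
        print(f"Lateral  {user}@{src} -> {', '.join(dsts)}")
    print("Triage:", ", ".join(result["hosts_to_triage"]))
```

Run as-is, the IoC sweep flags only the workstation ws-017, while the behavioral check surfaces four servers the same user reached by remote logon from that workstation; the combined triage list is what the next paragraph hands to incident command. In a real hunt the records would come from the SIEM or UEBA platform rather than an inline string, and the threshold would be tuned to what is normal for the environment.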
It is very possible, and even likely, that further malicious activity will be discovered. When this occurs, the incident command and associated teams should be alerted so that they can ensure the affected systems are properly triaged and ultimately remediated. This iterative cycle of attack-specific threat hunting and the associated incident response activities will help the organization identify further malicious activity and stomp it out across the enterprise, ensuring the threat is eliminated as fully as the organization is able and that the risk to the organization is addressed.
Final Thoughts
After this attack-specific threat hunting is completed, the organization should also have a much more comprehensive picture of the malicious activity as well as its impact on the organization in totality. This allows the security team and its leadership to properly brief executive leadership on what the organization experienced and how to move forward. This informs activities such as communications, legal, and more, which we are covering in additional articles as part of our series on what to do if you’ve been breached.