From Event Gatherers To Network Hunters
When David Bianco examined a company’s Web browsing logs, it did not take long for a pattern to appear.
At regular periods, nearly a dozen systems across the network would all request data from the same Web page. Because the company, who Bianco declined to name, captured network data, additional analysis revealed that all of the suspicious systems downloaded small binaries. By running those executables in a virtual machine, Bianco, a network hunter, was able to identify the cause of the problem — an attacker using specialized malware.
Bianco, whose official title is Hunt Team Manager at incident-response firm Mandiant, does not like to wait for automated systems to flag suspicious behavior. As a network hunter, he goes looking for it. It’s a role that more companies should develop because it allows them to run down attackers in their networks before they do damage, he says.
“The goal of hunting is not only to find the evil in your organization,” he says. “The goal of hunting is to explore methods that let you find the evil in your organization, and — when you find those methods — you polish them up so you don’t have to hunt for the same stuff again.”
Companies that only wait for their security information and event monitoring systems to alert them to anomalies are missing a key resource in the fight against online attacks: inquisitive security analysts. By being more aggressive within their own networks and hunting down signs of suspicious behavior, network hunters can minimize the time between infection and detection, says Will Gragido, senior manager of advanced threats research and intelligence for security firm RSA.
“A proactive defense is something that organizations should aspire toward,” he says. “I don’t think there is anything wrong with advocating a proactive defense because it is not the same as hacking back.”
While only organizations with mature network security groups typically have the capability to hunt for anomalies in their networks, it is a skill that should be developed within any security group, he says.
Network hunters exploit weaknesses that hamper all external attackers: The attackers do not know the layout of the target’s network, so they will do things that insiders would never do as they poke around the network and discover its topology, say Dan Kaminsky, chief scientist at White Ops, a firm focused on securing the online advertising business.
“They actually don’t know the network they have broken into; they have to discover it,” he says. “So you want to find these rare signals that reveal the attacker’s actions in real time.”
Companies looking to start developing the needed skills for network hunters should begin at the end of the cyberkill chain, says Mandiant’s Bianco.
Kill-chain analysis models the steps that an attacker must take to achieve his or her objective. The cyberkill chain, a concept first introduced by Lockheed Martin, consists of seven steps: reconnaissance of the target, creating an attack, delivering the payload, exploiting the target, installing tools, establishing command and control, and leveraging access to take action. Most companies embarking on their first hunt should look for the most serious activities at the end of the kill chain: signs of data exfiltration and command-and-control activity, Bianco says.
[For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue. See Five Ways To Better Hunt The Zebras In Your Network.]
Data exfiltration may look like large amounts of traffic from a sensitive server or smaller amounts leaving at frequent intervals. Command-and-control traffic generally is HTTP requests with suspicious or unknown destinations. Where they look depends on what a hunter wants to find, he says.
“It’s like saying, ‘If I’m going to hunt birds, I look in the trees, and if I’m hunting deer, I look at the ground,'” Bianco says.
Once a network hunter finds the attacker or malware in the network, they can turn their knowledge of how to pinpoint the attack into rules for the company’s network and security equipment. By fusing the internal information with external threat data, a company can take an internal investigation and turn it into a rule set that can automatically detect such attacks in the future.
It’s that ability to improve security in the future that makes network hunting so valuable, says Adam Meyers, director of intelligence at security services firm CrowdStrike.
“The big challenge is, how do you operationalize intelligence information?” he says. “When they are hunting for things on their network, that is where they are getting into the operationalization of the data.”
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.