Cyber Hunting is No Safari

By Dr. Vincent Berk | June 23, 2015


In 2013, Richard Stotts and Scot Lippenholz from Booz Allen Hamilton wrote “Cyber Hunting: Proactively Track Anomalies to Inform Risk Decisions,” an article that captures the essence of the seismic shift that is needed to keep sensitive data on the correct side of your network border. The reality is probably far greater than they understood when they first wrote the article.

At FlowTraq, we’re frequently invited to help equip select individuals – chosen for their significant knowledge of networks and cyber threats – to be part of exclusive “cyber hunting” teams.

These are not the operators configuring switches and routers, and they are also not the analysts that pore over collected logs in SIEMs. These are small, specialized teams that actively seek things that are amiss, track intruders, and catalog the actions of known enemies.

We call them the “network cowboys.”

They spend their time chasing whatever piques their interest through complex networks, often comprising dozens of locations, and tens of thousands of systems. Their biggest discoveries are preceded by a simple: “Now that’s interesting…” And their biggest victories are never known, because the crippling data exfiltration did NOT happen. More and more organizations are coming to realize that a small and dedicated team of network cowboys may be their best bet in preventing the embarrassing data leaks that can be found in the newspapers every morning.

What sets the network cowboys and cyber hunters apart from regular incident responders is that they are given full rein to investigate ANY network activity – incident or no incident. They’re typically not constrained by playbooks or extensive procedure sets, and they’re not bogged down by an ever-growing inbox of “to-do” and “must-do” tasks. The experience of these individuals typically allows them to gain a deep understanding of traffic patterns, what is normal, and what is curiously abnormal. This is a skill that is acquired through years of incident investigation and experience. It cannot be learned in a classroom. And that’s why this is hard.

Hunt teams often struggle to get sufficient access to the telemetry they need to chase a threat and fully understand it. Passive telemetry is the most valuable: above all, hunters realize that an intelligent adversary cannot be stopped trivially, and that every move to block an adversary educates them about your capabilities. So act carefully; it is very important to pick the right weapons before you pull the trigger. Stealth is key, which means that much of the tracking data is gathered quietly and continuously. This is where FlowTraq has been a powerful ally.

NetFlow is ubiquitously available. All routers, switches, firewalls, and load balancers can export it, and few attackers would find it strange to see large streams of it crossing a network. Using FlowTraq’s scalable framework, network cowboys can collect a 1:1, unsampled, forensically accurate track record of traffic across all network planes, which is then rapidly searched during the hunt. When tracking an adversary, speed is of the essence, so NetFlow is the data source of choice. Answers on week-old data come back in seconds, months-old in minutes. Only when absolutely necessary will a full packet capture trace be needed, and by then the analyst will know exactly what to query a full-packet-capture engine for. The details are in the NetFlow.

Often single communications (small, periodic, or curiously timed) enable the analyst to discover stepping stones, command-and-control channels, and possible data exfiltrations. What sets the cowboy apart from your NSOC operators is that the cowboy chases the UNKNOWN threats, while the NSOC monitors for known malware, known C&C channels, and other known viral information. The communications that the cyber hunter is looking for typically do not set off any alarms anywhere, except for the mental alarms in the cyber hunter. I must therefore stress that you cannot simply replace your NSOC. Cyber hunters are a distinct and separate capability that you must consider deploying.
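One way a hunter might surface the small, periodic communications described above from flow records, as an added example that is not from the original post or from FlowTraq: it groups flows by source, destination and port and flags groups with small payloads and near-constant gaps between flows. The record layout, addresses and thresholds are constructed assumptions, and a hit is a lead to investigate rather than a verdict, since plenty of benign software also polls on a timer.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (start_epoch_s, src_ip, dst_ip, dst_port, bytes).
# Addresses are from private/documentation ranges; none of this is real traffic.
FLOWS = (
    # Host .23 makes a small connection roughly every 300 s (regular timing).
    [(1000 + 300 * i + j, "10.0.0.23", "203.0.113.50", 443, 420 + j)
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
    # Host .40 browses at irregular times with widely varying sizes.
    + [(t, "10.0.0.40", "198.51.100.7", 443, b)
       for t, b in [(1010, 15200), (1090, 830), (1700, 98000),
                    (1745, 2100), (2900, 51000), (3020, 640)]]
)


def find_periodic(flows, min_flows=6, max_cv=0.1, max_mean_bytes=2000):
    """Return (src, dst, port, mean_gap_s, cv) for small, regularly timed flow groups.

    All three thresholds are illustrative assumptions to be tuned per network.
    """
    groups = defaultdict(list)
    for start, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((start, nbytes))

    hits = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_flows:
            continue  # too few samples to judge timing
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # all flows share one timestamp; no interval to measure
        # Coefficient of variation of the gaps: 0 means perfectly periodic.
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv and mean(n for _, n in recs) <= max_mean_bytes:
            hits.append((src, dst, port, round(avg_gap), round(cv, 3)))
    return sorted(hits, key=lambda h: h[4])  # most regular first


if __name__ == "__main__":
    for src, dst, port, gap, cv in find_periodic(FLOWS):
        print(f"{src} -> {dst}:{port} every ~{gap}s (cv={cv})")
```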

But even with the right mandate, telemetry, and tools, the job is not an easy one. As any defender knows: for every action there is a reaction. Blocking traffic, moving assets or sensitive data, etc. are only effective for a short time. The adversary will realize a defense was put in play, and will react accordingly. New vectors WILL be tried. If you build a wall, your adversary will figure out how to crawl under, climb over, or run around it. If you’re not continually watching, you surely will fall victim. And even when you are watching, you are never truly safe. But with a good team of network cowboys, you’re just that much safer.

Cyber hunting is no safari. Sometimes the tiger wins.