You may feel you don’t have the resources for a cyber hunt team, but you are certainly under threat from hard-to-find adversaries! Ultimately, cyber hunting is a mindset more than a job title!
Start with the assumption that the bad guys are already on your network and that they have the intent, capability, and opportunity to do harm at any time. They are also watching what you are doing and changing their game as you react to them.
Your job is to take on the cyber hunter mindset and find adversaries before they do harm.
Get in the mind of the attacker
It is important to acknowledge that behind every attack is a human, which means you are not up against a computer but a person or a group of creative thinkers. As in the children’s game of Clue, you have to use deductive reasoning to narrow down the list of suspects, the possible murder locations, and the possible weapons.
As you take on the mindset of the attacker, you begin to understand how sabotage or espionage in your network might take place:
Knowing your network and using your toolset and your creative thinking, you can plan work that raises the bar and forces the intelligent adversary out into the open.
Assume they have control over more than you know about
It takes on average about 197 days to detect a breach on a corporate network and identify an entrenched hacker. By the same token, it is very likely that when you do discover a compromise you are not seeing its full extent. This means the adversary probably already has more assets under his or her control than you are aware of.
If you take immediate action on that first finding, you show your hand and force the intruder to be more careful. The battle is won, but the war is lost: the intruder is still there and now knows you may be watching. Instead, change your technique and begin by learning as much as you possibly can about the intruder. Find out how the intruder is controlling the compromised asset, and search the network for additional evidence and footholds. Then take action all at once and eradicate the intruder completely.
By learning what the bad guys know about you, you come to know more about your adversary than they know about you, and you are then in a stronger position to “win”.
Expect your attacker to change based on what you do.
Network defense is a game of cat and mouse. It is not a one-shot attack-and-cleanup cycle but an ongoing battle between you and the cybercriminals. As you change your defensive posture with additional access controls, firewalls, and detection technology, the intruder evolves to avoid tripping the tripwire.
In addition to these traditional fortifications, you must watch for patterns of connections, patterns in logs, or connection behaviors that are not expected in the normal course of your business. By knowing your environment, you may detect the anomalies that betray the intruder.
The essence of anomaly detection is discovering deviations from what is normal — but this is hard, as most malicious activities are actually quite “normal” from a mathematical perspective. However, the human mind is fantastically able to combine many pieces of diverse evidence, even if none of them is an anomaly per se. You have to be observant and curious to detect stealthy anomalous actors on your network.
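The paragraph above makes the point that individually unremarkable events become suspicious when several weak signals line up. The following is an added example (not code from the original article): it scores outbound connection log lines by combining three weak signals (off-hours timing, a destination that only one host in the fleet talks to, and an outbound volume far above that host's own median) and flags an event only when two or more coincide. The log format, host names, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, one outbound connection per line:
# "timestamp host dest_ip dest_port bytes_out" (203.0.113.0/24 is a documentation range)
SAMPLE_LOG = """\
2024-03-04T09:12:01 ws-17 10.0.5.20 443 1200
2024-03-04T09:14:33 ws-17 10.0.5.20 443 980
2024-03-04T10:02:10 ws-17 10.0.5.21 443 1500
2024-03-04T09:20:44 ws-22 10.0.5.20 443 1100
2024-03-04T11:05:09 ws-22 10.0.5.21 443 1300
2024-03-04T12:40:51 ws-22 10.0.5.20 443 900
2024-03-04T09:30:00 ws-31 10.0.5.20 443 1000
2024-03-04T02:17:45 ws-17 203.0.113.9 443 1400
2024-03-04T02:19:02 ws-17 203.0.113.9 443 48000
2024-03-04T15:00:00 ws-31 203.0.113.40 443 1100
"""

def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, host, dst, port, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return events

def score_events(events, work_hours=(7, 19), rare_hosts=1, spike=10, min_signals=2):
    """Combine weak signals per event; return (host, dst, signals) for events
    that carry at least min_signals of them. Thresholds are assumptions."""
    hosts_per_dst = defaultdict(set)    # fleet-wide baseline: who talks to whom
    bytes_per_host = defaultdict(list)  # per-host baseline: typical bytes out
    for e in events:
        hosts_per_dst[e["dst"]].add(e["host"])
        bytes_per_host[e["host"]].append(e["bytes"])
    typical = {h: median(v) for h, v in bytes_per_host.items()}
    flagged = []
    for e in events:
        signals = []
        if not work_hours[0] <= e["ts"].hour < work_hours[1]:
            signals.append("off_hours")
        if len(hosts_per_dst[e["dst"]]) <= rare_hosts:
            signals.append("rare_destination")
        if e["bytes"] > spike * typical[e["host"]]:
            signals.append("volume_spike")
        if len(signals) >= min_signals:
            flagged.append((e["host"], e["dst"], signals))
    return flagged

def hunt(log):
    return score_events(parse(log))
```

On the sample log only the two ws-17 connections to 203.0.113.9 are flagged; the lone daytime connection from ws-31 to an equally rare destination carries a single signal and stays below the threshold, which is the point: each signal alone is too "normal" to act on.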
Ready To Change Your Mindset?
The best cyber hunters are curious, passionate and proactive. They know how to leverage multiple tools. They understand their threat landscape and their organization well enough to ask the right questions and find the answers, and they change their mindset by:
With the right framework and tools, you can learn the art of actively seeking out, tracking, and disabling the most skilled and dangerous network intruders. Are you ready to become a cyber hunter?