
Cyber Hunting Is A Mindset

June 6, 2018



You may feel you don’t have the resources for a cyber hunt team, but you are certainly under threat from hard-to-find adversaries. Ultimately, cyber hunting is a mindset more than a job title.

Start with the assumption that the bad guys are already on your network and they have the intent, capability, and opportunity to do harm at any time. They are also watching what you are doing, and changing their game, as you react to them.  

Your job is to take on the cyber hunter mindset and find adversaries before they do harm.   

Get in the mind of the attacker

It is important to acknowledge that behind every attack is a human, which means you are not up against a computer but a person or a group of creative thinkers. As in the children’s game of Clue, you have to use deductive reasoning to narrow down the list of suspects, the possible murder locations, and the possible weapons.

As you take on the mindset of the attacker, you begin to understand how sabotage or espionage in your network might take place:

  • How would someone gain access?
  • How would one exfiltrate data?  
  • Where are my assets located, where are my weak spots?  

Knowing your network, utilizing your toolset and your creative thinking, you can effectively plan work to raise the bar, forcing the intelligent adversary out in the open.

Assume they have control over more than you know about

It takes on average about 197 days to detect a breach on a corporate network and identify an entrenched hacker.  By a similar token, it is very likely that when you do discover a compromise you are not seeing the full extent. This means the adversary likely already has more assets under his or her control than you are aware of.

By taking immediate action, you will show your hand, and force the intruder to be more careful. Although the battle is won, the war is lost.  The intruder is still there, and aware you may be watching. Instead, change your technique and begin by learning as much as you possibly can about the intruder.  Find out how the intruder is controlling the compromised asset, and search the network for additional evidence and footholds. Then take action all at once, and eradicate the intruder completely.

By learning what the bad guys know about you, you will know more about your adversary than they know about you, and you are subsequently in a stronger position to “win”.

Expect your attacker to change based on what you do

Network defense is a game of cat and mouse.  It is not a one-shot attack and cleanup cycle, but instead an ongoing battle between you and the cybercriminals.  As you change your defensive posture with additional access controls, firewalls, and detection technology, the intruder evolves to avoid tripping the tripwire.

In addition to these traditional fortifications, you must observe patterns of connections, patterns in logs, or connection behaviors that are not expected in your normal course of business.  By knowing your environment, you may detect anomalies that betray the intruder.

The essence of anomaly detection is discovering deviations from what is normal, but this is hard, as most malicious activities are actually quite “normal” from a mathematical perspective. However, the human mind is fantastically able to combine many pieces of diverse evidence, even if they are not anomalies per se. You have to be observant and curious to detect stealthy anomalous actors on your network.
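The two ideas above, combining several individually unremarkable signals from connection records (this section) and pivoting from one confirmed foothold to find the others before acting (the "Assume they have control" section), can be demonstrated on flow data. The script below is an added example and is not FlowTraq's code; the flow records, host names, 203.0.113.x / 198.51.100.x addresses and the 08:00-18:59 business-hours window are all constructed for illustration. Each signal on its own (a regular interval, an off-hours connection, a port nobody else uses, one large upload) is "normal" in isolation; the score is the number of distinct signals a host trips.

```python
"""Added example (not FlowTraq's code): score hosts by combining weak
signals over per-host flow records, then pivot on a confirmed destination."""
from collections import defaultdict
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 window for this example


def _hour(ts):
    """Hour of day for a timestamp given in seconds since an arbitrary midnight."""
    return (ts // 3600) % 24


def _make_flows():
    """Constructed sample records: (src_host, dst_ip, dst_port, timestamp_s, bytes_out)."""
    flows = []
    # ws-01: ordinary office host, irregularly spaced daytime web traffic
    for i in range(10):
        ts = 9 * 3600 + i * 2700 + (i * 37) % 500
        flows.append(("ws-01", "198.51.100.%d" % (i + 1), 443, ts, 20_000 + i * 3_000))
    # ws-02: same daytime web traffic, plus a fixed 300 s beacon to one
    # external address and a single large upload to that same address
    for i in range(10):
        ts = 9 * 3600 + i * 2700 + (i * 53) % 500
        flows.append(("ws-02", "198.51.100.%d" % (i + 1), 443, ts, 20_000 + i * 2_500))
    for i in range(12):
        flows.append(("ws-02", "203.0.113.10", 443, 10 * 3600 + i * 300, 1_200))
    flows.append(("ws-02", "203.0.113.10", 443, 10 * 3600 + 12 * 300, 9_000_000))
    # srv-03: second foothold, talks to the same external address at 02:00 on 8443
    for i in range(5):
        ts = 2 * 3600 + i * 600 + (i * 91) % 200
        flows.append(("srv-03", "203.0.113.10", 8443, ts, 4_000))
    return flows


FLOWS = _make_flows()


def beaconing(host_flows, min_count=6, max_cv=0.05):
    """(dst, port) pairs this host contacts at a near-constant interval."""
    by_dst = defaultdict(list)
    for _, dst, port, ts, _ in host_flows:
        by_dst[(dst, port)].append(ts)
    hits = set()
    for key, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.add(key)
    return hits


def off_hours_fraction(host_flows):
    """Share of this host's flows that start outside business hours."""
    off = sum(1 for f in host_flows if _hour(f[3]) not in BUSINESS_HOURS)
    return off / len(host_flows)


def rare_ports(flows, max_hosts=1):
    """Destination ports used by at most max_hosts distinct source hosts."""
    hosts_by_port = defaultdict(set)
    for src, _, port, _, _ in flows:
        hosts_by_port[port].add(src)
    return {p for p, hosts in hosts_by_port.items() if len(hosts) <= max_hosts}


def volume_outliers(host_flows, z=3.0):
    """Flows whose bytes_out sit more than z standard deviations above the host's own mean."""
    sizes = [f[4] for f in host_flows]
    if len(sizes) < 3:
        return []
    mu, sd = mean(sizes), pstdev(sizes)
    if sd == 0:
        return []
    return [f for f in host_flows if (f[4] - mu) / sd > z]


def hunt_scores(flows):
    """Map each host to the list of independent signals it tripped."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[0]].append(f)
    rare = rare_ports(flows)
    results = {}
    for host, hf in by_host.items():
        reasons = []
        if beaconing(hf):
            reasons.append("regular beacon interval")
        if off_hours_fraction(hf) > 0.5:
            reasons.append("mostly off-hours")
        if any(f[2] in rare for f in hf):
            reasons.append("port no other host uses")
        if volume_outliers(hf):
            reasons.append("unusual outbound volume")
        results[host] = reasons
    return results


def pivot_on_destination(flows, dst_ip):
    """Once one foothold is confirmed, list every host that talked to the same destination."""
    return sorted({f[0] for f in flows if f[1] == dst_ip})


if __name__ == "__main__":
    for host, reasons in sorted(hunt_scores(FLOWS).items()):
        print(host, len(reasons), reasons)
    print("also talking to 203.0.113.10:", pivot_on_destination(FLOWS, "203.0.113.10"))
```

Run as-is, ws-01 trips no signal, ws-02 trips the beacon and volume signals, and srv-03 trips the off-hours and rare-port signals; pivoting on the destination ws-02 beacons to then surfaces srv-03 as a second foothold to be eradicated in the same sweep. The thresholds (six samples, 5 % interval jitter, 3 sigma) are starting points to be tuned against your own baseline, not fixed rules.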

Ready To Change Your Mindset?

The best cyber hunters are curious, passionate and proactive. They know how to leverage multiple tools. They understand their threat landscape and their organization well enough to ask the right questions and find the answers, and they change their mindset by:

  1. Getting in the mind of the attacker
  2. Assuming that the bad guys have more control over your network than you think
  3. Expecting the attacker to change their behavior based on what you do defensively.

With the right framework and tools, you can learn the art of actively seeking out, tracking, and disabling the most skilled and dangerous network intruders.  Are you ready to become a cyber hunter?