Light Dark
March 18, 2020 By Sue Poremba 3 min read
Threat Hunting

How good are your sleuthing skills? Do you savor Agatha Christie novels and figure out who did it before the big reveal? If so, the skills you use to read a good detective novel may also help you discover the origins of cyberthreats. With serious threat hunting techniques (the kind taken directly from books and TV shows that solve a crime in 60 minutes or 300 pages), you can discover the origins of a cyberattack and mitigate it before too much damage is done.

That was the lesson that Maya Horowitz, director of threat intelligence and research at Check Point Software Technologies, shared at CPX360. “If there was a hack,” she told the audience, “then there was a hacker.”

Fortunately, analysts can position themselves to respond effectively to attackers by employing the same threat hunting tactics as fictional detectives like Hercule Poirot and Miss Marple.

Do You Know How Cyberthreats Begin?

Detective novels, crime shows and whodunits all inspire audiences to try to assemble the clues and identify the bad actor before reaching the end. Everyone may have a different theory — until that theory is blown up by another discovery.

That’s the thing about sleuthing: Everyone uses a different logic pattern to get to the end result, and it may take long discussions and compromise to agree on one conclusion. But in my observation, so much time is wasted worrying about how we got to the end that we miss what happens at the beginning. As any author can tell you, the first chapter or the first five minutes set up the story and introduce key clues to how it ends. Knowing where and how cyberthreats begin can go a long way in developing a solid incident response plan.

Of course, at the start of a book or the latest episode of Law and Order, you don’t know what you should be paying special attention to. You just know a body is on the floor in the middle of a crime scene. You need to know how this happened. You need to know who did it — the source of the attack.

Step by Step, Network by Network

You need to be the detective of your own network, said Horowitz. Threat hunting requires intimate knowledge and diligent investigation of your logs. This will provide the clues as to why this victim — or, in this case, a sensitive cluster on your network — was targeted rather than the top boss with the corner office.

In the book, you’ll receive background on both the victim and the boss: who their friends were, where they liked to hang out, when you could expect to see them appear or disappear in the office, etc. That information hints at who the suspects might be. The guy in accounting has been seen hanging out at the victim’s favorite bar each night, but she rebuffs him. Of course he’s a suspect. But when he proves during questioning that he was out of town on the fateful night, the search continues.

In cyber sleuthing, you’re after similar details. Maybe a spear phishing email was sent to the company with malicious files that downloaded malware, shifted clusters and mimicked other applications on the network, spreading more malicious files. The logs provide the patterns you need to find the anomalies: Why did the attacks only happen in a four-hour time period, and why weren’t there any attacks at all during the month of February? Now you need to do a little more research, perhaps by studying the profiles of other attacks that took place around the time of your own case.

The more you dig, the more you may find traces that tie the attacks to specific threat actors or techniques. Once you have determined how they got into your network in the first place, you can develop your incident response plan accordingly.

Collect Clues Before Disaster Strikes

Fictional detectives are given intentionally bad clues or bumbling tactics to keep the story interesting for the reader. Cyber sleuths need to be more straightforward when they begin investigating cyberthreats. Not only do they need to know the network infrastructure intimately, but they also need a solid understanding of who accesses that infrastructure, as well as their behaviors and habits.

Regular audits can reveal weaknesses and strengths, but they can also open doors that make it easy for bad guys to enter. The key is recognizing patterns found in logs. It’s being aware. Detectives work on hunches — maybe something doesn’t feel right or seems out of character. Having a sense for when something is wrong in your network can help you discover a problem before your data is stolen.

With the cyberthreat landscape constantly shifting and more people working remotely, the ability to sniff out a potential cyberattack and find the bad guy is more necessary than ever. Who is your company’s Miss Marple? Every company needs a cyber detective if you want to thwart the bad guys.

 |  |  |  |  |  |  | 
Sue Poremba

More from Threat Hunting
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

October 6, 2023

Reflective call stack detections and evasions

6 min read - In a blog published this March, we explored reflective loading through the lens of an offensive security tool developer, highlighting detection and evasion opportunities along the way. This time we are diving into call stack detections and evasions, and how BokuLoader reflectively loads call stack spoofing capabilities into beacon. We created this blog and public release of BokuLoader during Dylan’s summer 2023 internship with IBM X-Force Red. While researching call stack spoofing for our in-house C2, this was one of…

August 16, 2023

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature