Light Dark
December 12, 2017 By Aubre Andrus 2 min read
Threat Hunting
Network
Risk Management
Topics

Hansel and Gretel have wised up quite a bit since their harrowing childhood experience with the Evil Witch. Their narrow escape garnered them a lot of attention, so it was no surprise that they went on to become expert threat hunters as security analysts for the forest.

Back in the day, Hansel and Gretel used breadcrumbs as a simple way to (hopefully) find their way back home. It was a defense that didn’t end well for them. Now Hansel and Gretel spend their days following a different kind of breadcrumb trail: a trail of suspicious behaviors. But why would they put themselves in danger again?

That’s because these breadcrumb trails can lead them to advanced persistent threats (APTs). It’s actually an offensive strategy to help identify well-organized, well-resourced malicious actors — the kind that break through without tripping any alarms. The siblings fell for one of those threats before when they foolishly stepped into the candy-filled home of the Evil Witch, but they won’t let her get hold of a helpless kid ever again.

The Role of Threat Hunters in the Forest

So how will they do it? You see, threat hunters are very deliberate. They know which breadcrumbs lead to serious threats and which don’t. But to start, Hansel and Gretel must first figure out the answers to three questions:

  1. What is their most valuable possession to protect? In the forest, it’s children.
  2. Who would be after this valuable possession? Why, an Evil Witch, of course!
  3. What tactics, techniques and procedures (TTPs) would this person use to breach the network? The sweet smells of candy and cake, for one.

Now Hansel and Gretel can set a baseline for what is normal. How many kids are in the forest on any given day? Does the forest usually smell like delicious baked goods? Has the Evil Witch purchased bulk candy lately? What is considered too close to the Evil Witch’s property?

When any of these data points break out of the norm, Hansel and Gretel know they must act before it’s too late. Thanks to threat hunting, they can close the gap from the time of compromise to the time of detection. No more kids will go missing on their watch!

Follow the Breadcrumb Trail to Security

With IBM i2 Enterprise Insight Analysis and QRadar SIEM, Hansel and Gretel follow a breadcrumb trail that will prevent the evil witch from ever capturing another child.

You can also follow breadcrumbs that lead to your end goals before it’s too late. IBM i2 can help you stop malicious actors in their tracks — whether they’re cunning witches or crafty cybercriminals — in record time.

Finding breadcrumbs in a crowded forest may seem impossible, but narrowing your focus on those clues can help you pinpoint the biggest threats facing your organization. Threat hunting is the ideal, proactive way to identify risks and mitigate them before they become breaches.

Listen to the podcast: The Art of Cyber Threat Hunting

 |  |  |  |  |  |  | 
Aubre Andrus
Children's Book Author

More from Threat Hunting
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

October 6, 2023

Reflective call stack detections and evasions

6 min read - In a blog published this March, we explored reflective loading through the lens of an offensive security tool developer, highlighting detection and evasion opportunities along the way. This time we are diving into call stack detections and evasions, and how BokuLoader reflectively loads call stack spoofing capabilities into beacon. We created this blog and public release of BokuLoader during Dylan’s summer 2023 internship with IBM X-Force Red. While researching call stack spoofing for our in-house C2, this was one of…

August 16, 2023

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature