{"id":1570,"date":"2017-09-12T20:17:32","date_gmt":"2017-09-12T19:17:32","guid":{"rendered":"http:\/\/www.halkynconsulting.co.uk\/a\/?p=1570"},"modified":"2017-09-12T20:17:32","modified_gmt":"2017-09-12T19:17:32","slug":"threat-hunting-essential-every-business","status":"publish","type":"post","link":"http:\/\/www.halkynconsulting.co.uk\/a\/2017\/09\/threat-hunting-essential-every-business\/","title":{"rendered":"Threat Hunting – essential for every business"},"content":{"rendered":"
\"Equifax
Equifax – Needed good threat hunting<\/figcaption><\/figure>\n

Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake.<\/p>\n

Security hit the headlines again recently, when Equifax admitted to a breach<\/a> exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an external website and exfiltrated the data. There are no specifics on the attack yet but it takes time to copy out that much data1<\/sup><\/a>. Good threat hunting uses this time to detect attackers. This would have allowed Equifax to implement countermeasures to minimise the breach2<\/sup><\/a>.<\/p>\n

Any organisation can threat hunt. Threat hunting uses your existing security controls to identify attackers before they can destroy your business. It doesn’t replace anything. You cant use it to replace your AV or firewalls, no matter what vendors say. Hunting doesn’t mean you can get rid of your incident response teams.<\/p>\n

In our experience, effective threat hunting simply makes everything else work better. The hunts give your IR teams better data to work from. Lessons you learn from hunting helps establish more effective controls. \u00a0In short, good threat hunting makes everything better.<\/p>\n

Every organisation should hunt threats on their network. You don’t need to buy anything new and you can do it with your own staff. This post gives some tips to get you started but nothing beats experience and formal training. Halkyn Security offer a threat hunting service, which includes helping set up your teams to hunt. However if you want formal training we strongly recommend SANS<\/a> courses, at least for key staff.<\/p>\n

Cyber Security and Threat Hunting<\/h2>\n

Traditional security focuses on established controls. This is your firewall, endpoint antivirus, mail filter and similar tools. A very good example of traditional security is the Cyber Essentials<\/a> scheme. As the name says, this is essential.<\/p>\n

Next you need to ensure a way to respond to incidents. From Talk Talk to Equifax, it is apparent that incidents will continue to happen. As a result,\u00a0incident response really does matter<\/a>.<\/p>\n

Even with this in place, problems will still happen. Advanced Persistent Threat might be a marketing term, but the reality is persistent attackers exist. Criminals, or nation states, will spend time subverting your controls.<\/p>\n

Here lies the problem. If an attacker can bypass your controls, what triggers your incident response process? Often, sadly, it is public notification when other people discover your breach.<\/p>\n

\"Threat
Threat Hunting – The IR Equation<\/figcaption><\/figure>\n

Defending your information relies on a simple equation. If the time to detect (D) the attackers and the time to respond (R) to the attack is less than it takes the attacker (A) to complete their mission, you win. If it isn’t, the attacker wins. The fundamental goal of threat hunting is to speed up your side. This is how you win.<\/p>\n

When the dust settles, it turns out most breaches last months. Attackers spend time moving around. They collect sensitive data. The data is hoarded into staging servers. Eventually, the attackers exfiltrate the data. At this point it is too late for anything other than a PR exercise to limit the damage. However, in the weeks and months before this your organisation has thousands of opportunities to detect and defeat the attack. Threat hunting really does make the difference.<\/p>\n

Threat hunting for beginners<\/h2>\n

You agree threat hunting is a good idea, now where do you start? This guide can help but remember nothing matches either skilled staff or bringing in dedicated threat hunting teams.<\/p>\n

To get started, think of each threat hunt as a way of testing a theory. Build a theory. Decide what evidence would support it (or disprove it) and then collect the data.<\/p>\n

Every environment is different so we cant give you a specific examples for your network here. However, we can provide some examples you might want to tailor:<\/p>\n

Threat hunting example scenarios<\/h3>\n

Here are some example threat hunting scenarios. This is not an exhaustive list and the idea is you will build on this to develop good practices for your own organisation.<\/p>\n

Network Threats<\/strong><\/p>\n