This article discusses some of the fundamental issues that need to be identified and resolved before any Cyber Security Team embarks on the journey to Threat Hunting.
Audience: Security Leadership & SOC Managers. This article does not delve into the technical and operational aspects of Threat Hunting.
Security Leadership is responsible for establishing and maintaining the security hygiene of the organization's IT & Network Infrastructure, with no unknown risks buried beneath the surface.
Threat Hunting is a proactive approach that lets the organization hold a conviction about its Security Posture based on the results of its hunting exercises, not on the absence of observed anomalous activity. It supports the objective above by changing the operational gear and mindset of the security operations team: the team goes out to hunt, rather than waiting for anomalous activity to occur or be identified.
It is, however, unfortunate that the proactive approach Threat Hunting promises remains a dream for many security operations teams.
I would like to digress a little to help the readers establish and understand the context and our long-held beliefs which need to be reviewed to deal with the challenges.
Information Security Controls are broadly classified as administrative, technical and physical, and each control serves a function: detective, preventive, corrective, and so on.
Looked at closely, these controls are applied through people, process and technology, and together they work in equilibrium to establish and maintain a secure posture.
When it comes to Security Operations, or the Managed Security Services offered by various providers, we tend to focus on having the right people in the team and the technology to support efficient Network Security Monitoring & Threat Hunting. That focus is justified, but procedural or process-related issues are often overlooked, and they continuously impair the Security Operations' capability to hunt threats proactively.
As Security Operations Managers or Security Leaders, we must consider every factor of the equation that is critical to equipping teams for Threat Hunting.
Below I explain some of the process-related issues that impair the ability of Security Operations to embark on a Threat Hunting journey.
1. Blind Zones & Ambiguous Understanding of the Network.
The efficacy of Security Operations is largely tied to its horizon: how much of the network it can see and how well it understands the Network Architecture.
Without a clear understanding of the organization's infrastructure, its purpose, and its placement within the overall Network Architecture, MSS (Managed Security Services) and SOC teams are feeble at identifying anomalies, let alone starting any Threat Hunting exercise.
The hypothetical figure above shows a Security Operations team with only 26% visibility of its Network Horizon, because only part of the Network Infrastructure is integrated with the SIEM. Even that 26% can be further impaired for the reasons discussed below, blurring the horizon over the IT/Network Infrastructure still more.
2. Slack in Administration of the Security Solutions.
Security Operations act as the ears and eyes of the entire IT Infrastructure. But what if those ears and eyes are impaired by a careless approach to the administration and health of the Security Solutions themselves?
In Threat Hunting, hypotheses are validated by the evidence brought forward by different Security Solutions: SIEM, EDR, Identity & Access Management, TIP and so on.
Collated, these pieces of evidence validate or invalidate a hypothesis. When the solutions are not properly administered, the evidence is missing or misleading, and the problem is aggravated rather than resolved.
Some examples of slack administration:
1. Dysfunctional SIEM collectors, so that logs from relevant sources are neither collected nor aggregated.
2. EDR sensors turned off.
3. Not all of the intelligence provided by intelligence providers reaches the Threat Intelligence Platform, because the APIs needed to ingest it do not exist.
3. Gaffes in Security Solutions Acquisition & Security Architecture Design.
Each security solution brought on board should be driven by a Risk-Based Approach, in which the solution acts as a Control with defined control objectives. Its implementation should follow a thorough Project Management Life Cycle: Initiation, Planning, Implementation & Closure.
While planning the implementation of a security solution, refer back to the risk you intended to treat, and put every solution through an Acceptance Testing stage to confirm that the implemented control actually treats that risk and delivers the value determined during the Planning Phase.
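As an added illustration of the slack-administration examples and the acceptance-testing point above (this is example code written for this page, not the article's own material or any vendor's tooling), the following Python script takes a constructed asset inventory together with a constructed export of the SIEM's "last event received" times and EDR sensor states, and computes how much of the inventory is integrated with the SIEM at all, which configured sources have gone silent, which sources log to the SIEM without appearing in any inventory, and how much visibility actually remains once silent collectors are discounted. The host names, timestamps, the 24-hour silence threshold and the 26% integration figure (chosen to match the hypothetical figure above) are all assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example (not from the article).
# Asset inventory: 50 hosts. Only 13 of them are configured as SIEM sources,
# which reproduces the hypothetical 26% visibility figure discussed above.
INVENTORY = [f"srv-{i:02d}" for i in range(1, 51)]
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# SIEM export: last event received per configured source (None = never).
# srv-05's collector died three days ago and srv-12 never delivered a log.
# "lab-box-7" sends logs but appears in no inventory: a blind zone of the
# opposite kind, a host the SOC can see but does not understand.
SIEM_LAST_EVENT = {
    "srv-01": NOW - timedelta(minutes=2),
    "srv-02": NOW - timedelta(minutes=5),
    "srv-03": NOW - timedelta(hours=1),
    "srv-04": NOW - timedelta(minutes=30),
    "srv-05": NOW - timedelta(days=3),        # collector down
    "srv-06": NOW - timedelta(minutes=1),
    "srv-07": NOW - timedelta(hours=6),
    "srv-08": NOW - timedelta(minutes=15),
    "srv-09": NOW - timedelta(hours=2),
    "srv-10": NOW - timedelta(minutes=45),
    "srv-11": NOW - timedelta(hours=12),
    "srv-12": None,                           # configured, never delivered
    "srv-13": NOW - timedelta(minutes=3),
    "lab-box-7": NOW - timedelta(minutes=10),  # logging, but not inventoried
}

# EDR console export: sensor state per host. Hosts 01-20 have sensors;
# srv-02 is offline and srv-07 was disabled by an administrator.
EDR_SENSOR_STATE = {f"srv-{i:02d}": "online" for i in range(1, 21)}
EDR_SENSOR_STATE["srv-02"] = "offline"
EDR_SENSOR_STATE["srv-07"] = "disabled"

# A source quiet for longer than this is treated as a dysfunctional collector.
MAX_SILENCE = timedelta(hours=24)


def integrated_coverage(inventory, last_event):
    """Fraction of inventoried hosts that are configured as SIEM sources at all."""
    integrated = [h for h in inventory if h in last_event]
    return len(integrated) / len(inventory)


def silent_sources(last_event, now, max_silence):
    """Configured sources whose collector has stopped delivering, or never did."""
    return sorted(
        h for h, ts in last_event.items() if ts is None or now - ts > max_silence
    )


def unknown_sources(inventory, last_event):
    """Sources logging to the SIEM that no inventory record explains."""
    known = set(inventory)
    return sorted(h for h in last_event if h not in known)


def effective_coverage(inventory, last_event, now, max_silence):
    """Fraction of the inventory for which logs are actually arriving today."""
    silent = set(silent_sources(last_event, now, max_silence))
    live = [h for h in inventory if h in last_event and h not in silent]
    return len(live) / len(inventory)


def edr_gaps(inventory, sensor_state):
    """Inventoried hosts with no EDR sensor, or a sensor that is not reporting."""
    return sorted(h for h in inventory if sensor_state.get(h) != "online")


def visibility_report(inventory, last_event, sensor_state, now, max_silence):
    """The summary a SOC manager would review; returned as a dict, not printed."""
    return {
        "integrated_pct": round(100 * integrated_coverage(inventory, last_event), 1),
        "effective_pct": round(
            100 * effective_coverage(inventory, last_event, now, max_silence), 1
        ),
        "silent_sources": silent_sources(last_event, now, max_silence),
        "unknown_sources": unknown_sources(inventory, last_event),
        "edr_gap_count": len(edr_gaps(inventory, sensor_state)),
    }


if __name__ == "__main__":
    report = visibility_report(
        INVENTORY, SIEM_LAST_EVENT, EDR_SENSOR_STATE, NOW, MAX_SILENCE
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample data, the report shows the 26% the figure promised shrinking to 22% because two of the thirteen collectors are dead, 32 of 50 hosts without a reporting EDR sensor, and one host logging that nobody has accounted for. In practice the inventory would come from the CMDB and the two exports from the SIEM and EDR APIs, and the script would run on a schedule so that a collector dying is noticed the same day rather than during an incident.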
Consider a Security Operations team that observes reconnaissance attempts in abundance but has no packet capture solution with which to examine how adversaries craft their probes to evade detection. Determined threat actors capture and evaluate the responses to their probes: the way a host answers crafted packets often reveals the underlying OS (TCP/IP stack fingerprinting), and with that knowledge they move further along the Cyber Kill Chain to plan their attack. A Security Operations team without packet capture, by contrast, can do little more than block source IPs at the Perimeter Firewall.
Another example of inappropriate acquisition is an IDS brought on board to detect anomalous traffic traversing the network. If the IDS only raises alerts on traffic it considers suspicious but does not preserve the raw traffic that triggered each alert, the security team is left chasing ghosts and making noise, unable to examine the actual traffic stream behind the alert.
These decisions are made during onboarding, planning or implementation, so it is critical to evaluate their impact on the overall efficacy of the Security Operations team.
4. Lack of Documented Procedures.
Without documented procedures, Security Operations relies on individual understanding, experience and gut feeling instead of following established procedures for early detection, containment, mitigation and remediation of an incident.
This impedes the overall growth and maturity of Security Operations: the team moves from one incident to the next without a structured, defined approach.
5. Lack of Orientation Sessions & Collaborations.
If knowledge hoarding is part of the organizational culture, it permeates Security Operations too and erodes the capability to engage in Threat Hunting. Threat Hunting is a collaborative exercise: it requires members of the security team to work together and learn from each other's experiences.
An environment in which every player keeps their cards close to their chest therefore adds nothing to the overall goal of Threat Hunting.
These issues and blind zones pile up, and they reduce Security Operations or Managed Security Services to a noise-making department that opens trouble tickets for every anomaly seen, without any analytical approach.
Such a SOC or MSS is unfortunately incapable of building a narrative around the threats that may be buried beneath the surface, and therefore cannot provide assurance of the security hygiene of the organization's IT Infrastructure.