Many organizations are enthusiastic to adopt threat hunting as part of their cybersecurity arsenal, but in our experience, the key to success is to develop a thorough understanding of the benefits and less-obvious limitations before embarking on any enterprise level threat hunting program.
In this blog we describe how and where you might get the most out of using deception to augment your threat hunting capability, based on a mix of open source proprietary research, interviews with SOC manager and CISOs, and reports published by Gartner.
“Threat hunting is a proactive technique that combines security tools, analytics, and threat intelligence with human analysis and instinct.”
This definition includes two particularly important words; proactive and combines. Threat hunting is not a passive operation, it’s not automated and is largely depending on human analysis. Consider whether you have the right tools, analytics and threat intel to assist a threat hunting program; this will directly impact the quality of the hunt. Our advice is to focus on the quality of your data, not the quantity, because the higher the quality, the more bespoke it is to your organization and the lower the risk is of producing a hypothesis or results that render themselves meaningless.
What does a threat hunter look like?
This person or team of people must have in depth network knowledge, and be capable of mapping the network out in their minds. Their expert understanding of apps and systems enables them to recognize tell-tale signs that indicate the presence of an attacker, that automated security toolset wouldn’t pick up.
They’re likely to be in high demand with a full time ‘day job’.
Is it realistic to deploy this resource on a hunt for a prolonged period of time? Can you use resources that a MSSP might make available?
The three priorities for establishing a threat hunting program
Identify key stakeholders and articulate outcome. Key stakeholders are the people who you’ll look to for budget to contribute to the threat hunting operation and support the costs associated with deploying analysts as threat hunters. Be prepared to clearly explain what they’ll get in return.
Get your legal team on board. Often, threat hunting activities involve trawling the entire network for data – some of which may be confidential. Data privacy laws can vary across different geographies, so it’s important to ensure all activity is law-abiding with the support of your legal function.
Define a hypothesis. Your hypothesis will be triggered by something like threat intel, a previous hunt, historical incidents or analysis. It could be a structured hunt including some of these triggers, or it could be entirely unstructured and ad-hoc, perhaps because you don’t have the data sets available to drive the hypothesis. We advise caution when it comes to unstructured hunts; in our experience they tend to be unruly and are very difficult to justify. Triggers don’t only help define the hypothesis, they also help determine what level of priority you’ll need to assign to the hunt. The hypothesis won’t form overnight, so expect it to go through a number of iterations.
So what are the key benefits of using deception for threat hunting?
Here we identify four main key benefits of using deception to hunt cyber threats. Critically, we’re reducing the window of opportunity for the threat actor by detecting them quickly and moving them out of the production environment. The benefits of this are twofold – we’re able to increase the resilience of business networks and systems as well as maintain the integrity of the brand. The exercise helps to reduce the number of attack vectors leaving a business exposed to cyber attack, and thereby limit impact on business services. Finally, we’re not simply relying on technology, we are proactively hunting threats in real time.
And the limitations of threat hunting?
Who in your organisation has the capacity to realistically do this task? The CounterCraft Cyber Deception Platform helps to alleviate common pain points encountered with threat hunting, including addressing issues and concerns around resource, time and limited results that negatively impact ROI and could result in the abandonment of a program altogether.
Four ways that deception can help
Threat hunting, integrated with existing defense-in-depth measures, certainly can help find malicious activity inside your networks, but it is resource and time intensive, and requires a lot of intuition to even know where to begin.
Now we’ll explore:
• How deception helps formulate the hunt hypothesis
• How deception provides contextual threat intel (bespoke to your brand and networks) to identify where threats are coming from
• How deception technology can alleviate resource burdens
• How deception can help streamline the hunt
Let’s have a look at the difference between hunting and deception in terms of resource. Threat hunting will require your best cyber resource to expend all their efforts, full time, over a number of days or even weeks. On the contrary, deception requires some intense initial effort, but once the campaign is set up there’s a very low resource overhead. We think there are a number of ways deception can be applied to help resource threat hunting programs.
When and where can deception be used in the context of threat hunting?
For now we’re going to focus on what we think is the best way to start, and that’s using deception as a precursor to hunting. This will extract targeted intelligence to initiate the hunt with the right information. Then, you can use the data gathered post-hunt to deploy measures to ensure your attackers don’t come back as well as drive future campaigns. Using deception during a hunt enables you to control and shape adversary attack paths, and extract different and better information from them, while they’re happening. We agree that this is the most complex use of deception in the context of threat hunting, and we’ll come back to this in detail in a future webinar, and here on the CounterCraft blog.
Each of our deception campaigns is a collection of deception hosts, services and breadcrumbs, known as lures, designed to look attractive to adversaries. We can deploy a campaign internally, which is the traditional way honeypots have been used by organizations to detect lateral movement. Or, uniquely CounterCraft deploys these lures externally, and that’s what provides an excellent precursor to threat hunting. For example, we’ll set up a series of lures on pastebin, or as spear phishing campaigns, to lead attackers to externally hosted campaigns that are easy for the SOC team to set up. Those will let you uncover vital intel to arm your threat hunting team with before they start their hunt.
USE CASES
Below you’ll find examples of external campaigns and insights into what kind of intelligence they’ll give you.
Powershell use case
This scenario is initiated with an external spear phishing campaign involving three key phases; discovery, credential access, and information uploaded to the command and control server. Critically, the interaction we see in real time is displayed as notifications that can be grouped together and assigned to incidents. This information can then be made available to threat hunters and used to formulate hunts. The CounterCraft Cyber Deception Platform then maps the behaviour to the MITRE framework. So we now know that powershell is being leveraged and used specifically against your organization. We can use this Indicator of Attack (IOA) to formulate a hypothesis to detect where powershell is being run in our environment where it shouldn’t be.
Immediately, you have a trigger for a hypothesis and can instruct the SOC based on this credible and contextualized threat intel to increase sensitivity around powershell. This example demonstrates the granularity of the information the platform is capable of producing – it’s critical that it can be passed on the SOC who can then correlate and check to see whether any out or inbound connections have been made with a specific geo-located IP address. Get in touch with us directly, to ask how we create and deploy these campaigns.
This use case demonstrates the platform’s ability to map the technical behaviour of the threat actor to the MITRE framework in real time to provide an understanding of the way in which they’re executing this command, to form the basis of a hypothesis. It also allows us to identify the different techniques the threat actor is using as they move through the deception environment, which may trigger separate hunts in parallel. Without this data, the hypothesis would be very time and resource intensive to formulate.
Mimikatz use case
Credential dumping is an example of an Indicator of Attack (IOA). Known APT groups such as APT1, 28 and Axiom have used this technique. Dumped credentials can be used to perform lateral movement and access restricted data sets. For the purpose of this use case, credential dumping was achieved through the use of MimiKatz. For example, in Windows, the Security Account Manager (SAM) database stores local accounts for the local host, and a number of tools can be used to access the information in the SAM file by using in-memory techniques. Other tools include Pwdumpx, Gsecdump and WCE – however, hunting for these tools wouldn’t necessarily have produced any results.
The CounterCraft Cyber Deception Platform captures this behavior and automatically maps it to the MITRE ATT&CK framework, enabling threat hunters to focus on detecting credential dumping as an IOA across their network, and use log data (both native Windows and Sysmon) to hunt for any tool sets that may facilitate this type of attack.
Why deception should be part of your threat hunting activity
The key takeaway here is that you can run these use cases for months prior to doing your threat hunting, all the while gathering and saving intel in the background for your threat hunting resource to come in, review and see exactly what kind of adversaries are attacking your brand. This pre-hunt exercise doesn’t involve rolling out anything across your internal IT infrastructure or asking for additional servers because it’s deployed on external servers and with one DNS entry change, you’re good to go. Once you’ve completed your hunt and discovered some positive results in the form of activity within your network, you can use deception to set up a monitoring system to capture future recurrences. You might ask, ‘Why not use a SIEM?’ Often, the type of security controls you can enable would involve a lot of false positives. A targeted deception campaign will reduce these false positives to virtually zero.
To learn more, download our recent white paper: Tool up threat hunting team with deception technology. Or get in touch to schedule a demo on how to get external campaigns running.
Further reading on threat hunting and deception: