
Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the subtly altered characters in a message he believed came from the IT department and entered his credentials on a spoofed login page hosted on a look-alike domain. With those credentials the attackers gained a foothold, deployed previously unseen malware and gradually escalated their privileges. Some of their activity did trigger alerts in the SOC, but your analysts triaged those alerts as benign. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.


Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. Most successful attacks that trace back to human error follow a small number of predictable patterns and exploit known, unpatched weaknesses in an organization’s network, which is why many data breaches can be prevented by basic cyber hygiene.

Advanced threats are a smaller proportion of incidents, but they typically go undetected the longest and cause the most damage. The rise of state-sponsored activity and of criminal marketplaces on the dark web has also created an ecosystem in which the most sophisticated and skilled attackers openly trade tools, access and expertise.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice combines art, science and military intelligence tradecraft: internal and external data sources feed the science of statistical and cognitive analysis, and human analysts interpret the results and shape the art of the response. In last year’s SANS Institute survey, 91 percent of respondents reported improved response speed and accuracy as a result of their threat hunting.

Threat hunting is not defined by tools, although the right tools and techniques can significantly improve efficiency and outcomes. It is better defined by a repeatable process; the most widely cited one is Sqrrl’s Threat Hunting Loop, which has four stages:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.
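As an added illustration (not part of the original post), here is one pass through the four stages of the loop in Python, run over a constructed set of logon events modeled on the scenario that opened this post. The log format, the account and host names, and the thresholds (five distinct hosts in one hour, business hours 07:00 to 19:00) are assumptions chosen for the example:

```python
"""One pass through the Threat Hunting Loop over constructed logon events.
Added example; the log format, account names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: hypothesis. A stolen user account used for lateral movement will
# authenticate to far more distinct servers in a short window than a normal
# user does. (Whether it also happens off hours is something the hunt will learn.)
HYPOTHESIS = "non-admin account reaches >= 5 distinct hosts within 1 hour"

# Constructed sample of successful logons, not real telemetry.
# Format: "<ISO timestamp> user=<account> src=<source host> dst=<target host>"
SAMPLE_LOGONS = """\
2018-11-05T08:01:10 user=alice src=ws-017 dst=fileserver01
2018-11-05T08:05:42 user=alice src=ws-017 dst=mail01
2018-11-05T09:12:03 user=bob src=ws-042 dst=fileserver01
2018-11-05T17:30:00 user=comms-dir src=ws-101 dst=fileserver01
2018-11-05T23:41:07 user=comms-dir src=ws-101 dst=hr-db01
2018-11-05T23:42:15 user=comms-dir src=ws-101 dst=fin-db01
2018-11-05T23:43:02 user=comms-dir src=ws-101 dst=backup01
2018-11-05T23:44:50 user=comms-dir src=ws-101 dst=dc01
2018-11-05T23:46:11 user=comms-dir src=ws-101 dst=crm-db01
2018-11-06T08:00:30 user=bob src=ws-042 dst=mail01
"""


def parse_logons(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def hunt_fan_out(events, window=timedelta(hours=1), min_hosts=5):
    """Stage 2: investigate. For each account, slide a window over its logons and
    report the first window in which it reached `min_hosts` distinct destinations.
    Returns {user: (window_start, sorted_hosts)}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):
            hosts = {e["dst"] for e in logons[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings[user] = (first["ts"], sorted(hosts))
                break
    return findings


def characterize(findings, business_hours=(7, 19)):
    """Stage 3: discover the TTP behind each hit, here whether the fan-out happened
    outside business hours, a detail the hypothesis did not include."""
    notes = {}
    for user, (start, hosts) in findings.items():
        off_hours = not business_hours[0] <= start.hour < business_hours[1]
        notes[user] = {"start": start.isoformat(), "host_count": len(hosts),
                       "off_hours": off_hours}
    return notes


def codified_analytic(events):
    """Stage 4: the hunt's result as an automated analytic for the next cycle.
    Alerts on accounts that fan out to 5+ hosts in an hour *and* do so off hours,
    the combination found above; requiring both cuts benign administrator noise."""
    notes = characterize(hunt_fan_out(events))
    return sorted(user for user, n in notes.items() if n["off_hours"])


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOGONS)
    print("hypothesis:", HYPOTHESIS)
    for user, note in characterize(hunt_fan_out(evs)).items():
        print(user, note)
    print("alerting accounts:", codified_analytic(evs))
```

Only the communications director’s account trips the hypothesis; stage 3 adds that the fan-out happened near midnight, and stage 4 turns both observations into a function the SOC can run against every day’s events, which is the “inform and enrich” step that lets the next hunt start from automation rather than from scratch.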

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources that build threat hunters’ skills and put threat intelligence to use, through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research alone can lead to costly data breaches and lasting brand damage when APTs evade detection. Without tools and a defined method for investigating IoCs, investigations are slower and less accurate, and without SOC orchestration, response stays stuck in heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance its SOC, Sogeti Luxembourg reduced the average time to determine root cause in a threat investigation from three hours to three minutes. The consultancy also reported that its overall threat investigation process became 50 percent faster and that the number of actionable threat indicators increased tenfold.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and the rate at which real alerts are triaged as benign are at record highs. APTs can easily go unnoticed in the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day fit predictable patterns. APTs make up a statistically small share of the incidents an SOC investigates, but sophisticated actors use unique tactics and techniques to blend into the noise. These are the threats most likely to evade detection and to end in the most expensive incidents.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.


The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

Author: Rob Patey


The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence

Given that the most serious threats in cyberspace are other state actors and their proxies, traditional thinking is focused on deterrence. Yet there are significant challenges for cyber deterrence.

The concept of deterrence was originally developed during the rise of nuclear technology. It relies on each side’s second-strike capability: complete certainty about who the opponent is, confidence that one can survive a first strike, and the ability to strike back. This is known as mutually assured destruction (MAD).

Deterrence has worked well throughout history to deter nuclear attack because only nation-states have had access to the resources and technologies to get in the game. Among those actors, a basic self-interest in survival underpins the effectiveness of MAD.

There are many methods available for monitoring the mining and use of nuclear materials and technologies, and we have a fairly accurate inventory. In the cyber theater, however, the cyber attribution dilemma essentially nullifies the traditional model of deterrence as previously applied to military strategies in conventional warfare. As mentioned, MAD depends on knowing who your opponent is and understanding their capabilities for a second strike. In the cyber theater, both of these requirements are virtually impossible to fulfill.

What Are the Top Challenges to Cyber Deterrence?

Because of the inherent architecture of the internet and threat actors’ ability to obfuscate the source of an attack, it is nearly impossible to attribute attacks with a high degree of certainty. This results in a cyber attribution dilemma whereby the need to impose the costs necessary for cyber deterrence is juxtaposed with the potential costs of misattribution.

1. Misattribution

Many are concerned about the dangers of misattribution in cyber warfare and the potential escalations it could cause. The current deterrence paradigm of mutually assured disruption — the equivalent of MAD in the cyber arena — has a high risk of escalating into a tit-for-tat exchange as a result of a false accusation.

2. False Flags

Adversaries have historically used false flag operations to make an operation appear as though it was perpetrated by someone else. Because of the cyber attribution dilemma, false flags are much easier to execute in cyberspace, where the challenge of attribution already exists. False flags in cyberspace exploit this existing uncertainty and further compound doubt by casting suspicion on other actors.

3. Plausible Deniability

The attribution dilemma also gives threat actors the benefit of plausible deniability, further reducing the risks and costs associated with cyber actions. If you can’t be certain who is responsible, once again, you can’t impose costs without risking imposing the costs on the wrong actor.

In the Absence of Attribution, Resilience Is Critical

The stakes are high in cyberspace and growing daily. Deterrence rests on a defender’s ability to impose costs or deny gains. Without the ability to impose costs while avoiding misattribution and escalation, denying gains and surviving cyberattacks through resilience becomes critical.

Advanced attacks executed by sophisticated actors who know how to stay under the radar often cause the most damage. Adopting threat hunting in your security operations center (SOC) can help reduce dwell time as well as the cost and impact of attacks.


The post The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence appeared first on Security Intelligence.

Author: Jan Dyment


More Than Just a Fad: Lessons Learned About Threat Hunting in 2018

The year has very nearly come and gone, and some fads that we saw throughout 2018 are going with it. Fidget spinners are collecting dust in cubicles, the mannequin challenge is something only seen in department stores, and the Nae Nae is becoming extinct on dance floors across the country.

It’s no different in the cybersecurity community; trending tools and buzzwords come and go as quickly as viral internet memes. However, one capability that is here to stay is threat hunting, a proactive approach to discovering and mitigating threats. The term and the practice have actually been around for quite some time, but threat hunting is becoming a household concept throughout security operations centers (SOCs), governments and private sector companies around the world, largely due to studies of the practice’s benefits and the real-world use cases that are rapidly emerging.

In the past year, we learned about the pros and cons of this approach, what it is, what it isn’t and everything in between. Let’s break down some of the lessons we learned about threat hunting in 2018.

Invest in Training and Methodology Before Technology

When a new security capability gains momentum in the industry, most companies’ first investment is in the tools to get them started. The same has been true of threat hunting, even though methodology and tradecraft matter more than the tooling.

A key finding from the SANS 2018 threat hunting survey revealed that the No. 1 investment area for threat hunting is still technology, although respondents indicated that the lack of trained staff in numerous areas was an important reason why they did not perform threat hunting or why they did not perform it as effectively as they should. The tools are only as good as the trained professional. This is as true with threat hunters as it is with construction workers, and it should not be forgotten.

Training and hiring the right people is especially important since threat hunting requires individuals with a knowledge of intelligence analysis and an understanding of the technical aspects of the SOC. Currently, threat hunting falls within a skills gap, which means finding a trained threat hunter to use the tools that a company has invested in is like finding a unicorn.

Going into 2019, organizations that practice threat hunting should take a holistic look at their programs and, if results are lacking, assess whether the problem is the tools or the shortage of trained cyberthreat hunters. Similarly, organizations that are new to threat hunting should evaluate the hunters they have or plan to hire before pulling the trigger on the latest tools.

Threat Hunting Is Only as Effective as Your Intelligence Framework

To launch an effective threat hunting program, you also need access to the right data. In terms of efficiency and accuracy, this should consist of internal data from the company mixed with external deep web, dark web, open source and third-party threat intelligence that provides context about threats manifesting through global cybercrime networks.

The SANS survey showed that a solid blend of internal, self-generated intelligence augmented with a combination of external data sources can reduce overall adversary dwell times across organizations’ networks. But it is more than just the access to the data itself; an organization could have access to all the data feeds in the world, but if it lacks the ability to provide context and formulate actionable hypotheses, then the data is next to useless.

In the counterterrorism community, we always said that intelligence drives operations. Yes, we needed access to the right data, but more importantly, we needed the ability to fuse all sources of data and develop actionable advice for operators. It’s the same with threat hunting: Data is key, but there needs to be a way to ingest, fuse and analyze data to formulate hypotheses about threats.

Threat Hunting Is Here to Stay in 2019

Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program. Just like the fads that will inevitably come and go in 2019, there will be new cybersecurity tools, methodologies and lessons in the new year. Due to the tangible benefits that organizations are seeing after implementing threat hunting programs, it’s apparent that the practice is not just another security fad.

As organizations train analysts on methodology before technology — and explore how to close the threat hunter skills gap, get access to the right data and generate actionable hypotheses to uncover threats — we will continue to learn how effective a threat hunting program can be when properly implemented.


The post More Than Just a Fad: Lessons Learned About Threat Hunting in 2018 appeared first on Security Intelligence.

Author: Jake Munroe


Visit the Subway System of Cybercrime With Security Consultant Francisco Galian

It took a group of Spain’s best hackers to awaken Francisco Galian’s passion for cybersecurity.

Francisco was in his last year of university in his native Barcelona, and as he was looking for a topic for his final thesis project an unforeseen opportunity presented itself: A security startup based on campus was developing a new threat intelligence platform. Though Francisco — then studying telecommunications engineering — didn’t intend to enter the security field at the time, he thought it could be a good learning opportunity.

“To me, it was incredible seeing what the hackers were doing, learning from them,” he says. “I just totally loved it. I was learning a lot and hearing all these battle stories.”

From In-House Intelligence to Security Consultant

Those “battle stories” must have been inspiring, because Francisco dove headfirst into security. He worked in cyberthreat intelligence before moving in-house, combining his telecommunications degree and newfound love of security by working with the likes of Cellnex and O2 Telefonica as the security lead.

Those days, he says, were “massively different” from his current work as a security consultant at IBM X-Force Incident Response and Intelligence Services (IRIS) EMEA. Working for just one company requires an intimate understanding of its infrastructure, and it adds the complications of navigating the internal politics that can make life tough for security teams. It can also lead internal teams to become complacent, Francisco believes.

“If you’re a company, you should be receiving attacks every single day just because you have public assets,” he says. “That doesn’t mean that these are very naughty attacks and everything is wrong, no. You just have to see them because you are exposed to the internet.”

Nowadays, Francisco worries when he hears that a customer hasn’t had an attack in a while. He remembers his own days in-house and knows it’s just when you think you’re safest that attacks hit you hardest. Too often he’s spoken with customers who think they’re fine, only to have the threat hunters tell them they’ve been fully compromised for months.

The Secret Subway System of Cybercrime

He explains it with an analogy. Let’s say you work in a bank in a city with an underground transport network. Now, you walk along the streets and you walk into your office, and you don’t think about the network operating underneath you; it’s invisible to those above ground. But underneath the streets, the bad guys are moving all the money out of your bank accounts.

“The thing is, you were blind — you were not looking for it, both in processes and infrastructure,” Francisco says. “That’s the big reality. People working just in one company, sometimes they struggle to understand that.”

Francisco now spends his days on-call to be parachuted in when times are tough for IBM clients. He jokes that Friday at 5 p.m. is the busiest time, as the weekend looms and internal teams haven’t been able to crack the problem.

Francisco uses his vast knowledge of cybersecurity to help with incident response, to find the issues and to help rectify and protect. He talks about one banking client that found its website defaced by threat actors; he needed to investigate the incident to determine whether it was a compromise in their infrastructure or the DNS provider’s. Remarkably, he had that one solved in three hours.


Cryptojacking Is This Year’s Big Threat

The major threat trend this year has been cryptojacking, in which a system is compromised not to lock it with ransomware but to use its computing resources to mine cryptocurrency. The largest incident Francisco has worked on saw thousands of machines compromised within one company. That attacker was clever: They capped the miner’s CPU usage on the compromised hosts so that utilization never hit 100 percent, which made the infection much harder to spot.

“The thing is, if for whatever reason they get pissed off, they can just shut down a huge part of your network,” he laments. And he’s seen that — threat actors who get annoyed and start to play around, or worse.

“Our day-to-day is just once a year for most companies,” Francisco says of the team focused on incident response and digital forensics. Customers come to the team when they have a severe incident they can’t handle internally. Every week it could be a new incident, a new threat, a new investigation — and when there are no new cases, the team is preparing customers via simulations and scenarios to help them be ready when the time comes.

“My aim is always to push for the efficiency, to find clever ways of doing stuff, automating tasks,” Francisco says. “That’s what I learned from my sensei from my early days. He was crazy about that — he automated everything even when he was pen testing, attacking, defending, and I’ve embraced that fully.”

‘The Answer Is Not Always in the Coffee’

And yet Francisco is not tech-obsessive. When he’s finished saving networks, you’ll find him outside playing sports — far from the computer’s glare. It’s a need to “disconnect,” he says; to have an escape. He jokes that he learned he had to have his “own life” after his first few years working in security.

And he finds staying fresh makes a big difference when you’re in the midst of responding to a big incident. “I’ve learned this from bad experiences,” he says. “You just have to find your own ways of disconnecting, and to me, sport is one of the best. If you can go and be outside, it’s going to be always better.”

That fresh mind is key when he’s in the midst of a situation and trying to work out his next move, battling the threat actors that inspired his career so many years ago. Laughs the Spaniard, “The answer is not always in the coffee!”


The post Visit the Subway System of Cybercrime With Security Consultant Francisco Galian appeared first on Security Intelligence.

Author: Security Intelligence Staff


Following the Clues With DcyFS: A File System for Forensics

This article concludes our three-part series on Decoy File System (DcyFS) with a concrete example of how a cyber deception platform can also be a powerful tool for extracting forensic summaries. Using that data can expedite postmortem investigations, reveal attributing features of malware, and characterize the impact of attackers’ actions. Be sure to read part 1 and part 2 for the full story.

File System Overlays as Blank Canvases

When using Decoy File System (DcyFS), each subject’s view contains a stackable file system with an overlay layer. This layer helps protect files on the base file system, providing data integrity and confidentiality. The overlay also acts as a blank canvas, recording all created, modified and deleted files during suspicious user activity or the execution of an untrusted process.

These records are essential to piecing together what happens during a cyberattack, since the overlay preserves evidence of key indicators of compromise (IoCs) that investigators can use. To demonstrate the forensic capabilities of our approach, we created a module that analyzes overlays for IoCs and tested it against five types of malware behavior. The indicator categories were drawn from the MITRE ATT&CK for Enterprise threat model.

DcyFS and the Forensics of Malware

Let’s take a closer look at the five malware types we identified with DcyFS’s analysis module and the IoCs collected through the file system overlays. We’ll also discuss how the file system actively helped protect critical systems from malware in our tests.

Persistence

Most malware is designed to persist on an infected endpoint and relaunch after a system reboot. The exact mechanism for persistence depends on whether the malware gains administrator privileges on the endpoint. If it does not, the malware will typically modify user profile files that are run on startup.

Malware running with escalated privileges can modify systemwide configurations in order to persist. This is achieved by dropping initialization scripts into the system run-level directories. In certain cases, malware will create reoccurring tasks that ensure the malware is run on a schedule, persisting across reboots.

Each time a piece of malware modifies a system file, the changes are recorded on DcyFS’s overlay, enabling the forensic analyzer to easily identify malicious activity. Furthermore, since DcyFS provides per-process views to the malware, no file changes by the malware persist across the global file system view. This also means the malware is not restarted on a reboot.

Shared Library Preload Injection

Some malware, such as Umbreon and Jynx2, are not executables but shared libraries designed to be preloaded into system processes by the dynamic loader, the Linux counterpart of DLL injection on Windows. The libraries replace important system application programming interface (API) calls to change the functionality of a running application. In this way, an Apache web server can be turned into a backdoor, or a Bash shell can be hijacked to mine bitcoin in the background.

In Umbreon’s case, the malware replaces C API calls such as “accept,” “access” and “open” to hide its presence on the file system from an antivirus system or the system user. Umbreon also creates a user, and hides its presence using injected API calls. Such file system changes are identified by DcyFS, as is the injected malicious library. Furthermore, since the library is only loaded in its own view, it cannot be injected into any process running on the system.

Binary Downloaders (Modifiers)

Cybercrime is a mercurial commodity business, where large criminal syndicates rent access to extensive botnets to other attackers. These bots are designed to send malicious spam or download various pieces of malware, such as banking Trojans, bitcoin miners and keyloggers, to collect stolen data that can be monetized by the syndicate.

With administrative access to an infected endpoint, bots will try to download malware into many system directories, creating redundant copies in the hope that a defender who finds one will miss the others. As a result, newly installed binaries on a file system are a key IoC.

Aside from downloading new binaries, malware can also alter existing system binaries so that they secretly engage in nefarious activities. Running under DcyFS, these binary modifiers only change the copy in the overlay they can access; the applications in the global view of the base file system are untouched. Consequently, the trojaned binaries are never executed by the rest of the system, but they appear prominently on the overlay, where a forensics team can extract and analyze them.

Covering Tracks

Typically, skilled attackers will try to cover their tracks to evade detection. One way of doing this is to save malware in hidden files, such as any file whose name starts with a period, or to modify programs such as “ls” or “dir” so that malware files are omitted when the contents of a directory are displayed to a user.

Another technique for hiding one’s presence is to remove entries from a user’s history profile or deleting task entries that conduct antivirus scans. Finally, killing or deleting antivirus software is another mechanism for ensuring that malicious activities are not uncovered. With DcyFS, each step used to cover one’s tracks is highlighted on the file system’s overlay.
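To make the overlay-as-evidence idea concrete, here is an added example (not DcyFS’s own analysis module) that classifies the changes recorded on an overlay into the behaviors covered in the sections above: persistence through profile, run-level and cron files, library preloading, dropped or trojaned binaries, account creation, and track-covering. The (op, path) record format, the path patterns and the sample overlay contents are assumptions constructed for the example; the tactic and technique labels follow the style of MITRE ATT&CK:

```python
"""Classify changes recorded on a decoy-file-system overlay into ATT&CK-style tactics.
Added example, not DcyFS code: the (op, path) record format and patterns are assumptions."""
import fnmatch
from collections import Counter

# Constructed sample of what an overlay might record after an untrusted process ran.
SAMPLE_OVERLAY = [
    ("modified", "/home/dev/.bashrc"),            # user profile autostart hook
    ("created",  "/etc/init.d/.sysupdate"),        # run-level script with a hidden name
    ("created",  "/etc/cron.d/updater"),           # recurring task for persistence
    ("modified", "/etc/ld.so.preload"),            # forces a library into every process
    ("created",  "/usr/bin/.sshd"),                # dropped binary, hidden name
    ("created",  "/tmp/.x/miner"),                 # dropped binary in a hidden directory
    ("modified", "/bin/ls"),                       # trojaned listing tool
    ("modified", "/etc/passwd"),                   # new account added
    ("deleted",  "/home/dev/.bash_history"),       # shell history wiped
    ("deleted",  "/etc/cron.daily/av-scan"),       # scheduled antivirus scan removed
    ("modified", "/home/dev/notes.txt"),           # ordinary edit, should stay unclassified
]

SYSTEM_BIN = ["/bin/*", "/sbin/*", "/usr/bin/*", "/usr/sbin/*", "/usr/local/bin/*"]
DROP_DIRS = SYSTEM_BIN + ["/tmp/*", "/var/tmp/*", "/dev/shm/*"]
CRON = ["/etc/crontab", "/etc/cron.d/*", "/etc/cron.*/*", "/var/spool/cron/*"]

# (ops that match, path globs, tactic, technique). The first matching rule wins.
RULES = [
    ({"created", "modified"}, ["/home/*/.bashrc", "/home/*/.profile", "/home/*/.bash_profile",
                               "/root/.bashrc", "/root/.profile"],
     "Persistence", "Boot or Logon Initialization Scripts (user profile)"),
    ({"created", "modified"}, ["/etc/init.d/*", "/etc/rc*.d/*", "/etc/rc.local"],
     "Persistence", "Boot or Logon Initialization Scripts (system run level)"),
    ({"created", "modified"}, CRON, "Persistence", "Scheduled Task/Job (cron)"),
    ({"created", "modified"}, ["/etc/ld.so.preload"],
     "Persistence", "Hijack Execution Flow: Dynamic Linker Hijacking"),
    ({"modified"}, ["/etc/passwd", "/etc/shadow"], "Persistence", "Create Account"),
    ({"created"}, DROP_DIRS, "Command and Control", "Ingress Tool Transfer (new binary dropped)"),
    ({"modified"}, SYSTEM_BIN, "Defense Evasion", "Modified system binary"),
    ({"deleted", "modified"}, ["/home/*/.*history", "/root/.*history"],
     "Defense Evasion", "Indicator Removal: Clear Command History"),
    ({"deleted"}, CRON, "Defense Evasion", "Impair Defenses (scheduled scan removed)"),
]


def _matches(path, patterns):
    # fnmatch treats '/' like any other character, so '/tmp/*' also covers '/tmp/.x/miner'.
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def _hidden(path):
    return any(part.startswith(".") for part in path.split("/") if part)


def classify(changes):
    """Return one finding dict per indicator found; tactic is None for unclassified changes."""
    findings = []
    for op, path in changes:
        hit = False
        for ops, patterns, tactic, technique in RULES:
            if op in ops and _matches(path, patterns):
                findings.append({"op": op, "path": path, "tactic": tactic, "technique": technique})
                hit = True
                break
        # A newly created dot-file or dot-directory is a second, independent indicator.
        if op == "created" and _hidden(path):
            findings.append({"op": op, "path": path, "tactic": "Defense Evasion",
                             "technique": "Hide Artifacts: Hidden Files and Directories"})
            hit = True
        if not hit:
            findings.append({"op": op, "path": path, "tactic": None, "technique": "unclassified"})
    return findings


def summarize(findings):
    """Count indicators per tactic, ignoring unclassified changes."""
    return Counter(f["tactic"] for f in findings if f["tactic"])


if __name__ == "__main__":
    found = classify(SAMPLE_OVERLAY)
    for f in found:
        print(f"{f['op']:8} {f['path']:28} {f['tactic'] or '-':20} {f['technique']}")
    print(dict(summarize(found)))
```

Because the overlay holds only what the untrusted process changed, the classifier never has to diff against a clean baseline: every record is already an action the subject took, and the remaining job is naming the tactic it serves.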

Ransomware and Beyond

Ransomware has become a prominent part of the attack ecosystem, wreaking havoc on individuals and companies alike. The Erebus ransomware, for example, cost South Korean companies millions of dollars in ransom payments to rescue their own and their customers’ data.

Recent ransomware attacks have relied on strong encryption as the main technique for holding victims’ data to ransom, typically a symmetric cipher for the file contents with the per-file keys protected by the attacker’s public key so that the victim cannot recover them. Other malware, such as KillDisk and Shamoon, simply destroys important files and cripples system infrastructure without any option to undo the destruction.

Once running on an endpoint, ransomware walks through directories looking for preconfigured file extensions to encrypt. Our forensic analysis looks in the overlay for signs of that encryption, such as files whose MIME type is no longer recognizable, to find evidence of a ransomware attack. It can also characterize attacks by measuring their information footprint in the file system. The DcyFS forensics analyzer generates three indicators that estimate the impact of the file system changes a program introduces:

  • Binary differences: Average percentage of bytes modified across the files copied up to the overlay.
  • Information gain: Average increase in Shannon entropy across those files, measured as the entropy of the overlay copy minus the entropy of the base copy (encryption drives this toward 8 bits per byte).
  • Write entropy: Average entropy of the data written to the overlay files.
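The following added example (not the DcyFS analyzer itself) computes the three indicators above, plus a simple MIME-type check, over constructed base/overlay file pairs: one set in which a toy keystream cipher stands in for a ransomware’s per-file encryption, and one set with ordinary small edits. The thresholds and the sample files are assumptions; the cipher is there only to reproduce the statistical footprint of encryption, not to model real ransomware cryptography:

```python
"""Ransomware indicators computed from base/overlay file pairs.
Added example, not the DcyFS analyzer; thresholds and sample files are assumptions."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def binary_difference(base, overlay):
    """Fraction of byte positions that changed; bytes added or removed count as changed."""
    longest = max(len(base), len(overlay))
    if longest == 0:
        return 0.0
    unchanged = sum(1 for a, b in zip(base, overlay) if a == b)
    return 1.0 - unchanged / longest


MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"%PDF": "application/pdf",
         b"PK\x03\x04": "application/zip", b"\x7fELF": "application/x-executable"}


def mime_hint(data):
    """Tiny magic-byte sniffer; encrypted output almost never keeps a recognizable type."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text/plain"
    return "application/octet-stream"


def indicators(pairs):
    """pairs: [(base_bytes, overlay_bytes)] for files copied up to the overlay.
    Returns the three averaged indicators plus a count of files whose type became
    unrecognizable."""
    n = len(pairs)
    return {
        "binary_difference": sum(binary_difference(b, o) for b, o in pairs) / n,
        "information_gain": sum(shannon_entropy(o) - shannon_entropy(b) for b, o in pairs) / n,
        "write_entropy": sum(shannon_entropy(o) for _, o in pairs) / n,
        "type_lost": sum(1 for b, o in pairs
                         if mime_hint(b) != "application/octet-stream"
                         and mime_hint(o) == "application/octet-stream"),
    }


def looks_like_ransomware(ind, min_diff=0.9, min_gain=1.5, min_entropy=7.5):
    """Bulk rewrite + large entropy increase + near-random output = encryption, not editing."""
    return (ind["binary_difference"] >= min_diff and ind["information_gain"] >= min_gain
            and ind["write_entropy"] >= min_entropy)


# Constructed base files: a text report and a PNG-like image with a low-entropy body.
TEXT = b"Quarterly revenue summary: region, units, price, notes.\n" * 40
PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(64)) * 32


def toy_encrypt(data, seed):
    """Stand-in for a ransomware's per-file cipher: XOR with a seeded PRNG keystream.
    Not real cryptography; it only reproduces the footprint (high entropy, no magic bytes)."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


ENCRYPTED_PAIRS = [(TEXT, toy_encrypt(TEXT, 1)), (PNG, toy_encrypt(PNG, 2))]
EDITED_PAIRS = [(TEXT, TEXT.replace(b"Quarterly", b"Q3 FY2018", 1)),   # same-length edit
                (PNG, PNG[:-16] + bytes(16))]                           # trailing bytes zeroed

if __name__ == "__main__":
    for label, pairs in (("encrypted", ENCRYPTED_PAIRS), ("edited", EDITED_PAIRS)):
        ind = indicators(pairs)
        print(label, {k: round(v, 3) for k, v in ind.items()}, looks_like_ransomware(ind))
```

The three indicators separate the cases cleanly: encryption rewrites nearly every byte, lifts entropy by several bits per byte and lands near 8 bits per byte, while a legitimate edit touches a fraction of a percent of bytes and leaves entropy where it was. Requiring all three together is what keeps a compression job (high entropy, but typically a new file rather than an in-place rewrite of the original) from tripping the rule on its own.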

DcyFS also actively protects files from ransomware through the overlay: the ransomware encrypts only its own view, while the base file system stays untouched. The malware “believes” it has succeeded, but the user can subvert the attack and recover the original data without any damage to critical infrastructure.

Humanize Your Security Problems With DcyFS

DcyFS is a security Swiss army knife. On one hand, the file system is a passive sensor, monitoring access to one of the most important commodities companies have: their data. It is also a forensic tool, allowing security practitioners to collect key evidence when an attack occurs. On the other hand, DcyFS is an active security control that can hide and help protect data while baiting attackers into revealing themselves.

Our research team believes that tools like DcyFS will be a big part of the next generation of cyberdefense. Agile and versatile tools of this kind not only identify attacks as they occur, but actively engage and react to the attacker. They turn security from a technical problem, as it is often cast, into a human problem, where adversaries and defenders engage like they do on any battlefield.

The post Following the Clues With DcyFS: A File System for Forensics appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Teryl Taylor

Cyberthreat, Human Factor, Security Operations Center (SOC), Skills Gap, threat hunting, Threat Intelligence, Threat Management,

Know Your Enemy: The Art and Science of Cyberthreat Hunting

From Rome to Mexico City, as my IBM Security colleagues and I have traveled the world teaching cyberthreat hunting, we’ve found a multitude of differing opinions about who is and isn’t a target for cyberattacks.

One attendee at a recent workshop even stated: “My bank isn’t a target for a cyberattack because our country isn’t seen as a major globalized economy.”

The reality, however, is that your organization is always a target. Whether you’re a target of choice or a target of opportunity, it’s not a matter of if you’ll be attacked, but when. There’s even a possibility that attackers are already dwelling within your network and have been for some time.

Watch the on-demand webinar: Know Your Enemy — Proactive Cyber Threat Intelligence and Threat Hunting

Make the First Move With a Strong Cyberthreat Hunting Team

One of the best ways to get out ahead of malicious actors is with cyberthreat hunting, the act of proactively and aggressively eliminating adversaries as early as possible in the Cyber Kill Chain. The quicker you can locate and track your adversaries’ tactics, techniques and procedures (TTPs), the less impact attackers will have on your business.

Know Your Enemy

So what types of skills does a cyberthreat hunting team require?

Security operations center (SOC) analysts tend to define cyberthreat hunting reactively: indicators of compromise (IoCs) surface and lead to the investigation of an incident. These IoCs are typically generated by internal security systems such as security information and event management (SIEM), incident response, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and endpoint management tools.

Military and law enforcement intelligence analysts, however, define cyberthreat hunting as the process of proactively identifying, intercepting, tracking, investigating and eliminating IoCs before they impact national security, critical infrastructure and/or citizens.

The truth is they’re both right. There’s a tectonic shift occurring in the cybersecurity community with the convergence and blurring of lines between SOC and intelligence analysts. The challenge is that SOC analysts are not formally trained in intelligence life cycle analysis, and intelligence analysts are not formally trained in incident analysis and response.

The knowledge gap between these two skill sets is quite significant and has to be closed and integrated to build a fully functioning and productive cyberthreat hunting team. It’s also critical for SOCs to grasp the common denominator in both internal (reactive) and external (proactive) cyberthreats: the human element.

Put Methodology Before Technology to Close the Skills Gap

Security teams should take proactive steps to close the skills gap and mature their SOC. First, start with the basic definition of cyberthreat hunting provided above. Next, develop an understanding of the intelligence life cycle tradecraft and apply it to both security and intelligence operations. Finally, create a priority intelligence requirements (PIR) matrix that asks the logical questions of who, what, where, when, why and how regarding the analysis of global, industry-specific, geographic and cyberthreats applicable to your business.

SOC Maturity Chart

There’s no magic button or technology that will solve all of your security challenges. Through the integrated elements of people, processes, data and technology applied to the “know your enemy” intelligence methodology, you can fully gain insight into how cybercriminals are seeking to target your organization. Putting methodology before technology will serve you well in defining your adversaries’ TTPs and the methods they might use to target your organization.

In a world where the enemy potentially has access to infinite time, money and resources, it’s absolutely critical for the cybersecurity industry to close the knowledge and skills gaps, truly understand the art and science of cyberthreat hunting, and apply that understanding to proactively stop threats before they become a problem.


The post Know Your Enemy: The Art and Science of Cyberthreat Hunting appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Sidney Pearl

Incident Response, Incident Response (IR), Security Intelligence, Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence, Threat Prevention,

Don’t Get Caught Off Base: Make Threat Intelligence a Security Imperative

“Offense wins games, but defense wins championships.” You’ve probably heard this old adage with respect to professional sports, but the proverb can also shed light on the importance of threat intelligence in cybersecurity operations, where weak defense can result in much more costly repercussions than a home run by the opposing team.

When it comes to protecting your organization, a security operations center (SOC), like a good baseball team, needs a strong defense to prevent attackers from scoring, predict the offense’s next move and proactively hunt for threats. To do so, security teams need to understand the different types of threat intelligence and the value that each contributes to the decision-making process at different levels of the enterprise.

Make Your Draft Picks

All SOCs are not created equal. They come in different shapes and sizes, but they all share the goals of protecting their organization and fighting malicious actors. The right threat intelligence at the right time empowers your team to block attacks in real time and helps mitigate the risk of attackers affecting your brand and reputation. So how do you choose the right threat intelligence for your organization?

Right off the bat, the threat intelligence landscape is complex. Offerings are plentiful and confusing, and there are many variables unique to your organization and industry that you should consider. Without clear goals and objectives, the task may seem daunting, but it can be simplified once you understand how to maximize the three types of threat intelligence: tactical, operational and strategic. Let’s dive in to each type so you can begin formulating a winning threat intelligence strategy that covers all your bases.

Defend Against Stolen Bases With Tactical Intelligence

Numerous external and internal sources expose your organization to threats on a day-to-day basis. Some of these turn out to be false positives while others turn into successful attacks. Without proper context, the vast amount of information available to your team for monitoring threats can be overwhelming, and too many false positives can fatigue your analysts and cloud their judgment when identifying real threats.

Tactical threat intelligence is technical data obtained from daily monitoring and analysis. It helps your security team detect and block attacks that match indicators already observed elsewhere. With this type of intelligence, analysts can better differentiate between potential threats by using indicators of compromise (IoCs) such as IP addresses, URLs and file hashes. Tactical threat intelligence empowers your SOC to make immediate decisions to act against real-time threats that pose a significant risk to your organization.

Throw a Curveball at Attackers With Operational Intelligence

With repetition and practice, professional athletes improve on their game. The same is true for your security team. With experience, analysts can develop the skill of identifying threat patterns and attacker methodologies to proactively hunt for threats, leading to a stronger defense and more effective incident response.

Operational threat intelligence is a combination of technical data and profound analysis of threat groups, malware families, and tactics, techniques and procedures (TTPs). This type of threat intelligence will help your organization make better day-to-day decisions on task prioritization, threat mitigation and resource allocation.

Three Strikes, You’re Out With Strategic Intelligence

The beauty of sitting in the nosebleed section is that you get a bird’s-eye view of the game. Strategic threat intelligence is similar in that it’s most valuable to the highest levels of your organization, and it impacts critical companywide decisions. This type of threat intelligence is a real team effort; although it’s nontechnical in nature, it typically builds on top of tactical and operational threat intelligence.

Strategic threat intelligence explains the motivations of attackers, identifies future trends and considers current geopolitical events. With this information, executives can make informed decisions to mitigate future risk by enhancing security through refined organizational structure, improved internal processes and policies, and increased spending on resources and capabilities.

Hit Your Threat Intelligence Program Out of the Park

Now that you have a basic understanding of threat intelligence and how it adds value to the decision-making process at different levels of an enterprise, you can set your goals and objectives and use them as a filter to evaluate, compare and select the right combination of threat intelligence. Every organization is unique, but with the right resources in place, your team will be ready to play in the big leagues.

Register today for the X-Force Exchange and X-Force IRIS webinar, “Threat Intelligence, Cover Your Bases!” on Sept. 19

The post Don’t Get Caught Off Base: Make Threat Intelligence a Security Imperative appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Paola Miranda

Advanced Persistent Threat (APT), Endpoint Management, Security Information and Event Management (SIEM), Security Intelligence, Threat Detection, threat hunting, Threat Intelligence,

A Beginner’s Guide to Threat Hunting

Threat hunting is a popular buzzword in cybersecurity at the moment, but what does it mean? How do you know if you should be doing it, and where do you start?

To threat hunt means to proactively search for malware or attackers that are lurking in your network — and may have been there for some time. They could be quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.

When Traditional Protections Fail, Threat Hunting Sniffs Out APTs

Basic security hygiene and properly implemented antivirus, firewalls and other automated security tools should stop the majority of threats from getting in. But once an attacker has sneaked into your network undetected, there’s often not much to stop them from staying there.

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. In contrast to a forensic investigation, which is designed to work out what went wrong after an attack, threat hunting aims to track down these waiting attackers and stop them in their tracks before they have the chance to cause real damage.

Although your automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80 percent of threats, you still need to worry about the remaining 20 percent, which is more likely to include advanced persistent threats (APTs) that can cause significant damage.

Threats that are unsophisticated, automated or untargeted should be easy to detect or block, but those that carefully evade the tools designed to stop them typically come from advanced persistent attackers — groups or individuals who directly target your organization and network. Compared to a basic hacking attempt, an APT demands significantly more effort and attention from the SOC and response team.

What Do You Need to Start Threat Hunting?

Before you start, it’s important to ensure that your organization is actually ready to threat hunt. You should have a fairly mature security setup capable of ingesting multiple sources of information and storing it in a way that lets you query it. A basic setup should include automated blocking and monitoring tools such as firewalls, antivirus, endpoint management, network packet capture, and security information and event management (SIEM). You will also need access to threat intelligence resources so you can look up IP addresses, malware hashes, indicators of compromise (IoCs) and more.

Finally, you will need a tool that allows you to bring together your disparate data sets and slice and dice them in a way that reveals insights with the least possible effort. Threat hunting can involve a massive amount of information, so while it is a human-led effort, you’ll certainly need some computer assistance to make the task more manageable.

Once you have all the tools in place and working together, you will also need a team with enough people to manage the technology and data. Threat hunting is never going to be the first priority. To start, it may not even be a full-time role — just a few hours a week of one person’s time.

There is no set threat hunting process that will apply to every company, so your team must have expertise in your organization’s network. Without being familiar with your systems and knowing how everything is supposed to look, it will be impossible to determine how to best hunt for threats.

How Do You Know What to Look For?

Before starting a threat hunt, you need to set some prioritized intelligence requirements (PIRs) — the questions that will drive your threat hunting efforts and the answers that will drive decision-making within the organization. Ask yourself, for example, is data being exfiltrated from my organization?

Your PIRs will depend on what matters the most to your organization and should be agreed upon in advance by C-level executives and stakeholders. They will also change over time. Once you have set your PIRs, you should decide which IoCs to look for based on an informed hypothesis. For example, certain changes in traffic flows could indicate data exfiltration.

Threat hunting is an advanced and complex task, but with the right people, technology and questions, it can make a massive difference to your organization’s security and prevent major problems before they occur.

To learn more about threat hunting, read the IBM solution brief, “IBM i2 Enterprise Insight Analysis for Cyber Threat Hunting”

The post A Beginner’s Guide to Threat Hunting appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Louise Byrne

Network, Security Information and Event Management (SIEM), Security Intelligence, Security Intelligence & Analytics, Security Professionals, Security Solutions, threat hunting,

Not Your Grandfather’s SIEM: 5 Signs That You Should Reconsider Your Current SIEM Deployment

Born next to firewalls, network access controls and vulnerability assessment tools, security information and event management (SIEM) systems have been around for over 15 years and have now reached a high level of maturity and productivity. As a result, today’s SIEMs are not the same as they were in 2004.

So what of the claim that SIEM is dead? The answer may be simple: SIEM has gone through a tremendous change pattern, so it’s not the same tool set we once knew. Here are five signs your current SIEM deployment may be outdated, and what to look for going forward.

1. Dependence on Static Collectors and Span Ports

Gone are the days when SIEMs only consumed firewall and access data. Today’s SIEM needs to accept a higher volume and variety than ever before. Highly specialized data sources from the network and/or endpoint are also dictating new collection capabilities, such as extra-long log entries with rich context, log buffering and throttling optimized for cloud storage. One especially critical need is the ability to quickly adapt to new log sources to maintain maximum visibility. If you feel weak on visibility, you may lack the right data sources and look for deeper endpoint, network, user or application data.

Visibility may also be restricted by dependency on a Switched Port Analyzer (SPAN) port. Remember that when your network is saturated, perhaps by an attack, your SPAN-connected sensors could be dropping a lot of data, so have your SIEM also collect from more lightweight, ubiquitous sensors such as endpoint agents and flow exporters.

2. Blocked in the Funnel

SIEMs with only relational databases are disappearing. The need to analyze more data within broad time windows has generated interest in alternative data management concepts such as data streaming, distributed data processing and hybrid on-premises/cloud data storage. These advancements in data management have expanded data searching, grouping and transformation capabilities needed for threat hunting, a process that has been slowly but steadily adopted over the last few years. The bottom line here is that the log funnel from 2004 is likely being replaced with a new “event horizon” approach where the user can select from a variety of data lakes to start the analytic processes and increase detection.

3. Manual SIEM Analytics and Custom Content

Recently, advances in security analytics have been a core issue. SIEMs originally consisted of watchlists, baselining and simple if-then rules, but have now expanded into high-volume data streaming, machine learning and, especially, automation.

In the past, many SIEMs failed because they were labor-intensive and expensive to maintain. The concept of purpose-built security workflows and content to prime the analytic engine started to alleviate this. Modern SIEMs provide both a broad spectrum of analytic processes and content to detect more high-quality threat insight that is prioritized, enriched and aggregated. Advanced SIEM will even help automate and guide through the investigation. The core improvements to look for are speed and quality of detection. If your analysts are acting mostly on threat eradication (i.e., looking at signs that an endpoint is compromised) instead of more proactive attack or risk indicators, it’s time to rethink the analytic content and processes.

4. Inefficient Usage

SIEM typically has two types of users: creators of analytics and consumers of analytics. Creators configure and load the system with analytic content. These are the advanced users who help drive the SIEM forward. Consumers of analytics are your tier-1 and tier-2 hunters and risk officers who log on to review dashboards, alerts and reports and run the searches enabled by the creators.

The challenge comes when there are very few users of either kind, combined with inefficient usage. It indicates that your SIEM may be stuck in log management mode, constrained to static detection, with its threat management capability no longer evolving because nobody is feeding it new content. Modern SIEMs help here by providing a library of analytical content that is easily accessible and optimized for specific use cases, without the need to restructure the deployment or implement complex upgrades.

5. Cost to Scale

Cloud adoption, new threats and a need for more thorough investigations often drive SIEM costs substantially. An interesting side note here is that SIEM practitioners don’t own the moment when your organization is hit with an advanced threat or new cloud monitoring needs, letting costs sneak in through an open door. What security teams do own, though, is how to prepare for data consumption strategies that won’t break the bank, prebuilt analytic processes and rich ecosystems of tools pre-integrated with the SIEM to support your monitoring and investigation needs into the next decade.

In the past, SIEMs definitely had their challenges, but more than 15 years of dynamic fluctuations between attackers and defenders has hardened and pushed security analytics methods forward through evolution. If you feel your SIEM hasn’t evolved with shifting threat environments, perhaps it’s time to rethink it.

The post Not Your Grandfather’s SIEM: 5 Signs That You Should Reconsider Your Current SIEM Deployment appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Bart Lenaerts

Command-and-Control (C&C), Incident Response, Indicator of Compromise (IoC), Malware, Network, Threat Detection, threat hunting, Threat Intelligence,

How to Leverage Log Services to Analyze C&C Traffic

Command-and-control (C&C) servers are the machines attackers use to maintain communication with the compromised systems in a target network. These servers issue commands to the compromised systems, ranging from a simple “Are you (still) there?” request to data exfiltration instructions and full remote control commands. The type of C&C traffic entirely depends on the malware and the attacker’s objective.

Although a C&C server is used to control the compromised systems, it’s usually the compromised system that contacts the C&C from inside the victim’s network and then waits for further instructions. This is because most modern networks have a strict inbound filtering policy, making it very difficult for attackers to directly contact the compromised machines from an external network.

What Causes C&C Traffic?

Simply put, compromised machines drive C&C traffic. Most machines are compromised by malspam, or malware delivered via spam. The malware is hidden in legitimate-looking PDF or Microsoft Office documents. The victim opens the document and then unknowingly facilitates the installation of the malware. A user who falls victim to malspam is often not even aware that abnormal activity is taking place.

Once installed, the malware sends out a beacon informing the attackers that it has been successfully deployed. After this, the malware can sit idle on the system and regularly check in with the C&C servers for further instructions.

The set of C&C servers can be built into the malware’s configuration section. From an attacker’s perspective, this is not always very reliable because this type of infrastructure can be brought down or blocked more easily. That’s why malware sometimes makes use of a domain generation algorithm (DGA) to define which C&C server it must contact. Because the generated domains change constantly, blocking them in advance is impractical, and the generated names can be hard to tell apart from legitimate ones by hand. A good first step is to paste the domain name into a service like Cymon, which will quickly analyze it and determine whether it is suspicious.
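As an added example that is not from the original post, here is a small lexical scorer in Python for the kind of hypothesis-driven check described above: it pulls the registrable label out of a queried name and scores it on character entropy, vowel ratio, consonant runs and digit count, the features that make algorithmically generated names look different from names chosen by people. The thresholds are assumptions to tune against your own DNS baseline, the suffix handling is deliberately naive (it assumes a single-label TLD; production code should use the Public Suffix List), and the query names are constructed.

```python
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Character-level Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    """Label immediately left of the TLD. Assumption: a single-label TLD such as
    '.com'; names under 'co.uk' and similar need the Public Suffix List."""
    parts = fqdn.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(fqdn: str) -> dict:
    """Lexical features of the registrable label of a queried name."""
    label = registrable_label(fqdn)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    # Longest run of consonants: generated names rarely pause for a vowel.
    run = longest = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_count": sum(c.isdigit() for c in label),
        "max_consonant_run": longest,
    }


def is_suspicious(fqdn: str) -> bool:
    """Assumed heuristic thresholds. Expect CDN and cloud hostnames to trip this
    occasionally, as the post warns, so treat a hit as a lead, not a verdict."""
    f = dga_features(fqdn)
    if f["length"] < 10:
        return False
    return ((f["entropy"] >= 3.0 and f["vowel_ratio"] <= 0.25)
            or f["max_consonant_run"] >= 5
            or f["digit_count"] >= 3)


def triage(queries):
    """Return the queried names worth a closer look, preserving log order."""
    return [q for q in queries if is_suspicious(q)]


# Constructed sample of query names as they might appear in resolver logs.
SAMPLE_QUERIES = [
    "www.securityintelligence.com",
    "mail.google.com",
    "xjkq4m9zplw2.net",
    "internationalbusinessmachines.com",
    "bfrqtkxmzpqw.com",
]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        f = dga_features(q)
        print("%-36s entropy=%.2f vowels=%.2f run=%d digits=%d -> %s" % (
            q, f["entropy"], f["vowel_ratio"], f["max_consonant_run"],
            f["digit_count"], "suspicious" if is_suspicious(q) else "ok"))
```

Run on its own, the script flags the two generated-looking names and leaves the long but pronounceable ones alone. Scoring the label rather than the full name keeps host-prefix noise such as `cdn-a72fdc31` from dominating the result, which is also why the statistics in the post’s later checklist focus on the second-level domain.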

Using Network Time Protocol (NTP)

Timestamps are an important element during incident response. They tell us exactly when something happened and serve as reference points for building a timeline of an incident.

If your logs are not time-synced, you’ll have to take into account the different time skews when tying together log elements from a variety of sources. Not having your systems synced to a central time-server will make building the timeline based on the C&C communication much more difficult, prone to errors and resource-consuming.

Leveraging Log Services

Most malware will use the Domain Name System (DNS) to resolve a C&C server address. The log files of your internal DNS server are a crucial source of information. Make sure they contain the client queries and, ideally, the answer that was returned. Not all malware will make use of DNS to reach the C&C servers; sometimes it will reach out directly via an IP address. Note that DNS traffic itself can also be used as a communication channel.

Corporate environments often require that users’ web traffic goes through a filtering proxy. The web proxy logs are also helpful for detecting and analyzing C&Cs. Security teams can spot traffic related to already-known attack campaigns by using threat intelligence feeds. Most proxies will also support block lists based on these feeds.

Not all C&C communication has to be web-based; it can also happen via email. Although email logs rarely contain the full conversation, the metadata can be helpful. Verify with your legal department under what conditions storage and access to this information is allowed.

Firewall logs can shed light on other forms of C&C communication via internet relay chat (IRC) or peer to peer (P2P) exchange, for example. This traffic will be blocked in most corporate environments, but seeing an outgoing connection attempt might be enough to tip off an investigation.

Netflow records contain information that allows you to spot C&C traffic among large sets of network flows. As with firewall logs, they might not always give you all the required traffic details (e.g., payload), but one of the advantages is that they can also track internal flows. This is useful for detecting an internal connection proxy that is used as a relay to reach external C&C servers.

If you have the infrastructure for recording full packet captures, this can be a very useful resource for hunting for C&Cs. Make sure the packet data is indexed and easily searchable. The searches can be based on the information previously found via the firewall logs or netflow records.

Obviously, log information coming from your security devices, such as an intrusion detection system (IDS) or intrusion prevention system (IPS), serves as another good source of information to find C&Cs or other intrusive software.

Last but not least are the logs from your endpoint protection or filtering solution.

What Are the Different Types of C&C Communication?

There are many different types of command-and-control traffic. Let’s take a closer look at four of the most common.

Beacon

A beacon is sent when a host has just been compromised; this is essentially the malware “calling home” to the attacker. A beacon is also sent as a sort of heartbeat to inform the attackers that the host is alive. This can happen at regular intervals or as a result of a system event, such as a reboot.

Command

The answer from the C&C to a beacon can be a command that needs to be executed by the compromised host. The execution of this command can be done instantaneously or queued for later processing. Some commands also give a somewhat interactive remote shell to the attacker on the compromised machine.

Exfiltration

An exfiltration is the answer from the client to the command execution request from the server. The answer can be sent immediately after the request, at regular intervals — as part of the beacon, for example — or at a dedicated time. The payload of the client response can be the result of a command or the exfiltration of documents or emails stored on the system.

Connectivity Check

A connectivity check is used to verify that the host still has internet connectivity. This check can happen at regular intervals — such as before a beacon — and when it fails, the malware can retry or alter its configuration. In some cases, it will automatically remove itself from the system. It can even go so far as to wipe the entire system. The connectivity check can be done against the attackers’ infrastructure or against nonmalicious infrastructure, such as public DNS resolvers or well-known web servers. This makes it harder to detect.

Depending on the environment where it has been deployed, the malware can use different stages of C&C traffic, apply fallback communication channels or use multiband communication, meaning it splits communication between different protocols.

How to Decode C&C Communication

Before you can start decoding C&C communication, you need to collect traffic. This can be time-consuming and, in many cases, will only return limited results. In addition, a lot of the traffic will be encoded (or enclosed in an encrypted channel), making analysis even more difficult. To add to the complexity, if you don’t know what exactly is in the traffic, you have no way of determining whether the malware is simply sending out a beacon or exfiltrating confidential company documents. By the time you have fully analyzed the traffic, the attackers may have already achieved their objectives and left the environment.

In some cases, you should still attempt to understand what’s in the traffic, but you’ll have to weigh the benefits of spending time on the analysis and accepting the risk against immediately containing the incident. One alternative might be to deceive the malware by redirecting the traffic to a honeypot while containing the incident at the same time.

There are also modular Python frameworks that can assist you with decoding the traffic, such as Dshell, developed by the U.S. Army Research Laboratory, and ChopShop, developed by MITRE. Although these tools are great for rapidly decoding traffic, they only provide the basics for working with C&C traffic. Another approach would be to analyze the malware that caused the traffic. This requires basic malware reverse engineering capabilities.

Before you can start analyzing a sample, you must first obtain a sample from a compromised host. Regardless, you should build a list of compromised hosts based on the initial detection of the C&Cs and pivot through the indicators when shifting from analysis to the containment phase of incident response.

Using Threat Intelligence to Detect C&C Traffic

You can detect C&C traffic in your log sources by using threat intelligence that is either produced by your own team or that you receive via threat sharing groups. This intelligence will contain, among other information, the indicators and patterns that you should look for in the logs. A very practical approach would be to verify the presence of these indicators in your proxy, DNS or other log sources.

Another approach is to create statistics on the information in your log sources and search for anomalies and temporal correlations. Things to look for include:

  • Direct IP connections, typically for malware that doesn’t make use of DNS;
  • Web requests with an unusual HTTP protocol version;
  • User agents that are not commonly used in your organization. Do not blindly trust user agent information, however, since this can easily be crafted;
  • Excessive size or a repeating pattern in the size of HTTP requests;
  • Persistent connections to HTTP servers on the internet, even outside regular office hours;
  • Repeated requests for the same web resource, possibly on different domains, with a similar parameter format;
  • Requests to a social network site outside regular office hours. Attackers can encode their commands textually in a page on a social network and present them like legitimate messages;
  • Alerts on DNS queries for domains that have only recently been registered;
  • DNS responses that have a very low time to live (TTL);
  • Repeated requests for domains belonging to a dynamic DNS service or requests for URL shortener domains;
  • Statistics for DNS queries on the fully qualified domain name (FQDN), focusing on the second-level domain. Be aware that this can also generate lots of false positives due to content delivery networks (CDNs);
  • Netflow statistics for workstations that establish a high number of connections or flows; and
  • Firewall log entries indicating outbound IRC or P2P traffic.
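The statistics in this list, together with the beacon pattern described earlier, applied to proxy logs in Python. This is an added example, not code from the original post. The log format is a constructed pipe-delimited layout (timestamp, client, method, URL, status, user agent) rather than any product’s real format, the threshold values are assumptions, and the log lines come from build_sample(), which constructs two ordinary users and one host beaconing to an IP literal every five minutes after hours.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log layout (not a real product's format):
#   ISO timestamp | client IP | method | URL | status | user agent


def parse_line(line: str) -> dict:
    ts, client, method, url, status, ua = line.rstrip("\n").split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": urlsplit(url).hostname or "", "status": int(status), "ua": ua}


def is_ip_literal(host: str) -> bool:
    """True when the destination was reached by IP, i.e. without a DNS lookup."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt(lines, min_hits=6, max_cv=0.15, rare_ua_clients=1):
    """Per (client, host) findings: periodic traffic, direct IP, rare user agent,
    off-hours only. Thresholds are assumptions to tune on your own baseline."""
    events = [parse_line(l) for l in lines if l.strip()]
    ua_clients = defaultdict(set)           # org-wide: which clients use each UA
    for e in events:
        ua_clients[e["ua"]].add(e["client"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e)
    findings = {}
    for (client, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        reasons = []
        # Beaconing: many requests whose inter-arrival times barely vary
        # (coefficient of variation = stdev / mean close to zero).
        if len(evs) >= min_hits and len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            if cv <= max_cv:
                reasons.append("periodic (cv=%.2f, every ~%ds)" % (cv, statistics.mean(gaps)))
        if is_ip_literal(host):
            reasons.append("direct IP, no DNS")
        rare = {e["ua"] for e in evs if len(ua_clients[e["ua"]]) <= rare_ua_clients}
        if rare:
            reasons.append("rare user agent: " + ", ".join(sorted(rare)))
        off = sum(1 for e in evs if e["ts"].hour < 7 or e["ts"].hour >= 20)
        if off and off == len(evs):
            reasons.append("all requests outside office hours")
        if reasons:
            findings[(client, host)] = reasons
    return findings


def build_sample():
    """Constructed log: two ordinary users plus one host beaconing to an IP literal."""
    lines = []
    ua_ok = "Mozilla/5.0 (Windows NT 10.0) Chrome/72.0"
    hosts = ["www.example.com", "cdn.example.net", "mail.example.org"]
    t0 = datetime(2019, 3, 12, 9, 0, 0)
    for client, offsets in (("10.0.0.5", [0, 17, 95, 130, 300, 1200, 1260]),
                            ("10.0.0.6", [40, 41, 600, 2500, 2520, 4000])):
        for i, off in enumerate(offsets):      # irregular gaps, shared UA
            lines.append("|".join([(t0 + timedelta(seconds=off)).isoformat(), client,
                                   "GET", "http://%s/index.html" % hosts[i % 3],
                                   "200", ua_ok]))
    t = datetime(2019, 3, 12, 22, 0, 0)
    for i in range(12):                        # every 300 s, one second of jitter
        lines.append("|".join([t.isoformat(), "10.0.0.7", "POST",
                               "http://203.0.113.45/gate.php?id=7", "200",
                               "Mozilla/4.0 (compatible; MSIE 6.0)"]))
        t += timedelta(seconds=300 + (i % 3) - 1)
    return lines


if __name__ == "__main__":
    for (client, host), reasons in hunt(build_sample()).items():
        print("%s -> %s" % (client, host))
        for r in reasons:
            print("    ", r)
```

Only the beaconing host is reported, with all four reasons attached, while the two users browsing known hosts at irregular times with the organization’s common browser produce nothing. On real logs the four signals rarely line up this neatly; the point of scoring each (client, host) pair on several weak indicators is that a single one, such as an odd user agent, is a lead to pivot on rather than a verdict.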

Detecting C&C traffic can be a complex problem to tackle if you don’t have proper log collection and correlation tools. Once you have those, you can start using the results from your own analysis and the information received from peers to hunt down previously undetected malware incidents based on C&C traffic and indicators.

The post How to Leverage Log Services to Analyze C&C Traffic appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Koen Van Impe