
Make the pre-emptive strike against cyberattacks with threat hunting

23 Jul 18

Enterprise organisations up to speed on the current cyber threat landscape know that it’s not a matter of if they will be breached, but when.

Most solutions available in the market are reactive point solutions, and companies are increasingly looking for a proactive approach that can stop attacks before damage is done.

In a 2018 survey of 461 cybersecurity professionals, Crowd Research Partners found that respondents spent far more of their time reactively investigating security incidents, for example through alert triage (60% of their time), than proactively seeking out threats (only 40%).

As such, organisations with mature security operations are starting to implement formalised threat hunting teams.

Threat hunting starts with the assumption that bad actors have already breached perimeter defences and are operating inside the environment.

The goal is to proactively detect malicious activity by forming hypotheses about how attackers may have penetrated defences, which systems are compromised, and what data they may have accessed.

In practice, however, hunting is hard to execute without the ability to mine network traffic and return useful results within a realistic timeframe.

Accurate, current data is critical for detecting and disrupting active attack activity.

Real-time network traffic analytics (NTA) can generate authoritative, indexed and complete data to serve as a trusted source of information and a high-fidelity starting point for threat hunting. With a high-confidence indicator that malicious actors are active, hunters can “pull the thread” to uncover related activities, intended activities, and opportunities for interception and containment.

The challenge today has been gaining real-time visibility into post-compromise or late-stage attack activities. Attackers have bypassed (and usually deactivated) endpoint detections and hidden their actions within normal-looking traffic to pass through firewalls without triggering alerts. Alerts from IDS/IPS and SIEMs arrive too late, or are buried in too much noise, to get attention. Threat hunters now have another option, however, for gaining visibility and starting points for their hunting based on observed network activity.

ExtraHop Reveal(x) collects raw network traffic and mines it in real time at 100 Gbps per appliance, automatically discovering client and server assets and distilling petabytes of traffic per day into manageable, meaningful, structured and indexed data.

The ExtraHop platform performs two critical roles in threat hunting: automated threat detection and active hunting by security operators.

The real-time approach feeds advanced behavioural analytics that produce high-confidence detections. These findings are based on authoritative network data, and they link directly to the transaction records and relationships that allow security teams to find and explore suspicious activity and behaviours efficiently and promptly. It also immediately surfaces irregularities that hunters will judge worth investigating. Optional matching against external threat intelligence lets hunters draw on industry research into known and emerging threat indicators.

The comprehensive dataset created by the ExtraHop platform is available to security operators in an intuitive, visual user interface with a flexible workflow, allowing different teams or individuals to optimise the platform according to their needs.

This intuitive user interface also has a low learning curve, allowing new operators to be effective in a short period of time with minimal training, especially valuable to security teams with high turnover rates.

Automated threat detection

ExtraHop Reveal(x) uses machine learning to continuously monitor all critical assets for security anomalies. These behaviour-based alerts do not require any configuration by security teams.

The ExtraHop platform builds baselines for new devices as soon as they are discovered by the system, providing continuous and complete coverage for dynamic environments.

Automatic anomaly detection provides security teams with a better understanding of what is abnormal in an environment, even if they may not have deep familiarity with specific applications.

These anomalies serve as effective starting points for incident investigation: they include context to help staff judge the severity of the event, and they provide paths that lead an operator into the detailed metrics and transactions which characterise the anomaly.

Active hunting

Security teams also use ExtraHop as an interactive detection platform on networks suspected of being actively compromised, or of harbouring payloads associated with advanced persistent threats.

Data analysed by Reveal(x) can be explored using natural-language search to uncover asset types, groups, user activities, IP interactions, and the other relationships and pivot points that hunters commonly use. In addition, the live activity map shows relationships between devices. Various metrics and time-based searches also help hunters track down and contextualise suspicious events as part of the attack sequence.
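The two capabilities described above, baselining each device from the moment it is first seen and then pivoting from an anomaly to the related records, can be shown on a handful of network transaction records. The following is an added illustration written for this article, not ExtraHop's own detection logic: the record format, the warm-up length of five observations, the z-score threshold and the pivot window are all assumptions, and the records themselves are constructed.

```python
"""Per-device behavioural baselining over network transaction records,
then pivoting from an anomaly to the records a hunter would "pull the
thread" on. Illustrative code only; the record format, thresholds and
sample data are assumptions constructed for this example."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Record = namedtuple("Record", "ts src dst dst_port bytes_out")
Anomaly = namedtuple("Anomaly", "record reasons")

WARMUP = 5         # observations learned before a device is scored (assumed)
Z_THRESHOLD = 3.0  # bytes_out z-score above which a transfer is abnormal (assumed)
BASE = 1000        # constructed start time, in seconds

# Constructed sample records, not captured traffic.
SAMPLE = [
    # 10.0.1.5 talks to an internal web app on 443, a few KB per transaction.
    Record(BASE + 60 * i, "10.0.1.5", "10.0.2.10", 443, 1800 + 150 * (i % 4))
    for i in range(8)
] + [
    # 10.0.1.6 is first seen part-way through; its baseline starts on first sight.
    Record(BASE + 30 + 60 * i, "10.0.1.6", "10.0.2.10", 443, 2100 + 100 * (i % 3))
    for i in range(7)
] + [
    # A port this host has never used, carrying orders of magnitude more data.
    Record(BASE + 480, "10.0.1.5", "10.0.9.9", 4444, 48_000_000),
    # Within the pivot window, the same peer reaches a second internal host.
    Record(BASE + 525, "10.0.9.9", "10.0.1.7", 445, 3000),
    # Unrelated background traffic outside the thread.
    Record(BASE + 1200, "10.0.1.6", "10.0.2.10", 443, 2200),
]


class DeviceBaseline:
    """What one source host normally does: ports it talks to and bytes it sends."""

    def __init__(self):
        self.bytes_out = []
        self.ports = set()

    def ready(self):
        return len(self.bytes_out) >= WARMUP

    def learn(self, rec):
        self.bytes_out.append(rec.bytes_out)
        self.ports.add(rec.dst_port)

    def score(self, rec):
        """Return human-readable reasons the record deviates from the baseline."""
        reasons = []
        if rec.dst_port not in self.ports:
            reasons.append(f"port {rec.dst_port} never seen from this host")
        mu, sd = mean(self.bytes_out), pstdev(self.bytes_out)
        # If every baseline value was identical, any larger transfer is abnormal.
        z = (rec.bytes_out - mu) / sd if sd else (float("inf") if rec.bytes_out > mu else 0.0)
        if z > Z_THRESHOLD:
            reasons.append(f"bytes_out {rec.bytes_out} is {z:.1f} sd above baseline mean {mu:.0f}")
        return reasons


def hunt(records):
    """Stream records in time order; baseline each new source host on first sight,
    score it once warmed up, and return the anomalies with their context."""
    baselines = defaultdict(DeviceBaseline)
    anomalies = []
    for rec in sorted(records, key=lambda r: r.ts):
        baseline = baselines[rec.src]  # a new device gets a baseline immediately
        reasons = baseline.score(rec) if baseline.ready() else []
        if reasons:
            anomalies.append(Anomaly(rec, reasons))
        else:
            # Anomalous records are kept out of the baseline so a single burst
            # cannot teach the model that the burst is normal.
            baseline.learn(rec)
    return anomalies


def pull_the_thread(records, anomaly, window=600):
    """Pivot from an anomaly to nearby records: what else the host did, and
    who else the suspicious peer touched, within +/- window seconds."""
    rec = anomaly.record
    near = [r for r in records if r is not rec and abs(r.ts - rec.ts) <= window]
    return {
        "host": [r for r in near if rec.src in (r.src, r.dst)],
        "peer": [r for r in near if rec.dst in (r.src, r.dst)],
    }


if __name__ == "__main__":
    for a in hunt(SAMPLE):
        print(a.record, "->", "; ".join(a.reasons))
        for kind, recs in pull_the_thread(SAMPLE, a).items():
            print(f"  {kind}: {len(recs)} related record(s)")
```

The first-sight baseline is what keeps a newly discovered device from being a blind spot, and withholding anomalous records from the baseline is the simplest defence against a baseline being taught that the attacker's traffic is normal. The "peer" pivot is the step a hunter takes next: the anomalous transfer is the indicator, and the peer's other connections are the thread.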

Threat hunting is an emerging practice born out of the need to detect more sophisticated threats that evade perimeter defences and passive monitoring. Wire data is an unbiased, real-time source of situational intelligence that has not previously been available to cyber protection teams. The ExtraHop platform unlocks the value of wire data and greatly increases the level of visibility available to threat hunting efforts.

You can see the interface below: