Reactive approach. That’s what we’re used to. Ambulances, cops, investigations, usually occur after the fact, in reaction to an incident that has already occurred.
We have already learned that proactive is the way of the future. A hunter who knows what he’s looking for and looks into patterns of activity from collecting intelligence, as well as a dash of luck with educated hunches.
This is what makes Proactive organizations, like LIFARS, so gung-ho about the future. Our Incident Response (IR) team actively scans for patterns and proactively sets out ways to find a new incident. Once this happens, they start with an IR as usual, much like a Reactive organization.
To make the leap from a response team to a hunting team, a change in the ideology is required. So, too, are changes in technology, the mind-set, and subsequent procedures that come with it.
An Incident Response:
Good hunting is entirely pointless unless the team can successfully accomplish the mitigation, remediation, and the recovery phases effectively. If any of the above goes missing, it leads to a large incident load which will cripple your ability to respond effectively. Before setting out on the hunt, it is necessary to have all the tools and processes in place to respond in an effective manner.
Wide Ranging Telemetry:
A capable, good hunting team can get by with a basic indicator, like a simple IPv4 address, in many ways. The more options a team has in obtaining telemetry or data, the better the chances of them identifying and corroborating malicious actions proactively. Good teams always have a plethora of technologies at hand to identify various activities that can be flagged in different ways. For instance, an IPv4 address is useful for:
- Application logs: Such as VPN, Email Server or custom internal apps that an attacker might mark as a target.
- Network Traffic: Traffic detailing and analysis is ideal and oftentimes essential for a long running historical investigation.
- Endpoint Logs: Getting data delivered to the clients directly makes correlating internal activity possible, lateral movement for instance.
Scalability & Automation
Here’s the tricky part about hunting. If you set out to prove a true negative, wherein you’re trying to prove that there is something that actually isn’t bad, it would prove to be an impossible task. This is because it is impossible to definitively prove a true negative. That just means you haven’t dug deep enough to find any flaws within it. A good way of circumventing this problem is by hunting with a wide net and doing so effectively. Scalability and automation in tandem, helps in a long way. The capacity to deploy, run, and collect all forms of data would have to be managed centrally and programmatically.
Hunting, a necessity for the future or a myth?
In some organizations which practice the reactive approach and have stuck to their guns while at it, hunting is proclaimed to be almost mythical. Impossible. Others, like LIFARS, live by it. It is essentially, a frame of mind. An idea of getting things done proactively, rather than a response in reaction. If this is captured in a bottle by your organization, as well, and embraced in the right way, it may change the entire cybersecurity posture of your organization and the way it works. It just may be where we are all headed anyway.