Thinking like an adversary
Impersonating an attacker helps a hunter understand how cyber adversaries would act in the context of a specific organization and its operational objectives. For example, a cyber operation against a cloud-based software development company with 5K employees would not be carried out the same way as one against a hardware SMB. To examine possible operation methods, a threat hunter should hypothesize specific Tactics, Techniques, and Procedures (TTPs), understand how these TTPs would appear in specific organizational data sources, and search for them.
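The hypothesize-map-search loop described above, as an added example that is not part of the original text: each hypothesis names the TTP, the organizational data source in which it would leave traces, and a predicate that searches that source. The two hypotheses, the telemetry field names and every log record are constructed for illustration; the second hypothesis is deliberately specific to a software development company, where a CI service account logging on interactively is out of character.

```python
"""Hypothesis-driven hunting: each hypothesis names a TTP, the data source in
which that TTP would leave traces, and a predicate that searches it.
Added example, not from the original page; all records are constructed."""
from dataclasses import dataclass
from typing import Callable

# Constructed telemetry. Field names are assumed, not a real product schema.
PROCESS_EVENTS = [
    {"host": "ws-003", "user": "jdoe", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-003", "user": "jdoe", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws-011", "user": "asmith", "parent": "excel.exe", "image": "cmd.exe"},
    {"host": "build-01", "user": "svc-ci", "parent": "runner.exe", "image": "python.exe"},
]
AUTH_EVENTS = [
    {"host": "build-01", "user": "svc-ci", "logon_type": "service"},
    {"host": "ws-011", "user": "svc-ci", "logon_type": "interactive"},
    {"host": "ws-003", "user": "jdoe", "logon_type": "interactive"},
]
SOURCES = {"process_creation": PROCESS_EVENTS, "authentication": AUTH_EVENTS}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Hypothesis:
    name: str
    data_source: str                    # which source the TTP should surface in
    predicate: Callable[[dict], bool]   # what the TTP looks like in that source


def office_spawns_interpreter(event: dict) -> bool:
    """A document viewer launching a script host: the trace a macro-based
    initial-access attempt typically leaves in process-creation telemetry."""
    return event["parent"] in OFFICE_APPS and event["image"] in INTERPRETERS


def ci_account_interactive_logon(event: dict) -> bool:
    """Organization-specific hypothesis for a software company: a CI service
    account should never log on interactively, so any such logon is worth a look."""
    return event["user"].startswith("svc-") and event["logon_type"] == "interactive"


HYPOTHESES = [
    Hypothesis("office-app-spawns-interpreter", "process_creation", office_spawns_interpreter),
    Hypothesis("ci-service-account-interactive-logon", "authentication", ci_account_interactive_logon),
]


def run_hunt(hypotheses, sources):
    """Search each hypothesis against its own data source; return hits by hypothesis."""
    findings = {}
    for h in hypotheses:
        events = sources.get(h.data_source, [])   # missing source: no hits, not an error
        findings[h.name] = [e for e in events if h.predicate(e)]
    return findings


def hosts_to_triage(findings):
    """Collapse hits into the sorted set of hosts a hunter should look at first."""
    return sorted({e["host"] for hits in findings.values() for e in hits})


if __name__ == "__main__":
    results = run_hunt(HYPOTHESES, SOURCES)
    for name, hits in results.items():
        print(f"{name}: {len(hits)} hit(s)")
    print("triage:", hosts_to_triage(results))
```

On the constructed data the Office-to-interpreter hypothesis fires on two hosts and the CI-account hypothesis on one, and the two overlap on ws-011, which is the kind of convergence that moves a host to the top of the triage list. The value of the structure is that a hypothesis that has no matching data source in a given organization simply returns nothing, which tells the hunter a collection gap exists before any searching is done.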
Examining known attack behaviors
Although hundreds of organizational cyberattacks are discovered every day, “traditional” security products do not address or document the TTPs that attackers commonly use; they focus on IOCs. Another threat hunting investigation method is to look at published attacks and research the attack behaviors in depth. From there, a good threat hunter builds powerful new attack hypotheses, relying on newly discovered attack behaviors and techniques.
Hunting anomalies in known environments
Cyberattackers’ activity is inherently different from that of employees and insiders, because they have different goals. This means that they will always leave traces. Threat hunters can find those traces by using statistical outlier algorithms. For example, in an environment with thousands of benign endpoints and only a few that are compromised, specific activities will immediately stand out as anomalous in a statistical analysis. From there, the hard work is understanding whether these anomalies represent malicious activity or not. An experienced hunter will enrich the statistical analysis with relevant features, differentiators and labels to raise its efficiency.
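An added example of the outlier hunt described above, not taken from the original page: per-endpoint activity counts are scored with a modified z-score (median and median absolute deviation, which a single compromised host cannot skew the way a mean and standard deviation can), and the same scoring is then run once more with a role label as the peer group. The 23 endpoints, their feature counts, the planted compromise on ws-017 and the role labels are all constructed.

```python
"""Statistical outlier hunting over per-endpoint features, with and without
peer-group labels. Added example, not from the original page; all endpoint
data below is constructed."""
import statistics

MAD_CONSISTENCY = 1.4826   # scales MAD to the std. dev. of a normal distribution
THRESHOLD = 3.5            # common cut-off for a modified z-score


def build_endpoints():
    """Constructed 24-hour feature counts: 20 workstations, 3 build servers.
    ws-017 is the planted compromise; build servers are noisy by design."""
    hosts = {}
    for i in range(1, 21):
        hosts[f"ws-{i:03d}"] = {"role": "workstation", "features": {
            "distinct_dst_ports": 5 + i % 4,
            "new_processes": 10 + i % 5,
            "failed_logons": i % 2,
        }}
    hosts["ws-017"]["features"] = {"distinct_dst_ports": 95,
                                   "new_processes": 60, "failed_logons": 40}
    for name, ports, procs, fails in [("build-01", 80, 300, 0),
                                      ("build-02", 85, 320, 1),
                                      ("build-03", 90, 310, 0)]:
        hosts[name] = {"role": "build-server", "features": {
            "distinct_dst_ports": ports, "new_processes": procs, "failed_logons": fails}}
    return hosts


def robust_z(values):
    """Modified z-score: (x - median) / (1.4826 * MAD)."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = MAD_CONSISTENCY * mad if mad else 1.0   # constant column: use raw deviation
    return [(v - med) / scale for v in values]


def score_group(group):
    """group: {host: feature dict}. Returns {host: max |z| across all features}."""
    names = list(group)
    features = sorted({f for feats in group.values() for f in feats})
    scores = {h: 0.0 for h in names}
    for f in features:
        zs = robust_z([group[h].get(f, 0) for h in names])
        for h, z in zip(names, zs):
            scores[h] = max(scores[h], abs(z))
    return scores


def flag_outliers(hosts, peer_group=None, threshold=THRESHOLD):
    """Flag hosts whose score exceeds threshold. peer_group(record) -> label
    restricts the comparison to hosts sharing that label (e.g. their role)."""
    groups = {}
    for name, rec in hosts.items():
        key = peer_group(rec) if peer_group else "all"
        groups.setdefault(key, {})[name] = rec["features"]
    flagged = {}
    for members in groups.values():
        for host, s in score_group(members).items():
            if s > threshold:
                flagged[host] = round(s, 1)
    return flagged


if __name__ == "__main__":
    hosts = build_endpoints()
    print("no labels:", flag_outliers(hosts))
    print("by role:  ", flag_outliers(hosts, peer_group=lambda r: r["role"]))
```

Without labels the three build servers are flagged alongside ws-017, because their normal network and process activity is far from the workstation median; with the role label as peer group they are compared only with each other and drop out, leaving the compromised workstation as the sole outlier. That is the "differentiators and labels" step in the paragraph above: the label does not change the algorithm, it changes what counts as a peer, and that is what turns a list of anomalies into a list worth investigating.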
A New Chapter in Threat Detection & Response
New Threat Detection and Response solutions push beyond the single point, and rise above data noise
To detect threats rapidly and respond effectively, enterprises today need a threat detection and response solution that:
- Expedites response time
- Provides SOC teams with concrete findings