Security hunting describes the stealthy approach of security experts who ever-so-meticulously seek traces of attacker activities within the organization, acknowledging that the adversary is through perimeter barriers and is already inside performing malicious activities. Security hunters do not wait for the detection alert or indication of compromise triggered by trusted security tools – for then it might be too late. Cunningly, they look for suspicious activities within the organization – unusual, curious, abnormal movements, unfamiliar tools, out-of-sequence actions – that could portend a breach of valuable data and other digital assets.
Proficient security hunters are hard to find. Beyond the necessary personal characteristics, they must understand the organization – including its total IT environment – and what constitutes normal processes and activities. Only then can a hunter set sights on detecting and thwarting security abnormalities.
Security hunters attempt to understand the activities of attackers, painstakingly exploring methods and techniques, and carefully tracking the tiniest footprints. They collect many types of lengthy event logs from network components, systems and assets – such as firewalls, routers and endpoints – and apply a wide variety of queries and searches to the immense volume of collected data. As today’s attacks are often highly sophisticated and quite clever, requiring the piecing together of clues from a wide variety of sources, the hunt is laborious and time-consuming.
To expedite hunting efforts, organizations try to put in place processes and tools that automatically perform some of the arduous work in the hunt for attackers. These can be sets of queries combined with endpoint process-checking and other devices extracted from the hunter’s experience. For scaling – as the volume of attacks is always on the increase – hunters in large organizations attempt to automate many of their more routine activities.
However, identifying and tracking attackers is only half the job. Effective hunting also requires the ability to trap the perpetrator and, once found – to remove it and its danger to the organization’s digital assets. Hunters can achieve much better results by combining tracking with trapping to find and eradicate the attack rapidly and completely.
Today, there are a great many detection (identification and tracking) tools. However, there is not enough emphasis on trapping, resulting in a lack of effective trapping tools and techniques. When implemented well, deception can automate and scale the hunting process, accurately identifying and tracking attackers, and trapping them to protect valuable assets while reducing valuable human resources in this never-ending competition of wits.
Effective deception makes use of two major components: decoys and traps. Located inside the organization’s network, decoys – false endpoints, web servers, database servers, etc. – mimic the behavior of actual assets in the IT environment. Traps, the second component, are planted on assets to lure the attackers into accessing the decoys. Traps come in the form of registry keys, files, emails, cookies, etc.
When hunting, it is vital to place decoys where they are likely to be found by attackers. Likewise, traps should be placed on the assets that are most likely to be infected or that are on the natural trail of attackers making their way toward valuable information. Advanced deception methods use traffic analysis and asset profiling in order to identify network vulnerabilities and strategically place decoys and traps around sensitive and valuable assets.
The more advanced deception platforms combine tracking and trapping capabilities. This combination of deception (trapping) and network analysis (tracking) results in much faster and more accurate threat detection.
Deception enables the organization to thwart attacks even if it is lacking experienced hunters. On its own, deception will do an admirable job automating the defense of digital assets. In the hands of an experienced hunter, deception becomes the ultimate lethal defense.