Insight by LookingGlass

The next chapter in cybersecurity: Advanced threat hunting

Cybersecurity threats at one time came barging in through the front door. Adversaries might be stealthy, in wanting to plant, say, an advanced persistent threat. The point is they produced evidence of their presence. The trick was to find those footprints before they got too far.

Now things are more complicated. That evidence of compromise – what Ronald Nielson, the executive vice president of LookingGlass calls “residue” – may not always be present. Its absence adds to the skills and techniques needed in an effective cybersecurity program.

“In technology, we utilize forensic data. We look at past exploits, and then what I call residue,” Nielson said.

But there’s a big exception, he added. “When you have a really good adversary, they try to clean up after themselves, right? They’re almost better at management and efficiencies than some of our IT teams. They may compromise your system, and you not know it,” Nielson said.

Therefore in some forms of attack there is no residue left in the first place. Referring to the now-famous Solar Winds breach, Nielson explained, “The intrusion didn’t involve malware. It involved intelligence gathering capabilities in the exfiltration, or the collection of intelligence information, by the adversary.”

In such cases, if there is residue, it’s not in a piece of code or an altered setting but rather in the phenomenon of a large quantity of data going to a particular place. Nielson said that standard tools instrumented on agency networks often cannot detect this type of exfiltration or this type of user anomaly.

What you’re looking for “is not digital, like hacker tool residue,” Nielson said. It might be supply chain that has information on attackers’ intentions, their capabilities, and their targeting. “Further, he added, “some of the adversaries actually sell their access. These are not what I call on-net indicators. These are off net. They’re not on your network, but they’re occurring in the digital information space. They can be discoverable.”

Key to discovering and dealing with these emerging forms of cybersecurity threats, according to Nielson, is an updated form of threat hunting. He emphasized, it’s important to understand you can deal with such attacks before data is lost or held for ransom.

He recommends organizations “start instrumenting what I would say is digital intelligence, and present it to the mission operations teams. So they can use it for awareness. They can use it in actually having indicators that they are not seeing yet” with conventional tools. Nielson says off network indicators can reveal the intentions of groups such as Russian hackers.

“We have data, we have indicators, again, not technical ones, but indications that a group wants to hack into healthcare, or they want to hack into the oil and gas industry or water treatment, Nielson said. “And we know they have a motive and an intention.”

Couple that with knowledge of their tools, tactics and capabilities – their tradecraft – and an agency’s defenders can build a picture of what to expect and therefore be ready to prevent a low- or non-residue attack. Said Nielson, “We need to mature this digital preemptive forensic intelligence and then reapply it to our hunting mission on network.”

Third parties that specialize in internet threat hunting can augment an agency’s own work. Neilson said that LookingGlass, for example, monitors basically every internet connection in its intelligence gathering. For their part, agencies will need to continue to look for residue as well. That will become a more challenging exercise as adversaries become more skilled at covering their tracks. Nielson said it will require machine learning and artificial intelligence tools applied to the various data sets acquired by network devices and cyber tools.

 

The concept of threat hunting, initially, was founded on taking this residue (indicators of compromise, malware, etc.) and ensuring that any of those indicators found in your system were something you'd pursue. They had presence and you needed to find them and root them out. But adversaries have changed...and modified their attacks. [With a lot of the recent cyber attacks] there was no residue, no forensic data and hunting in those environments was blind hunting, which doesn't work well. We have to modify threat hunt now and mature it.

Featured speakers

  • Ronald Nielson

    Executive Vice President, LookingGlass

  • Tom Temin

    Host, The Federal Drive, Federal News Network

Sign up for breaking news alerts