The practice of threat hunting is rapidly becoming a critical function for security operations teams. In fact, the practice has evolved from being used by only the most sophisticated security teams and is now becoming standard practice in most SOCs. Going out to find threats and attackers is a great complement to existing detection-based security.
While conventional hunters gear up with rifles, bows, or other weapons, cyber threat hunters flush out their prey with a different set of tools: scanners, sniffers, and detectors that can find threats inside their networks that may have snuck past the first line of defense. Finding these attackers is key, but the game starts to change when the hunter goes outside the perimeter in search of threats in the wild.
Hunting in the wild is important for developing broader threat intelligence. It allows organizations to see the kinds of tools they are likely to face, understand the latest techniques that will be used against them, and hear about recent or upcoming attacks against their organization. It also involves engaging with attackers on their territory, meaning that hunters need to hang out in their chat rooms, participate in their forums, converse on their messaging channels, and infiltrate their private groups.
Investigating nefarious actors online can be dangerous, as the places hunters go are likely to be full of malware and people actively monitoring for outsiders. Hunters also face new kinds of threats once outside their home territory. As a result, hunting in this environment requires some additional tools: camouflage and body armor.
One risk facing hunters is the potential for picking up malware and introducing it into their home networks. They must take great care to ensure that any sites they visit don’t infect their computers. At the same time, they may be intentionally downloading dangerous payloads for analysis, and if those get loose they could do significant damage. Hunters need to armor up against this kind of threat to protect their internal infrastructure.
There is also the more subtle danger of being seen and identified while hunting in the wild. When that happens, the hunted may try to turn the tables on the hunters. The first response upon detecting a hunter in their territory is to ban them. It is easy to boot people from chat rooms, block them from websites, or cancel accounts. Once this has been done, the hunter loses access to the threat information they needed, and must start again to regain access to these locations.
More aggressive responses can involve counter-attacks. The attackers may try to ‘hack back’ directly against the hunter, or worse, they may uncover enough about the hunter to punish their organization by launching a DDoS against their website, sending phishing emails to everyone in an organization, or collecting and releasing embarrassing documents. However, if the hunter is properly camouflaged, they will avoid being detected as a hunter at all, and can prevent retaliation against their organization.
Hackers who have detected a hunter can also engage in misinformation. This kind of activity is the hardest to detect. Rather than preventing access to all information, the hacker can provide limited or different information to the hunter. This could include disguising parts of a website, making certain links disappear, or excluding the latest and greatest exploits from lists of tools. This kind of misinformation activity is already in use commercially against competitors and is widely available to attackers.
The camouflage and body armor for hunters do not need to be complicated or unwieldy, but they must provide a few key capabilities.
The hunter’s armor needs to provide effective malware resistance and isolation. Any dangerous code downloaded either intentionally or accidentally must be isolated from the organization’s sensitive data and infrastructure. This can be accomplished using dedicated devices and separate networks, but it is much easier to do with virtualization and VPNs. The key is to ensure that the environment exposed to the hostile environment is separated from vulnerable systems at both the operating system and network level.
Effective camouflage for hunters must protect against three forms of identification. First, they must hide the organization’s IP address. Corporate IP addresses can be quickly associated with the organization, but even other IPs can be a problem. A coffee shop in the company’s building will quickly become associated with that company, and a fixed IP address used for hunting will soon become known to hackers and treated accordingly. IP addresses should be geographically remote from the hunter’s real location, change frequently, and ideally be used by other people for other purposes.
Second, camouflage should also address all the various kinds of digital trackers. Web cookies and super-cookies, account names, and email addresses can all make it easy for the hackers to recognize a hunter when they visit. Some of these are easy to handle, but many require significant effort to remove. The most reliable way to eliminate trackers is to re-image the entire operating system between uses. Virtualization makes this much easier by allowing a system to be quickly destroyed and re-created from a known clean image.
Finally, hunters need to worry about their fingerprints. Browser and system fingerprints are almost unique, and can easily identify hunters each time they return. The cleaner and newer a system, the fewer identifying patterns have had time to develop. Using a standard virtual machine image will ensure that many other people on the internet have the exact same fingerprint as the hunter, making identification almost impossible.
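The IP address requirements above (not attributable to the organization or its surroundings, not reused, geographically remote) can be enforced as a gate before a session starts. This is an added example, not part of the original article; the function name, parameters, and all addresses are constructed for illustration, and it assumes the egress IP and its country are measured from inside the isolated environment and passed in.

```python
import ipaddress


def preflight_egress(egress_ip, attributable_nets, recent_egress_ips,
                     egress_country, home_country, max_reuse=0):
    """Return the reasons a hunting session must not start (empty list = go)."""
    problems = []
    ip = ipaddress.ip_address(egress_ip)

    # 1. The egress must not fall inside any range tied to the organization.
    #    This list should also hold nearby shared networks (for example the
    #    coffee shop in the same building), not just registered corporate space.
    for net in attributable_nets:
        if ip in ipaddress.ip_network(net):
            problems.append(f"{ip} is inside attributable range {net}")

    # 2. A fixed or repeatedly used address becomes known over time.
    reuse = sum(1 for old in recent_egress_ips
                if ipaddress.ip_address(old) == ip)
    if reuse > max_reuse:
        problems.append(f"{ip} already used in {reuse} recent session(s)")

    # 3. The egress should be geographically remote from the hunter.
    if egress_country.strip().upper() == home_country.strip().upper():
        problems.append(f"egress country {egress_country} matches home location")

    return problems


# Constructed sample data using documentation address ranges (RFC 5737).
ATTRIBUTABLE = ["203.0.113.0/24",     # corporate range (constructed)
                "198.51.100.16/28"]   # coffee shop in the building (constructed)
HISTORY = ["192.0.2.10", "192.0.2.55"]  # egress IPs of earlier sessions

if __name__ == "__main__":
    candidates = [("203.0.113.45", "US"), ("198.51.100.20", "US"),
                  ("192.0.2.10", "NL"), ("192.0.2.77", "NL")]
    for ip, country in candidates:
        issues = preflight_egress(ip, ATTRIBUTABLE, HISTORY, country, "US")
        print(ip, "OK" if not issues else "BLOCKED: " + "; ".join(issues))
```

Run the check from inside the disposable virtual machine after the VPN is up, and abort the session if the returned list is not empty.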
There is a tremendous amount of important threat intelligence outside the perimeter, but it can be very dangerous to collect it without proper preparation. In addition to the usual tools used for hunting sneaky attacks inside your network, those who hunt in the wild need tools to ensure that they will be anonymous and well protected. Before you leave home to go threat hunting, remember to put on your digital camouflage and body armor.