[et_pb_section fb_built=”1″ _builder_version=”4.4.8″][et_pb_row _builder_version=”4.4.8″][et_pb_column type=”4_4″ _builder_version=”4.4.8″][et_pb_text _builder_version=”4.7.0″ header_2_font=”|600|||||||” header_2_line_height=”1.3em” header_3_line_height=”1.2em”]<\/p>\n
For most enterprise security staff, the answer is b\u0000\u001cHmmm, not sure if thatb\u0000\u0019s for me<\/i>b\u0000\u001d. Itb\u0000\u0019s true that threat hunting is a bit daunting: <\/p>\n
What goals am I going to achieve? <\/i>
What will I do if I actually find an adversary? <\/i>
Do I have the skills needed? Isnb\u0000\u0019t this just going to generate more work and b\u0000\u001cissuesb\u0000\u001d to track down?<\/i>\n <\/p>\n
A recommended approach is to start with limited, clear objectives b\u0000\u0013 ones that you really canb\u0000\u0019t ignore. <\/p>\n
Our first example:<\/b> Post-compromise.
Hereb\u0000\u0019s the scenario: <\/b>you identify the endpoints that have malware on them and you remediate them. But you have no idea if the adversary has established additional footholds within your network.
Since b\u0000\u001cHope is not a strategy<\/i>b\u0000\u001d, you should initiate an active response to try and find him.\n<\/p>\n
Hunting boils down to two steps:<\/p>\n
In our particular case, the hypothesis is b\u0000\u001cThe adversary has compromised additional endpoints using tactics similar to what we saw with the one we found.b\u0000\u001d To test this theory, we can use Deception to deploy assets that are likely to trick the adversary into trying those same tactics on the fake assets. If he does, web\u0000\u0019ll have exposed him.\n<\/p>\n
An Acalvio customer did exactly this in early 2020. They identified and mitigated an infected endpoint, which they determined was compromised via SMBv1. They then deployed a number of fake decoys with SMBv1 enabled (which was a rare configuration in this network). Sure enough: multiple compromised endpoints took the bait and attempted to compromise the decoys, revealing their positions. This made it easy to isolate and mitigate them.<\/p>\n
We should note that this is a much better approach than traditional threat hunting, which uses passive techniques such as log analysis and correlation to test the hypothesis. Itb\u0000\u0019s faster, easier, and more effective.<\/p>\n