Instead of sitting back passively and waiting for cyber attackers to set off alarms, organisations should be pursuing them like a cheetah hunting for its next meal. We know the attackers are out there – they are perpetually trying to break in, and many are succeeding.
The challenge is to start hunting them to find the shreds of evidence they invariably leave behind. First an organisation needs to build a hunting team. Team members should be knowledgeable about the internals of the operating systems (OS) found on their endpoints. The OS will usually be Microsoft Windows, but also Apple Mac OS and perhaps Linux. Threat hunters need to know how these operating systems work at a detailed level, including the following:
- OS process tree structure
- Files used by the OS
- Registry used by the OS (Windows only)
Expertise at this level of detail is important because malware operates within these domains and makes subtle changes to the OS. Threat hunters need to understand what to look for and what ‘normal’ looks like at the business application and human‐activity level — it’s not just about packets on the network and processes in the OS, so anomalies will be more apparent. Those anomalies are the primary sign that malware is lurking on endpoints.
Making the time to threat hunt
It might be necessary to carve out time from the work schedules of existing staff for threat hunting. Depending on an organisation’s size, the time spent threat hunting may vary. In part, it depends a lot on security posture and risk tolerance.
Start with two to four man/hours a week dedicated to hunting. When the results emerge, adjust as needed. It is important to see early results from hunts, to show a return on the time investment…Click HERE to read full article.