
Get in an Attacker’s Head with Behavior-Based Threat Hunting

This guest post was contributed by Shawn Kanady, Global Director of Threat Hunt, Trustwave


There are still many cyber threats that automated security alone cannot detect. Today's sophisticated threat actors can evade most endpoint detection and response (EDR) tools that rely on indicator of compromise (IOC) matching or low-fidelity detection rules. In fact, 82% of breaches start with phishing or other social engineering schemes that raise no alarms from traditional automated security tools.


This is where threat hunting comes in: not just any threat hunting, but an approach that can stay ahead of a constantly evolving adversary. It is a methodology that pairs advanced technology with the context and experience of human threat hunters, and it has uncovered 3x more threat findings that had previously gone undetected by EDR services.

For organizations and security teams working to innovate to keep up with the shifting security landscape, these are my recommendations for rethinking how you hunt.

Hunting for Indicators of Behavior (IOBs)

Traditional threat detection and prevention tools often rely on IOCs, but this is an after-the-fact approach: an IOC only provides guidance for countering an attack that has already been seen. IOCs alone cannot prevent an attack before it happens, nor predict what will happen if an organization changes its security processes.

Instead, consider using known threat actors' Tactics, Techniques, and Procedures (TTPs) to hunt for Indicators of Behavior. IOBs are necessary not only to add context to threats, but also to map behavioral similarities back to active and inactive cybercriminal groups to better anticipate a threat actor’s next move.

Building a more comprehensive picture of the threat landscape in this way makes it easier to proactively uncover zero-days, hunt for previously unknown security gaps, and identify hidden threats while providing actionable recommendations to mitigate risk to an organization. As new threat hunt findings are discovered, intelligence can be distributed globally to help security teams improve existing threat monitoring tools and services, creating a constant feedback loop to advance security operations and approaches.

Identifying Potential Insider Threats and Security Lapses

Threat hunt teams should employ human-led threat hunts that work around the clock, meticulously and continuously developing thousands of queries across multiple EDR technologies and mapping each of them to the MITRE ATT&CK framework. By running those queries through automation, teams can hunt for the IOBs of specific threat actors at scale, across all clients and a variety of supported EDR tools at one time.

This overhaul of the previous methodology also helps identify threats inside an organization's perimeter more quickly. While hunting for a targeted adversary, the same approach uncovers general security hygiene issues such as unsecured legacy systems, open ports, and human errors like passwords stored on workstations. Considering that 95% of cyberattacks result from some form of human error, security teams can't afford to focus on the threat actor's side of the equation alone.

Whether they stem from poor adherence to cybersecurity training by employees and leaders alike, or from an attack surface expanded by cloud integration and file migration, deep insight into the unintentional risks in a business's environment surfaces opportunities for compromise before an attacker can exploit them, and it informs the continual updates needed to future-proof the company's environment.

There will always be security breakdowns and lapses that are ready to be exploited. It's vital that a threat hunt captures those as well.

Detecting What Others May Miss

While it's good practice to look back historically to see whether a malware campaign affected you, doing so is not very proactive. An IOC is a known artifact of an attack that has already occurred, and it decays over time as the threat actor changes infrastructure, tooling and malware. A hunt focused solely on those IOCs is likely to miss the same bad actor using freshly re-skinned tooling.

Instead, human-led threat hunts based on IOBs can proactively find what others may be missing and discover net-new threats. For example, when our threat hunt team deployed a behavior-based hunt for the Conti ransomware gang and hunted for tactics specifically mapped to their threat profile, we discovered an unrelated Remote Access Trojan (RAT) that had been residing in the client’s network for 11 months.
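Two of the points above lend themselves to a small worked illustration: a query library mapped to ATT&CK techniques and selected by an actor profile, and a hash-based IOC list that has gone stale while the behaviour still matches. The Python below is an added example written for this post, not Trustwave's tooling; the event schema, the actor profile, the LSASS reader allow-list, the command lines and the hashes are all constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class HuntQuery:
    technique: str                 # MITRE ATT&CK technique ID the query is mapped to
    name: str
    match: Callable[[dict], bool]  # the behaviour itself, independent of file hash or C2 address

SYSTEM_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # illustrative allow-list

# Query library: each entry is one indicator of behaviour, keyed by ATT&CK technique.
QUERY_LIBRARY = [
    HuntQuery("T1059.001", "Office application spawning encoded PowerShell",
              lambda e: e["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"}
              and e["image"].lower() == "powershell.exe" and " -enc" in e["cmdline"].lower()),
    HuntQuery("T1003.001", "Unexpected process opening LSASS memory",
              lambda e: e.get("target") == "lsass.exe"
              and e["image"].lower() not in SYSTEM_LSASS_READERS),
    HuntQuery("T1053.005", "Scheduled task created from a command shell",
              lambda e: e["image"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()),
]
ACTOR_PROFILE = {"T1059.001", "T1003.001"}  # constructed profile, not any real group's TTPs
KNOWN_BAD_SHA256 = {"a" * 64}               # constructed, stale IOC list from an earlier campaign

def select_queries(profile: set[str]) -> list[HuntQuery]:
    """Pick the library queries whose technique appears in the actor profile."""
    return [q for q in QUERY_LIBRARY if q.technique in profile]

def run_hunt(events: list[dict], profile: set[str]) -> list[tuple[str, str, str]]:
    """Run the profile's behaviour queries over telemetry; return (host, technique, name) hits."""
    return [(e["host"], q.technique, q.name)
            for q in select_queries(profile) for e in events if q.match(e)]

def ioc_hits(events: list[dict], bad_hashes: set[str]) -> list[str]:
    """Classic IOC matching: hosts whose process image hash is on the known-bad list."""
    return [e["host"] for e in events if e["sha256"] in bad_hashes]

# Constructed process telemetry (this example's own schema): the retooled binaries carry
# new hashes, so ioc_hits() sees nothing while the behaviour queries still fire.
EVENTS = [
    {"host": "ws-01", "parent": "WINWORD.EXE", "image": "powershell.exe", "sha256": "b" * 64,
     "cmdline": "powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>"},
    {"host": "ws-02", "parent": "services.exe", "image": "svc_update.exe", "sha256": "c" * 64,
     "cmdline": "svc_update.exe", "target": "lsass.exe"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "powershell.exe", "sha256": "d" * 64,
     "cmdline": "powershell.exe Get-Date"},                       # benign interactive shell
    {"host": "srv-01", "parent": "cmd.exe", "image": "schtasks.exe", "sha256": "e" * 64,
     "cmdline": "schtasks.exe /create /tn Updater /tr <PATH-PLACEHOLDER>"},  # outside the profile
]
```

Running `run_hunt(EVENTS, ACTOR_PROFILE)` returns the ws-01 and ws-02 findings while `ioc_hits(EVENTS, KNOWN_BAD_SHA256)` returns nothing; the srv-01 scheduled-task behaviour is only reported when a profile that includes T1053.005 is hunted.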

The Future of Threat Hunting

The modern cyber adversary is constantly evolving and becoming more sophisticated in its attacks. Security teams have automated much of the threat detection process, but we must continue to evolve and become more sophisticated in how we detect and respond.


Human-led, behavior-based threat hunts should be considered an indispensable component, especially now that they can scale to an ever-expanding threat landscape. A general rule of thumb? It takes one to know one. While automation can improve security controls, it can't replace the human element. Pairing human analysis and knowledge with automation tools makes it easier to identify and disrupt the very human behaviors of cybercriminals, well before a breach ever occurs.
