By Josh Campbell from Cyborg Security


It is safe to say that 2020 was a year of “the new normal” for everyone, and doubly so for security teams. Not only has the COVID-19 pandemic been a generational touchpoint, statistics show that it is the largest cyber security event in history. Security teams also received an unwelcome Christmas present in the form of the massive supply chain attack against SolarWinds, affecting up to 18,000 of the world’s largest companies. Overall, 2020 has been a year that organizations and security professionals want to put behind them.

With 2021 finally upon us, many in the security industry are looking at what the industry can deliver. With many organizations looking to optimize processes and technologies, this year’s overwhelming themes seem to be both “optimization” and “proactivity”. …


By Josh Campbell from Cyborg Security


THREAT HUNTING TACTICS

Threat hunters use a variety of tactics when they are planning a hunt. The tactic describes the primary driver for the hunt.

Intelligence-Driven

Amongst threat hunting tactics, intelligence-driven hunting is heavily used in structured hunts. This type of hunting revolves around threat intelligence reporting, often involving active exploitation. Hunters, when alerted to this activity, craft their hypothesis and plan their hunt. Intelligence-driven hunts are not built on indicators; instead, they look for specific behaviours of actors and their tools.

Target-Driven

Another of the most common threat hunting tactics is target-driven hunting. It is a tactic that acknowledges that hunt teams have limited time and resources. This type of hunting prioritizes hunts based on the assets adversaries are most likely to target. These will often include authentication systems, data repositories, and cloud-based infrastructure. This type of hunting allows organizations to most effectively use limited resources. …


By Josh Meltzer from Cyborg Security


Introduction

Last week FireEye shared that a sophisticated state-sponsored adversary had gained unauthorized access to their network and stolen the offensive security tools used by their red team. Although the theft of these sophisticated tools will have an impact on future attacks carried out by the adversary, how they accessed the tools was a much bigger problem. Over the weekend FireEye shared more details of their compromise and broke the news that they fell victim to a supply-chain attack involving the IT services company SolarWinds. FireEye reported that the SolarWinds Orion software update had a backdoor injected into its code, which SolarWinds believed to have been included in updates released between March and June 2020. It should be noted, however, that some researchers have reported seeing activity as early as late 2019. …


By Josh Campbell from Cyborg Security


Threat hunting techniques don’t always have to be super advanced or complicated to yield beneficial results. There are a number of threat hunts that are simple to carry out, and which can find hidden threats that may not necessarily be picked up by traditional threat detection tools.

The following three hunts are a perfect way for beginner threat hunters and SOC analysts to dip their toes in the water and start honing their skills before building out a more formalized threat hunting program. …


By Josh Meltzer from Cyborg Security


INTRODUCTION

Threat hunting activities can generate tremendous benefit for organizations, and not just in finding hidden active threats in the environment. When done regularly, threat hunting can feed SOC threat detection capabilities with additional detection content and improved telemetry about the tactics, techniques, and procedures (TTPs) of threat actors specifically targeting an organization’s assets.


Oftentimes this long trail of threat hunting ROI can be achieved even with a small investment of time and resources put into an emerging threat hunting program. Contrary to the mystique and misconceptions that have been built up around threat hunting, organizations don’t necessarily need a super advanced program before they start reaping the benefits from running a hunt. …


By Josh Campbell from Cyborg Security


As organizations continue to mature and grow their threat hunting capabilities, especially as they incorporate more structured threat hunting into their operational cadence, a topic of concern for many of them is detection content. Detection content, sometimes referred to as queries or use cases, is a topic that we have explored before. One question that is often asked, however, is where organizations get their detection content from.

CONTENT SOURCES

Cyborg Security recently conducted a poll of nearly two hundred organizations to see where those organizations were deriving their detection content from. …


By Josh Campbell from Cyborg Security


Effective post-hunt activity stands as one of the hidden threat hunting steps that cybersecurity organizations can take to maximize the ROI from their threat hunting programs. The measures organizations take to follow up on their cyber threat hunting findings can often reap big benefits for the security organization when it comes to long-term detection and defense.

USING CYBER THREAT HUNTING TO BUILD THREAT DETECTION CONTENT

While every one-time cyber threat hunt absolutely holds intrinsic value just for the ability to find stealthy adversaries active in an environment, the true value should go beyond that. The long-term gain from a threat hunt rests in the identification of the new tactics, techniques, and procedures (TTPs) that the adversary used to get around the organization’s detection mechanisms. …


By Austin Jackson from Cyborg Security


Last weekend, Cyborg Security hosted our first Capture the Flag (CTF) event. The CTF was oriented for people interested in threat hunting, cyber defense, blue team, network traffic analysis, malware analysis, and forensics. There were challenges for beginners and more experienced players alike. Congratulations to the teams copo.banget and deadPix3l for a 1st place tie with a high score of 560 points! The solutions for all of the CTF challenges are below. …


By Josh Campbell from Cyborg Security


As organizations explore the use of threat hunting techniques, one important concept they can benefit from learning about is structured hunting (sometimes referred to as hypothesis-based threat hunting). This type of hunting is still very underutilized by most organizations today, but maturing programs can reap some of the biggest gains from their efforts when they incorporate structured threat hunting into their threat hunting programs.

UNSTRUCTURED VS. STRUCTURED THREAT HUNTS

Structured threat hunting stands in contrast to the more prevalent method of unstructured threat hunting (referred to variously as ad hoc or data-driven hunting).

Unstructured threat hunts tend to be free-flowing, ad hoc affairs that are primarily data-driven from internal log sources. Hunters dig through logs opportunistically, leveraging simple data manipulation techniques such as searching with pivot tables or other analyst methods, and this approach often relies primarily on investigative methodologies such as the principle of least seen in order to pick out anomalies in the data. …


By Cyborg Security


Understaffed security operations teams and overworked threat hunting teams are drowning in data, much of which is unnormalized and uncontextualized. Alerts generated from this data, often through so-called “next generation” ML/AI systems, are only able to reliably detect the most obvious threats and attacks. For enterprises working to create or build their threat hunting teams and functionality, this isn’t working.

To minimize risk and prevent damage and loss, modern enterprises must proactively seek out the most dangerous cyber adversaries lurking in their networks. Yet most are caught in a stalemate of reactive security. …

About

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.
