The Threat Hunting Route to Predictive Cyber Security

Transcription

1 The Threat Hutig Route to Predictive Cyber Security Abstract Withi a icreasigly malicious cyber threat ladscape, our defese mechaisms must mature from beig reactive to proactive ad ally, predictive. For the moder security operatios ceter (SOC), cyber threat hutig is the ext step i the evolutio. With eterprises spedig more tha half a millio US dollars to recover from a breach,1 it's time to ivest i capabilities that ca detect ukow threats before alarms are raised. This will ot oly fortify systems but further improve security cotrols. I this paper, we highlight the differet elemets required for developig cyber threat hutig capabilities ad recommed a structured approach for eterprises across idustries.

2 Ulike covetioal IT security methods, cyber threat hutig is more proactive ad iterative whe it comes to searchig etworks ad datasets to detect breaches that would otherwise elude existig automated tools. This huma-led methodology leverages aalytics or a machie learig platform ad a combiatio of techiques to couter threats. Oce a ew or possible security risk has bee ideti ed, these are categorized ad added to a automated security iformatio ad evet maagemet (SIEM) platform. The maturity of cyber threat hutig practices depeds o a eterprise's preset state of IT security, ad it's willigess to ivest i techology, people, ad processes to further its capabilities. Buildig Blocks for Threat Hutig The success of threat hutig depeds largely o the data available to the security aalyst team alog with a ivetory of tools ad platforms that ca assist i visualizig, aalyzig, ad applyig isights. This will allow the team to look for ew threats which ca be behavior or tred based. I order to build such a framework, eterprises must take ote of: Data visibility wherei there are comprehesive security /evets that iclude etwork traf c ad applicatio usage iformatio alog with relevat threat itelligece reports Tools such as SIEM, data ad user behavior aalytics, rewalls, ad ed poit solutios Security itelligece which icludes updated exploit iformatio, attack vectors, idicators of compromise (IOC), relevat risk treds, ad situatioal awareess Skills with respect to foresic aalysis, ability to thik like a hacker, ad opeess to cotiuous learig Broadly speakig, the cyber threat hutig process has four key stages: Hypothesis created by a huma aalyst o the basis of treds, recet security evets, threat itelligece reports, ad isights gaied through visualized data Ivestigatio usig tools ad techiques associated with liked data aalysis, visualizatios, statistical aalysis or machie learig

3 Ucoverig icidet patters ad lateral movemets withi the etwork Performig aalytics to automate the detectio process for similar icidets i the future Cyber threat huters ca leverage Kill Chai, Diamod, or Hopper models which ca aid i idetifyig threats ad itrusio. These models provide ot oly a structured approach for uderstadig the capabilities of cyber crimials but also extract relevat iformatio from the threat itelligece feeds. It's importat to ote that these models o their ow may ot be foolproof. Equifax's recet breach is a great example of how eve the Kill Chai model o its ow proved to be ieffective.2 Most security teams already have too much o their plates ad may at times be usure about what eeds to be prioritized. Perhaps, a more cohesive approach would be to combie these models' stregths. I fact, the Diamod ad Kill Chai aalysis are highly complemetary. Kill Chai allows the security aalyst to target ad egage a adversary ad 'create the desired effects' idetifyig the right set of data alog with high risk idicators. Diamod model applies scieti c priciples to itrusio aalysis ad provides a comprehesive roadmap o how the threat ca be mitigated. Future-Proo g Cyber Security Apparatus As the rst step, eterprises must build a cohesive approach to ehace ad mature their threat hutig capabilities. This must be supported by a proactive threat moitorig methodology leveragig a robust aalytics platform. While this process mostly relies o correlated alerts, through dedicated threat hutig eterprises ca preemptively idetify possible breaches withi the IT eviromet. Newly ideti ed threats ca be categorized ad added to the security maagemet platform (like SIEM) curretly i use. This will help automatically idetify such threats i the future, thereby stregtheig the overall eterprise security posture. This will also help to detect ad address aws i the curret security framework, ad build o existig capabilities rather tha start from scratch each time there's a data breach. Eterprises eed to uderstad their IT ifrastructure hardware, software, ad etwork resources alog with existig security cotrols, people, ad processes before buildig such a approach. As highlighted i Figure 1, the ext steps will iclude:

4 Network /packet Itroducig ad equippig the data aalytics platform with machie learig ad visualizatio features capable of oboardig huge volumes of out-of-the-box data. Supplyig the platform with the right data sets evets, etwork traf c, ed poit ad applicatio iformatio for visualizig ad aalyzig purposes. Erichig the platform by providig idicators, evidecebased kowledge for trackig advace threats. Visualizig data i terms of assets ad users behavior, alog with etwork treds to idetify exact breach patters ad create hypothetical scearios. Creatig a dedicated ad specialized group of experts to address security issues based o these hypothetical scearios missed by existig SOC teams. Oce suspicious behavior is detected, the threat huter will ivestigate, add threat artifacts to better ucover ad mitigate possibilities of future breaches. Evaluatig the extet of threat peetratio ad data ex ltratio withi a compromised IT eviromet. Itegratig the platform with the automatio egie to automate the detectio process. Data Erichmet Threat Detectio Extet of Threat Dashboard Visualizatio Lateral Movemet Data Aalytic Platform (UBA, ML, AI) Alert Tred Compromised Accouts Data Visualizatio Evet Tred Data Exfiltratio Cotext ad Threat Feeds Idetity Edpoit Server Applicatio Others Figure 1: A ed-to-ed cyber threat hutig approach Automatio

5 Cosider a example where high DNS traf c triggered a data ex ltratio alert. Usig the Kill Chai model, a eterprise ca work backwards to hut for the root cause. Figure 2 highlights a ideal sceario to detect data ex ltratio. Hypothesis Searched for outboud DNS traffic observed high DNS request cout from oe source Ivestigate From proxy log idetified large amout of data (~1.5MB) beig trasferred Ivestigated with edpoit evets through sysmo observed that process svchost.exe established outboud coectio This is commo whe data is beig exfiltrated Svchost.exe is a commo widows process but the process path is uusual Malware delivered through phishig mail Suspicious as Svchost.exe process establishes public coectio Cotiued with sysmo that shows process path from user space ad ot from system dir. Alog with the paret process ID pdf reader Further search with the file ame shows that it was delivered through phishig mail as a attachmet Ucover Figure 2: Detectig Data Exfiltratio However, we also eed to keep i mid the lessos leart from Equifax's massive data breach. Most Iteret applicatios (at risk from exteral attackers) are usually placed i a demilitarized zoe (DMZ). Commuicatios betwee these apps ad the eterprise's iteral systems are more predictable, wherei security teams ca ote the frequecy of access, credetials used, volume, ad so o to build a adaptive behavioral pro le. Malicious activities that usually go uoticed ca be tracked usig user ad etity behavioral aalytics (UEBA). Moreover, eterprises must use cotaiers for applicatios, which provide more protectio tha physical servers ad virtual machies. Usig a Docker le, these cotaiers create applicatio images, which ca be scaed easily before deploymet to discover kow vulerabilities. A vulerable applicatio ca the be swapped out seamlessly oce a update patch is available. But these aloe will ot be able to prevet attackers from exploitig the Kill Chai. Herei, a breach ad attack simulatio platform ca help security teams gai a thorough uderstadig of these threat

6 actors. Across the Kill Chai, aalysts ca ote the differet ways a attacker ca i ltrate, move laterally to a deeper part of the etwork, ad ex ltrate data buyig time for security teams to gure out the best way to break the Kill Chai. Oe ca start with segmetatio to stop the lateral movemet, or simply focus o stoppig data ex ltratio with data leakage prevetio (DLP) solutios. A set of deep packet ispectio (DPI)-eabled patter match sigatures ca prevet attacks similar to Equifax's. Geerally, the attack vectors utilize predictable parameters. Geerally, malicious HTTP requests have a shell commad embedded i a XML object or a malformed header. Security teams ca develop sigatures based o these attack patters, while DPI ca help limit false alarms. Fortifyig the Way Forward It's time for eterprises to adopt a cotiuous process of proactively evaluatig threats that may i ltrate their etworks ad systems, rather tha ivestigate whe the eed arises. This will require establishig dedicated teams ad implemetig platforms to ucover ukow threats, ad ot be limited to prede ed alerts usually co gured i SIEM. As the eterprise security posture matures, it will be easier to de e ad follow a foolproof threat hutig roadmap leveragig arti cial itelligece (AI) ad machie learig to detect breaches ad automate the remediatio process. Refereces 1. Kaspersky lab, Damage Cotrol: The Cost of Security Breaches IT Security Risks Special Report Series, accessed o Jauary 10, 2018, 2. Federal Trade Commissio, Cosumer Iformatio, The Equifax Data Breach: What to Do, September 8, 2017, accessed o Jauary 30, 2018,

7 About The Author Prikshit Goel Prikshit Goel heads the Maaged Security Services as part of TCS' Cyber Security Practice. He focuses o providig security ad IT ifrastructure solutios to the customers by leveragig relatioships with strategic parters ad developig ew offerigs i the security space. He is also resposible for developig traiig framework, accelerators ad a effective competecy pla for both solutio desig ad delivery. He has over 17 years of experiece i the IT space with a focus o Iformatio Security ad Networks. He also holds may idustry certificatios such as PMP, Cisco CCNP ad CCNA, ITIL, BAC, CEH, Spluk, Avaya, ITIL, Six Sigma Gree Belt ad ACS ad is traied i security products such as RSA, Symatec, Palo Alto, ad Cisco across various layers. Cotact Visit Cyber Security page o cyber.security@tcs.com Subscribe to TCS White Papers TCS.com RSS: Feedburer: Tata Cosultacy Services is a IT services, cosultig ad busiess solutios orgaizatio that delivers real results to global busiess, esurig a level of certaity o other firm ca match. TCS offers a cosultig-led, itegrated portfolio of IT ad IT-eabled, ifrastructure, egieerig ad assurace services. This is delivered through its uique Global Network Delivery ModelTM, recogized as the bechmark of excellece i software developmet. A part of the Tata Group, Idia s largest idustrial coglomerate, TCS has a global footprit ad is listed o the Natioal Stock Exchage ad Bombay Stock Exchage i Idia. For more iformatio, visit us at All cotet / iformatio preset here is the exclusive property of Tata Cosultacy Services Limited (TCS). The cotet / iformatio cotaied here is correct at the time of publishig. No material from here may be copied, modified, reproduced, republished, uploaded, trasmitted, posted or distributed i ay form without prior writte permissio from TCS. Uauthorized use of the cotet / iformatio appearig here may violate copyright, trademark ad other applicable laws, ad could result i crimial or civil pealties. Copyright 2018 Tata Cosultacy Services Limited TCS Desig Services I M I 02 I 18 About Tata Cosultacy Services Ltd (TCS)