The Paramount importance of Threat Intelligence & Threat Hunting for Indian Enterprises
Aditya Mukherjee, Security Leader, Accenture
Cyber Threat Intelligence (CTI) is a new yet massively evolving domain in information security today. Since the beginning of time, Information (Knowledge) has always been regarded as a critical form of an advantage in any strategy-making process. CTI over the years has rolled from a previously perceived set of skills and techniques to a well-defined framework with the new infused market requirements spawning from the recent threat activities in the ever-changing IT landscape which has bought sophisticated attacks such as State-sponsored cyber-attacks, Ransomware, APT’s, Zero-days and Hacktivism that is now at the very doorstep of Governments, Big, Medium & Small Corporations alike.
Threat Hunting on the other hand is all about proactively hunting for undetected intruders and signs of potential intrusions in the enterprise environment. Quite simply put, it is the pursuit of abnormal activity in the organization for signs of compromise, intrusion, or exfiltration of data, which is yet not detected by traditional Security Mitigation and Detection tools and Platforms.
Introduction to Threat Intelligence
Threat intelligence lifecycle can be broken down into 5 steps -
1. Planning & Direction - This is the first stage of TI lifecycle which focuses on the expectation from the TI program and how the intel will be consumed and used to derive value for the business.
2. Collection - This stage talks about which sources to monitor, what data is collected, when and how it is collected. This needs to be an iterate process where the feeds are constantly reviewed to improve the injection of quality data.
3. Processing - This stage talks about how the collected intel is processed for consumption. This includes the actual implementation of normalization and contextualization of the data with data enrichment.
4. Analysis & Production - This stage focuses on analysis of the intel to comprehend the value add that the intel is providing.
5. Dissemination - Threat Intel can be pushed in different formats, it can be a Threat intel report which is a human readable format containing research-based artefacts and TTP coverage.
PREPARING TO HUNT
People - Threat hunters need to have a deep understanding of OS internals (Process tree structure, Registry), applications, network tropology & tools at detailed level.
Time - Threat hunting needs to be done in a continuous manner. Which needs dedicated time towards the activity. Once results are delivered, more time can be invested on the same.
Training - Threat Hunting is all about skilled analysis to detect anomalies in the environment. Hence trainings on OS internals, Endpoint application behaviour, threat hunting tools, Incident response procedures & exploitation techniques will help in getting better insights into the target infrastructure.
Procedure - A structured approach, to document and enhance Endpoint baselining, Hunting practices, Response mechanism can better enable the Threat hunting initiative.
Tools - Applications that provide Endpoint (Parent & Child processes, File activity) / Network visibility (IPS, web filtering, firewall logs, & NetFlow tools), Anomaly detection, Data Correlation & Analytics capability & TI integrated with SIEM.
Red Teaming - As a Threat hunter it is important to anticipate how attacks are likely to attack the environment. Hunters need to be familiar with the architecture and data flow with key focuses at gaps & blind spots in the organization.