Sophisticated cyberattacks unfold over time, and no matter how good attackers are at covering their tracks, even the best leave clues behind. It is up to threat hunters to piece those clues together into a picture of the attack's full lifecycle. That work is challenging, especially at organizations that rely on traditional security products, and it often forces threat hunters to think outside the box,

Adding to that challenge, although 86% of organizations are doing at least some kind of threat hunting today, more than half of those are doing it in an ad hoc way. Even if ad hoc threat hunting produces modest results, the absence of a formalized program with clearly defined methodologies isn't doing threat hunters any favors, nor is it helping them gain new skills and experience.

Without proper tools or a solid methodology, it is hard enough for experienced threat hunters to keep up with a volatile threat landscape. It is even harder for less experienced analysts to build the skills they need to mature into the threat hunters organizations so badly need today, and will need even more in the future. How do organizations support security professionals across the talent spectrum?

Before threat hunters can do their jobs, they first have to clear the obstacles in their way: find where the information they need is stranded in siloed systems across the organization's infrastructure, combine and correlate it, analyze it to derive the insights forensic exploration requires, and make all of it accessible quickly and on demand. They then repeat this manual process every time they investigate a new security event.

Obstacles like these can be overcome with a modern approach to security that pulls that information together automatically, including advanced analytics applied to long-term, full-fidelity network traffic. Many security vendors talk about their advanced analytics capabilities, but most cannot apply those capabilities to the body of forensic evidence that long-term, full-fidelity packet capture (PCAP) provides.

Multi-stage Attacks Can’t Hide from State Machines

Using state machines to perform analytics on forensic data is powerful, but only when those forensics have been retained for long enough. Advanced attacks have multiple stages that unfold over extended periods of time. These multi-stage attacks, or advanced persistent threats (APTs), are particularly nefarious and account for about a third of all attacks. In an APT, each action the attacker takes can appear innocuous on its own; only when the actions are evaluated as a complete, coordinated series of events does the true nature of the attack emerge. Combining analytics with long-term forensics and a state machine that carries state from one stage to the next lets threat hunters decide whether an alarm is a false positive or one step in a larger, genuine attack.
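The following is an added example, not code from the original post or from any vendor product, of what "a state machine over long-term forensics" means in practice. It replays network metadata events (constructed here; the stage names and the four-stage lifecycle are assumptions, standing in for whatever detections a team actually has) through one small state machine per host, and runs the same hunt with a short and a long retention window. The machine only advances when the next stage in order is seen, so a lone beacon-looking alarm never completes the chain, while the real intrusion does, but only when the early stages are still on disk.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical attack lifecycle used by this example. Real stage definitions
# come from the detections a team actually has; these names are assumptions.
STAGES = ("delivery", "beacon", "lateral", "exfil")


@dataclass
class Event:
    """One piece of network metadata distilled from retained traffic."""
    ts: datetime
    host: str
    kind: str          # one of STAGES; anything else is ignored by the machine
    detail: str = ""


@dataclass
class HostAttackFSM:
    """Per-host state machine: advances only when the *next* stage is seen."""
    host: str
    stage: int = 0
    matched: list = field(default_factory=list)

    def feed(self, ev: Event) -> bool:
        if self.stage < len(STAGES) and ev.kind == STAGES[self.stage]:
            self.stage += 1
            self.matched.append(ev)
            return True
        return False

    @property
    def complete(self) -> bool:
        return self.stage == len(STAGES)

    @property
    def reached(self) -> str:
        return STAGES[self.stage - 1] if self.stage else "none"

    @property
    def span(self) -> timedelta:
        """Time between the first and last matched stage (observed dwell)."""
        if len(self.matched) < 2:
            return timedelta(0)
        return self.matched[-1].ts - self.matched[0].ts


def hunt(events, retention_days: int, now: datetime) -> dict:
    """Replay the events the retention window still holds, oldest first,
    through one state machine per host. Returns host -> HostAttackFSM."""
    cutoff = now - timedelta(days=retention_days)
    retained = sorted((e for e in events if e.ts >= cutoff), key=lambda e: e.ts)
    machines = {}
    for ev in retained:
        machines.setdefault(ev.host, HostAttackFSM(ev.host)).feed(ev)
    return machines


def when(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: one genuine four-stage intrusion on ws-17 spread over
# three and a half months, plus a lone beacon-looking alarm on ws-22 that is
# just noise on its own.
SAMPLE_EVENTS = [
    Event(when("2024-01-05T09:12:00"), "ws-17", "delivery", "SMTP attachment from external sender"),
    Event(when("2024-01-06T10:00:00"), "ws-17", "beacon",   "periodic HTTP POST to rare external host"),
    Event(when("2024-02-14T10:00:00"), "ws-17", "beacon",   "same beacon, still alive"),
    Event(when("2024-03-02T23:41:00"), "ws-17", "lateral",  "SMB session to fs-01 outside business hours"),
    Event(when("2024-04-20T02:15:00"), "ws-17", "exfil",    "large outbound transfer to the beacon host"),
    Event(when("2024-04-18T11:00:00"), "ws-22", "beacon",   "periodic HTTP to an updater CDN"),
]
NOW = when("2024-04-20T12:00:00")

if __name__ == "__main__":
    for days in (3, 180):
        print(f"retention = {days} days")
        for host, fsm in hunt(SAMPLE_EVENTS, days, NOW).items():
            print(f"  {host}: reached {fsm.reached}, complete={fsm.complete}, span={fsm.span.days}d")
```

With three days of retention the hunt sees only the exfiltration on ws-17 and the beacon on ws-22, and neither advances past the first stage; with 180 days the ws-17 chain completes and its observed span is just over 105 days, which is the evidence a hunter needs to escalate that alarm rather than the ws-22 one.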

Analytics products that cannot keep long-term state, even those that perform advanced analysis, cannot present hunters with a comprehensive picture of an entire attack. The best most can do is trigger alarms, which isn't much help to resource-strapped security teams. They are already exhausted by alarm fatigue, and without a way to prioritize which alarms deserve attention, new ones become noise they learn to ignore.

More Data, More Visibility

If security teams want better visibility, they will have to capture high-fidelity forensics. Network traffic carries a great deal of rich metadata: HTTP referrers, source IP addresses, timestamps and more. Being able to analyze that metadata helps analysts fight back against attacks. Take this use case: if you monitor SMTP traffic and payloads to build a baseline of normal behavior, you can then identify deviations from that baseline which, paired with other analytics, surface events or data points threat hunters can use when testing a hypothesis.
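As an added example (not code from the original post), here is the SMTP baselining use case worked through on constructed per-host, per-day metadata. The baseline is per host, so a mail relay that always sends a thousand messages a day is not an anomaly while a workstation that jumps from five to 140 is, and the volume deviation is paired with a second signal, recipient domains never seen during the baseline period. The record layout, the host names and the domains are assumptions.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpDay:
    """One day of outbound SMTP metadata for one sending host."""
    day: int                    # day index within the capture
    host: str
    messages: int               # outbound messages seen from this host
    recipient_domains: frozenset


def build_baseline(records, baseline_days):
    """Per-host mean and stdev of daily volume, plus the recipient domains
    seen during the baseline period. stdev is floored at 1.0 so that a very
    quiet host with near-zero variance does not produce absurd z-scores."""
    counts, domains = defaultdict(list), defaultdict(set)
    for r in records:
        if r.day in baseline_days:
            counts[r.host].append(r.messages)
            domains[r.host] |= r.recipient_domains
    baseline = {}
    for host, c in counts.items():
        stdev = statistics.stdev(c) if len(c) > 1 else 0.0
        baseline[host] = {
            "mean": statistics.mean(c),
            "stdev": max(stdev, 1.0),
            "domains": frozenset(domains[host]),
        }
    return baseline


def find_deviations(records, baseline, day, z_threshold=3.0):
    """Hosts whose volume on `day` exceeds their own baseline by z_threshold
    standard deviations, reported together with any never-seen recipient
    domains so the hunter has two signals instead of one."""
    findings = []
    for r in records:
        if r.day != day or r.host not in baseline:
            continue
        b = baseline[r.host]
        z = (r.messages - b["mean"]) / b["stdev"]
        if z >= z_threshold:
            findings.append({
                "host": r.host,
                "z": round(z, 1),
                "new_domains": sorted(r.recipient_domains - b["domains"]),
            })
    return findings


USUAL = frozenset({"corp.example", "partner.example"})

# Constructed sample: seven baseline days for a workstation and a mail relay,
# then day 8, on which the workstation suddenly sends 140 messages to a domain
# it has never written to before.
SAMPLE = (
    [SmtpDay(d, "ws-17", n, USUAL) for d, n in enumerate([5, 6, 4, 7, 5, 6, 5], start=1)]
    + [SmtpDay(d, "mail-relay", n, USUAL)
       for d, n in enumerate([1200, 1150, 1300, 1250, 1180, 1220, 1260], start=1)]
    + [
        SmtpDay(8, "ws-17", 140, frozenset({"files-mirror.example"})),
        SmtpDay(8, "mail-relay", 1280, USUAL),
    ]
)

if __name__ == "__main__":
    base = build_baseline(SAMPLE, range(1, 8))
    for f in find_deviations(SAMPLE, base, day=8):
        print(f)
```

The mail relay's day-8 volume is within about one standard deviation of its own baseline and is not reported; the workstation's is more than a hundred standard deviations out and the new recipient domain comes back with it, which is the kind of data point the paragraph above describes feeding into a hypothesis.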

Remember, though, that analyzing data isn't just about finding new threats; it is also about filling in the missing pieces of information that keep threat hunters from being truly effective. Making these rich data sets accessible to threat hunters quickly and easily is essential if they are going to find and stop sophisticated attacks.

You Can’t Look Back at Data You Don’t Have

When a network is breached, the attacker dwells there for an average of 146 days. In security years, that's an eternity! Yet most organizations that use legacy security products aren't keeping forensics for anywhere near that long, because doing so with those products is difficult and costly. That leaves threat hunters and analysts with hours or days of data to work with, which simply isn't enough.

The clear answer to this challenge is a modern approach to security that retains forensics for longer than the typical breach window. Working with data that goes back months or even years puts threat hunters in a better position to seek out and stop attacks. It also lets them discover whether a newly identified threat has ever touched their network, because they can rewind the recorded history of the network and look for those threats, vulnerabilities and attacks retrospectively. They can even build their own hypotheses and test them against a huge data set to find unknown threats and kill them earlier, mitigating the impact.
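To make the retrospective point concrete, here is an added example (not code from the original post) of a sweep for a newly published indicator over retained connection metadata. It is run twice over the same constructed history, once with 30 days of retention and once with a year, and reports the affected hosts, first and last sighting, the observed dwell, and a caveat a hunter should always carry: when the earliest hit sits at the edge of the retention window, the true first contact is probably older than anything still on disk. The indicator value, host names and timeline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """One retained connection record: who talked to what, and when."""
    ts: datetime
    host: str
    dst: str        # destination name or address from the metadata


def retrospective_sweep(flows, indicator, now, retention_days):
    """Search the part of history the retention window still holds for
    `indicator` and summarize what the hunter can and cannot know from it."""
    cutoff = now - timedelta(days=retention_days)
    hits = sorted((f for f in flows if f.dst == indicator and f.ts >= cutoff),
                  key=lambda f: f.ts)
    if not hits:
        return {"found": False, "coverage_days": retention_days}
    first, last = hits[0].ts, hits[-1].ts
    return {
        "found": True,
        "coverage_days": retention_days,
        "hosts": sorted({f.host for f in hits}),
        "first_seen": first,
        "last_seen": last,
        "observed_dwell_days": (last - first).days,
        # Heuristic: an earliest sighting within a day of the cutoff means the
        # history was probably truncated, not that contact began then.
        "truncated": first - cutoff < timedelta(days=1),
    }


NOW = datetime(2024, 6, 1, 12, 0)
INDICATOR = "update-cdn-73.example"     # assumed: a name from a new threat report

# Constructed history: ws-17 has been talking to the indicator for five months,
# ws-09 touched it once, and both hosts have plenty of unrelated traffic.
def ago(days):
    return NOW - timedelta(days=days)

SAMPLE_FLOWS = [
    Flow(ago(150), "ws-17", INDICATOR),
    Flow(ago(120), "ws-17", INDICATOR),
    Flow(ago(60),  "ws-17", INDICATOR),
    Flow(ago(40),  "ws-09", INDICATOR),
    Flow(ago(30),  "ws-17", INDICATOR),
    Flow(ago(20),  "ws-17", INDICATOR),
    Flow(ago(5),   "ws-17", INDICATOR),
    Flow(ago(90),  "ws-09", "corp.example"),
    Flow(ago(2),   "ws-17", "corp.example"),
]

if __name__ == "__main__":
    for days in (30, 365):
        print(days, retrospective_sweep(SAMPLE_FLOWS, INDICATOR, NOW, days))
```

With 30 days of history the sweep finds only ws-17, estimates 25 days of dwell, and flags the result as truncated; with a year it also finds ws-09 and shows the contact actually began 150 days ago. The second host and the extra four months of dwell exist only in data a short retention policy would have thrown away.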
