Threat Hunting

Visibility: The Cornerstone of Effective Threat Hunting

Author
Contributing Author
Author
David Ramazetti
Director of Security Services, Novacoast
SHARE:

In today’s security landscape, everyone believes they have the “silver bullet” to prevent breaches. Unfortunately, it’s my uncomfortable duty to tell you that not only will you get breached, there’s a pretty good chance you already have been. We explore this on the blog today and will expand on a future co-hosted webinar.

There is no “silver bullet,” and instead many preventative measures can lead to a false sense of security that puts an organization at an even greater risk of compromise.

Instead, organizations must supplement their prevention measures and should to be asking themselves the more practical questions: do we have full visibility into our environment? How do we proactively identify and mitigate vulnerabilities? What threat hunting strategies are effective?

So what does visibility actually mean? Some will say having an Endpoint Protection solution on your workstations is enough. Others believe a traditional network traffic analysis device embedded within your network means you are covered. Don’t fall for shortcuts. In order to achieve the full visibility required for a truly secure environment you must cover all areas fully—endpoint, network, cloud, and anywhere else your data resides.

Full visibility begins by ensuring all endpoints—server, workstation or otherwise—have security protections in place, such as an EPP or AV along with a fully formed EDR solution. For some the difference may seem slight, but attempting to reconstruct an attack without the rich context provided by quality EDR will quickly show their dissimilarities. From a network perspective, this means carefully and strategically watching traffic at all security boundaries that should exist within a well segmented environment.

This brings up the question of encryption within a network’s boundaries. In many environments that utilize a high rate of encrypted traffic it can be difficult to gain the visibility necessary for effective threat hunting. That does not mean we have to remain blind to this communication, however. We can cover a lot of this necessary visibility by inspecting encrypted network traffic with a form of TLS fingerprinting known as JA3. For increased visibility, we also suggest utilizing SSL/TLS visibility devices at your company’s network egress points, which can provide something close to complete visibility into encrypted traffic. This allows us to determine if any intellectual property is leaking out of the organization. Remember, visibility into what is happening on your networks, endpoints, servers and within your cloud workloads is key.

Lastly, as there is so much network traffic in organizations today it can be a difficult task to find the proverbial “needle in a haystack.” To ease these concerns, we need to setup decoys and “tempt” attackers to access these instead of the network itself. The days of traditional honeypots are gone and instead we need something more. That is exactly what moderns deception technology is: advanced decoys that replicate real device functionality (i.e. Running Apache, Running Oracle, Running IIS) and can produce traffic that replicates a true production environment.

Building further on this technology, modern deception will also be able to plant “breadcrumbs” (i.e. RDP Session profiles, WnSCP Session Profiles) to lure attackers toward these decoys and provide high fidelity alerts. This is a full emulation of a real environment, unlike the static honeypots of yesteryear.

For this reason, we recommend a platform of key essential tools such as network traffic analysis, full scale EDR, and deception technology, along with SSL visibility devices; as a comprehensive visibility solution. With these tools in place, an environment will fully cover every aspect of their enterprise from the endpoints themselves to the bigger picture network and are able to see into today’s most hidden dark spot: encrypted traffic. All of this, coupled with deception, finally allows us to truly and proactively gain the visibility necessary to spot attackers within our environment through effective threat hunting strategies.

At Novacoast, we always hasten to add that tools are the beginning of a solution, not a solution in and of themselves. Ongoing effort, analysis, decision and action are indispensable in a security posture—and while it may be disappointing for some people to hear it, this isn’t ever likely to change. But a complete set of tools is vital for effective threat hunting and furthering your security posture.

Interested in learning more and getting started on your own threat hunting program? Watch our webinar: Tracking the Enemy Through Advanced Threat Hunting – 5 Tactics That Work.

Browse our blog