Stop Threat Actors at an Early Stage of the Attack Lifecycle with Threat Intelligence and Hunting
Threat Hunting • Mar 12, 2020
Cyberattacks, unlike physical crime, can unfold over a long period without the targeted victims' knowledge. Threat actors diligently hide their tracks at every step as they lay the groundwork for intrusion into their target systems and networks. With enough knowledge of a target's cyber defenses, malicious actors can evade detection and the protection measures in place. However, by leveraging tactical threat intelligence and threat hunting processes, security teams can stop bad actors at an early stage and prevent further intrusion into their networks.
The lifecycle or kill chain of a cyberattack can be broken down into multiple stages ranging from the planning stage all the way to the execution stage to achieve the final objective.
Various threat modeling frameworks such as MITRE’s ATT&CK framework, the SANS ICS Cyber Kill Chain, and others divide the attack lifecycle into several stages including:
Reconnaissance - In this initial stage, the attackers identify and analyze their potential targets to know their weaknesses and plan the type of exploits required to infiltrate them.
Initial Compromise - After studying their targets, the threat actors use a specific attack vector and exploit to intrude and gain access to their systems. This may be achieved by exploiting a compromised user account or a vulnerable system.
Command & Control - After entering their target networks, the threat actors take steps to gain persistence and remotely control them, often by injecting malicious payloads such as remote access trojans.
Lateral Movement - After establishing control over their targets, the attackers often spread laterally across the network to compromise additional systems and accounts.
Target Attainment - Having compromised multiple parts of the target network, threat actors can then fine-tune the final objective of their attack, including what data should be stolen, what services are to be disrupted, and more.
Exfiltration, Corruption, or Disruption - In the final stage, the attackers deal the ultimate blow to the target individuals or organizations through invasive steps such as theft of intellectual property or other sensitive data, corruption of mission-critical systems, and general disruption of their targets' operations.
The use of threat intelligence provides numerous benefits in making security operations more proactive and in understanding threat actor behavior more effectively. When it comes to detecting and analyzing threats at an early stage, tactical threat intelligence plays a central role by illuminating a threat actor's tactics, techniques, and procedures (TTPs).
As per IBM’s 2019 Cost of a Data Breach Report, the average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days, for a total of 279 days. The longer it takes to detect an attacker, the more chances they get to escalate privileges, spread laterally, exfiltrate data, or disrupt systems.
To prevent this, security teams can use threat indicators collected from various sources to map the attacker's TTPs and predict their behavior. The MITRE ATT&CK framework provides a knowledge base of the TTPs that threat actors are known to use across real-world attack campaigns. Combined with tactical threat intel insights, it enables security teams to collect the right evidence for detecting future attacks and to build the countermeasures needed to stop attackers from progressing to later stages of the attack lifecycle.
With both CTIX and CFTR, users can leverage the built-in MITRE ATT&CK Navigator to visualize and track threat actor footprints by continuously mapping tactics and techniques against reported incidents. This leads to actionable insights being derived from threat intelligence to inform decisions earlier on in the attack lifecycle.
Along with the use of tactical threat intel, threat hunting activities can boost an organization’s ability to detect sneaky threat actors that may have slipped past certain existing defenses.
In threat hunting operations, security teams first set a hunt hypothesis on the basis of which they look for telltale threat indicators or any anomalous activity in their networks. They validate their hunt hypothesis either through the detection of known indicators of compromise (IOCs) or by looking for specific threat activity based on tactical intel insights.
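A minimal hunt loop in the spirit of the process just described, added here as an illustration and not code from the original post or from the vendor's products: constructed log lines are checked against a hypothetical IOC list and a few rules tagged with ATT&CK technique IDs, and each hit is mapped to one of the lifecycle stages listed earlier so the team can see how far the intrusion has progressed. The indicators, the rules and the technique-to-stage mapping are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Lifecycle stages in the order the post lists them; a lower index is an earlier stage.
STAGES = ["Reconnaissance", "Initial Compromise", "Command & Control", "Lateral Movement",
          "Target Attainment", "Exfiltration, Corruption, or Disruption"]

@dataclass
class Rule:
    technique: str        # ATT&CK technique ID (the stage each maps to is this example's assumption)
    stage: str            # lifecycle stage the hit is attributed to
    pattern: re.Pattern   # regex over a key=value log line
    needs_ioc: bool = False  # if True, the captured 'ioc' group must appear on the IOC list

# Hypothetical tactical intel: an IOC list and hunt rules (constructed, not real indicators).
IOCS = {"c2-beacon.example.invalid", "drop.example.invalid"}
RULES = [
    Rule("T1071", "Command & Control", re.compile(r"\bqname=(?P<ioc>\S+)"), needs_ioc=True),
    Rule("T1021", "Lateral Movement", re.compile(r"\blogon_type=3\b.*\buser=svc_\w+")),
    Rule("T1041", "Exfiltration, Corruption, or Disruption",
         re.compile(r"\bdst=(?P<ioc>\S+).*\bbytes_out=\d+"), needs_ioc=True),
]

# Constructed sample telemetry: one host's intrusion plus one benign DNS lookup.
LOGS = [
    "2020-03-12T09:01:07 dns host=ws-17 qname=c2-beacon.example.invalid",
    "2020-03-12T09:03:44 auth logon_type=3 src=ws-17 dst=fs-02 user=svc_backup",
    "2020-03-12T09:10:02 proxy host=ws-17 dst=drop.example.invalid bytes_out=52428800",
    "2020-03-12T09:11:30 dns host=ws-04 qname=www.example.com",
]

def hunt(logs, rules=RULES, iocs=IOCS):
    """Validate the hypothesis: return (stage, technique, line) for each line a rule fires on."""
    hits = []
    for line in logs:
        for rule in rules:
            m = rule.pattern.search(line)
            if not m:
                continue
            if rule.needs_ioc and m.group("ioc") not in iocs:
                continue  # right shape of event, but no known-bad indicator: treat as benign
            hits.append((rule.stage, rule.technique, line))
    return hits

def earliest_stage(hits):
    """Earliest lifecycle stage with evidence, i.e. where the intrusion can first be cut off."""
    return min((stage for stage, _, _ in hits), key=STAGES.index, default=None)
```

Calling `earliest_stage(hunt(LOGS))` on the constructed telemetry yields "Command & Control", the first stage at which this intrusion left evidence; the benign lookup for www.example.com matches the DNS rule's shape but produces no hit because it is not on the IOC list.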
Thus, the combination of tactical threat intel insights and threat hunting operations can help proactively minimize the dwell time of attackers on target networks, thereby minimizing any potential damages to the target organizations.
The old adage -- "prevention is better than cure" -- applies both in the physical world and in the realm of advanced cyber threats. In the face of growing threats in today's connected cyberspace, organizations must leverage the best of tactical threat intel to gain visibility and detect anomalous activity within their networks at an early stage. The use of tactical threat intelligence and threat hunting thus enables organizations to establish a more proactive threat management process.