By Mat Gangwer, senior director of managed threat response at Sophos
Cybersecurity threat hunting is totally unpredictable – it’s why I love my job.
Threat hunters are on the frontlines of fighting cybercriminals. We’ve seen and dealt with it all: from the entry level, apprentice-type attackers to the highly organized and well-funded nation-state attackers. These threat actors – the smart ones, at least – will execute their carefully planned attacks during overnight hours or on a weekend, when they think no one is watching. Unfortunately for them, threat hunters are watching, and we’re always ready to respond.
When it comes to a day in the life of a threat hunter, no two days are the same. On any given Monday, we could be investigating a Sunday evening ransomware attack on an Internet Service Provider, then quickly drop everything to respond to ransomware attack on a hospital where patient lives are on the line, which was the life-or-death situation that my team recently found itself at the center of when a hospital was forced to shut down after being hit by Ryuk ransomware.
There are always new threats, attacks and vulnerabilities – all of which need to be dealt with in different ways depending on the attacker and their tactics, techniques and procedures (TTPs), and the environment that we’re working in. We never know what pulling on one thread will ultimately uncover. But that’s the nature of the game.
Threat hunters crave that unpredictability. It’s what excites us, and where we excel.
Predicting the Unpredictable
Despite the lack of predictability, there are bedrock principles and rules that threat hunters abide by in order to stay one step ahead of attackers. These bedrocks are what we have to fall back and rely on when staring down multi-million-dollar ransomware attacks; they guide us through the most harrowing attacks to stop adversaries in their tracks.
Here are four of those pillars that guide a threat hunter’s day-to-day:
1. We have to be proactive, while incident response is more reactive
Threat hunting and incident response are complementary, but very different. Incident responders do hand-to-hand combat with cyber adversaries. They’re the ones who investigate environments that are already known to have been infected or breached and know what kind of TTPs to be on the lookout for. It’s in most cases retroactive.
Threat hunters, on the other hand, are more proactive. Our role is more of an analytics function, looking at data on a day-to-day basis, identifying abnormalities in that data and parsing the TTPs being utilized.
For example, have we caught a new process or command in an environment? What are some of the most common and least common command executions we’re seeing? Do these less common executions seem malicious? We can only respond once a threat hunt has identified those red flags and/or a potential attack is in the works.
Our job is to do 24/7 monitoring of a customer’s environment and stay a step ahead of attackers: living on the cusp of cutting-edge attacks, performing research on new attack methods, and looking holistically at a customer’s estate for anything that looks out of place.
2. Identifying indicators of attack or compromise — especially when they co-opt legitimate tools
Indicators of attack (IoAs) and indicators of compromise (IoCs) are our telltale signs of compromised environments and/or impending attacks that we find across aggregates of data. These indicators are often specific to certain ransomware groups because cyber criminals tend to follow similar patterns – if it’s working for them, they’ll keep running it until it stops being effective.
IoAs and IoCs have a half-life, though, because threat actors will inevitably change their TTPs once they’ve been discovered. When that happens, the rules and logic we build to detect these artifacts, to identify known threats and activity from threat actors, become outdated. Threat hunters need to be nimble in knowing both when old indicators are no longer relevant and making constantly needed changes to these rules, often supplementing them with AI and machine learning to stay ahead of the curve.
On that front, there are some common signs we keep an eye out for: heavily used utilities, living-off-the-land applications, specific commands and reconnaissance tools like ADFind and Nltest for example. Part of the problem is that these are otherwise legitimate files that exist natively as part of the OS or are commonly used by administrators. Security teams can’t just terminate these files each time, because they do have legitimate uses, but at the same time threat hunters have to be constantly vigilant about if and when they’re being co-opted to do reconnaissance on a would-be victim’s network.
We saw this play out with a Maze attack last year. When the Sophos Managed Threat Response (MTR) team was called in to help an organization facing a $15 million Maze ransomware attack, we saw that in the earliest days of the breach the attackers used Advanced IP Scanner – a legitimate network scanning tool – to create lists of IP addresses that they would target (including those of IT administrators). The attackers proceeded to access a file server via Remote Desktop Protocol, compress files on that server with WinRAR and 7zip, and copy them back on to the primary domain controller with Total Commander – all legitimate tools being used for malicious purposes. These are the indicators that threat hunters have to stay on top of to prevent attacks from occurring in the first place.
3. There’s no one-size-fits-all threat response
While ransomware groups may use similar TTPs – in part because these groups are increasingly sharing toolkits with each other – each threat hunt requires different measures. Sophos Intercept X provides us a simple, one-click operation that isolates a host from the rest of the environment. That gives our team some breathing room to determine next steps, because when you’re dealing with active adversaries, every second you get back on the clock is critical. So, isolating suspected attacker activity on a host is a pretty common response measure.
But depending on how widespread an intrusion is, we can go further in any number of ways, including but not limited to:
- Auditing login information to find a compromised account, then disabling, removing, or changing the credentials on that login
- Removing or terminating malicious processes running on impacted systems
- Examining for persistence or other malicious files left remaining on the system
In the aforementioned Maze attack, because the customer was not using Sophos MTR to begin with, the Sophos Rapid Response team had to engage after the fact, but the same steps still applied: identifying the compromised admin account, identifying and removing the malicious files, and blocking subsequent attacker commands and C2 communications.
At the end of the day, the tactics and targets of a successful threat hunt depend entirely on what access we think the adversary had. And while there are some tried-and-true methods we can leverage, threat hunters also have to rely on a certain level of intuition and experience in knowing when to tweak these methods as the situation calls for it.
4. The job is never really done
One of the exciting but tough things about being a threat hunter is that the hunt never ends. Every threat or red flag or abnormal sign of activity we detect and neutralize is just the first in a seemingly endless line of threats.
These are very real threats to business of all sizes – no one is off limits. Organizations are constantly at risk of a potential attack, and that’s the headspace that threat hunters need to operate in too.
Conquering unpredictability with Sophos MTR and Sophos Rapid Response
That’s exactly why the human-led threat hunting expertise of Sophos MTR and Sophos Rapid Response is so crucial.
Sophos’ lightning-fast, industry-first measures pair the expertise of human threat hunters with 24/7 monitoring to thwart active threats, clean out a customer’s network of cyber adversaries, and then get them back on their feet with minimal costs, damage, and recovery time.
Another key benefit of a threat hunting operation like this at scale is that once we discover a new technique or tool an attacker is using, we can immediately search for it across all other MTR customers, and then deploy automated detections for the entire Sophos customer population.
When facing a constant climate of unpredictability around cyberattacks, Sophos MTR and Sophos Rapid Response provides threat hunters with the reliability and predictability they need to stay on top of threats.