The Gap in Today’s Cyber Security Paradigm

There is a major gap in today’s cyber security paradigm. Companies invest hundreds of thousands and even millions into security tools. Most traditional security tools fall into one of two categories: detection tools, which scan your systems for known threats, and response-based-tools, which focus on removing threats once evidence of a breach has been identified.

Most companies have a slew of detection and response based tools. Many are even passing their compliance audits with flying colors. If existing tools and compliance protocols were enough, then breach detection wouldn’t be a problem. Yet, it is. In fact, it still takes the average company over 6 months to detect a breach.

The truth is that across industries, IT leaders lack an effective approach to answering the following question: how do you know if you’ve been breached right now?

In this article, we’ll walk you through the basics of threat hunting. When done properly, the right threat hunting program will not only answer this question, but also identify signs of a breach within hours or days. That way, you can put out your cyber fires early on, instead of allowing them to damage all of your systems.

The Big Picture: Understanding Risk In The Virtual World (And In General)

“Why have security tools if we’re going to get breached anyway?”

This is a common belief that we hear expressed across roles and industries – from owners and CEOs to IT staff, to workers in the field.

We can all agree that any security company claiming to completely eliminate risk of an attack has credibility issues.

Yet, there are also serious problems with the view that security tools are pointless because risk still exists

Instead of viewing risk (and risk mitigation) as black and white, it’s better to view it as a gradient.

To paint a better picture, imagine the risk of fire in a building. Maybe that building is your home, your office, or another important place to you. No matter how minimal or advanced a fire alarm system, the threat of fire is always there. Over time, regulators have created standards for buildings to help mitigate the risk of catastrophic damage. Smoke and carbon monoxide detectors are only the first level of defense, and yet they save thousands of lives each year.

Commercial buildings that house thousands of people and cost millions of dollars have different standards to mitigate risk. Beyond detectors and initial alarms, There are pump gauges. There are flashing alarms for the deaf, and loud sirens for the blind. There are complex sprinkler systems that pour down water as soon as temperature breaks a certain level.

As the virtual world mirrors the physical world more and more, we can think of cyber risks systems similar to fire alarms/systems. A few smoke and carbon monoxide detectors and a basic alarm system may be enough to protect a small family and a small house from catastrophe. In the same way, basic personal protocols like having a firewall, VPN, 2FA, and endpoint detection, will be enough for most families.

But as we increase size, there is more risk. Larger buildings mean tens of millions could be lost in the event of a burndown. Even worse, hundreds or thousands of lives are at risk. The same is true for the IT systems of many organizations.

In the virtual world, if your IT systems burn down because of a cyber breach or other catastrophic event, the entire business grinds to a halt.

Threat hunting acts like these more advanced fire systems for your organization’s virtual systems – no matter the cause, if it gets hot enough in the room, those commercial sprinklers will fire off. Then, the fire company responds, puts out the fire, and performs a root cause analysis.

In reframing risk, we can also understand why basic secure measures are still important. If we have sprinkler systems, we wouldn’t do away with carbon monoxide alarms. In aggregate, all of these systems are cutting down the largest risk factors. Thus, over thousands of incidents, these systems pay themselves back many times over. And, they create peace of mind knowing that people’s lives aren’t at risk.

Risk is always there, and no one will ever eliminate risk entirely. But by incorporating the right tools and systems, you can mitigate – and in some cases eliminate – the largest sources of risk.

Problem

More containment time = more losses

$1.12M

Average loss from taking longar than 200 days to contain a data breach

$3.05M

Average loss for cyber security programs without AI and automation

$2.66M

Average loss for organizations with an incident response team that did not rehearse the response plan

What To Look For In A Threat Hunting Solution

The main purpose of a robust threat hunting solution is to shorten breach detection times. The best threat hunting solutions detect breaches within hours, instead of the industry average of months. This prevents damage from spreading and ensures that your IT assets are safe.

Furthermore, the best threat hunting tools empower lean teams to do more with less. Leveraging new advances in automation, many threat hunting vendors can cut down on the total amount of time it takes IT and security staff to identify and thwart threats. A robust threat hunting tool will enable your junior staff members to perform advanced, senior level tasks and cut down on the number of events that need to be reviewed. Instead of being numb from false positives and allowing a real threat to slip through, the entire team stays sharp because only true signals of concern are presented.

Finally, organizations have a variety of devices and systems. The best threat hunting tools are compatible across a wide array of devices – regardless of age or operating systems.

The Benefits of Omega’s Threat Hunting Solutions

RITA (Real Intelligence Threat Analysis)

Use Real Intelligence Threat Analysis (RITA) framework to ingest
Zeek logs and detect the earliest stages of cyberattack.

AC-Hunter

Perform Threat Hunting across any
network-connected device with AC-Hunter.

  • Minimizing False Positives

  • Types of False Positives

  • Handling False Positives

Minimizing False Positives in Threat Hunting

False positives can hinder the efficiency of threat hunting efforts. Understanding the different types of false positives and implementing effective strategies for handling them will significantly streamline your threat hunting process, allowing you to focus on genuine threats and keeping your network secure.

/

Types of False Positives

Some common false positives include beacons and strobes, long connections, threat intelligence and blacklisted IPs, DNS false positives, rare client signatures, and certificate issues. By recognizing these types of false positives and employing strategies such as whitelisting specific domains, benign signatures, or IP addresses, you can reduce the time spent on false leads and focus on genuine threats.

/

Handling False Positives

Whitelisting is a popular method for managing false positives, as it removes benign traffic from view while still allowing for analysis by your threat hunting software. Additionally, filtering traffic out from packet capture can save CPU time and reduce storage needs. Implementing these strategies will help you better manage and analyze your network traffic, improving the efficiency and effectiveness of your threat hunting efforts.

To prevent re-analyzing benign or grey traffic repeatedly, consider the following strategies, ranging from the safest (least likely to hide malicious traffic) to less safe approaches (may inadvertently hide malicious traffic).

– IP Pairs: Whitelist connections between two IP addresses, ideal for situations like primary and secondary database servers.

– Server IP: Whitelist a single host IP when multiple internal machines communicate with a single external system, such as an NTP server.

– Subnet of Servers: Whitelist an entire subnet when numerous servers are located in a data center.

– ASN: Whitelist an Autonomous System Number (ASN) to cover all the organization’s computers regardless of their location. Exercise caution when using this method and ensure you trust the organization.

– Client IP: Whitelist specific internal IP addresses with caution, as it may blind you to potential malicious traffic from that IP.

/

Whitelisting Caveats

Keep in mind that proxies and cloud providers can complicate whitelisting efforts: – Be cautious when working with proxy IP addresses. Whitelisting a proxy IP can inadvertently hide malicious traffic going through the proxy. – Use subnet and ASN whitelisting sparingly with cloud providers. Whitelisting a block of cloud-hosted machines can increase the risk of overlooking malicious activity.

Whitelisting With RITA

RITA, the open-source threat hunting tool, doesn’t have native whitelisting, but you can create a text file with IP addresses to exclude from RITA output. Use separate whitelist files for each module if desired.

Filter Traffic Out From Packet Capture

Whitelisting has its downsides, such as the software still needing to process and analyze the traffic. In cases where you’re sure certain traffic types don’t warrant attention, you can filter them out from packet capture. This reduces processing and storage needs, freeing up CPU time for remaining traffic analysis. To implement this with Zeek, add a filter in a “zeekargs=” line in the zeekctl.cfg file.

Ready to Enhance Your Security Posture?

Schedule a personal demo of AC-Hunter today and discover the difference proactive threat hunting can make for your enterprise.