I’m a fan of thought exercises. The more time I can spend thinking through scenarios the more prepared I feel for things that could happen in real life. It’s not unlike thinking about what I need to pack for a hike or a campout. Even if the weather is supposed to be clear and nice I’m still going to pack a rain jacket just in case. I’ve experienced the alternative and it’s not something I want to deal with again.
In the realm of enterprise security, it’s important to think about what threats are out there as well. I’m not exactly talking about the extreme corner cases that might only happen once or twice in the life of a company. Instead, I’m talking more about the kinds of things that could go wrong and lead to a bigger issue. It’s important to get in front of these issues because we don’t want to get caught unaware when they happen.
Frameworks for Finding Problems
During the most recent Security Field Day event, I had the opportunity to see a great presentation from Eric Hulse at Cisco about the art of threat hunting. Here’s the video from that presentation:
Eric does a great job of explaining why it’s important to go on the offensive when it comes to looking for threats. Think about the last few times your security organization has been mobilized to respond to a threat. Was it because you realized there was a hole that needed to be patched? Or was it because you were reacting to a threat that was already being exploited?
The nature of modern enterprise security involves reactive work. Automated systems are good at detected indicators of compromise (IoC) or even finding attackers moving throughout the network. It’s like the alarm going off at your home when someone breaks in through a window or even you hearing someone inside when they shouldn’t be there. You’re already on the defensive by the time you realize something has gone wrong.
With the huge attack surface we have to cover and the growing number of threats out there it’s not all that uncommon to find yourself hopping from incident to incident with no chance to stem the tide before it washes you out to sea. Given the way we look at security it’s not surprising that we’re always playing catch up to the people looking to exploit us. As the famous quote goes, they only have to get lucky once while we have to be lucky every time.
That’s why the change in thinking that Eric talks about in the above video is so critical to changing the way the game is played. Instead of reacting to the threats as they come in, threat modeling and threat hunting instead teaches us to look for the problems before they can be exploited. Like checking your house for potential areas of insecurity or even doing a regular check of critical systems you are thinking about how the attackers are going to try to break in rather than reacting to them already being inside.
Contemplating Outside the Container
For me, the most obvious example of how a threat hunter can uncover some intriguing results comes from Eric’s Notepad example. A simple question is the start: Should Notepad ever connect to the network? Through his analysis he found that not only would it connect under certain circumstances but that it happened quite often because of the behavior of the users. Our behavior was an indicator of a potential avenue of compromise because we use things in unintended ways.
VPNs are another great example. We encourage the use of VPNs to provide secure connectivity to sensitive resources. We want our knowledge workers and our executives to use VPNs because we need them to stay safe and we need our assets to stay secure as well. But what about accessing data outside of regular hours? Should anyone be on a VPN connection at 3am local time? Should the same user be connected via VPN for more than one session? More than five? What if a user traveled to a foreign country and used a VPN per company policy but those same user credentials accessed the company even after the user was back from their trip?
These questions are the way to start a threat hunt. Instead of just making a blanket policy of restricting VPN logins by time you need to understand the dynamics at play. Users may need to access files in the middle of the night right before the end of the quarter. Executives overseas may want to update information at 2am because it’s the middle of the day for them. And a user may want to log into the VPN more than once if they’re using their laptop and their phone. But those use cases are only the start of your hunt.
After you define what might be acceptable you have to define what is problematic. You need to train your security analysts and your systems to look for that anomalous behavior and report it instantly or restrict it from happening. If your executives are traveling out of the country you need to set a limit on the dates when their credentials are able to be used from remote addresses. If you get a report that someone has tried to reuse those credentials outside of that window you need to assume you’ve been compromised and act accordingly. Simple things like that are the heart of every threat hunt.
Bringing It All Together
My daydreaming thought exercises aren’t always specific and that gives me the freedom to explore ideas that I might not have otherwise entertained. However, the framework that Cisco has put in place to explore threats and hunt them to ground is much more comprehensive for actual analysis instead of just idle speculation. Dedicating a part of your bandwidth to this kind of threat exploration is going to reap benefits beyond your wildest dreams.
For more information about Cisco and their threat hunting methodology, check out their Threat Hunting page here.