Good Hunting

The personal blog of Chris Gerritz. I muse on malware, threat hunting, and security incidents. Occasionally more.

Detect and Respond: What's Missing?

It's almost universally accepted that antivirus isn't effective enough and we see breaches in the news every day. Over the last year I've had a lot of conversations around the role of hunt and compromise assessments even within a SOC that does real-time monitoring and response. I hope this post helps clarify.


Prevent, Detect, Respond

To understand the role of threat hunting, we must first understand the current model for enterprise security. Best practices, such as those codified by the NIST Cybersecurity Framework, recommend a prevent (or protect), detect, and respond approach. Roughly stated: organizations should prevent the attacks they can prevent and at least detect and respond to any attacks that get through. Due to the complexity of controls in the modern enterprise and the imprecision inherent in separating malicious from benign activity, a percentage of attacks will always fall below the prevention threshold and be allowed inside the network. A prompt response action on these is meant to mitigate the threat before damage occurs.

To support this model, the majority of enterprise detection products on the market are designed for real-time continuous monitoring. The aim of continuous monitoring is to detect attacks as they occur, which we will hereafter refer to as “Intrusion Detection”.

  • Intrusion Detection - "The act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource."

On the other side, we have incident response, which employs digital forensics processes and tools to identify the root cause, damage, and extent of a breach and then restore the affected parts of the network. We refer to the process of detecting active malware and indicators of compromise during response as “Post-compromise Detection”.

  • Post-compromise Detection - "The act of detecting adversaries and malicious software inside the network after it has been successfully compromised. The goal is to reduce the dwell time of attackers and remove them before they can cause further damage."

The Breach Detection Gap

By Example

To illustrate the gap in this model and where hunt fits, let’s map out the possible outcomes of detect and respond using some notional numbers. In our sample organization, we can assume a large percentage of common attacks will be stopped by preventative controls; the hope is that the rest of the attacks will at least be detected or logged and a response action initiated. The reality, though, is that a percentage of detected attacks will go completely unmitigated ("No Response") due to analyst miscategorization and/or limited resources (i.e. not enough eyeballs on all the alerts). Worse still, some sophisticated attacks have been shown to bypass defenses without detection due to detection technology limits and/or the employment of advanced “zero-day” exploits and techniques.

Figure: Notional Intrusion Detection & Response Outcomes

With these results, a detect and respond strategy will completely ignore 4% of attacks, allowing the attacker to persist in the network in perpetuity. In order to address that 4%, organizations should consider employing a layer of post-compromise detection, normally reserved for response, proactively – this proactive application is called Threat Hunting.


Threat Hunting

  • Threat Hunting (“hunting”) - "A focused and iterative process to identify previously unknown adversaries and threats already inside the network."

While some of the individual techniques and underlying goals will not be 100% new to the incident responder, hunting represents a paradigm shift in the way we approach enterprise security operations. Roughly, it employs post-compromise detection proactively (before you suspect/know they are in there) to find adversaries and threats that have successfully bypassed network defenses, controls, and monitoring.

Hunt Fills the Gap

Ultimately, hunting reduces the dwell time of attackers that have bypassed defenses, significantly reducing the damage that can occur from long term unauthorized access. In some cases, we’ve seen it reduce this time from a 6+ month average to less than three (3) days.

Over the next couple of weeks I'll be posting technical specifics on how best to conduct hunt operations within the enterprise. There are several models to choose from depending on the maturity and sophistication of your infrastructure, but we will concentrate on the model we created that has proven to maximize return on investment and scalability regardless of maturity and infrastructure.

San Antonio, TX
Chris Gerritz is a retired Air Force cyber warfare officer and pilot. He now hunts malware for a living as co-founder of Infocyte.