March 18, 2020 By Sue Poremba 3 min read

How good are your sleuthing skills? Do you savor Agatha Christie novels and figure out who did it before the big reveal? If so, the skills you use to read a good detective novel may also help you discover the origins of cyberthreats. With serious threat hunting techniques (the kind taken directly from books and TV shows that solve a crime in 60 minutes or 300 pages), you can discover the origins of a cyberattack and mitigate it before too much damage is done.

That was the lesson that Maya Horowitz, director of threat intelligence and research at Check Point Software Technologies, shared at CPX360. “If there was a hack,” she told the audience, “then there was a hacker.”

Fortunately, analysts can position themselves to respond effectively to attackers by employing the same threat hunting tactics as fictional detectives like Hercule Poirot and Miss Marple.

Do You Know How Cyberthreats Begin?

Detective novels, crime shows and whodunits all inspire audiences to try to assemble the clues and identify the bad actor before reaching the end. Everyone may have a different theory — until that theory is blown up by another discovery.

That’s the thing about sleuthing: Everyone uses a different logic pattern to get to the end result, and it may take long discussions and compromise to agree on one conclusion. But in my observation, so much time is wasted worrying about how we got to the end that we miss what happens at the beginning. As any author can tell you, the first chapter or the first five minutes set up the story and introduce key clues to how it ends. Knowing where and how cyberthreats begin can go a long way in developing a solid incident response plan.

Of course, at the start of a book or the latest episode of Law and Order, you don’t know what you should be paying special attention to. You just know a body is on the floor in the middle of a crime scene. You need to know how this happened. You need to know who did it — the source of the attack.

Step by Step, Network by Network

You need to be the detective of your own network, said Horowitz. Threat hunting requires intimate knowledge and diligent investigation of your logs. This will provide the clues as to why this victim — or, in this case, a sensitive cluster on your network — was targeted rather than the top boss with the corner office.

In the book, you’ll receive background on both the victim and the boss: who their friends were, where they liked to hang out, when you could expect to see them appear or disappear in the office, etc. That information hints at who the suspects might be. The guy in accounting has been seen hanging out at the victim’s favorite bar each night, but she rebuffs him. Of course he’s a suspect. But when he proves during questioning that he was out of town on the fateful night, the search continues.

In cyber sleuthing, you’re after similar details. Maybe a spear phishing email was sent to the company with malicious files that downloaded malware, shifted clusters and mimicked other applications on the network, spreading more malicious files. The logs provide the patterns you need to find the anomalies: Why did the attacks only happen in a four-hour time period, and why weren’t there any attacks at all during the month of February? Now you need to do a little more research, perhaps by studying the profiles of other attacks that took place around the time of your own case.

The more you dig, the more you may find traces that tie the attacks to specific threat actors or techniques. Once you have determined how they got into your network in the first place, you can develop your incident response plan accordingly.

Collect Clues Before Disaster Strikes

Fictional detectives are given intentionally bad clues or bumbling tactics to keep the story interesting for the reader. Cyber sleuths need to be more straightforward when they begin investigating cyberthreats. Not only do they need to know the network infrastructure intimately, but they also need a solid understanding of who accesses that infrastructure, as well as their behaviors and habits.

Regular audits can reveal weaknesses and strengths, but they can also open doors that make it easy for bad guys to enter. The key is recognizing patterns found in logs. It’s being aware. Detectives work on hunches — maybe something doesn’t feel right or seems out of character. Having a sense for when something is wrong in your network can help you discover a problem before your data is stolen.

With the cyberthreat landscape constantly shifting and more people working remotely, the ability to sniff out a potential cyberattack and find the bad guy is more necessary than ever. Who is your company’s Miss Marple? Every company needs a cyber detective if you want to thwart the bad guys.

More from Threat Hunting

Racing Round and Round: The Little Bug That Could

13 min read - The little bug that could: CVE-2024-30089 is a subtle kernel vulnerability I used to exploit a fully updated Windows 11 machine (with all Virtualization Based Security and hardware security mitigations enabled) and scored my first win at Pwn2Own this year. In this article, I outline my straightforward approach to bug hunting: picking a starting point and intuitively following a path until something catches my attention. This bug is interesting because it can be reliably triggered due to a logic error.…

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today