March 18, 2020 By Sue Poremba 3 min read

How good are your sleuthing skills? Do you savor Agatha Christie novels and figure out who did it before the big reveal? If so, the skills you use to read a good detective novel may also help you discover the origins of cyberthreats. With serious threat hunting techniques (the kind taken directly from books and TV shows that solve a crime in 60 minutes or 300 pages), you can discover the origins of a cyberattack and mitigate it before too much damage is done.

That was the lesson that Maya Horowitz, director of threat intelligence and research at Check Point Software Technologies, shared at CPX360. “If there was a hack,” she told the audience, “then there was a hacker.”

Fortunately, analysts can position themselves to respond effectively to attackers by employing the same threat hunting tactics as fictional detectives like Hercule Poirot and Miss Marple.

Do You Know How Cyberthreats Begin?

Detective novels, crime shows and whodunits all inspire audiences to try to assemble the clues and identify the bad actor before reaching the end. Everyone may have a different theory — until that theory is blown up by another discovery.

That’s the thing about sleuthing: Everyone uses a different logic pattern to get to the end result, and it may take long discussions and compromise to agree on one conclusion. But in my observation, so much time is wasted worrying about how we got to the end that we miss what happens at the beginning. As any author can tell you, the first chapter or the first five minutes set up the story and introduce key clues to how it ends. Knowing where and how cyberthreats begin can go a long way in developing a solid incident response plan.

Of course, at the start of a book or the latest episode of Law and Order, you don’t know what you should be paying special attention to. You just know a body is on the floor in the middle of a crime scene. You need to know how this happened. You need to know who did it — the source of the attack.

Step by Step, Network by Network

You need to be the detective of your own network, said Horowitz. Threat hunting requires intimate knowledge and diligent investigation of your logs. This will provide the clues as to why this victim — or, in this case, a sensitive cluster on your network — was targeted rather than the top boss with the corner office.

In the book, you’ll receive background on both the victim and the boss: who their friends were, where they liked to hang out, when you could expect to see them appear or disappear in the office, etc. That information hints at who the suspects might be. The guy in accounting has been seen hanging out at the victim’s favorite bar each night, but she rebuffs him. Of course he’s a suspect. But when he proves during questioning that he was out of town on the fateful night, the search continues.

In cyber sleuthing, you’re after similar details. Maybe a spear phishing email was sent to the company with malicious files that downloaded malware, shifted clusters and mimicked other applications on the network, spreading more malicious files. The logs provide the patterns you need to find the anomalies: Why did the attacks only happen in a four-hour time period, and why weren’t there any attacks at all during the month of February? Now you need to do a little more research, perhaps by studying the profiles of other attacks that took place around the time of your own case.

The more you dig, the more you may find traces that tie the attacks to specific threat actors or techniques. Once you have determined how they got into your network in the first place, you can develop your incident response plan accordingly.

Collect Clues Before Disaster Strikes

Fictional detectives are given intentionally bad clues or bumbling tactics to keep the story interesting for the reader. Cyber sleuths need to be more straightforward when they begin investigating cyberthreats. Not only do they need to know the network infrastructure intimately, but they also need a solid understanding of who accesses that infrastructure, as well as their behaviors and habits.

Regular audits can reveal weaknesses and strengths, but they can also open doors that make it easy for bad guys to enter. The key is recognizing patterns found in logs. It’s being aware. Detectives work on hunches — maybe something doesn’t feel right or seems out of character. Having a sense for when something is wrong in your network can help you discover a problem before your data is stolen.

With the cyberthreat landscape constantly shifting and more people working remotely, the ability to sniff out a potential cyberattack and find the bad guy is more necessary than ever. Who is your company’s Miss Marple? Every company needs a cyber detective if you want to thwart the bad guys.

More from Threat Hunting

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today