How good are your sleuthing skills? Do you savor Agatha Christie novels and figure out who did it before the big reveal? If so, the skills you use to read a good detective novel may also help you discover the origins of cyberthreats. With serious threat hunting techniques (the kind taken directly from books and TV shows that solve a crime in 60 minutes or 300 pages), you can discover the origins of a cyberattack and mitigate it before too much damage is done.

That was the lesson that Maya Horowitz, director of threat intelligence and research at Check Point Software Technologies, shared at CPX360. “If there was a hack,” she told the audience, “then there was a hacker.”

Fortunately, analysts can position themselves to respond effectively to attackers by employing the same threat hunting tactics as fictional detectives like Hercule Poirot and Miss Marple.

Do You Know How Cyberthreats Begin?

Detective novels, crime shows and whodunits all inspire audiences to try to assemble the clues and identify the bad actor before reaching the end. Everyone may have a different theory — until that theory is blown up by another discovery.

That’s the thing about sleuthing: Everyone uses a different logic pattern to get to the end result, and it may take long discussions and compromise to agree on one conclusion. But in my observation, so much time is wasted worrying about how we got to the end that we miss what happens at the beginning. As any author can tell you, the first chapter or the first five minutes set up the story and introduce key clues to how it ends. Knowing where and how cyberthreats begin can go a long way in developing a solid incident response plan.

Of course, at the start of a book or the latest episode of Law and Order, you don’t know what you should be paying special attention to. You just know a body is on the floor in the middle of a crime scene. You need to know how this happened. You need to know who did it — the source of the attack.

Step by Step, Network by Network

You need to be the detective of your own network, said Horowitz. Threat hunting requires intimate knowledge and diligent investigation of your logs. This will provide the clues as to why this victim — or, in this case, a sensitive cluster on your network — was targeted rather than the top boss with the corner office.

In the book, you’ll receive background on both the victim and the boss: who their friends were, where they liked to hang out, when you could expect to see them appear or disappear in the office, etc. That information hints at who the suspects might be. The guy in accounting has been seen hanging out at the victim’s favorite bar each night, but she rebuffs him. Of course he’s a suspect. But when he proves during questioning that he was out of town on the fateful night, the search continues.

In cyber sleuthing, you’re after similar details. Maybe a spear phishing email was sent to the company with malicious files that downloaded malware, shifted clusters and mimicked other applications on the network, spreading more malicious files. The logs provide the patterns you need to find the anomalies: Why did the attacks only happen in a four-hour time period, and why weren’t there any attacks at all during the month of February? Now you need to do a little more research, perhaps by studying the profiles of other attacks that took place around the time of your own case.
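The two questions above, turned into a check over alert timestamps (an added example, not from the original article or from Horowitz's talk; the log format, host names and sample lines are constructed for illustration):

```python
from collections import Counter
from datetime import datetime

# Constructed sample alerts; all timestamps are UTC so hours are comparable.
SAMPLE_LOG = """\
2023-01-09T13:05:11Z alert=malicious_attachment host=ws-014
2023-01-17T14:40:02Z alert=malicious_attachment host=ws-022
2023-01-25T15:12:45Z alert=lateral_movement host=db-cluster-2
2023-03-02T13:58:30Z alert=malicious_attachment host=ws-014
2023-03-14T16:21:09Z alert=lateral_movement host=db-cluster-2
2023-03-28T14:03:57Z alert=process_masquerade host=ws-031
2023-04-06T15:47:20Z alert=malicious_attachment host=ws-022
2023-04-19T02:10:00Z alert=process_masquerade host=ws-031
"""

def parse_timestamps(log_text):
    """Read the leading ISO-8601 timestamp from each non-empty log line."""
    return [datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
            for line in log_text.splitlines() if line.strip()]

def busiest_hour_window(timestamps, width=4):
    """Return (start_hour, share) of the `width`-hour daily window, wrapping
    past midnight, that contains the largest share of events."""
    by_hour = Counter(ts.hour for ts in timestamps)
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(by_hour[(start + i) % 24] for i in range(width))
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count / len(timestamps)

def silent_months(timestamps):
    """Return (year, month) pairs with no events between first and last event."""
    seen = {(ts.year, ts.month) for ts in timestamps}
    (year, month), last = min(seen), max(seen)
    gaps = []
    while (year, month) <= last:
        if (year, month) not in seen:
            gaps.append((year, month))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return gaps

if __name__ == "__main__":
    events = parse_timestamps(SAMPLE_LOG)
    start, share = busiest_hour_window(events)
    print(f"{share:.0%} of alerts fall between {start:02d}:00 and {(start + 4) % 24:02d}:00 UTC")
    print("Months with no alerts:", silent_months(events))
```

A high share in one narrow window and a fully silent month are the anomalies worth comparing against the profiles of other attacks from the same period.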

The more you dig, the more you may find traces that tie the attacks to specific threat actors or techniques. Once you have determined how they got into your network in the first place, you can develop your incident response plan accordingly.

Collect Clues Before Disaster Strikes

Fictional detectives are given intentionally bad clues or bumbling tactics to keep the story interesting for the reader. Cyber sleuths need to be more straightforward when they begin investigating cyberthreats. Not only do they need to know the network infrastructure intimately, but they also need a solid understanding of who accesses that infrastructure, as well as their behaviors and habits.

Regular audits can reveal weaknesses and strengths, but they can also open doors that make it easy for bad guys to enter. The key is recognizing patterns found in logs. It’s being aware. Detectives work on hunches — maybe something doesn’t feel right or seems out of character. Having a sense for when something is wrong in your network can help you discover a problem before your data is stolen.

With the cyberthreat landscape constantly shifting and more people working remotely, the ability to sniff out a potential cyberattack and find the bad guy is more necessary than ever. Who is your company’s Miss Marple? Every company that wants to thwart the bad guys needs a cyber detective.
