How good are your sleuthing skills? Do you savor Agatha Christie novels and figure out who did it before the big reveal? If so, the skills you use to read a good detective novel may also help you discover the origins of cyberthreats. With serious threat hunting techniques (the kind taken directly from books and TV shows that solve a crime in 60 minutes or 300 pages), you can discover the origins of a cyberattack and mitigate it before too much damage is done.
That was the lesson that Maya Horowitz, director of threat intelligence and research at Check Point Software Technologies, shared at CPX360. “If there was a hack,” she told the audience, “then there was a hacker.”
Fortunately, analysts can position themselves to respond effectively to attackers by employing the same threat hunting tactics as fictional detectives like Hercule Poirot and Miss Marple.
Do You Know How Cyberthreats Begin?
Detective novels, crime shows and whodunits all inspire audiences to try to assemble the clues and identify the bad actor before reaching the end. Everyone may have a different theory — until that theory is blown up by another discovery.
That’s the thing about sleuthing: Everyone uses a different logic pattern to get to the end result, and it may take long discussions and compromise to agree on one conclusion. But in my observation, so much time is wasted worrying about how we got to the end that we miss what happens at the beginning. As any author can tell you, the first chapter or the first five minutes set up the story and introduce key clues to how it ends. Knowing where and how cyberthreats begin can go a long way in developing a solid incident response plan.
Of course, at the start of a book or the latest episode of Law and Order, you don’t know what you should be paying special attention to. You just know a body is on the floor in the middle of a crime scene. You need to know how this happened. You need to know who did it — the source of the attack.
Step by Step, Network by Network
You need to be the detective of your own network, said Horowitz. Threat hunting requires intimate knowledge and diligent investigation of your logs. This will provide the clues as to why this victim — or, in this case, a sensitive cluster on your network — was targeted rather than the top boss with the corner office.
In the book, you’ll receive background on both the victim and the boss: who their friends were, where they liked to hang out, when you could expect to see them appear or disappear in the office, etc. That information hints at who the suspects might be. The guy in accounting has been seen hanging out at the victim’s favorite bar each night, but she rebuffs him. Of course he’s a suspect. But when he proves during questioning that he was out of town on the fateful night, the search continues.
In cyber sleuthing, you’re after similar details. Maybe a spear phishing email was sent to the company with malicious files that downloaded malware, shifted clusters and mimicked other applications on the network, spreading more malicious files. The logs provide the patterns you need to find the anomalies: Why did the attacks only happen in a four-hour time period, and why weren’t there any attacks at all during the month of February? Now you need to do a little more research, perhaps by studying the profiles of other attacks that took place around the time of your own case.
The more you dig, the more you may find traces that tie the attacks to specific threat actors or techniques. Once you have determined how they got into your network in the first place, you can develop your incident response plan accordingly.
Collect Clues Before Disaster Strikes
Fictional detectives are given intentionally bad clues or bumbling tactics to keep the story interesting for the reader. Cyber sleuths need to be more straightforward when they begin investigating cyberthreats. Not only do they need to know the network infrastructure intimately, but they also need a solid understanding of who accesses that infrastructure, as well as their behaviors and habits.
Regular audits can reveal weaknesses and strengths, but they can also open doors that make it easy for bad guys to enter. The key is recognizing patterns found in logs. It’s being aware. Detectives work on hunches — maybe something doesn’t feel right or seems out of character. Having a sense for when something is wrong in your network can help you discover a problem before your data is stolen.
With the cyberthreat landscape constantly shifting and more people working remotely, the ability to sniff out a potential cyberattack and find the bad guy is more necessary than ever. Who is your company’s Miss Marple? Every company needs a cyber detective if you want to thwart the bad guys.