Over the last several months, I’ve noticed something when discussing Incident Response (IR) with clients. There is often confusion between expectation and reality concerning the end results of an IR investigation. My goal here is to clarify and set those expectations, and to show how Threat Hunting factors in.
When TrustedSec gets called to conduct an IR investigation, we have a few goals in mind. We want to determine what happened, how the organization can stop the breach, and how they can prevent it from happening again (containment, eradication, and remediation). This is typically in line with the client’s expectation. The disconnect I see, however, is when we receive questions like, “Are all attackers out of our network?” or, “Are we no longer breached?” This is a much more complicated question and one that cannot typically be answered in a single IR engagement.
Think of it like this – hackers are like bugs. They get into your network (i.e., your house) and cause damage. Hiring an IR team to assess a breach is like hiring an exterminator to get rid of the bugs. Their purpose is to figure out how the ants in your living room got in, get rid of them, and make sure they don’t get back in.
The problem is, the exterminator is going to be focused on the ants in your living room. They may come across some ants in your kitchen while they are doing their investigation, but they aren’t going to look for the termites that may be in your attic.
When you bring in an IR team for a Business Email Compromise (BEC), for example, the IR team is going to be focused on the BEC (i.e., the ants in your living room). During the investigation, they may stumble across another BEC that occurred (i.e., the ants in your kitchen), but they aren’t going to be looking for the TrickBot malware you have on your endpoints (i.e., the termites in your attic).
Why is this? Why can’t IR teams look for everything during their investigation? It really comes down to time. IR teams, especially IR consultants, are limited with regard to how long they can spend on an investigation. At TrustedSec, clients purchase IR hours up front and we’re limited to those hours. We need to make the most of those hours, and the best use of that time is focusing on the investigation we’ve been hired to do, and answering the questions surrounding that incident.
So, what do you do if you want to find out if there are attackers on your network? That’s where Threat Hunting comes in. Threat Hunts come in two flavors: 1) searching for indicators of a specific threat actor or attack technique, and 2) searching for general signs of an attack (we call this a General Threat Hunt).
Going back to the previous analogy, you can hire an exterminator to find signs of ants anywhere in your house – this is a Threat Hunt. They are looking for the specific indicators of ants to determine if you currently have ants or have had them in the past. If you want the exterminator to look around your house for signs of any insects (e.g., ants, termites, wasps, etc.), then they are performing a General Threat Hunt. They aren’t going to focus on the specific indicators of any particular bug, but instead are going to look for general signs that are common to insects.
Here is a breakdown of a couple of questions to help determine your needs. Bear in mind, this is not an exhaustive list:
Do you currently have an incident and need it taken care of (i.e., ants in your living room)?
You need an Incident Response Investigation.
Do you want someone to look for a specific threat actor or their tactics, techniques, and procedures (i.e., ants in your house)?
That would be a great Threat Hunting Exercise.
Do you want someone to look for any attackers in your organization (i.e., ants and termites anywhere in your house)?
A General Threat Hunt is what you are looking for.
In the end, your goals and what questions you want to be answered are going to dictate the type of engagement you want. Ask yourself the questions above – that will help you determine if you want to take care of the ants, the termites, or both.