Threat hunting is an exercise in unpredictability. On any given day, you could be investigating ransomware attacks on schools, hospitals, or government agencies.
The offenders might be entry-level attackers or full-fledged nation-states. You might be trying to piece together an attacker’s identity after the fact or called in to thwart an attack in progress. And the tactics, techniques, and procedures (TTPs) deployed across all of these scenarios may be completely different from each other, requiring equally different responses.
That’s a day in the life of a threat hunter, where the only constant for security teams and managed service providers (MSPs) is to maintain constant vigilance over a client’s environment, knowing it’s just a matter of when, not if, the next attack will be coming – and trying to anticipate the “how” of the attack as best as possible. But as unpredictable as threat hunting is, there are certain guardrails and principles that MSPs can fall back on – essential pillars that make all the difference in identifying attackers and stopping them in their tracks.
1. Cleaning Out the Web of Intrusion In a Client’s Environment
No two attackers are the same, no two breaches or ransomware attacks are the same, and no two client environments are the same – each situation requires a uniquely tailored approach to thwarting an attacker, cleaning out the environment, and preventing another breach from occurring.
But tailoring the approach also means working off a baseline level of corrective actions – steps that must be taken each time to ensure threat hunters are both correctly assessing the breach and flushing out attempts at another one in the future. These include:
- Blocking attacker commands and C2 communications that may occur after the initial breach.
- Conducting login audits that entail disabling and removing access privileges for each compromised account on a network.
- Deploying tools like Sophos Intercept X to isolate hosts from the environment.
- Eliminating malicious processes and systems that have been left behind on compromised machines or networks, and may be used as backdoors for future attacks.
When MSPs are determining their next steps for investigating a client’s environment, ejecting all traces of attacker activity, and fortifying defenses for the inevitable next attempted breach, the above should all form the backbone of any adequate response.
2. Proactivity Over-reactivity
Incident response teams investigate environments that have been breached or compromised by attackers. Their work is largely reactive and retroactive. This is complementary to the threat hunter’s approach, which by design must be proactive: analyzing the day-to-day numbers to find data abnormalities that might indicate an attack, and from there determine TTPs and attacker profiles.
The job of a threat hunter is to practice 24/7 monitoring on a client’s environment, being constantly on the lookout for new processes or commands that don’t just look out of place in the environment, but may also be telltale signs of a breach-in-progress.
3. Separating Legitimate Tools From Illegitimate Uses
Attackers will often co-opt legitimate tools or files for nefarious purposes. These may include command and recon tools like ADFind or Nltest, or living-off-the-land applications. Threat hunters can’t just terminate these files or processes each time they pop up because they’re native to the operating system and are frequently used by system admins for legitimate and essential purposes. So the job becomes not just squashing every instance of ADFind or Nltest, but being able to tell the difference between when they’re fulfilling their genuine purpose and when they’re being used by attackers to essentially “case” a client’s network in the run up to a breach.
One notable example of this occurred just last year, when the Sophos Managed Threat Response (MTR) team was asked to intervene for an organization that had been afflicted by a ransomware attack launched by Maze, who were demanding a $15 million ransom from the company. Our investigation revealed that Maze was able to breach this organization’s environment by illegitimately utilizing a series of legitimate tools – namely, Advanced IP Scanner, Remote Desktop Protocol, WinRar, 7zp, and Total Commander. It isn’t reasonable to expect clients’ system admins to block these programs across the board because they’re necessary, and inherently harmless, tools for running a network. That Maze was able to co-opt these tools for their own ends is proof not that these programs must be eliminated, but that MSPs need to broaden their understanding of suspicious activity to include behavior from seemingly normal sources as well.
MSPs Can Inject Predictability Into Threat Hunting With Sophos MTR and Rapid Response
These first-in-the-industry offerings build on traditional endpoint detection and response, putting forward lightning-fast response efforts that marry the expertise of human-led threat hunting teams with the 24/7 monitoring needed to get ahead of would-be attackers and flush out cyber adversaries from a client’s network. The combined speed and effectiveness of Sophos MTR and Rapid Response ensure that both MSPs and their clients thwart attackers, minimize damage and costs, and accelerate recovery time to get back to normal as quickly as possible. That’s predictability that both threat hunters and their customers should be able to count on.