In today’s digital age, cyber threats are constantly evolving, and Federal agencies are particularly vulnerable to attacks by State-sponsored advanced persistent threats (APTs). The need for a quick and effective response against these attacks is critical to maintaining national security and protecting our critical infrastructure. 

Hunting for APTs is hard – period. Flush with resources, APTs employ arguably the most sophisticated and evasive tactics, techniques, and procedures (TTPs) to infiltrate and persist within a network. Leveraging highly customized and “low and slow” attack methods, along with advanced evasion techniques, APTs are adept at bypassing detection mechanisms and can persist in victim Agency networks for months or even years. Experts at employing “Living of the Land” TTPs, or abusing legitimate applications organic to the victim’s environment (i.e. PowerShell, WMI, RDP, LoLBins, etc.), APTs are able to blend in with normal-looking activity, making them especially difficult for security teams to discover. 

The right team understands these steep challenges and develops a thorough, proactive, and adaptable approach to discover and mitigate evolving cyber attacks from APTs. Using a combination of threat actor research, advanced hypotheses, and comprehensive data analysis, expert threat hunting teams can quickly uncover the threat and respond accordingly. 

Know your target. Critical to an effective threat hunt is understanding the nature and veracity of the target APTs attack methods. Once a triggering event has occurred, driving the operating assumption that a named APT could be in the victim network, threat hunters will immediately begin working to refine their knowledge of the tools and TTPs that could be in scope. This includes researching published open-source and classified threat intelligence, deep and dark web forums, and security whitepapers. Additionally, sophisticated threat hunters will review relevant incident response data and perform malware analysis and reverse engineering to reveal historical attack trends and patterns as well as expected indicators and artifacts that should be expected if the target APT has successfully compromised the victim environment. Combining this data, experienced hunters will reconstruct the APT’s kill chain using industry standards such as the Pyramid of Pain and the MITRE ATT&CK Framework, outlining an attack workflow that later guides the threat hunt hypotheses and operations. 

Tailor your hunt using hypotheses. Experienced threat hunters must assume that APTs are aware of the reported intelligence and detection methods used to find them and will only be discoverable by looking for evidence of APT TTPs based on well crafted hypotheses. A hunt hypothesis is a testable statement that outlines the indicators or artifacts that must be present if the target APT was successful in their attack. A strong hunt hypothesis will define the scope of the hunt, including the systems, network segments, or data sources to be analyzed. It should also consider the context of the environment, such as the Agency’s mission and operations, typical user behavior, and relevant security controls in place. Furthermore, the hypothesis should include criteria or conditions that must be met to confirm or refute the hypothesis. This could involve thresholds for anomaly detection, correlation with known IOCs, or validation through manual investigation. 

Ensure visibility with the right data. Collecting the right data is essential, and without it, threat hunters are blind. For timely threat discovery and response, hunters must rapidly identify and ensure the collection and processing of a variety of data required to test their threat hunt hypotheses. Network traffic logs reveal patterns suggestive of APT activity, including unusual data transfers and command and control communications, while endpoint logs and artifacts offer insights into compromised devices and persistence mechanisms. System and application logs complement this by highlighting abnormal user behavior and authentication events. User and Entity Behavior Analytics (UEBA) data aids in identifying insider threats and compromised accounts. Collectively, these data sources empower threat hunters to proactively test their hypotheses and prove or disprove the presence of the targeted APT. 

At Edgewater, our recent threat hunt activities to discover Midnight Blizzard, a top-tier Russian government-backed APT, demonstrates our capability and agility. Recognizing the need to perform a hypothesis-driven ad hoc threat hunt to find evidence of compromise that may have evaded existing detections, our threat hunt team jumped into action. We understand the importance of a quick response against cyber attacks, and our expert threat hunt team stands ready to defend our Federal agency customers. Contact us to learn more about our approach to threat hunting, and how we can help protect your Federal organization. 

Back to All News

Further Reading

Edgewater Taps Shaun Poulton as the Company’s next CTO

FREDERICK, Md. (April 8, 2024) — Edgewater Federal Solutions, Inc. (Edgewater) announces that Shaun Poulton will head the company’s technology […]

The Digital Battlefront – The Need for a Quick Response against State-Sponsored Cyber Attacks 

In today’s digital age, cyber threats are constantly evolving, and Federal agencies are particularly vulnerable to attacks by State-sponsored advanced […]

Edgewater Promotes Brian Carr to CFO 

FREDERICK, Md. (April 1, 2024) — Edgewater Federal Solutions, Inc. (Edgewater) is pleased to announce the promotion of Brian Carr […]

The Digital Battlefront – Is your Agency Prepared for a State-Sponsored Cyber Attack?

State-sponsored advanced persistent threats (APTs) are becoming more emboldened in their cyber attacks. With significant resources at their disposal, including […]

Edgewater Ranks No. 73 on Inc. Magazine’s List of the Mid-Atlantic Region’s Fastest-Growing Private Companies 

Frederick, Md. (February 27, 2024) – Inc. magazine today revealed that Edgewater Federal Solutions, Inc. is No. 73 on its […]

Edgewater Celebrates 2023 Founder’s Award Winners

During Edgewater’s Q1 Town Hall, we had the incredible pleasure of announcing our Founder’s Award honorees! Congratulations to Barry Cohen […]

Innovation, Growth, and Giving Back: Edgewater’s Unforgettable 2023

2023 marked another incredible year for Edgewater Federal Solutions. There are some things we’re fortunate to celebrate every year, like […]

Edgewater Federal Solutions Named to Inc.’s 2023 Best in Business List in IT Management Category 

4th annual list recognizes 215 private companies putting purpose ahead of profit.  Frederick, Md. (December 5, 2023) – Edgewater Federal […]

Edgewater Named 2024 Elev8 GovCon Honoree by OrangeSlices 

Frederick, Md. (October 24, 2023) — Edgewater Federal Solutions, Inc. (Edgewater) is recognized as being among OrangeSlices’ 2024 Elev8 GovCon […]

Your Role in Cybersecurity: Tips for Cybersecurity Awareness Month 

At Edgewater, cybersecurity is the cornerstone of our company. It’s how we protect our client’s critical information, our assets, and […]

Our People…Your Edge

We didn’t create our outstanding team by accident.

Our advantage comes from a consistent focus on attracting highly talented and dedicated people – and a commitment to honoring and empowering them so that they stay. With meaningful work and industry-leading training, compensation, and benefits, Edgewater careers are enviable so that our people are our edge.

Working for Edgewater Federal Solutions for the past 5 years has renewed my belief that great companies still exist.   They value and recognize the employee and invest in our futures.  To anyone considering a career with Edgewater, if you enjoy a positive working environment with a company that values and recognizes its employees contributions come join us.

- Al Tornabene