In today’s digital age, cyber threats are constantly evolving, and Federal agencies are particularly vulnerable to attacks by State-sponsored advanced persistent threats (APTs). The need for a quick and effective response against these attacks is critical to maintaining national security and protecting our critical infrastructure. 

Hunting for APTs is hard – period. Flush with resources, APTs employ arguably the most sophisticated and evasive tactics, techniques, and procedures (TTPs) to infiltrate and persist within a network. Leveraging highly customized and “low and slow” attack methods, along with advanced evasion techniques, APTs are adept at bypassing detection mechanisms and can persist in victim Agency networks for months or even years. Experts at “Living off the Land” TTPs, that is, abusing legitimate applications already present in the victim’s environment (e.g. PowerShell, WMI, RDP, and other LOLBins), APTs blend in with normal-looking activity, making them especially difficult for security teams to discover. 

The right team understands these steep challenges and develops a thorough, proactive, and adaptable approach to discover and mitigate evolving cyber attacks from APTs. Using a combination of threat actor research, advanced hypotheses, and comprehensive data analysis, expert threat hunting teams can quickly uncover the threat and respond accordingly. 

Know your target. Critical to an effective threat hunt is understanding the nature of the target APT’s attack methods and the reliability of the intelligence describing them. Once a triggering event has occurred, driving the operating assumption that a named APT could be in the victim network, threat hunters immediately begin refining their knowledge of the tools and TTPs that could be in scope. This includes researching published open-source and classified threat intelligence, deep and dark web forums, and security whitepapers. Additionally, sophisticated threat hunters review relevant incident response data and perform malware analysis and reverse engineering to reveal historical attack trends and patterns, as well as the indicators and artifacts that should be present if the target APT has successfully compromised the victim environment. Combining this data, experienced hunters reconstruct the APT’s kill chain using industry standards such as the Pyramid of Pain and the MITRE ATT&CK Framework, outlining an attack workflow that later guides the threat hunt hypotheses and operations. 

Tailor your hunt using hypotheses. Experienced threat hunters must assume that APTs are aware of the reported intelligence and detection methods used to find them, and that the APT will only be discoverable by looking for evidence of its TTPs based on well-crafted hypotheses. A hunt hypothesis is a testable statement that outlines the indicators or artifacts that must be present if the target APT was successful in its attack. A strong hunt hypothesis defines the scope of the hunt, including the systems, network segments, or data sources to be analyzed. It should also consider the context of the environment, such as the Agency’s mission and operations, typical user behavior, and the relevant security controls in place. Furthermore, the hypothesis should include the criteria or conditions that must be met to confirm or refute it. These could be thresholds for anomaly detection, correlation with known IOCs, or validation through manual investigation. 

Ensure visibility with the right data. Collecting the right data is essential; without it, threat hunters are blind. For timely threat discovery and response, hunters must rapidly identify the data required to test their hypotheses and ensure it is collected and processed. Network traffic logs reveal patterns suggestive of APT activity, including unusual data transfers and command and control communications, while endpoint logs and artifacts offer insights into compromised devices and persistence mechanisms. System and application logs complement this by highlighting abnormal user behavior and authentication events. User and Entity Behavior Analytics (UEBA) data aids in identifying insider threats and compromised accounts. Collectively, these data sources empower threat hunters to proactively test their hypotheses and prove or disprove the presence of the targeted APT. 
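To make the two preceding sections concrete, here is one hunt hypothesis written as a testable check and run over sample data; this is an added example, not Edgewater’s tooling. The hypothesis: if the APT is present, an in-scope host shows “low and slow” beaconing to one destination (near-constant interval and payload size, the anomaly thresholds) and the socket belongs to a living-off-the-land binary such as PowerShell (the endpoint correlation). All hosts, addresses, byte counts, thresholds, and the LOLBin list are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real telemetry: (seconds, host, dst_ip, bytes_out)
FLOWS = [
    (0, "ws01", "203.0.113.5", 410), (3600, "ws01", "203.0.113.5", 402),
    (7205, "ws01", "203.0.113.5", 415), (10800, "ws01", "203.0.113.5", 408),
    (14397, "ws01", "203.0.113.5", 411),            # hourly, same-sized: beacon-like
    (10, "ws02", "198.51.100.9", 5300), (95, "ws02", "198.51.100.9", 120000),
    (4000, "ws02", "198.51.100.9", 800), (4100, "ws02", "198.51.100.9", 2200),  # bursty browsing
    (0, "ws03", "192.0.2.44", 200), (600, "ws03", "192.0.2.44", 200),
    (1200, "ws03", "192.0.2.44", 200), (1800, "ws03", "192.0.2.44", 200),  # periodic, benign owner
]
# Constructed endpoint data: which process owned the socket for each (host, dst) pair
SOCKET_OWNER = {("ws01", "203.0.113.5"): "powershell.exe",
                ("ws02", "198.51.100.9"): "chrome.exe",
                ("ws03", "192.0.2.44"): "teams.exe"}
LOLBINS = {"powershell.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
HYPOTHESIS = {  # scope plus the confirm/refute thresholds the hypothesis must state
    "scope_hosts": {"ws01", "ws02", "ws03"},
    "min_events": 4,          # enough connections to measure periodicity
    "max_interval_cv": 0.05,  # near-constant spacing (coefficient of variation)
    "max_bytes_cv": 0.10,     # near-constant payload size
}

def beacon_candidates(flows, hyp):
    """Return (host, dst) pairs whose timing and size regularity pass the thresholds."""
    series = defaultdict(list)
    for t, host, dst, nbytes in flows:
        if host in hyp["scope_hosts"]:
            series[(host, dst)].append((t, nbytes))
    hits = {}
    for key, events in series.items():
        if len(events) < hyp["min_events"]:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue  # degenerate series (identical timestamps or empty flows)
        gap_cv, size_cv = pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)
        if gap_cv <= hyp["max_interval_cv"] and size_cv <= hyp["max_bytes_cv"]:
            hits[key] = {"interval_s": round(mean(gaps)), "gap_cv": round(gap_cv, 3)}
    return hits

def evaluate_hypothesis(flows, owners, hyp):
    """Confirm a candidate only when the endpoint side shows a living-off-the-land owner."""
    return [{"host": h, "dst": d, "process": owners.get((h, d), "unknown"), **stats}
            for (h, d), stats in beacon_candidates(flows, hyp).items()
            if owners.get((h, d), "").lower() in LOLBINS]
```

Note that ws03 is periodic but refuted by the endpoint correlation, while ws02 never reaches the candidate stage; only ws01 meets every condition the hypothesis set out.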

At Edgewater, our recent threat hunt activities to discover Midnight Blizzard, a top-tier Russian government-backed APT, demonstrate our capability and agility. Recognizing the need to perform a hypothesis-driven ad hoc threat hunt to find evidence of compromise that may have evaded existing detections, our threat hunt team jumped into action. We understand the importance of a quick response against cyber attacks, and our expert threat hunt team stands ready to defend our Federal agency customers. Contact us to learn more about our approach to threat hunting and how we can help protect your Federal organization. 
