In today’s digital age, cyber threats are constantly evolving, and Federal agencies are particularly vulnerable to attacks by State-sponsored advanced persistent threats (APTs). The need for a quick and effective response against these attacks is critical to maintaining national security and protecting our critical infrastructure.
Hunting for APTs is hard – period. Flush with resources, APTs employ arguably the most sophisticated and evasive tactics, techniques, and procedures (TTPs) to infiltrate and persist within a network. Leveraging highly customized and “low and slow” attack methods, along with advanced evasion techniques, APTs are adept at bypassing detection mechanisms and can persist in victim Agency networks for months or even years. Experts at employing “Living off the Land” TTPs, or abusing legitimate applications organic to the victim’s environment (e.g. PowerShell, WMI, RDP, LOLBins), APTs are able to blend in with normal-looking activity, making them especially difficult for security teams to discover.
The right team understands these steep challenges and develops a thorough, proactive, and adaptable approach to discover and mitigate evolving cyber attacks from APTs. Using a combination of threat actor research, advanced hypotheses, and comprehensive data analysis, expert threat hunting teams can quickly uncover the threat and respond accordingly.
Know your target. Critical to an effective threat hunt is understanding the nature and veracity of the target APT’s attack methods. Once a triggering event has occurred, driving the operating assumption that a named APT could be in the victim network, threat hunters will immediately begin working to refine their knowledge of the tools and TTPs that could be in scope. This includes researching published open-source and classified threat intelligence, deep and dark web forums, and security whitepapers. Additionally, sophisticated threat hunters will review relevant incident response data and perform malware analysis and reverse engineering to reveal historical attack trends and patterns, as well as the indicators and artifacts that should be present if the target APT has successfully compromised the victim environment. Combining this data, experienced hunters will reconstruct the APT’s kill chain using industry standards such as the Pyramid of Pain and the MITRE ATT&CK Framework, outlining an attack workflow that later guides the threat hunt hypotheses and operations.
Tailor your hunt using hypotheses. Experienced threat hunters must assume that APTs are aware of the reported intelligence and detection methods used to find them and will only be discoverable by looking for evidence of APT TTPs based on well-crafted hypotheses. A hunt hypothesis is a testable statement that outlines the indicators or artifacts that must be present if the target APT was successful in its attack. A strong hunt hypothesis will define the scope of the hunt, including the systems, network segments, or data sources to be analyzed. It should also consider the context of the environment, such as the Agency’s mission and operations, typical user behavior, and relevant security controls in place. Furthermore, the hypothesis should include criteria or conditions that must be met to confirm or refute the hypothesis. This could involve thresholds for anomaly detection, correlation with known IOCs, or validation through manual investigation.
Ensure visibility with the right data. Collecting the right data is essential, and without it, threat hunters are blind. For timely threat discovery and response, hunters must rapidly identify and ensure the collection and processing of a variety of data required to test their threat hunt hypotheses. Network traffic logs reveal patterns suggestive of APT activity, including unusual data transfers and command and control communications, while endpoint logs and artifacts offer insights into compromised devices and persistence mechanisms. System and application logs complement this by highlighting abnormal user behavior and authentication events. User and Entity Behavior Analytics (UEBA) data aids in identifying insider threats and compromised accounts. Collectively, these data sources empower threat hunters to proactively test their hypotheses and prove or disprove the presence of the targeted APT.
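As an added illustration of the hypothesis structure described in the two sections above (a testable statement, a defined scope, environmental context, and confirm/refute criteria evaluated against network and authentication data), the following Python is example code written for this post, not Edgewater’s tooling. The telemetry records, the watchlisted destination 203.0.113.7, the 500 MB per-day egress baseline, the business-hours window, and the list of accounts expected to log on at night are all constructed assumptions.

```python
"""Encode a threat hunt hypothesis as scope + criteria and test it against telemetry."""
from dataclasses import dataclass
from typing import Callable

# --- Constructed sample telemetry (illustrative only, not real data) ---
# Daily outbound flow summaries per (host, destination).
NETFLOW = [
    {"host": "ws-101", "dst": "update.vendor.test", "bytes_out": 4_200_000},
    {"host": "ws-101", "dst": "203.0.113.7", "bytes_out": 910_000_000},
    {"host": "srv-db1", "dst": "backup.internal.test", "bytes_out": 50_000_000_000},
    {"host": "ws-202", "dst": "203.0.113.7", "bytes_out": 12_000},
    {"host": "ws-305", "dst": "cdn.vendor.test", "bytes_out": 6_500_000},
]
# Successful/failed logons with the local hour of the event.
AUTH = [
    {"host": "ws-101", "user": "jdoe", "hour": 9, "success": True},
    {"host": "ws-101", "user": "jdoe", "hour": 3, "success": True},
    {"host": "ws-202", "user": "asmith", "hour": 14, "success": True},
    {"host": "ws-305", "user": "svc_backup", "hour": 2, "success": True},
]

# Environmental context the hypothesis must account for (assumed values).
IOC_DESTINATIONS = {"203.0.113.7"}        # placeholder watchlist from threat intel
EGRESS_THRESHOLD_BYTES = 500_000_000      # assumed 500 MB/day baseline per destination
EXPECTED_BULK_DESTINATIONS = {"backup.internal.test"}  # sanctioned bulk transfers
KNOWN_OFFHOURS_USERS = {"svc_backup"}     # service accounts that run nightly jobs
BUSINESS_HOURS = (6, 22)                  # logons outside [06:00, 22:00) are off-hours

Finding = tuple[str, str, str]  # (criterion, host, detail)
Criterion = Callable[[dict], list[Finding]]


@dataclass
class HuntHypothesis:
    statement: str
    scope: set[str]           # hosts under examination
    criteria: list[Criterion]  # conditions that must hold if the APT succeeded


def ioc_correlation(data: dict) -> list[Finding]:
    """Criterion 1: an in-scope host talked to a watchlisted destination."""
    return [("ioc_match", r["host"], r["dst"])
            for r in data["netflow"] if r["dst"] in IOC_DESTINATIONS]


def egress_anomaly(data: dict) -> list[Finding]:
    """Criterion 2: outbound volume to one unsanctioned destination exceeds baseline."""
    return [("egress_threshold", r["host"], f'{r["dst"]} sent {r["bytes_out"]} bytes')
            for r in data["netflow"]
            if r["bytes_out"] > EGRESS_THRESHOLD_BYTES
            and r["dst"] not in EXPECTED_BULK_DESTINATIONS]


def offhours_auth(data: dict) -> list[Finding]:
    """Criterion 3: successful off-hours logon by an account not expected to work then."""
    start, end = BUSINESS_HOURS
    return [("offhours_logon", r["host"], f'{r["user"]} at {r["hour"]:02d}:00')
            for r in data["auth"]
            if r["success"] and r["user"] not in KNOWN_OFFHOURS_USERS
            and not (start <= r["hour"] < end)]


def evaluate(h: HuntHypothesis, netflow: list, auth: list) -> dict:
    """Restrict each data source to the hypothesis scope, run every criterion,
    and return a verdict plus the evidence an analyst must validate by hand."""
    data = {
        "netflow": [r for r in netflow if r["host"] in h.scope],
        "auth": [r for r in auth if r["host"] in h.scope],
    }
    findings = [f for criterion in h.criteria for f in criterion(data)]
    hosts = sorted({host for _, host, _ in findings})
    status = ("confirmed: evidence present, manual validation required"
              if findings else "refuted: no criteria met for this scope and data")
    return {"status": status, "findings": findings, "hosts": hosts}


WORKSTATION_HYPOTHESIS = HuntHypothesis(
    statement=("If the target APT has established command and control on in-scope "
               "workstations and staged data for exfiltration, network logs will show "
               "contact with watchlisted destinations or anomalous egress, and "
               "authentication logs will show off-hours logons by user accounts."),
    scope={"ws-101", "ws-202", "ws-305"},
    criteria=[ioc_correlation, egress_anomaly, offhours_auth],
)

if __name__ == "__main__":
    result = evaluate(WORKSTATION_HYPOTHESIS, NETFLOW, AUTH)
    print(result["status"])
    for criterion, host, detail in result["findings"]:
        print(f"  [{criterion}] {host}: {detail}")
```

Two design points matter here. Scope is applied before any criterion runs, so the database server’s sanctioned 50 GB backup never enters the analysis of a workstation-focused hypothesis, and even when a server hypothesis includes it, the expected-destination list keeps mission-normal bulk transfers from generating noise. The verdict is also deliberately “confirmed, validate manually” rather than “compromised”: the criteria establish that the evidence the hypothesis predicted is present, and the page’s final step, manual investigation, decides what it means.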
At Edgewater, our recent threat hunt activities to discover Midnight Blizzard, a top-tier Russian government-backed APT, demonstrate our capability and agility. Recognizing the need to perform a hypothesis-driven ad hoc threat hunt to find evidence of compromise that may have evaded existing detections, our threat hunt team jumped into action. We understand the importance of a quick response against cyber attacks, and our expert threat hunt team stands ready to defend our Federal agency customers. Contact us to learn more about our approach to threat hunting, and how we can help protect your Federal organization.