


June 12, 2019

Threat Hunting: the Good, the Bad, and the News

Threat hunting is one of those cybersecurity undertakings that leaves nobody without an opinion. Some find it revolutionary thanks to its narrow, dedicated focus on generating and validating hypotheses to uncover threats that have not yet been detected.

Skeptics call it a “cover-up” for cybersecurity investments that failed to deliver. Would we even need to talk about threat hunting if all the claimed benefits of working with service providers and information security specialists had been achieved?

Somewhere between these two extremes, others say they have already been performing this activity for quite a while as part of their daily operations, without attaching a “threat hunting” label to it.

Whatever your take or stake in it, the percentage of organizations performing threat hunting operations is growing.

While it’s hard to guarantee that this trend will continue, I have looked into some recent news cases where applying threat hunting could have led to a better outcome.

Marriott International’s Acquisition and Hidden Flaws

Mergers and acquisitions require thorough due diligence, and not just from a legal or financial standpoint. Paying attention to the acquiree’s IT systems and policies matters as well to avoid bad surprises.

Take, for example, Marriott International and its acquisition of Starwood Hotels & Resorts Worldwide back in 2016. All went well until it was revealed two years later that the guest database of Marriott’s Starwood hotels had been breached on several occasions. The damage? About 500 million people who had booked at the property since 2014 may have had their personal information compromised.

This concern only came to light after an attempt to access the database was detected by Marriott’s internal security system in September 2018. The findings of the cybersecurity team investigating the incident showed that the unauthorized access to the Starwood network had been going on for years, and that an unknown party had tried copying and encrypting information while also taking steps to erase its traces.

Fileless But Not Harmless Malware Attack at Equifax

In contrast to other forms of attack, fileless malware is capable of harming networks without leaving files on disk as evidence. Once it has accomplished its objective, the program self-destructs without a trace. This is what happened to data analytics and technology company Equifax in 2017.

It all started when Equifax’s cybersecurity team noticed suspicious network activity on their web application framework, Apache Struts. Despite blocking the potentially dangerous traffic right away and continuously monitoring the network the following day, the team kept observing the same patterns and took the application offline.

So what was wrong? It turned out that a fileless attack had exploited a vulnerability in an outdated, unpatched version of Apache Struts, allowing the malware to enter the network under the guise of a “safe” application.

As a result, the incident affected more than 2 million people whose personally identifiable information was collected by an unknown entity. Aside from that, the company’s image storage server, which held scans of customers’ documents, was hacked as well.

How Threat Hunting Could Have Helped

Would threat hunting have been useful in these situations? Let’s take a look at the process, applied in context:

Step 1: Hunt preparation

For companies involved in merger and acquisition transactions, threat hunting could start by performing a preliminary integrity check on the systems of the business being acquired. In the case of Marriott, conducting a security sweep may have allowed them to discover the unauthorized access much earlier.

As for fileless malware and other new forms of attack, threat hunters could regularly prepare hunts in light of emerging dangers and techniques, as well as newly available protective methods — e.g., focusing on vulnerability shielding or deploying a machine learning solution with behavioral detection capabilities.

Step 2: Hypotheses

As part of a deeper M&A examination, threat hunters can create hypotheses on how their prospective partner might be compromised, notably because of poor working practices regarding data privacy and management, or the lack of such practices altogether.

With malware attacks, hypotheses can result from observing unusual network traffic: the presumption is that some piece of software in the traffic path has an exploitable vulnerability and should be thoroughly inspected.

Step 3: Pattern validation

With the suspicion that a third party’s systems may be at fault, companies can perform further observations to prove their hypothesis. In the case of Marriott, there wasn’t only one incident resulting in a data breach but a series of them, which could have been identified and shown to cause harm.

In the second case, abnormal traffic coming in and out of an application framework can be a giveaway — triggering specialists to check the application for vulnerabilities, as well as adjacent software and systems, to ensure they do not suffer from the same problem.

Step 4: Immediate actions

Upon validation, actions companies like Marriott could take include disconnecting the affected system from the main database to ensure that the unauthorized access doesn’t spread to other networks.

As for businesses like Equifax, after learning of a software exploit, a potential follow-up would be to immediately shut down everything that runs on the affected framework and patch the software.

Step 5: Knowledge sharing

Once the case is resolved, companies can work on disseminating the information to their affected clients or employees. It is also advisable to inform the media of the problem and how it was handled. This allows partners to learn from the mistakes and incorporate new cybersecurity practices.
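The five steps above are easier to picture with a concrete hypothesis-validation pass. The following script is an added example written for this article; it is not code from the author, from Threat Intelligence Platform, or from either company discussed. It encodes two hunt hypotheses of the kind Step 2 describes (an application server pushing unusual volumes to an external host on a non-web port, and a database server talking directly to the internet) and validates them, as in Step 3, against a small constructed outbound-connection log. The host names, IP addresses (from the TEST-NET documentation ranges), ports and thresholds are all invented for illustration; a real hunt would point the same logic at firewall or proxy exports.

```python
"""Hypothesis-driven hunt over a constructed outbound-connection log (example, not the article's code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample log (not real data from any company). Fields per line:
# timestamp, source host, destination IP, destination port, bytes sent out.
SAMPLE_LOG = """\
2019-06-01T10:00:01 web-app-01 203.0.113.10 443 1200
2019-06-01T10:00:05 web-app-01 203.0.113.10 443 900
2019-06-01T10:01:10 web-app-01 198.51.100.7 8080 65000
2019-06-01T10:01:15 web-app-01 198.51.100.7 8080 72000
2019-06-01T10:01:20 web-app-01 198.51.100.7 8080 81000
2019-06-01T10:02:00 db-01 10.0.0.5 1433 400
2019-06-01T10:03:00 web-app-02 203.0.113.10 443 1100
2019-06-01T10:04:00 web-app-01 198.51.100.7 8080 90000
"""

# Assumed internal address space; adjust to the organisation's own ranges.
# Listed explicitly rather than via ipaddress.is_private so that the TEST-NET
# documentation ranges used in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Conn:
    ts: str
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def parse_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated sample format into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, ip, port, nbytes = line.split()
        conns.append(Conn(ts, host, ip, int(port), int(nbytes)))
    return conns


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass
class Hypothesis:
    name: str
    select: Callable[[Conn], bool]   # which records are relevant to the hypothesis
    key: Callable[[Conn], tuple]     # how relevant records are grouped
    min_events: int                  # a group confirms the pattern only above these thresholds
    min_bytes: int


def validate(h: Hypothesis, conns: Iterable[Conn]) -> dict[tuple, dict]:
    """Aggregate the records a hypothesis selects; return only the groups over threshold."""
    groups: dict[tuple, dict] = defaultdict(lambda: {"events": 0, "bytes": 0})
    for c in conns:
        if h.select(c):
            g = groups[h.key(c)]
            g["events"] += 1
            g["bytes"] += c.bytes_out
    return {k: v for k, v in groups.items() if v["events"] >= h.min_events and v["bytes"] >= h.min_bytes}


# Two hunt hypotheses of the kind Step 2 describes; thresholds are illustrative.
HYPOTHESES = [
    Hypothesis(
        name="app server pushing large volumes to an external host on a non-web port",
        select=lambda c: c.src_host.startswith("web-app") and is_external(c.dst_ip) and c.dst_port not in (80, 443),
        key=lambda c: (c.src_host, c.dst_ip, c.dst_port),
        min_events=3,
        min_bytes=200_000,
    ),
    Hypothesis(
        name="database server talking directly to the internet",
        select=lambda c: c.src_host.startswith("db-") and is_external(c.dst_ip),
        key=lambda c: (c.src_host, c.dst_ip),
        min_events=1,
        min_bytes=0,
    ),
]


def run_hunt(log_text: str) -> dict[str, dict[tuple, dict]]:
    """Validate every hypothesis against the log; the result maps hypothesis name to confirmed groups."""
    conns = parse_log(log_text)
    return {h.name: validate(h, conns) for h in HYPOTHESES}


if __name__ == "__main__":
    for name, hits in run_hunt(SAMPLE_LOG).items():
        status = "CONFIRMED" if hits else "not observed"
        print(f"[{status}] {name}")
        for group, stats in hits.items():
            print(f"    {group}: {stats['events']} connections, {stats['bytes']} bytes out")
```

On the constructed log, the first hypothesis is confirmed for web-app-01 talking to 198.51.100.7:8080 (four connections, 308,000 bytes), which is exactly the kind of finding that would trigger the Step 4 actions of isolating the host and inspecting the framework it runs; the second hypothesis finds nothing because db-01 only contacts an internal address. Because each hypothesis is a plain predicate plus a grouping key and thresholds, the same harness can carry new hypotheses prepared in Step 1 without changing the validation code.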


Neither a silver bullet nor a vain effort, threat hunting is becoming increasingly common on organizations’ cybersecurity agendas and in their operations, with the potential to reduce the risk of breaches.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP) — a data, tool, and API provider that specializes in automated threat detection, security analysis and threat intelligence solutions for Fortune 1000 and cyber-security companies. TIP is part of the Whois API Inc. family which is a trusted intelligence vendor by over 50,000 clients.
