Threat hunting designates all the activities conducted by a threat hunter or a cyberthreat analyst in order to find hidden persistent threats inside an organization’s infrastructure. Abnormal events such as a connection to an unknown server, access to a sensitive process’s memory or a DLL injection are examples of the weak signals a hunter is looking for.
All threat hunting activities are conducted under a simple hypothesis: the organization has already been breached. Breaching an organization is only the first step of a cyberattack; the full sequence of steps, from reconnaissance to exfiltration, is called the kill chain. The average execution of all steps of a kill chain is 200 days. The threat hunter’s job is therefore to break the kill chain by identifying the weak signals or artifacts emitted by a hidden threat.
An increasing number of organizations are making the switch from traditional anti-virus to endpoint detection and response products like Nucleon Smart Endpoint. This shift is the major reason why we need threat hunters today. After switching from a traditional antivirus to an EDR, an organization has to be sure that there is no dormant threat that exists in the infrastructure.
Penetration testing or red teaming experience helps a security expert in this job. Threat hunting indeed requires a high level of technical expertise, especially at the system and network security levels.
Large organizations can structure an in-house team of hunters. This team has to work closely with the internal or external SOC (Security Operations Center) and aggregate events from various on-premise and cloud sources in order to have a precise view of what is going on inside the organization.
Most EDRs give threat hunters the tools needed to conduct their hunts. However, the most important feature an EDR can give to threat hunters is high-granularity events. Nucleon Smart Endpoint collects all the important events a threat hunter needs, from file edits to process memory access events.
After finding some interesting leads in the stored events, a threat hunter may need to retrieve the current state of a file, a disk or even a process. This is quite easy on Nucleon Smart Endpoint and can be done on multiple endpoints simultaneously.
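A hypothesis-driven hunt over stored endpoint events, as an added example that is neither Nucleon’s code nor part of the original post: it checks constructed EDR-style events against the three weak signals named above (a connection to an unknown server, access to a sensitive process’s memory, a DLL loaded from an unusual path) and lists the hosts whose current state should be retrieved next. The event schema, allowlists and sample values are assumptions made for illustration.

```python
# Added example: a minimal hypothesis-driven hunt over constructed EDR-style
# endpoint events. The event schema, field names and sample values are
# assumptions for illustration; they are not Nucleon Smart Endpoint's format.
from typing import Iterable

# Hypothesis 1: a connection to a server that is not a known destination.
KNOWN_DESTINATIONS = {"10.0.0.5", "updates.example.com"}
# Hypothesis 2: access to the memory of a sensitive process by an unexpected
# source process (only the listed security/system processes are expected to).
SENSITIVE_PROCESSES = {"lsass.exe"}
ALLOWED_MEMORY_READERS = {"MsMpEng.exe", "csrss.exe"}
# Hypothesis 3: a DLL loaded from outside the usual system/program paths.
TRUSTED_DLL_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\")

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"type": "network_connect", "host": "ws01", "process": "outlook.exe", "dest": "updates.example.com"},
    {"type": "network_connect", "host": "ws01", "process": "svchost.exe", "dest": "203.0.113.7"},
    {"type": "process_access", "host": "ws02", "process": "MsMpEng.exe", "target": "lsass.exe"},
    {"type": "process_access", "host": "ws02", "process": "notepad.exe", "target": "lsass.exe"},
    {"type": "image_load", "host": "ws03", "process": "explorer.exe", "image": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "image_load", "host": "ws03", "process": "explorer.exe", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"},
]

def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events matching any hunting hypothesis, tagged with a reason."""
    leads = []
    for ev in events:
        reason = None
        if ev["type"] == "network_connect" and ev["dest"] not in KNOWN_DESTINATIONS:
            reason = "connection to unknown server"
        elif (ev["type"] == "process_access" and ev["target"] in SENSITIVE_PROCESSES
              and ev["process"] not in ALLOWED_MEMORY_READERS):
            reason = "sensitive process memory access"
        elif ev["type"] == "image_load" and not ev["image"].startswith(TRUSTED_DLL_PREFIXES):
            reason = "DLL loaded from untrusted path"
        if reason:
            leads.append({**ev, "reason": reason})
    return leads

def hosts_to_inspect(leads: list[dict]) -> list[str]:
    """Sorted hosts whose current state (file, disk, process) the hunter should retrieve next."""
    return sorted({lead["host"] for lead in leads})

if __name__ == "__main__":
    for lead in hunt(SAMPLE_EVENTS):
        print(f'{lead["host"]}: {lead["reason"]} ({lead["process"]})')
```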
Following an intrusion, an attack goes through several phases which constitute the “kill chain”, and executing it from end to end takes an average of 6 months. By assuming that our client suffered an intrusion while using their old antivirus or another protection mechanism, the proactive actions of the Nucleon Threat Hunting service make it possible to identify the blind spots left by each phase of the “kill chain” by comparing them to known TTPs. This breaks the “kill chain” of the attack.
Monitoring actions against new threats
Using the threat feeds identified at our customers as well as private and public feeds, the Nucleon Security engineer systematically tests all newly identified TTPs and IOCs. If an attack is possible in the customer’s context, the information is used to modify the zero-trust rules on the agents installed at the customer’s premises. Particular attention is paid to TTPs and IOCs specifically targeting our client’s industry.
Internal software analysis actions
Software the customer has used historically or adopted recently can be an open door for attacks. Thanks to the exhaustive list of software reported by our Nucleon Smart Endpoint agent, the engineer performs manual, in-depth analyses (network communications, system communications, data access, etc.) of the programs in use in order to identify potential threats.
Written by: Sébastien Guisnet