3 Use Cases in Network Security for Threat Hunting
20 Jun
The cybersecurity industry can credit a shift in thinking with bringing down the dwell time of threats, which in 2012 was upwards of 400 days.
As one commentator recently wrote, for “decades, cybersecurity has been focused on creating a hard shell around the soft chewy center of the enterprise.” However, the advent of wireless, mobile, cloud, BYOD, and many other trends broke down the notion of a perimeter.
Consequently, enterprise security shifted from a defensive posture to an offensive one. This included monitoring traffic moving east and west, that is, traffic already traversing the enterprise network, in addition to monitoring traffic moving north and south.
The trendline shows some success – dwell time has dropped to about 100 days.
While the margin of improvement is impressive, it’s not enough because the statistics continue to be staggering. Studies indicate breaches and vulnerabilities to date in 2017 are already on track to outpace 2016. And last year was significant in its own right, as some 1.4 billion records were exposed.
Bad actors have unlimited time, ample resources, and only have to be right about a hunch once. By contrast, the resources of most cybersecurity teams are finite, their work is constrained by business intolerance for downtime, and they have to be right every time.
As such, cybersecurity must focus its efforts on key priorities including:
- preventing known threats;
- detecting anomalies that do not belong; and
- hunting for those threats that are hiding.
In alignment with the needs of the market, the newest version of Bricata mirrors these priorities: it makes available new advanced threat hunting and detection capabilities and completes the integration with Cylance.
The solution also provides increasingly important interoperability. In order to illustrate what this means, we’ve developed three use cases stemming from our current customers.
Use Case 1: Context for Known and Unknown Threats
Bricata has embedded artificial intelligence and machine learning into its sensors through a partnership with Cylance. This enables Bricata to carve files in transit across the network and submit them to the Cylance malware conviction engine for inspection. The solution very quickly provides a “conviction” on any file that is deemed malicious.
What the solution then provides on screen is not just the alert, but also the context associated with that file. This includes attributes such as the file name, hash values, and the transfer protocol. In addition, the console depicts the details provided by the Cylance engine such as threat scoring and the behaviors that triggered the file to be flagged as malicious.
The higher-level benefit for security operations is that the solution isn’t just informing the analyst about a threat, but also providing context for how it got there. This enables security professionals both to remediate the immediate problem and to strengthen network protection to prevent future incidents of this nature.
Use Case 2: Detecting Anomalies that Do Not Belong
The context that the Bricata solution provides enables security organizations to use the data to hunt for undetected threats. For example, security can look for anomalies in HTTP conversations.
In a typical hunt, security filters out normal user agent strings to detect browsers that are not running, or should not be running, in a given environment. This is the sort of anomaly that could be an indication of an attempted exploit, or malware initiating command and control (C2) signals.
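The user-agent hunt described above can be sketched as follows. This is an added example, not Bricata's code: the records are constructed, and the baseline patterns and the name `hunt_user_agents` are assumptions about one environment.

```python
import re
from collections import defaultdict

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36")
# Constructed sample records: (source host, User-Agent header) per HTTP request.
SAMPLE_HTTP = [
    ("10.0.1.15", CHROME), ("10.0.1.22", CHROME), ("10.0.1.31", CHROME),
    ("10.0.1.15", "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"),
    ("10.0.1.22", "python-requests/2.18.1"),
    ("10.0.1.22", "python-requests/2.18.1"),
    ("10.0.1.22", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.0.1.31", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.0.1.31", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.0.1.30", ""),  # request with no User-Agent header at all
]

# Assumption: this environment's standard build is Chrome on 64-bit Windows 10,
# plus the Windows Update client. fullmatch() keeps a look-alike prefix from passing.
EXPECTED = [
    re.compile(r"Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/[\d.]+ "
               r"\(KHTML, like Gecko\) Chrome/[\d.]+ Safari/[\d.]+"),
    re.compile(r"Windows-Update-Agent/[\d.]+ Client-Protocol/[\d.]+"),
]

def hunt_user_agents(records, expected=EXPECTED):
    """Return agents outside the baseline, rarest first: (agent, hosts, requests)."""
    hosts, requests = defaultdict(set), defaultdict(int)
    for src, agent in records:
        agent = (agent or "").strip() or "<empty>"
        if any(p.fullmatch(agent) for p in expected):
            continue  # normal for this environment, filter it out
        hosts[agent].add(src)
        requests[agent] += 1
    # Fewest hosts, then fewest requests: an agent seen on one machine is the lead.
    return sorted(((a, sorted(h), requests[a]) for a, h in hosts.items()),
                  key=lambda row: (len(row[1]), row[2], row[0]))
```

Sorting by host count puts an agent seen on a single machine at the top of the analyst's queue, while an agent shared by several hosts is more likely unmanaged software than an intrusion.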
Another example is ransomware that uses a domain generation algorithm in an effort to locate its master encryption key. From a forensic or triage point of view, this tells the security operator the damage hasn’t yet been done. More importantly, it affords the opportunity for security to act quickly, stop the attack, save the user data, and avoid a major headache.
Use Case 3: Data Integration to Hunt for What is Hiding
Typically, a front-line analyst will see a network alert and strive to understand the other devices with which that endpoint is communicating in order to confirm an attack. Unifying data allows security operations to correlate this information and paint a holistic picture.
For example, correlating network-based alerts with a log from an endpoint will show what process was responsible for creating that network connection. This enables the analyst to understand the user session and processes that were running when a malware alert was triggered – along with the source and destination involved.
In this way, the analyst can identify an endpoint communicating with countries or locations that are not routine. This might suggest the opening of a C2 node or a second stage payload that’s being downloaded, or prepared to download.
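The correlation of a network alert with an endpoint log described above, as an added example that is not Bricata's code. The alerts and endpoint connection events are constructed, and the field names and the 30-second window are assumptions.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data. Field names are assumptions, not any product's schema.
ALERTS = [
    {"ts": ts("2017-05-02 14:03:11"), "src": "10.0.1.22", "sport": 49812,
     "dst": "203.0.113.50", "dport": 443, "proto": "tcp", "sig": "malware conviction"},
    {"ts": ts("2017-05-02 15:40:02"), "src": "10.0.1.31", "sport": 50233,
     "dst": "198.51.100.7", "dport": 80, "proto": "tcp", "sig": "unusual user agent"},
]
FLOW = {"src": "10.0.1.22", "sport": 49812, "dst": "203.0.113.50", "dport": 443, "proto": "tcp"}
ENDPOINT_EVENTS = [
    # Same 5-tuple hours earlier: the ephemeral port was reused by another process.
    {**FLOW, "ts": ts("2017-05-02 09:12:40"), "pid": 2208, "user": "CORP\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {**FLOW, "ts": ts("2017-05-02 14:03:09"), "pid": 4312, "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
]

def five_tuple(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])

def correlate(alerts, events, window=timedelta(seconds=30)):
    """Attach the owning process to each alert, matching on 5-tuple and time.

    The time window absorbs clock skew between sensor and endpoint and keeps a
    reused source port from pinning the alert on the wrong process.
    """
    by_flow = {}
    for ev in events:
        by_flow.setdefault(five_tuple(ev), []).append(ev)
    enriched = []
    for alert in alerts:
        near = [ev for ev in by_flow.get(five_tuple(alert), [])
                if abs(ev["ts"] - alert["ts"]) <= window]
        best = min(near, key=lambda ev: abs(ev["ts"] - alert["ts"]), default=None)
        enriched.append({
            "sig": alert["sig"], "src": alert["src"], "dst": alert["dst"],
            "image": best["image"] if best else None,
            "pid": best["pid"] if best else None,
            "user": best["user"] if best else None,
        })
    return enriched
```

An alert that comes back with no process attached is itself a finding: the endpoint either has no logging coverage or its clock is further off than the window allows.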
Where previously it could take an hour or longer to share network alerts, this integration supports the analyst with a point-click-shoot-easy way to share data very quickly. This enables organizations to provide a faster and more focused response.
These are just a few of the ways that our customers use the Bricata solution to hunt for unusual activity and potential threats on the network. It provides an ability to refine the focus on looking for indications that an organization has been breached and continue the pursuit of bringing that dwell time down.