While tabletop exercises are always a hot commodity for our customers, proactive threat hunting and compromise assessments are becoming increasingly popular through our Cisco Incident Response Readiness & Retainer service. Whether your organization has recently gone through a merger or acquisition, or is in the later stages of its incident response evolution and maturity, finding out what you don’t know (and what your security platforms aren’t telling you) about your network can be an integral part of your organization’s incident response maturity and capability.

The Cisco Security Incident Response Services team takes a vendor-agnostic approach on how we deliver the customer-focused incident response service. However, when we engage with our clients, we bring the full “Cisco engine” with us during incident response and quickly reach out anywhere in the world. Our intelligence-driven incident response approach leverages the best threat intelligence in the business, Cisco Talos, along with a team of seasoned incident response professionals.

When clients hear about the depth of services included with the Cisco IR Retainer, we often get questions around compromise assessments and threat hunting.  One of the most common questions:

What is the difference between a compromise assessment and a threat hunt?

Simply put, the difference between a compromise assessment and a threat hunt is scope and depth. In this blog post, I hope to provide you with some additional information that will help you distinguish between a compromise assessment and a threat hunt, so you are better informed.

Consider the following:

  • Should you conduct a penetration test if you do not have a threat and vulnerability management program?
  • Should you conduct a threat hunt if you have never had a compromise assessment?

Don’t panic if you don’t know the answers to these questions.  When you are working with your personal Cisco Security incident response consultant, your consultant will inform you of the options available, and help you decide which option best fits your organization’s needs.

Compromise Assessment

A compromise assessment is a high-level review of the organization that does not rely on a hypothesis or limited scope in order to answer a very fundamental question: am I compromised? In other words, based upon your organization’s data, logs, and existing telemetry, are there any indicators of compromise, or threat actors present in the environment?

As we begin working with you to perform a compromise assessment, our experts will first review any relevant telemetry your organization has available. We can identify gaps through scoping and recommend any tools that we should deploy to solve those visibility gaps, such as Cisco Umbrella, Cisco AMP for Endpoints, or Cisco StealthWatch. From there, we look for anomalies and known indicators of compromise.

Given the wide breadth of the assessment, a deep dive is generally not possible. As I mentioned in a previous blog post, the lack of sufficient logging inhibits an organization’s ability to conclusively determine root cause analysis during incident response. A compromise assessment can establish that baseline if insufficient logging and/or lack of instrumentation exists. In addition, a compromise assessment can help highlight the risk associated with a compromise not being effectively communicated to senior/executive leadership within your organization.

Threat Hunting

Threat hunting is a mature, hypothesis-driven process for organizations that relies on manual interaction with the data. The end goal of threat hunting is reducing dwell time and preventing adversaries from completing their objectives (espionage, pivoting, data exfiltration, etc.). The hypothesis is derived from adversary tradecraft and/or threats targeting your organization. A threat hunting exercise is never a “one-size-fits-all” approach and involves an experienced incident response (threat hunt) team. The team tailors the hunt around your organization’s current data collection, which allows the team to map threat hunt methodologies to the current vetted hypothesis that is guiding the active threat hunt. We are hunting for the unknowns.

Consider the following:

  • What does your organization have from an instrumentation and logging standpoint to detect, contain, and eradicate an adversary within your network?
  • What steps must your adversary (attacker) take to complete their action on objectives within your network?
  • What cyber threat intelligence may need to be applied against your data collection to identify current, or prior threat actor activity?

There are several threat hunt use cases we may target:

  • Critical Infrastructure: This is a common threat hunt we perform for customers. Often, critical infrastructure is the most regulated, or under the organizational microscope through regular assessments. Our experienced threat hunt team is often called into these types of engagements where we are hunting and mapping campaigns to red teams, or known/unknown threat actors. What are your “crown jewels?” What do you have from a logging and instrumentation perspective?
  • Web Services Compromise: This is another common threat hunt we perform for customers. We’ll search for the presence of web shells and other common attacks against your web services environment. On a recent IR engagement, a customer was hit with ransomware throughout the enterprise. During root cause analysis it was determined that a web server located in the DMZ was used for the initial foothold as well as a launching point for possible future intrusions. What are your public-facing assets?
  • Lateral Movement: This is a common technique threat actors use to discover additional systems (targets) on a network. We’ll search for indicators of an attacker moving from host to host, collecting credentials, or performing reconnaissance on high-value targets. What are you doing to monitor “east-west” traffic internally on your network?
  • Embedded Attacker: An embedded attacker will likely have established persistence, evaded defense controls, and performed, or is performing actions on objectives. In the attack lifecycle, the threat actors want to maintain persistence in the event of discovery, remain undetected, escalate privileges, and create backdoor channels for command and control. What are you doing to monitor running processes, file system changes, or services? Do you have an endpoint detection and response (EDR) solution in place?
  • Privileged User Access: With this use case, we’ll focus on location-based, count-based, and time-based anomalies, or your most critical identified users. What are you doing to monitor your administrators, or users with special privileges? What about geolocation of VPN users?
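
To make the Privileged User Access use case concrete, the following added example (not Cisco tooling and not code from the original post) checks privileged VPN logins against a per-user baseline for location-based, time-based, and count-based anomalies. The log format, account names, baseline, and threshold are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample VPN logins for privileged accounts: user, UTC time, country.
SAMPLE_LOGINS = """\
adm-alice,2024-03-04T09:12:00,US
adm-alice,2024-03-04T13:40:00,US
adm-alice,2024-03-05T02:55:00,US
adm-bob,2024-03-04T10:01:00,US
adm-bob,2024-03-04T10:20:00,RO
adm-carol,2024-03-04T11:00:00,DE
adm-carol,2024-03-04T11:05:00,DE
adm-carol,2024-03-04T11:09:00,DE
adm-carol,2024-03-04T11:14:00,DE
adm-carol,2024-03-04T11:20:00,DE
"""

# Hypothetical baseline an analyst would derive from each user's login history.
# Hours are UTC, matching the log; mixing time zones would skew the time check.
BASELINE = {
    "adm-alice": {"countries": {"US"}, "hours": range(7, 19)},
    "adm-bob": {"countries": {"US"}, "hours": range(7, 19)},
    "adm-carol": {"countries": {"DE"}, "hours": range(6, 18)},
}
MAX_LOGINS_PER_DAY = 4  # assumed count threshold

def parse(text):
    """Yield (user, datetime, country) for each CSV log line."""
    for line in text.strip().splitlines():
        user, ts, country = line.split(",")
        yield user, datetime.fromisoformat(ts), country

def hunt(text, baseline=BASELINE, max_per_day=MAX_LOGINS_PER_DAY):
    """Return (user, anomaly_kind, detail) tuples for an analyst to review."""
    findings, per_day = [], Counter()
    for user, ts, country in parse(text):
        known = baseline.get(user)
        if known is None:  # privileged account with no history is itself a lead
            findings.append((user, "unbaselined", ts.isoformat()))
            continue
        if country not in known["countries"]:
            findings.append((user, "location", country))
        if ts.hour not in known["hours"]:
            findings.append((user, "time", ts.isoformat()))
        per_day[(user, ts.date())] += 1
    for (user, day), n in sorted(per_day.items()):
        if n > max_per_day:
            findings.append((user, "count", f"{n} logins on {day}"))
    return findings
```

Each finding is a lead for manual review against the hunt hypothesis, not a verdict; an unfamiliar country may be travel, and a burst of logins may be a flaky VPN client.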

Our awesome team of seasoned incident response professionals is able and willing to assist your organization with a compromise assessment or threat hunt based upon your needs. Similar to when we are engaged in emergency response activities with customers, we leverage our Talos colleagues (the best in the business) when engaged in threat hunting activities with customers. Talos is baked into everything we do at Cisco Security, which benefits our IR customers during a crisis or when maneuvering treacherous waters.

The power and flexibility of the Cisco Incident Response Readiness & Retainer is the proactive service component that fits every organization. Through your Cisco Incident Response Readiness & Retainer on-boarding process, we’ll work with your organization to establish that baseline on your threat management capabilities, opportunities, and limitations to enable your organization to be better prepared for incident response activities.

Please leave a comment, or feel free to reach out to me on Twitter @brgarnett or via PGP.


Brad Garnett

Director/GM, Incident Response