Threat Hunting for the Holidays

How to stop the ‘Grinch’ from breaking your endpoint defenses

You’re gearing up for the holidays. But then your phone rings – it’s your manager. He just heard the news that another malware strain is on the loose. Just like the Grinch, it is a ‘mean one,’ posing a vicious threat to the security of corporate networks. Your boss cares about one thing –  he asks: “Are we safe from this threat?” And he wants to know now. The question then becomes, how fast can you respond to his query with absolute certainty?

Demystifying Threat Hunting: Why it matters

You may be confident that your endpoint security defenses can block 99 percent of malware. But what about that one percent of threats that are sophisticated enough to evade detection? You simply can’t rely on prevention alone.

In a case like this, proactively hunting for the stealthiest one percent of threats that can compromise your endpoints, exfiltrate your data, and disrupt your services becomes imperative.

Threat Hunting Challenges

Despite its clear benefits, threat hunting can be a challenge to many organizations. Here’s why:

• Skilled resource constraints. Threat hunting has largely been the domain of the most highly skilled security practitioners. Finding this scarce skill set can be difficult. As a result, many organizations are behind the curve or have very limited threat hunting capabilities when it comes to addressing emerging threats.
• Sophisticated threats. Advanced threats use sophisticated techniques including fileless malware and browser injections. Hunting for these types of threats can be tricky. As a result, advanced threats can go undetected for months.
• Environment complexity. The myriad systems and applications running in the corporate environment present both a workload issue and an expanded threat landscape. And with multiple security tools in the operations center, chances are good that disparate vendors and interfaces present another layer of headaches when it comes to integration.
• Data collection limitations. You can’t be effective at hunting without the necessary data needed for threat analysis. And when it comes to threat hunting, hunters prefer having more data to work with. Relying on collecting traditional antivirus logs alone is simply not enough. You need in-depth visibility into various parts of the environment, including the network, endpoints, and applications.
• Inefficient, costly operation. Finding skilled threat hunters is one thing, ‘repurposing’ existing security staff for threat hunting is another. With the latter comes the concern of having stretched staff with multiple responsibilities, who are therefore unable to effectively focus on hunting. And when you add in the use of ad hoc threat hunting practices and tools, you end up with longer threat hunting cycles than necessary.

The good news is that, if done right, threat hunting ROI can outweigh these challenges. Combining threat intelligence with device-level security context improves your ability to detect threats more accurately, and therefore reduce the risk of breaches or further damages from attacks. In addition, automating manual tasks associated with threat research and incident prioritization and remediation boosts your ability to investigate threats and resolve incidents faster. That way, you can overcome many of the challenges addressed above.

Threat Hunting in Action

Let’s go back to your manager’s question. How will you know for sure if a threat has evaded detection and is now inside your network? Yes, you can scour through every piece of research available about the threat. You can then comb through stacks of network logs across your environment to find anomalies and suspicious behavior. But won’t it take you days or weeks to find out how the threat got in, all the places it has been, and everything it did? And, will your boss have the patience to wait for your definitive response?

There’s a better way. Cisco helps boost your ability to conduct threat hunting and incident response activities with a set of integrated tools that allows you to proactively search for threats and understand the full scope of a compromise. And upon seeing a threat in one place, Cisco gives you the ability to automatically block it everywhere else.

As part of this integrated security architecture, Cisco Threat Response speeds threat hunting by gathering, combining, and correlating threat intelligence available from: 1) your recorded network and security data, 2) Cisco Talos, 3) other Cisco products, and 4) third-party solutions.

Equally important, AMP for Endpoints provides both preventative and investigative capabilities for rapid threat detection and response. This allows your security analysts to: 1) search endpoint telemetry, 2) block malicious files across Windows, iOS, and Linux platforms, 3) apply application safe lists and block lists, and 4) perform advanced custom detections. Further, with this tool, you can retrospectively quarantine offending files – while delivering the full history of the threat – automatically!

Let’s see this in action.

In this example, you can see how threat hunting for the Olympic Destroyer malware using security tools from Cisco can be accomplished in minutes – not days or weeks – with just a few simple steps listed below.

1. Use the research that Cisco Talos had already conducted about the Olympic Destroyer.
2. Start the investigation in Cisco Threat Response by simply copying and pasting the list of indicators of compromise (IOCs) from the Cisco Talos blog post.
3. View how Cisco Threat Response instantly shows files that are malicious with verdicts from sources such as AMP File Reputation, AMP Global Intelligence and Virus Total.
4. Determine if this was a targeted attack or part of a larger malware campaign.
5. Launch AMP for Endpoints Device Trajectory to a get full timeline of threat activity on the device. This quickly shows that the file was indeed quarantined on the endpoint, thus blocking the Olympic Destroyer threat. Note that while this Olympic Destroyer hunt seems very straightforward, AMP for Endpoints can help carry out more complex hunts involving various IOCs; more extensive searches for things like IPS/domains/URLs/file paths and others; and even threats are still unknown or have yet to be classified.

The ability to respond in a snap to your manager’s “Are we safe from this threat?” question, especially during the holidays, keeps the holiday spirit alive – and as far away from the Grinch as possible!

Start proactively threat hunting today with our free trial of Cisco AMP for Endpoints.