Saturday, February 24, 2024

The Hunt, Detect and Incident Response Approach to Mounting Malware Threats

We all know that malware threats are on the rise. Living-off-the-Land attacks. Formjacking. Rootkits. Trojans. Ransomware and cryptojacking. The list goes on, and each year the number of the threats and the amount of damage they do is only rising.

In 2018, the global average cost of a data breach totaled $3.86 million, an increase of 6.4 percent over the previous year. The average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8 percent to $148. Equally important, organizations now face a 27.9 percent likelihood of a material breach recurring over the next two years.

What is not always obvious is how to choose the best defense in addressing these threats and demonstrating compliance with government regulations.

I advise organizations to consider the following areas in strengthening their security posture in today’s rapidly evolving cyber threat landscape.

Take a Proactive Approach

Most organizations have one or more prevention and defense platforms in place, such as firewalls, antivirus (AV) software, and protection platforms for endpoints such as PCs, laptops or mobile devices. But defense alone is not enough. Defensive cybersecurity tactics are only capable of preventing about 99 percent of known cyberattacks. Proactive cybersecurity tactics, such as threat hunting and incident response, can actively expose and eliminate the critical 1 percent of cyber threats that defensive technologies are prone to miss.

A proactive approach with threat hunting and incident response assumes three things:

  1. You’ve been hacked and your environment is compromised.
  2. Malware and advanced persistent threats (APTs) will breach your existing defenses.
  3. Endpoints cannot be trusted until proven otherwise, and any trust established in an endpoint is both finite and temporary.

With these assumptions in mind, organizations need a security solution that not only hunts malware that has breached your defenses, but also enables users to respond to threats and certify that endpoints are completely “clean.”

Traditional Approaches

To address malware attacks, many organizations rely on Endpoint Detection and Response (EDR) platforms, next-generation antivirus (NGAV) software, or User/Entity Behavior Analytics (UEBA/UBA) tools. However, even these popular approaches leave too many gaps, especially in complex and dynamic cloud environments.

For example, some AV engines and EDR platforms with fileless and memory-based attack features typically only monitor the door to your memory (that is, they watch the key API calls used for malicious injection) in order to prevent or detect the attack in “real time.” They do not actually analyze memory; that is almost exclusively handled offline via a third-party memory forensics tool, after a full physical memory acquisition.

Some EDR platforms will monitor for changes to the most common persistence mechanisms, but they do not offer capabilities to collect and hunt within the hundreds of possible locations. EDR platforms may also be limited to the endpoint protection platform (EPP) suite footprint, leaving gaps in coverage and potentially driving avoidable costs to get coverage across the environment.
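The gap described above, collecting persistence entries from many locations across many hosts and hunting within them rather than only watching a few well-known keys for changes, comes down to two checks a hunter runs over the collected data: a diff against a known-good baseline, and a least-frequency-of-occurrence pass that surfaces entries present on only one or two hosts. The following Python is an added example, not code from the article or from Infocyte; the location labels (`run_key`, `services`, `scheduled_tasks`), host names, paths and hashes are constructed sample data, and a real collector would read the entries from the live endpoints.

```python
"""Persistence-location sweep: baseline diff plus cross-host rarity.

Added example, not from the article or Infocyte. All entries below are
constructed sample data; location labels are illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AutostartEntry:
    host: str
    location: str       # label for the persistence location (assumption)
    name: str           # entry name within that location
    command: str        # command line the entry launches
    image_sha256: str   # hash of the launched image (shortened, constructed)


# Constructed known-good baseline, keyed by (location, name).
BASELINE = {
    ("run_key", "Updater"): ("C:\\Program Files\\Vendor\\updater.exe", "aa11"),
    ("services", "Spooler"): ("C:\\Windows\\System32\\spoolsv.exe", "bb22"),
}

# Constructed collection from three workstations.
COLLECTED = [
    AutostartEntry("ws01", "run_key", "Updater", "C:\\Program Files\\Vendor\\updater.exe", "aa11"),
    AutostartEntry("ws01", "services", "Spooler", "C:\\Windows\\System32\\spoolsv.exe", "bb22"),
    AutostartEntry("ws01", "scheduled_tasks", "SyncHelper", "C:\\Users\\a\\AppData\\Roaming\\sync.exe", "cc33"),
    AutostartEntry("ws02", "run_key", "Updater", "C:\\Program Files\\Vendor\\updater.exe", "aa11"),
    AutostartEntry("ws02", "services", "Spooler", "C:\\Windows\\System32\\spoolsv.exe", "bb22"),
    AutostartEntry("ws03", "run_key", "Updater", "C:\\Users\\b\\AppData\\Local\\Temp\\updater.exe", "dd44"),
    AutostartEntry("ws03", "services", "Spooler", "C:\\Windows\\System32\\spoolsv.exe", "bb22"),
]


def diff_against_baseline(entries, baseline):
    """Flag entries missing from the baseline ('new') or whose command or
    image hash differs from the baseline value ('changed')."""
    findings = []
    for e in entries:
        expected = baseline.get((e.location, e.name))
        if expected is None:
            findings.append(("new", e.host, e.location, e.name))
        elif expected != (e.command, e.image_sha256):
            findings.append(("changed", e.host, e.location, e.name))
    return findings


def rare_entries(entries, max_hosts=1):
    """Least-frequency-of-occurrence: return (location, name, hash) combinations
    seen on at most max_hosts hosts, with the hosts they were seen on. Entries
    that are common across the fleet drop out; outliers are what to review."""
    hosts_per = defaultdict(set)
    for e in entries:
        hosts_per[(e.location, e.name, e.image_sha256)].add(e.host)
    return {k: sorted(v) for k, v in hosts_per.items() if len(v) <= max_hosts}


if __name__ == "__main__":
    for finding in diff_against_baseline(COLLECTED, BASELINE):
        print("baseline:", finding)
    for key, hosts in rare_entries(COLLECTED).items():
        print("rare:", key, "on", hosts)
```

The baseline diff catches the modified `Updater` entry on `ws03` (same name, different path and hash) and the unexpected scheduled task on `ws01`; the rarity pass reaches the same two entries without any baseline at all, which is why the two checks complement each other when the baseline is incomplete.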

UBA/UEBA solutions assume that the data required for insight or intelligence is readily available for analysis. However, no data sets can be guaranteed to be complete. In addition, some data points simply are not available because the available tools aren’t specifically gathering that intelligence. This is because these solutions are incapable of collecting data from endpoints themselves. As a result, defenses based on a UBA/UEBA approach are the very ones that will allow some malware to breach undetected.

Multi-level Analysis

The most effective method for addressing malware attacks, threats, and vulnerabilities quickly and effectively is a hunting, detection and incident response (IR) solution with deep analysis and forensics-based capabilities.

Forensic State Analysis (FSA) is an automated approach to post-breach detection that assumes devices are already compromised and seeks to validate that every endpoint is clean.

A root-cause analysis (RCA) tool can help IR teams trace the source of suspicious activity or identified threats across their environment. It should quickly correlate and combine the historical activity (events) of identified threats and malicious leads in the form of an activity timeline.
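What the RCA tool is doing when it builds that activity timeline is a lineage walk over endpoint telemetry: start from the lead, follow parent links up to the earliest recorded ancestor, collect everything that process chain and the lead's descendants did, order it by time, and then pivot on the indicators in that lineage (network destinations, dropped files) to find other processes that share them. The Python below is an added example, not code from the article or from Infocyte; the `EVENTS` list is constructed telemetry and its field names (`ts`, `type`, `pid`, `ppid`, `image`, `dest`, `path`) are assumptions.

```python
"""Root-cause timeline and indicator pivot for a malicious lead.

Added example, not from the article or Infocyte. EVENTS is constructed
sample telemetry; the field names are assumptions, not a real product schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: a document viewer spawns a scripting host, which
# connects out and drops an executable that is then run. Two unrelated
# processes (150, 500) are included; 500 later contacts the same address.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "process_create", "pid": 100, "ppid": 4, "image": "explorer.exe"},
    {"ts": "2024-01-10T09:00:05", "type": "process_create", "pid": 150, "ppid": 100, "image": "browser.exe"},
    {"ts": "2024-01-10T09:00:20", "type": "network_connect", "pid": 150, "dest": "203.0.113.9:443"},
    {"ts": "2024-01-10T09:01:10", "type": "process_create", "pid": 200, "ppid": 100, "image": "viewer.exe"},
    {"ts": "2024-01-10T09:01:12", "type": "file_open", "pid": 200, "path": "C:\\Users\\a\\invoice.pdf"},
    {"ts": "2024-01-10T09:01:30", "type": "process_create", "pid": 300, "ppid": 200, "image": "script_host.exe"},
    {"ts": "2024-01-10T09:01:35", "type": "network_connect", "pid": 300, "dest": "198.51.100.7:443"},
    {"ts": "2024-01-10T09:01:40", "type": "file_write", "pid": 300, "path": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"},
    {"ts": "2024-01-10T09:01:45", "type": "process_create", "pid": 400, "ppid": 300, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"},
    {"ts": "2024-01-10T09:02:00", "type": "network_connect", "pid": 400, "dest": "198.51.100.7:443"},
    {"ts": "2024-01-10T09:05:00", "type": "process_create", "pid": 500, "ppid": 4, "image": "svc_helper.exe"},
    {"ts": "2024-01-10T09:05:30", "type": "network_connect", "pid": 500, "dest": "198.51.100.7:443"},
]


def lineage(events, lead_pid):
    """Return (root_pid, set of pids) covering the lead's ancestors (up to the
    earliest recorded one) and all of the lead's descendants."""
    creates = {e["pid"]: e for e in events if e["type"] == "process_create"}
    children = defaultdict(list)
    for pid, e in creates.items():
        children[e["ppid"]].append(pid)
    pids = {lead_pid}
    root = lead_pid
    while root in creates and creates[root]["ppid"] in creates:   # walk up
        root = creates[root]["ppid"]
        pids.add(root)
    stack = [lead_pid]
    while stack:                                                   # walk down
        for child in children.get(stack.pop(), []):
            if child not in pids:
                pids.add(child)
                stack.append(child)
    return root, pids


def build_timeline(events, lead_pid):
    """Every event belonging to the lead's lineage, in chronological order."""
    _, pids = lineage(events, lead_pid)
    related = [e for e in events if e["pid"] in pids]
    return sorted(related, key=lambda e: datetime.fromisoformat(e["ts"]))


def pivot_on_indicators(events, lead_pid):
    """Pids outside the lineage that touched a destination or file path the
    lineage also touched: other leads worth folding into the same case."""
    _, pids = lineage(events, lead_pid)
    indicators = {e.get("dest") or e.get("path") for e in events
                  if e["pid"] in pids and ("dest" in e or "path" in e)}
    return sorted({e["pid"] for e in events
                   if e["pid"] not in pids
                   and (e.get("dest") in indicators or e.get("path") in indicators)})


if __name__ == "__main__":
    root, _ = lineage(EVENTS, 400)
    print("root process:", root)
    for e in build_timeline(EVENTS, 400):
        print(e["ts"], e["type"], e["pid"], e.get("image") or e.get("dest") or e.get("path"))
    print("pivot hits:", pivot_on_indicators(EVENTS, 400))
```

Walking up and then only down from the lead, rather than collecting the whole subtree of the root, keeps sibling activity such as the browser process out of the timeline; the indicator pivot then brings in `svc_helper.exe`, which shares the same destination but has no process relationship to the lead, which is the kind of correlation across separate leads the paragraph describes.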

Improving Incident Response (IR) readiness is the single most impactful way to reduce an organization’s cyber risk. A hunting/detection platform needs to include IR capabilities so the IR team can either investigate, contain and eliminate the threats and vulnerabilities it finds or be able to alert a support/security team to handle IR.

Compromise assessments (CAs) need to quickly verify whether a network has been breached and identify the presence of known or zero-day malware and persistent threats, active or dormant, that have evaded existing cybersecurity defenses.

Other Features to Look For

A hunt, detect and IR solution should be easy to deploy, use and expand. It should be able to detect thousands of nodes per hour to expose hidden cyber threats and vulnerabilities that traditional, log-based tools can miss. In addition, in-house staff members should be able to use the solution easily, developing intelligence that can also simplify and accelerate the work of specialized experts.

An agentless platform can speed deployment by eliminating the need for pre-installed software or “agents.” Installing and maintaining these agents can be a considerable drain on IT resources. The solution should also be capable of protecting an organization’s assets in the cloud just as it now protects its on-premises networks, servers and workstations.

Finally, the solution should be “future-proofed” with built-in scalability along with multi-tier programs to accommodate the future growth and evolution of the organization.

99 Percent Is Not Enough

Today’s threat landscape includes a growing range of sophisticated criminal organizations, nation states and individuals. Organizations need the highest level of protection possible, based on a hunt, detect and IR approach.


Chris Gerritz
Chris is co-founder and Chief Product Officer of Infocyte, as well as a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice. Infocyte is the result of Chris’ experience hunting adversaries within some of the largest and most targeted defense networks in the world. His experience building the U.S. Military's first malware hunting team provides him with an unmatched level of operational expertise and equips him with a highly refined perspective on how to tackle today's security threats. From a decade of military service, Chris draws on both leadership and deep technical experience serving in various roles such as cryptographic systems maintainer, cyber warfare officer and Air Force pilot. Prior to co-founding Infocyte, Chris served as the U.S. Air Force Computer Emergency Response Team's (AFCERT) first Chief of DCC Operations. In this role, he led a team of 28 operators tasked with finding, tracking, and neutralizing state-sponsored threats on the Air Force's $2B, 800k node enterprise network. He personally conducted and/or oversaw 350+ adversarial hunt, rapid response and threat engagement missions on networks throughout the world. Chris holds a B.S. in Electrical & Computer Engineering from Oregon State University.
