It intrigued me to read the section titled “Threat Hunting” in the Cybersecurity and Infrastructure Security Agency (CISA) Alert, “Ransomware Awareness for Holidays and Weekends.”
Although I am not an I.T. or computer security person, as an IP investigations and protection blogger, I found it interesting to review the recommended actions all entities can take to hunt for cyber threats.
As noted in the CISA alert, “Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack.”
SO, WHAT KIND OF THREAT ACTIVITY DOES AN I.T. EXPERT LOOK FOR?
The “Threat Hunting” section is divided into four areas:
- Understand the IT environment’s routine activity and architecture by establishing a baseline.
- Review data logs.
- Employ intrusion prevention systems and automated security alerting systems.
- Deploy honeytokens and alert on their usage to detect lateral movement.
(As per Wikipedia, “Honeytokens are fictitious words or records that are added to legitimate databases. They allow administrators to track data in situations they wouldn’t normally be able to track, such as cloud-based networks.
“If data is stolen, honey tokens allow administrators to identify who it was stolen from or how it was leaked. If there are three locations for medical records, different honey tokens in the form of fake medical records could be added to each location. Different honeytokens would be in each set of records.”)
That’s darn interesting!
Other indicators of suspicious activity that threat hunters should look for include:
- Unusual inbound and outbound network traffic,
- Compromise of administrator privileges or escalation of the permissions on an account,
- Theft of login and password credentials,
- Substantial increase in database read volume,
- Geographical irregularities in access and log in patterns,
- Attempted user activity during anomalous logon times,
- Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
- Baseline deviations in the type of outbound encrypted traffic, since advanced persistent threat actors frequently encrypt exfiltration.
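The CISA list says what to look for but not how a baseline turns into an alert. As an added illustration that is not from this blog or from the CISA alert, the Python script below builds a per-user baseline from a handful of constructed log records and then flags the deviations named above (an off-hours logon, a new country, a database read spike, an oversized outbound transfer), plus any touch of a honeytoken record. The user names, record identifiers, the 3x “spike” factor and the sample rows are all made-up assumptions for the example.

```python
"""Baseline-then-deviate threat hunting over constructed log records.

Every record below is constructed for this example; none of it comes
from a real system or from the CISA alert.
"""
from collections import defaultdict
from statistics import mean

# Constructed baseline of routine activity: (user, hour_utc, country, rows_read, bytes_out)
BASELINE = [
    ("alice", 9, "US", 120, 20_000),
    ("alice", 10, "US", 150, 25_000),
    ("alice", 14, "US", 130, 22_000),
    ("alice", 16, "US", 110, 18_000),
    ("bob", 8, "GB", 40, 5_000),
    ("bob", 11, "GB", 55, 6_000),
    ("bob", 13, "GB", 45, 5_500),
    ("bob", 17, "GB", 50, 4_500),
]

# Constructed honeytokens: fake record ids that no legitimate workflow ever reads.
HONEYTOKENS = {"PAT-000999", "PAT-000998"}

# Constructed new activity to hunt through:
# (user, hour_utc, country, rows_read, bytes_out, record_ids_touched)
EVENTS = [
    ("alice", 11, "US", 140, 21_000, ["PAT-000123"]),        # routine
    ("alice", 3, "RU", 9_800, 410_000, ["PAT-000444"]),      # off-hours, new country, read spike, big upload
    ("bob", 12, "GB", 48, 5_200, ["PAT-000998"]),            # looks routine but touches a honeytoken
]


def build_baseline(records):
    """Per-user profile: logon hours seen, countries seen, read and byte samples."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(), "reads": [], "bytes": []})
    for user, hour, country, rows, nbytes in records:
        p = profiles[user]
        p["hours"].add(hour)
        p["countries"].add(country)
        p["reads"].append(rows)
        p["bytes"].append(nbytes)
    return profiles


def hunt(events, profiles, honeytokens, spike_factor=3.0):
    """Return, for each event, the list of indicator names it trips (empty if routine)."""
    results = []
    for user, hour, country, rows, nbytes, record_ids in events:
        findings = []
        p = profiles.get(user)
        if p is None:
            # An account with no history at all is itself worth a look.
            findings.append("unknown-user")
        else:
            lo, hi = min(p["hours"]), max(p["hours"])
            if not lo <= hour <= hi:
                findings.append("anomalous-logon-time")
            if country not in p["countries"]:
                findings.append("geographic-irregularity")
            if rows > spike_factor * mean(p["reads"]):
                findings.append("db-read-spike")
            if nbytes > spike_factor * mean(p["bytes"]):
                findings.append("unusual-outbound-volume")
        # Honeytoken access needs no baseline: a fake record has no legitimate reader.
        touched = honeytokens.intersection(record_ids)
        if touched:
            findings.append("honeytoken:" + ",".join(sorted(touched)))
        results.append(findings)
    return results


if __name__ == "__main__":
    profiles = build_baseline(BASELINE)
    for event, findings in zip(EVENTS, hunt(EVENTS, profiles, HONEYTOKENS)):
        verdict = "routine" if not findings else "INVESTIGATE: " + ", ".join(findings)
        print(f"{event[0]:<6} hour={event[1]:>2} {event[2]}  {verdict}")
```

A real hunt would derive the baseline from weeks of logs rather than four rows per user, and would tune the spike factor per data source. The honeytoken rule is the one check here that stays sharp regardless of baseline quality, which is why CISA lists it separately: one read of a planted record is enough to open an investigation.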
In the current cyber hacking climate, regardless of our IP specialties, it is useful for us to have some understanding of what strategies an I.T. and computer forensics expert could employ to hunt for malicious activity.
As Jen Easterly, Director of CISA, put it on December 1st at the Fortune Brainstorm TECH event in Silicon Valley, “…it’s very important for CEOs to know that cyber security is not just the I.T. guys or the security guys, it’s an existential business risk and quite frankly a risk to national security given the connectivity.”
Disclaimer: IPProbe.Global is a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, regarding the content provided in IPProbe.Global. We disclaim all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such persons and the accuracy and validity of the information provided by them. This blog is for general information only and not intended to provide legal or other professional advice.