
The Need for IoCs and Threat Hunting

Sun Tzu’s The Art of War is one of my favourite books. I have read it multiple times and given it as a gift to many others. Its philosophy and lessons are incredibly valuable today, especially if you ride over the fields of cybersecurity.

One edition began with the following story, to illustrate Sun Tzu’s thinking:

A Lord in ancient China once asked his physician, a member of a family of healers whose surname was synonymous with medical excellence in China, which of his brothers was the most skilled in the art.
The well-known healer replied:
“My elder brother sees the spirit of disease and removes it before it takes form, so his name does not leave home.”
“My middle brother cures the disease when it is still extremely small, so its name only spreads around his neighbourhood.”
“I prick veins, prescribe potions and scrape skin, so every now and then, my name gets out and is heard among Lords and Kings.”

In this post we will talk about the art of detecting infections, intrusions and incidents before they “take shape”, even though, if you become a practitioner of this discipline, your name will never leave your SOC. :)

So, what is an IoC?

An Indicator of Compromise (IoC) is a clue that suggests a malicious intruder is quietly at work inside an organisation; evidence of an attack still in progress is more commonly called an Indicator of Attack (IoA). Cybersecurity professionals use IoCs to identify, understand and respond to threats such as improper data access and potential system compromise early, before they materialise into an incident.

IoCs come in many shapes and forms: files carrying hidden malicious code (typically tracked by their hashes), IP addresses and domains with poor reputations, abnormal traffic patterns, users behaving out of character, or registry keys that launch processes nobody recognises. Proactively looking for these IoCs helps us detect and mitigate threats at an early stage, greatly reducing the impact of an incident or preventing it altogether.

Why look for IoCs?

Cybercriminals are no longer lone hacker geeks looking for notoriety and a bit of cash. Today they operate more like clandestine, well-structured and often state-funded corporations, known as Advanced Persistent Threats (APTs), which seek financial (or political) gain primarily by stealing from and/or extorting money from large and, increasingly, small and medium-sized enterprises. Well-known examples are the Chinese group Double Dragon, a.k.a. APT41 or Wicked Panda, and the Russian group Fancy Bear, a.k.a. APT28 or Forest Blizzard.

These APTs take their time over their evil work, and do it very well. Once they gain access to a system, their goal is to spend time gathering and exfiltrating information, so that when they finally act, the victim has little or no chance to respond and defend itself. As any mafia capo would tell his subordinates, “the most important thing is not to be noticed”. If you have seen the movie “Goodfellas” you will understand the concept.

To achieve this they usually fly low and stay so quiet that they become virtually undetectable by any tool on its own, including the most advanced anti-malware platforms.

Threat Hunting

In 2014 PricewaterhouseCoopers (PwC) released an internal report entitled “Assuming a State of Compromise”. Besides arguing that most companies in the world were already compromised without knowing it, it made the case that, instead of assuming we are always clean and safe, we should assume we are compromised and then proactively demonstrate that we are not.

This mindset is where the noble practice of Threat Hunting was born.

Threat hunting is a proactive practice: actively searching for and detecting potential threats and security breaches across the network and IT estate before they cause an incident and, consequently, economic damage.

There are several approaches to proactive threat hunting, but the most commonly used is searching for IoCs and then investigating whatever they turn up.
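To make the two ideas above concrete, the list of IoC types and the IoC-driven hunting approach, here is an added example (not code from the original post or from GrayHats) that sweeps constructed endpoint telemetry for known file hashes, IP ranges, domains and unexpected Run keys, adds a behavioural check for beacon-like traffic (the “abnormal traffic pattern” case), and then pivots onto the flagged host to start the investigation. All indicators, hostnames and log records are constructed for illustration (TEST-NET-2 addresses, .example domains, a made-up SHA-256); the baseline of expected Run-key value names is an assumption about the fleet, not something the post states.

```python
"""IoC sweep over constructed endpoint telemetry.

Added example, not code from the original post or from GrayHats. Every
indicator and log record here is constructed for illustration: TEST-NET-2
addresses (RFC 5737), .example domains and a made-up SHA-256. Nothing in it
is a real threat-intelligence feed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics

# --- Constructed IoC set, one entry per IoC type the post lists ---------------
IOC_HASHES = {"3f786850e387550fdab836ed7e6dc881de23001b0d4e3a4f6c6f9b3c2a1e8d7c"}
IOC_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # TEST-NET-2, constructed
IOC_DOMAINS = {"cdn-update.example"}                    # constructed domain
# Assumed fleet baseline: Run-key value names we expect to see. Anything else
# is "a registry key launching a process that no one knows about".
RUN_KEY_BASELINE = {"OneDrive", "SecurityHealth"}
RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"


@dataclass(frozen=True)
class Hit:
    host: str
    kind: str        # file_hash | ip | domain | unknown_run_key | beacon
    indicator: str


def match_event(ev: dict) -> list[Hit]:
    """Static IoC matching: does one telemetry record contain a known indicator?"""
    hits = []
    host, kind = ev["host"], ev["type"]
    if kind == "process" and ev.get("sha256", "").lower() in IOC_HASHES:
        hits.append(Hit(host, "file_hash", ev["sha256"]))
    elif kind == "netconn":
        dst = ipaddress.ip_address(ev["dst_ip"])
        hits += [Hit(host, "ip", str(n)) for n in IOC_NETS if dst in n]
    elif kind == "dns":
        q = ev["query"].lower().rstrip(".")
        # Match the indicator domain itself and any subdomain under it.
        hits += [Hit(host, "domain", d) for d in IOC_DOMAINS
                 if q == d or q.endswith("." + d)]
    elif kind == "registry" and ev["key"].lower().endswith(RUN_KEY_SUFFIX):
        if ev["value_name"] not in RUN_KEY_BASELINE:
            hits.append(Hit(host, "unknown_run_key", ev["value_name"]))
    return hits


def find_beacons(events, min_conns=4, max_jitter=0.15) -> list[Hit]:
    """Behavioural check: one host talking to one destination at near-constant
    intervals, the way C2 beacons do. A (host, dst) pair is flagged when the
    coefficient of variation of its inter-arrival times is below max_jitter."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] == "netconn":
            by_pair[(ev["host"], ev["dst_ip"])].append(ev["ts"])
    hits = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            hits.append(Hit(host, "beacon", f"{dst} every ~{mean:.0f}s"))
    return hits


def sweep(events) -> list[Hit]:
    """The hunt: static IoC matches first, then behavioural findings."""
    return [h for ev in events for h in match_event(ev)] + find_beacons(events)


def pivot(events, host) -> list[dict]:
    """The investigation step: everything the flagged host did, in time order."""
    return sorted((e for e in events if e["host"] == host), key=lambda e: e["ts"])


# --- Constructed telemetry: one clean host and one quietly compromised host ---
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
EVENTS = [
    {"ts": 100, "host": "ws-01", "type": "process", "image": "excel.exe", "sha256": "aa" * 32},
    {"ts": 110, "host": "ws-01", "type": "dns", "query": "updates.vendor.example"},
    {"ts": 120, "host": "ws-01", "type": "registry", "key": RUN_KEY, "value_name": "OneDrive"},
    {"ts": 200, "host": "ws-17", "type": "process", "image": "svchost.exe",
     "sha256": "3f786850e387550fdab836ed7e6dc881de23001b0d4e3a4f6c6f9b3c2a1e8d7c"},
    {"ts": 205, "host": "ws-17", "type": "registry", "key": RUN_KEY, "value_name": "WinUpdateSvc"},
    {"ts": 210, "host": "ws-17", "type": "dns", "query": "a1.cdn-update.example."},
    {"ts": 212, "host": "ws-17", "type": "netconn", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": 512, "host": "ws-17", "type": "netconn", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": 811, "host": "ws-17", "type": "netconn", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": 1113, "host": "ws-17", "type": "netconn", "dst_ip": "198.51.100.23", "dst_port": 443},
]

if __name__ == "__main__":
    for h in sweep(EVENTS):
        print(f"{h.host}: {h.kind} -> {h.indicator}")
    print("--- timeline for ws-17 ---")
    for e in pivot(EVENTS, "ws-17"):
        print(e["ts"], e["type"])
```

Note that the clean host produces no findings even though it also has a Run key and makes DNS lookups: the signal comes from matching against indicators and a baseline, not from the presence of the artefact type itself. The beacon check is the kind of hunt that needs a human behind it, since legitimate software also polls on fixed intervals; its output is a lead to pivot on, not a verdict.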

Humans vs. Humans

Threat hunting is a sport of human attackers versus human defenders. More specifically, it is attacking humans armed with AI tools against defending humans who should be wielding tools of the same calibre in order to detect and contain them.

Let’s be clear: currently no tool (anti-malware, EDR or XDR) can defend effectively on its own, no matter how expensive, sophisticated, advanced or well configured it is.

The human factor is needed to make sure your systems are clean. AI-assisted, of course: humans still beat machines by far at analytic tasks once the data has been summarised, while AI beats us at summarising large volumes of data and searching them for patterns, so the two need to work together. Our adversaries already do.

GrayHats

At GrayHats we specialise in Threat Hunting and early detection of APTs, and we offer this through our cyber defence and protection services.

If you are committed to your company’s cyber security and keen on adding this practice to your defence portfolio, please ask us at info (at) grayhats.com

Thanks for reading.

Author: Javier Jiménez (LinkedIn)

Cloud and cybersecurity experts