Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA CySA+ Cybersecurity Analyst Certification: Security Operations and Monitoring - Proactive Threat Hunting
Source: https://www.fatskills.com/comptia-cysa-cybersecurity-analyst-certification/chapter/comptia-cysa-cybersecurity-analyst-certification-security-operations-and-monitoring-proactive-threat-hunting

CompTIA CySA+ Cybersecurity Analyst Certification: Security Operations and Monitoring - Proactive Threat Hunting

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~15 min read

Objective 3.3  Explain the importance of proactive threat hunting

Most security processes are reactive in nature; the core of security is the defense of our assets, protecting them from various threats and attempting to mitigate risks. However, there are some proactive processes; penetration testing, for example, is one of them. Another critical proactive process is threat hunting, which is the process of actively looking for threats in your environment and on your systems. It is much more than a simple vulnerability assessment or penetration test. Threat hunting is a proactive process that assumes your systems are already targeted and may even have possibly been breached, even if you don’t know about it yet. Threat hunting requires a great deal of analytical skill and experience; it relies on the knowledge and experience an analyst already has from a variety of other defensive security disciplines, such as vulnerability management, computer forensics, incident response, and other skills. Threat hunting involves using all these skills, plus the added benefit of threat intelligence, to enable you to actively seek out potential threats.
In this objective, we’re going to examine the process of threat hunting, including the theory behind it, the tactics used, how to analyze the data you get from threat hunting, and how to integrate threat intelligence with various analytics you must undertake to improve threat detection.

Establishing a Hypothesis
Because threat hunting is a defined process, it makes sense that you should use a proven methodology, such as the scientific method, as a foundation for your threat hunting processes. Therefore, the first step is forming a hypothesis. Remember that a hypothesis is an educated guess based on the observation of data. To establish a hypothesis in threat hunting, you must first gather enough data to make an educated guess about your threat.
The data you will use to form your hypothesis must be collected and analyzed in a defined, consistent, and defendable way. Often, the data you receive and the attention you give it will cause you to question what is going on in your network. This data will also serve as your initial driver for forming hypotheses and investigating potential threats.

The genesis of your hypothesis can come via several different sources:
- Situational: Hypothesis comes from understanding your organization’s unique situation in the threat landscape
- Analytical: Hypothesis stems from data received from analyzed data, such as machine learning (ML) analysis and User Entity Behavior Analytics (UEBA)
- Experience Hypothesis is informed from your experience with previous threats
- Intelligence: Hypothesis driven by observation of indicators of compromise and threat intelligence

Essentially, you use the same data that you receive through one of these avenues to determine what your security posture and situation are. Some of the data might show unusual or simply unacceptable patterns of behavior, which would cause you to start looking for potential causes.

While this may seem reactive rather than proactive, you are looking for threats based on data patterns, not because a threat has materialized. For example, increased bandwidth usage over time doesn’t necessarily mean there is a threat; however, absent any other explanation, you should start looking for threats for which this could be an indicator of compromise.

Here’s a scenario to help you understand the process of forming a hypothesis for threat hunting: Your company is working on a highly sensitive project for a new product that is to be released to the market in the next year. Based on data that may be available to you (for example, competitive intelligence), you learn that a competitor is working on a similar product. Also, the news media has been reporting about a recent flurry of alleged industrial espionage from your competitor. In this case, you may ask the question, could some of your competitors pose a threat of exfiltrating sensitive data from your infrastructure? Asking this question and observing any indicators that this may be the case could cause you to form a hypothesis that your company is being actively targeted by competitors to gain sensitive information about your products. From there, you would seek to prove or disprove this hypothesis by engaging in threat hunting.


Note: Remember that a hypothesis is not the same thing as a theory or fact; it is merely a question, based on the observation of data. It is a beginning point for you to discover what threats may be on your network.

Profiling Threat Actors and Activities
Profiling means that you are looking closely at a potential threat actor and gathering as much information as you can about them. You want to know their tactics, techniques, and procedures as well as their patterns of behavior. It means gathering information about their potential motivations for attacking you. You should ask yourself what valuable assets you have that they may specifically be interested in. You will want to know if they have attacked similar types of organizations like yours, and what techniques they used.

You will need to find out their characteristics. Are they a state-sponsored entity or merely a criminal actor in search of a profit? Could they be a competitor? Again, the idea is to gather as much information as you can about the potential threat actor and develop a set of characteristics about them. You should gather this information from a variety of sources, such as threat intelligence feeds, vendor security sites, government agencies, security organizations, and so on. Some of it may be generic in nature, but you may be able to get sensitive information regarding the threat actor that is very specific.

This collection of information is called a profile. You would then compare potential malicious activities in your organization to their profile to see if there is a match.

Threat Hunting Tactics
There are many different tactics available to you as a cybersecurity analyst for hunting threats. Most of these are quite complex and involve gathering large amounts of data, looking for patterns, and being able to extrapolate to discover potential links between behaviors you observe on the network through data and potential threats. There are many different techniques you can use for threat hunting, and all involve first having good-quality, complete, and organized data. Threat data can be aggregated and analyzed to provide actionable processes you can use to focus your efforts on those that affect critical assets as well as on threats that pose the biggest risk.

Executable Process Analysis
Executable process analysis is a method of determining if there are potential threats to your infrastructure by constantly monitoring the applications that are executing on hosts to observe any abnormal behavior that might indicate potential malicious actions. Antimalware is one effective means of doing this in real time, but it only covers so much of the possible threats that could be present on the network. In-depth analysis of unknown or potentially malicious executables is important for you to have confidence that there are no threats from this vector. Reverse engineering of potentially malicious executables is a critical part of this analysis, and the use of sandboxing is an effective means of performing this task.

Reducing the Attack Surface Area
Attack surface
is the term used to describe how much exposure your asset or your organization has to an attacker. At the system level, the attack surface may consist of open ports, protocols, and services, web or user interfaces, and connections with other applications or networks or systems. Ideally, you want to reduce the attack surface as much as possible. Reducing the attack surface can be accomplished through several means, depending on whether it is from a system, the network, the organization, or the operating environment.

System Level
At the system level, reducing the attack surface consists of ensuring there is a secure configuration on the system as well as ensuring the system is patched properly. “Locking down” or hardening the system is the goal here to reduce the system’s attack surface.

Hardening the system, at a minimum, should include the following actions:
- Reducing the number of open ports
- Ensuring there are no insecure protocols (such as FTP) running on the host
- Employing strong authentication mechanisms
- Using encryption for both data at rest and data in transit
- Implementing the principle of least privilege on the system
- Patching

These are general actions you should take to reduce the attack surface on any host, but there are many others, depending on the type of system, its function (for example, web server versus file server), operating system, and so forth.

Network Level
The network can provide a wide attack surface to a malicious entity bent on penetrating your infrastructure. There are two primary components of the network: the network media (wired or wireless) and network devices. Each has security controls that must be put in place to reduce the attack surface for the network:
- Reducing unnecessary ports, protocols, and services to only what is needed
- Physically securing network cabling and devices
- Ensuring strong authentication methods for network device access
- Employing strong encryption for data in transit
- Using only secure access protocols
- Limiting the number of personnel who have access to devices, both physically and logically
- Keeping network devices patched

As with the aforementioned caveat, these are only general methods used to reduce the attack surface; there are likely many more, depending on how your network is designed, the operating systems of the network devices on it, and their function.

Organization Level
Hardening the organization’s attack surface focuses less on technical controls and more on managerial controls. There are technical controls, to be sure, but most of the actions necessary to reduce an organization’s attack surface involve people. The more effective hardening techniques include the following:
- Strong policies for core security (for example, data sensitivity, acceptable use, encryption, data backups, and physical security)
- Frequent and comprehensive personnel security training based on user role and current threats
- Well-equipped and trained security personnel
- The commitment of resources to the security program
- Sound information security strategy and goals
- Defense-in-depth focus

Additionally, a strong risk management program will help an organization reduce both its attack surface and risk to an acceptable level. This requires sincere management commitment in terms of resources and organizational culture.

Operating Environment
The operating environment level of reducing the overall attack surface is the physical environment, but also the general business environment within which the organization operates. Although this may seem to be a strange level to focus on for reducing an attack surface, there are several key things the organization can do contribute to this effort at that level. For the physical environment, the organization should consider the following:
- Implementing strong exterior physical security controls such as fencing, guards, alarms, lighting, and so on
- Ensuring internal assets are segregated into security zones for limited access to the general user population
- Enforcing strict entry control to all facilities, both externally and internally
- Implementing secure locks, strong wall construction, and alarms for sensitive areas inside a facility
- Ensuring all equipment is physically tagged and secured to prevent theft

In terms of the business operations environment, the organization must control its interactions with external agencies, including customers, the media, regulatory or government agencies, business partners, and the public.

To that end, the following actions can reduce that portion of the organization’s overall attack surface as well:
- Controlling all outgoing information and data through single points (for example, media releases, websites, and social media)
- Requiring nondisclosure agreements with any party requiring legitimate access to sensitive data
- Implementing a data loss prevention (DLP) program and technologies
- Understanding and obeying regulatory compliance requirements
- Carefully evaluating any entity with whom the organization does business for risk and potential security issues (for example, business partners, contractors, and third-party service providers)
- Reviewing all service level agreements for potential issues that may impact the organization’s security, compliance, risk, or its ability to do business

Many of the interactions you experience with entities external to your organization will not be completely within your control, but engaging in smart risk and security management can help reduce the amount of information an attacker can gather to use against you in an attack, as well as reduce your legal liability and preserve sensitive data.

Exam tip: The attack surface area could be for the system, network, or even the organization. It is the total of all potential attack methods used by an adversary. It includes items such as open ports, protocols, services, weak encryption algorithms, weak authentication, complacent people, and poor security processes, among many other things.

Bundling Critical Assets
Just as you aggregate data from various threat intelligence feeds, network sensors, audit logs, and so on, you can also aggregate assets for monitoring and management. The concept of economy of use is important here in that you can categorize assets together for detection and remediation processes as well as management of threats, vulnerabilities and risk for these bundled assets. You can apply different mechanisms to these assets for cost savings and effective use, such as common controls that protect multiple systems, for instance.

Attack Vectors
As discussed earlier in the objective, the attack surface is the sum of all the potential exposure an asset or organization could have that an attacker could take advantage of.

An attack vector is a path or route an attacker takes to compromise the organization and its assets. Attack vectors are the methods of attack used against those attack surfaces. These are the various methods, processes, and tools the attacker could use; an attack vector also takes advantage of particular vulnerabilities. For example, if a system has a weak authentication mechanism and uses simple usernames and passwords with no password policies (password complexity, account lockout, and so on) enforced, an attack vector would be for an attacker to compromise the system via either a dictionary or brute force attack against user passwords.
Attack vectors are multilayer and involve varying levels of complexity, detectability, and preparation. There are a few general classes of attack vectors, including insider threat, phishing, lack of authentication, lack of encryption, insecure system configuration, malware, and a lack of patches. Note that these are only general categorizations; some cybersecurity analysts classify attack vectors in very specific detail, based on the specific vulnerability, threat, and attack method involved.
From a cybersecurity defense perspective, you should be looking at all vulnerabilities and determining what attack vectors could take advantage of those vulnerabilities. Mitigations are then determined for each potential attack vector. This includes reducing or eliminating vulnerabilities using various methods, including patching, secure configuration, and so on. While risk can never be completely eliminated, it can be reduced or mitigated by eliminating specific attack vectors as much as possible.

For example, if an attack vector takes advantage of weak password authentication, then eliminating that vulnerability by implementing multifactor authentication will also eliminate that particular attack vector. If an attack vector takes advantage of a vulnerability due to lack of patching a system, applying that patch would then eliminate that specific vulnerability, rendering that attack vector ineffective. Therefore, it is important to understand what your vulnerabilities are as well as the potential attack vectors that could exploit those vulnerabilities.

Exam tip: Whereas the attack surface is the sum of all potential exposures of the system or the organization, attack vectors target those particular exposures in the attack surface. Although there is never really a one-for-one match, you should understand that the more you reduce your attack surface, the fewer attack vectors will be available to a malicious entity.

Integrated Intelligence
Integrated intelligence is nothing more than the coherent management of all your aggregated threat information, including threat intelligence from government, industry, and open sources. It is not enough to simply have all these feeds; you must be able to aggregate them, analyze them, and produce actionable intelligence from these feeds.

Management software, including inputs from SIEM, machine learning, and intelligence-specific management utilities, can all help toward this goal. However, you must also have trained and experienced personnel with a background in cyber intelligence to make it all work.

Improving Detection Capabilities
As you perform your threat hunting mission, you are likely to uncover many aspects of your threat, vulnerability, and intrusion detection capabilities that need attention. Some of these will be minor in nature, such as the need to fine-tune your IDS/IPS or your threat management processes. However, you may also uncover flaws in your detection processes or mechanisms that need remediation or improvement. Threat hunting provides opportunities to discover shortfalls in your security infrastructure, whether it is in your protective, detection, or remediation controls.

REVIEW
Objective 3.3: Explain the importance of proactive threat hunting In this module, we discussed proactive threat hunting. Threat hunting is a process where you examine all the data on your network to look for patterns indicating unusual or malicious behavior that could be tied to a threat. We also discussed developing hypotheses about potential threats, which requires a great amount of data. Profiling threat actors is the process of determining all available information and characteristics about a threat actor and any threats they can initiate. Threat hunting tactics include data aggregation and analysis as well as execution process analysis. Data can come from threat intelligence feeds, vulnerability scans, and other sources.
We also discussed reducing the attack surface. This can occur on several levels: the system, the network, the organization, and the environment. On the system level, this involves reducing the number of ports, protocols, services, and interfaces. In the network, this can be done by hardening network devices and physically protecting network media. At the organization level, this means reducing risks associated with program elements, management, and people. In the operating environment, this means controlling information that may leave the organization and fall into the hands of external entities. We discussed the effectiveness of bundling your critical assets just as you would aggregate threat intelligence data, for the purposes of economy of use.
We then discussed the various attack vectors that a malicious entity can use to infiltrate your infrastructure. These include common attack vectors, such as lack of strong authentication and encryption mechanisms, as well as many others. Attack vectors can be eliminated by secure configurations, patching, and many of the other security controls.
Finally, we talked about some of the advantages of threat hunting. For example, it can force you to integrate all your intelligence activities and feeds, making them more efficient and effective in determining which threats are actually on your network. Another advantage of threat hunting is that, as a consequence, you will likely improve your detection capabilities since threat hunting will often identify areas for improvement.



ADVERTISEMENT