To thwart cyberattacks, threat hunters rely on baseline corrective actions, proactivity over reactivity, and separating legitimate tools from illegitimate uses.

Sophos Guest Blogger

January 21, 2021


“A day in the life of a threat hunter” is a bit of a misnomer because it implies a pattern to our 9-to-5 routines. In reality, there isn’t much of a pattern. A threat hunter’s day-to-day is rife with unpredictability. One day it may be a hospital system breached by a ransomware gang. The next it might be a nation-state coordinating a cyber assault across government agencies. On another day we might be called in to investigate cyberattacks on universities, law firms, or entire cities and counties, perpetrated by all manner of entry-level and sophisticated attackers.

From day to day, the adversaries that threat hunters face, the environments we investigate, and the tactics, techniques and procedures (TTPs) we look for vary wildly. What doesn’t vary, though, are some key bedrock, guiding principles that threat hunters, security teams and managed service providers (MSPs) have to rely on to thwart cyberattacks and eject threat actors from clients’ networks. Here are three measures that allow threat hunters to inject some reliability, consistency and predictability into their otherwise unpredictable day.

  1. Clean out the web of intrusion in a client’s environment.

No two attackers are the same, no two breaches or ransomware attacks are the same, and no two client environments are the same. Each situation requires a uniquely tailored approach to thwarting an attacker, cleaning out the environment and preventing another breach from occurring.

But tailoring the approach also means working off a baseline level of corrective actions: steps that must be taken each time to ensure threat hunters are both correctly assessing the breach and flushing out attempts at another one in the future. These include:

  • Blocking attacker commands and C2 communications that may occur after the initial breach

  • Conducting login audits that entail disabling and removing access privileges for each compromised account on a network

  • Deploying tools like Sophos Intercept X to isolate hosts from the environment

  • Eliminating malicious processes and systems that have been left behind on compromised machines or networks, and may be used as backdoors for future attacks

When MSPs are determining their next steps for investigating a client’s environment, ejecting all traces of attacker activity and fortifying defenses for the inevitable next attempted breach, the above should form the backbone of any adequate response.

  2. Practice proactivity over reactivity.

Incident response teams investigate environments that have been breached or compromised by attackers. Their work is largely reactive and retroactive. This is complementary to the threat hunter’s approach, which by design must be proactive: analyzing the day-to-day numbers to find data abnormalities that might indicate an attack, and from there determining TTPs and attacker profiles.

The job of a threat hunter is to practice 24/7 monitoring on a client’s environment, being constantly on the lookout for new processes or commands that don’t just look out of place in the environment, but may also be telltale signs of a breach-in-progress.

  3. Separate legitimate tools from illegitimate uses.

Attackers will often co-opt legitimate tools or files for nefarious purposes. These may include command and recon tools like ADFind or Nltest, or living-off-the-land applications. Threat hunters can’t just terminate these files or processes each time they pop up, because they’re native to the operating system and are frequently used by system admins for legitimate and essential purposes. So, the job becomes not just squashing every instance of ADFind or Nltest, but being able to tell the difference between when they’re fulfilling their genuine purpose and when they’re being used by attackers to essentially “case” a client’s network in the run-up to a breach.

One notable example of this occurred just last year, when the Sophos Managed Threat Response (MTR) team was asked to intervene for an organization that had been afflicted by a ransomware attack launched by Maze, who were demanding a $15 million ransom from the company. Our investigation revealed that Maze was able to breach this organization’s environment by illegitimately utilizing a series of legitimate tools, namely Advanced IP Scanner, Remote Desktop Protocol, WinRAR, 7-Zip and Total Commander. It isn’t reasonable to expect clients’ system admins to block these programs across the board, because they’re necessary, and inherently harmless, tools for running a network. That Maze was able to co-opt these tools for its own ends is proof not that these programs must be eliminated, but that MSPs need to broaden their understanding of suspicious activity to include behavior from seemingly normal sources.
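The following is an added example, not Sophos or MTR code, of what “separating legitimate tools from illegitimate uses” and “analyzing the day-to-day numbers” look like as detection logic. It takes the dual-use tools named above, compares each execution against a per-account, per-host baseline of who normally runs them (in practice learned from weeks of telemetry), and flags executions that fall outside that baseline, happen off hours, or are followed shortly by an archiving tool on the same host. The log format, the baseline, the tool categories and every account, host and timestamp are constructed for the example.

```python
"""Baseline-driven triage of dual-use admin tools (illustrative, not Sophos code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool categories are an assumption for this example; all names come from the post.
RECON_TOOLS = {"adfind.exe", "nltest.exe", "advanced_ip_scanner.exe"}
STAGING_TOOLS = {"winrar.exe", "7z.exe", "totalcmd.exe"}

# Constructed baseline: which (account, host) pairs routinely run which tools.
BASELINE = {
    ("CORP\\svc_adaudit", "DC01"): {"adfind.exe", "nltest.exe"},
    ("CORP\\jdoe_admin", "ADMIN-WS"): {"adfind.exe", "nltest.exe",
                                       "advanced_ip_scanner.exe", "7z.exe"},
}

# Constructed process-creation events, tab-separated: time, host, account, image path.
EVENTS = [
    "2021-01-14T09:02:11\tDC01\tCORP\\svc_adaudit\tC:\\Tools\\AdFind.exe",
    "2021-01-14T09:05:40\tADMIN-WS\tCORP\\jdoe_admin\tC:\\Windows\\System32\\nltest.exe",
    "2021-01-14T09:10:02\tADMIN-WS\tCORP\\jdoe_admin\tC:\\Program Files\\7-Zip\\7z.exe",
    "2021-01-14T22:41:03\tFIN-WS07\tCORP\\mlee\tC:\\Windows\\System32\\nltest.exe",
    "2021-01-14T22:43:17\tFIN-WS07\tCORP\\mlee\tC:\\Users\\mlee\\Downloads\\AdFind.exe",
    "2021-01-14T22:58:50\tFIN-WS07\tCORP\\mlee\tC:\\Users\\mlee\\Downloads\\7z.exe",
]


def parse_event(line):
    """Split one constructed log line into a dict; the image is reduced to its lowercase basename."""
    ts, host, user, image = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower()}


def hunt(lines, window=timedelta(minutes=30), work_hours=(7, 19)):
    """Return (rule, host, user, image) findings for executions that deviate from the baseline.

    Rules:
      recon_outside_baseline - a recon tool run by an account/host pair not known to use it
      off_hours_recon        - a recon tool run outside the configured working hours
      recon_then_archiving   - an archiving tool, itself outside baseline, run on a host
                               where a recon tool ran within `window`
    """
    findings = []
    recent_recon = defaultdict(list)  # host -> timestamps of recon tool executions
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        allowed = BASELINE.get((ev["user"], ev["host"]), set())
        if ev["image"] in RECON_TOOLS:
            recent_recon[ev["host"]].append(ev["ts"])
            if ev["image"] not in allowed:
                findings.append(("recon_outside_baseline", ev["host"], ev["user"], ev["image"]))
            if not work_hours[0] <= ev["ts"].hour < work_hours[1]:
                findings.append(("off_hours_recon", ev["host"], ev["user"], ev["image"]))
        elif ev["image"] in STAGING_TOOLS and ev["image"] not in allowed:
            # Events are sorted, so every recorded recon timestamp precedes this one.
            if any(ev["ts"] - t <= window for t in recent_recon[ev["host"]]):
                findings.append(("recon_then_archiving", ev["host"], ev["user"], ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, host, user, image in hunt(EVENTS):
        print(f"{rule:24} {host:10} {user:18} {image}")
```

Run as-is, the two administrators’ daytime use of AdFind, nltest and 7z produces no findings, while the same binaries on FIN-WS07 late at night trigger all three rules. The point is the shape of the logic rather than the thresholds: the tools are never blocked outright, and the baseline is what turns an otherwise unremarkable process name into a signal worth a hunter’s attention.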

MSPs can inject predictability into threat hunting with Sophos MTR and Rapid Response.

Sophos MTR and Sophos Rapid Response provide the measures that MSPs and threat hunters need to conquer unpredictability.

These first-in-the-industry offerings build on traditional endpoint detection and response, putting forward lightning-fast response efforts that marry the expertise of human-led threat hunting teams with the 24/7 monitoring needed to get ahead of would-be attackers and flush out cyber adversaries from a client’s network. The combined speed and effectiveness of Sophos MTR and Rapid Response ensure that both MSPs and their clients thwart attackers, minimize damage and costs, and accelerate recovery time to get back to normal as quickly as possible. That’s predictability that both threat hunters and their customers should be able to count on.

This guest blog is part of a Channel Futures sponsorship.
