It’s fall in the U.S. and with it comes the changing colors of the leaves, football season and to many the enjoyable activity of hunting. How appropriate then that we bring up the topic with the same name for this blog — Hunt Team.
What is a Hunt Team?
At a high level, using a Cyber Hunt Team is an on-going, proactive approach to looking for, finding and stopping a cyber-intrusion.
You’ve seen the statistics, it takes minutes for the hacker to get in your network but this is after they have been performing weeks, or even months of reconnaissance, privilege escalation and the myriad steps to ‘owning your data’ — undetected. Quite often, the hacker is discovered late in the game when law enforcement contacts a company to see if they are aware that they are being hacked, when a customer contacts a company because their information was found on the internet, or when a bank realizes that a recurring theme in fraudulent bank charges has led them to your company. None of which is a good plan for protecting your data.
Now let’s think about hunting. If the hunter wants to be successful at finding game, does the hunter sit on their back porch and just wait for someone to come by and tell them that there is a big deer around the corner or pheasant over in the next field? If they did, that would be one hungry and unsuccessful hunter. No, the hunter looks for the areas where the animals live – around sources of food and water or in protected areas. The hunter seeks out evidence of the animals – a skinned tree where a deer rubbed its antlers or animal prints in the ground. This same analogy also fits well with a cybersecurity Hunt Team.
The goal of a Cyber Hunt Team is to proactively seek out hackers where they may reside and look to stop them in their tracks. Typically the Hunt Team starts by modeling the company environment and look to determine some of the following:
- Where does the important data reside and where should it not be?
- How is that data stored?
- What activity is common with that data?
- What network activity is common for the corporate environment?
- What are the common events and activities reported by the company’s servers?
- What are the common applications and processes that should be running on the various computers in the environment?
With this information, the Cyber Hunt Team now has a ‘lay of the land’ and understands what is normal. Understanding what is normal is key to finding the abnormal in an endless sea of data. It is the abnormal activity that quite often leads to evidence that an intruder is inside a corporation’s IT environment. That abnormal activity may be the presence of an unusual user account or a user account with privileges and rights that it shouldn’t have.
Where does the Cyber Hunt Team get this information? Quite often it is the very same artifacts used in a forensic or incident response scenario. If you have worked with Vestige in the past, you may have heard one of our forensic analysts banter on about “Event logs”, “Shellbags” or “Services”. Maybe you’ve heard “Link files”, “Jump lists” and “Prefetch”. Those are just some of the artifacts that a Hunt Team will gather to identify normal and abnormal activity. The Cyber Hunt Team will also look for evidence in a computer’s memory in the form of running applications and network activity (connections to other computers and open ports). Again, the goal is to find abnormal activity among the layers of normal.
Forensic analysts, such as the Experts on staff at Vestige, are uniquely qualified for this type of work. It is what we do every day! When Vestige is engaged to determine whether a computer has been compromised by a hacker, used to steal data or is otherwise wreaking cyber-havoc, we are tasked with finding that abnormal activity. In those situations, while we may not have the luxury of knowing all that would be normal activity on the computer at hand, we do a good job of getting to the bottom of whether or not a computer or system has been attacked and how. When allowed to work as a Cyber Hunt Team for a client, the advantages are many.
Hunt Team Advantages
The first advantage is that as a Hunt Team has early access and can determine what is normal.
Forensic analysts examine the entire environment as a whole under the premise that most of the activity should be normal. Known benign computers are examined, documented and modeled. The forensic artifacts from those computers are used as a template against which other computers are compared. Common, expected network activity is documented.
The second advantage is time.
When a cyber-incident occurs, everyone from management to counsel to public relations wants answers and wants them yesterday. Reporting regulations and business interests requires a fast response. Those situations do not give rise to efficient and effective investigations. With a Cyber Hunt Team, that pressure is not there. Efficiencies in analysis can be implemented and time can be spent to insure that the investigation, or in this case, the hunting, is thorough.
The best advantage is that when employing a Hunt Team, you are finding the persistent attackers before a breach or significant damage occurs.
A Cyber Hunt Team can move that timeline of detecting an intruder from months to days. This can potentially save an organization millions of dollars in regards to legal fees, network downtime, staff time, customer trust and brand protection.
Many times hackers will compromise a system and then leave it sit there only to return later to perform real damage. A Hunt Team will find that intruder and ideally before the intruder does any real damage. Minimizing the damage in the form of lost client records, stolen intellectual property or lost money is something that company management should welcome. Also when you find the hacker early, you prevent the hacker from expanding their activity to other computers, other corporate locations or other partners. Recall that the Target debacle didn’t start with Target being hacked, it started with a vendor of theirs being hacked and the hacker using that vendor to infiltrate Target. Don’t you think that a Hunt Team at that vendor may have helped prevent Target from being hacked?
So as some of you may be putting on the boots and flannels and doing your best Elmer Fudd impersonation this fall, consider the long-term advantages of a cost-effective, proactive Hunt Team for your company’s digital environment to stop or greatly mitigate attacks BEFORE they can occur. An experienced Hunt Team composed of expert cyber forensic investigators continuously surveying the landscape and in search of the abnormal activity is much more cost-effective in the long-run than the very expensive, often unrecoverable act of waiting until a cyberattack occurs and scrambling to react. Because all too often in this scenario the attacker gets away with your valuable customer data, intellectual property, corporate information or money!
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations