Malwareless attacks have been gaining ground in the global cybersecurity landscape for months, and their continued advance is one of PandaLabs’ leading predictions for 2019.
In these kinds of operations, the attacker assumes the identity of the administrator, after gaining their network credentials one way or another, and, to all intents and purposes, seems to be the network administrator going about their job.
As no malware of any kind is used, security systems must be able to recognize this type of attack by spotting anomalous behavior of users on the corporate network. Technologies capable of doing these tasks are an integral part of the concept of Threat Hunting.
Fewer malware infections and an increase in live hacking
In 2016, there were 40% fewer infections than in 2015, and in 2017, the reduction was even more significant, at 70%. In 2018, reported infections caused by malware are trending toward zero. As such, the problem of malware is fading away, while the new problem is the professionalization of cybercriminals.
There are tens of thousands of hackers in the world, trained by governments, security companies, and criminal organizations. They carry out targeted attacks with proprietary malware, and even make use of legitimate applications and goodware in order to stay hidden. All of this requires an equivalent response to keep networks safe.
After explaining why Threat Hunting is necessary, and taking a look at what the process of proactively looking for threats is like, here we’re going to analyze what challenges are involved in carrying out this activity, and its inherent advantages for our companies.
The challenges of Threat Hunting
The main challenge that stops IT teams from carrying out Threat Hunting is time. Unfortunately, IT teams are very often limited in size, and one person is likely to be the IT administrator, technician, and CISO all rolled into one, which means that you probably do not have the time you need to carry out these tasks.
Time is needed to search for threats, to gather data, and to create valid hypotheses. What’s more, it’s also needed in order to investigate indicators of attack and compromise (IOAs and IOCs) and attack patterns. As such, time is key.
Threat Hunting platforms ought to be capable, among other things, of monitoring the behavior of computers, the applications running on them and, in particular, their users. Technically speaking, the Threat Hunting process is based on an immense pool of data regarding all the behavior of the monitored components and updated in real time as new events occur.
The platform used must be able to explore this vast store of information in order to develop new attack hypotheses. At that point, machine learning systems will prioritize potential incidents which, once triggered, need to be analyzed in detail using remote forensic analysis tools integrated in the platform.
And these requirements are yet another challenge, bearing in mind the fact that the human factor is key to complementing the automation process: hiring qualified experts can be another difficult and costly process, and building or operating the necessary tools yet another considerable expense, one that many IT departments cannot afford.
If you don’t have the time, the resources or the knowhow, how can you benefit from Threat Hunting?
The answer is to have a managed service, such as Panda Threat Hunting & Investigation Service. Our team of expert analysts identifies attacks that use completely new methods and mechanisms. The aim of this service is to detect attacks for which there are no known IOCs (indicators of compromise) or IOAs (indicators of attack), which means that it is not a simple task of correlation on a SIEM; it revolves around discovering and creating new indicators of attack.
In fact, we are looking in real time for hackers who are impersonating systems administrators, without using malware, without personalized tools (which would be extremely easy for us to identify), but rather using administrative tools, scripts, PowerShell, etc. We’re also looking for malicious employees or careless users who are trying to harm the company, to steal information, or cause some kind of damage.
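As an added illustration of the behavioral hunting described above (the user-behavior monitoring mentioned earlier and the search for admin-tool misuse here), and not Panda’s own code or data, the following Python builds a per-account baseline from constructed endpoint telemetry and flags administrative-tool activity that departs from it. Every user name, host, tool list and timestamp is made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: (timestamp, account, host, process). Not real data.
BASELINE_EVENTS = [
    ("2019-01-07 09:12:00", "admin.jsmith", "SRV-FILE01", "mmc.exe"),
    ("2019-01-07 10:40:00", "admin.jsmith", "SRV-FILE01", "powershell.exe"),
    ("2019-01-08 09:05:00", "admin.jsmith", "SRV-DC01", "dsa.msc"),
    ("2019-01-08 14:30:00", "admin.jsmith", "SRV-DC01", "powershell.exe"),
    ("2019-01-09 11:00:00", "admin.jsmith", "SRV-FILE01", "cmd.exe"),
]
NEW_EVENTS = [
    ("2019-01-14 10:15:00", "admin.jsmith", "SRV-FILE01", "powershell.exe"),
    ("2019-01-14 03:20:00", "admin.jsmith", "WS-HR-17", "powershell.exe"),
    ("2019-01-14 16:00:00", "admin.jsmith", "SRV-DC01", "wmic.exe"),
]
# Hypothetical list of legitimate administrative tools that a hunter wants to profile.
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "mmc.exe", "dsa.msc", "psexec.exe"}
WORK_HOURS = range(8, 19)  # assumed normal working hours for the example

def hour_of(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour

def build_baseline(events):
    """Learn, per account, which hosts it normally works on and which tools it uses."""
    profile = defaultdict(lambda: {"hosts": set(), "tools": set()})
    for _, user, host, proc in events:
        profile[user]["hosts"].add(host)
        profile[user]["tools"].add(proc)
    return profile

def hunt(events, profile):
    """Return (event, reasons, score) for admin-tool use that deviates from the baseline."""
    findings = []
    for ev in events:
        ts, user, host, proc = ev
        if proc not in ADMIN_TOOLS:
            continue
        reasons = []
        known = profile.get(user)
        if known is None:
            reasons.append("no baseline exists for this account")
        else:
            if host not in known["hosts"]:
                reasons.append("admin tool run on a host this account has never used")
            if proc not in known["tools"]:
                reasons.append("tool never used by this account before")
        if hour_of(ts) not in WORK_HOURS:
            reasons.append("activity outside working hours")
        if reasons:  # score = number of deviations, used to prioritize analyst time
            findings.append((ev, reasons, len(reasons)))
    return sorted(findings, key=lambda f: -f[2])
```

Each finding is a hypothesis for an analyst to confirm or discard, not a verdict; a normal weekday PowerShell session on a known server produces no finding at all.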
Because of all of this, we’re making use of identity profiles, and our plan is to also include the user’s identity and data control in training. Because there should be no excuses when it comes to protecting what is most valuable, the endpoint, with a managed Threat Hunting service.