Not only have cyberthreats increased in number, but also in complexity. Hacking campaigns that a few years ago were intended to exploit certain fairly well-known code have become structured, chameleon-like processes, capable of studying a network and its vulnerabilities before exploiting them. Therefore, solutions based on analysing the behavior of malicious code already known on the ENDPOINT (servers, PCs, tablets, mobiles, among others) had to evolve.
A new suite of tools designed to defend the ENDPOINT against these threats, which become more specialized every day, is essential to the new cyberdefense strategy of any company. These solutions are known as EDR (Endpoint Detection and Response) and have become one of the most important defense trends in the cybersecurity market, shifting the perspective on security incidents from reactive to proactive, with a focus on the secure operation of companies. This proactive concept is known as THREAT HUNTING; it is a growing trend in the industry and can be seen or applied at many layers: ENDPOINT, NETWORK, APPLICATION, among others.
In recent years, threats have evolved at considerable, almost exponential, speed, and organizations have amplified their levels of exposure to the same extent. The needs of digital transformation, e-commerce and connectivity trends, among others, add up to an equation whose result is none other than an increasingly broad and complex technological spectrum to protect.
Strategies built on technologies that were once considered functional have led to a false perception of security. For example, when traditional ENDPOINT protection tools generate a large number of reports stating that a significant number of malicious codes have been identified and cleaned up, this suggests that the user is completely protected and undermines the case for improving the cybersecurity posture.
Unfortunately, if there is no malicious code or “virus” that, when exploited, generates a visible impact on the organization, it is almost impossible to convey the need to improve and/or evolve the existing security controls.
This by no means diminishes the need for tools such as firewalls, anti-virus (anti-malware), WAF and IPS, among others. These tools form part of the protection layers in a defense-in-depth model that every company should have today. However, threats that are capable, through one technique or another (obfuscation, fileless execution, logic bombs, wrapping, among others), of evading those basic controls also require special attention, all the more so when they sit silently on the network, perhaps taking control of one or more computers or servers, modifying files, extracting information, perhaps cryptomining or, in the worst case, intercepting communications.
One of the new trends in improving cybersecurity posture that is quite successful in addressing these threats, which have evolved and continue to evolve, is Threat Hunting.
But what is threat hunting?
Threat hunting can be defined as the continuous iteration within the network to search for advanced threats, followed by their likely detection and isolation; given the nature of the process just described, its outcome should be seen as a proactive analysis.
This proactive approach closes the great gap left by other types of tools, which are usually more reactive and are typically used once the attack or incident has already happened.
This is easily explained with a security incident. From a reactive perspective, the incident starts from an event that has already generated an impact on the organization; the various security tools then allow us to understand what happened and to fine-tune the levels of detection and control, either by creating new rules, activating some new feature or simply downloading an extra updated signature package. From the proactive, Threat Hunting perspective, the incident instead starts from the gathering and continuous analysis of the network's normal activity and its possible deviations, understanding that access to system files, the opening of ports, PowerShell execution, reading of folders, modification of registry keys or simple connectivity with certain sites can all be new indicators of compromise. They must therefore be treated after an intensive process of security telemetry that profiles, as accurately as possible, the company's devices, users, networks and/or traffic.
Illustration 1: Graphic description of the difference between Threat Detection and Threat Hunting
However, it is precisely on the hypothesis and the analysis of the “Data” shown in Illustration 1, obtained from the ENDPOINT, that the EDR tools are succeeding.
EDR strategies are based on the use of tools of this nature, which monitor the ENDPOINT and its associated network traffic and feed this input into a database that is very different from that of traditional anti-virus tools. In this database, the processes associated with security telemetry are carried out, supported by analysis of the organization's real data; not by signatures or generic patterns.
The analysis provided by this type of tool allows not only a realistic view of the security situation of the ENDPOINT but also an improvement in security posture, by diverting or containing attacks based on the early identification of internal and external threats.
Technically speaking, a workstation that launches an anomalous process, changes a registry key that had never been touched before, opens high ports for connections or considerably increases the size of a system process (a sign of some kind of wrapping) will be flagged by the EDR's advanced analysis as a target for investigation and quick response; a task that traditional endpoint protection does not cover because of its signature-validation and/or heuristic nature. This is not intended to detract from the value of antivirus tools but to complement the protection and response efforts on the ENDPOINT; that is the meaning of an EDR.
It is important to understand that an EDR strategy is not based only on what the tool can deliver; it is also important to consider the research sources that support those tools and, at the same time, generate the new indicators of compromise. It is therefore recommended, during the immersion process into a hunting strategy, to accompany the acquisition of technologies with research groups that have the skills to read, research and feed the indicators of compromise specific to each organization.
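The baseline-and-deviation idea described above (profile normal activity, then treat a never-seen process, a new registry key change, a new high listening port, an unknown destination or a sudden growth in a system process image as indicators worth investigating) is shown below as an added example. It is not code from the original article or from any EDR product; the event format, host and process names, registry paths, ports, destinations, the 1.5x growth threshold and the 1024 high-port boundary are all constructed assumptions for illustration.

```python
# Added example, not code from the original article: a toy EDR-style hunt
# that profiles a "normal" telemetry window and reports deviations in a
# "live" window. All hosts, processes, keys, ports and sizes are constructed.
from collections import defaultdict

# Constructed "normal activity" window used to profile the workstation.
BASELINE_EVENTS = [
    {"host": "ws-01", "type": "process", "name": "explorer.exe", "image_size": 4_200_000},
    {"host": "ws-01", "type": "process", "name": "winword.exe", "image_size": 1_900_000},
    {"host": "ws-01", "type": "process", "name": "svchost.exe", "image_size": 51_000},
    {"host": "ws-01", "type": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Word"},
    {"host": "ws-01", "type": "listen", "port": 445},
    {"host": "ws-01", "type": "netconn", "dest": "updates.example.com"},
]

# Constructed "live" window containing one deviation of each kind the text lists.
LIVE_EVENTS = [
    {"host": "ws-01", "type": "process", "name": "winword.exe", "image_size": 1_950_000},  # normal drift
    {"host": "ws-01", "type": "process", "name": "svchost.exe", "image_size": 3_400_000},  # system process grew a lot
    {"host": "ws-01", "type": "process", "name": "powershell.exe", "image_size": 450_000}, # never seen on this host
    {"host": "ws-01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},  # new key
    {"host": "ws-01", "type": "listen", "port": 445},            # already in baseline
    {"host": "ws-01", "type": "listen", "port": 5555},           # new high port
    {"host": "ws-01", "type": "netconn", "dest": "updates.example.com"},  # known destination
    {"host": "ws-01", "type": "netconn", "dest": "cdn-relay.invalid"},    # new destination
]

GROWTH_FACTOR = 1.5   # assumption: image growth beyond 1.5x baseline is "considerable"
HIGH_PORT = 1024      # assumption: ports above this count as "high"


def build_baseline(events):
    """Profile per host what is normal: largest image size per process,
    registry keys touched, listening ports and outbound destinations."""
    profile = defaultdict(lambda: {"procs": {}, "keys": set(), "ports": set(), "dests": set()})
    for e in events:
        h = profile[e["host"]]
        if e["type"] == "process":
            h["procs"][e["name"]] = max(h["procs"].get(e["name"], 0), e["image_size"])
        elif e["type"] == "registry":
            h["keys"].add(e["key"])
        elif e["type"] == "listen":
            h["ports"].add(e["port"])
        elif e["type"] == "netconn":
            h["dests"].add(e["dest"])
    return profile


def hunt(events, baseline):
    """Return (host, rule, detail) tuples for every deviation from the baseline.
    An unknown host yields an empty profile, so everything it does is reported."""
    findings = []
    for e in events:
        h = baseline[e["host"]]
        t = e["type"]
        if t == "process":
            known_size = h["procs"].get(e["name"])
            if known_size is None:
                findings.append((e["host"], "anomalous_process", e["name"]))
            elif e["image_size"] > known_size * GROWTH_FACTOR:
                findings.append((e["host"], "image_growth", f"{e['name']} {known_size}->{e['image_size']}"))
        elif t == "registry" and e["key"] not in h["keys"]:
            findings.append((e["host"], "new_registry_key", e["key"]))
        elif t == "listen" and e["port"] not in h["ports"] and e["port"] > HIGH_PORT:
            findings.append((e["host"], "new_high_port", str(e["port"])))
        elif t == "netconn" and e["dest"] not in h["dests"]:
            findings.append((e["host"], "new_destination", e["dest"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

Run against the constructed windows, the hunt reports five findings (the svchost.exe growth, the unseen powershell.exe, the Run key change, port 5555 and the unknown destination) and stays silent on the drifted but still plausible winword.exe size; run against its own baseline it reports nothing. Real telemetry would carry many more fields (parent process, user, command line, hashes), but the shape stays the same: a per-host profile of what is normal, and a hunt that produces candidates for analyst review rather than verdicts.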