One of the most critical skills an information security group can have is the ability to proactively look for threats in its own environment, a process known as hunting. Good hunting combines deep knowledge of your environment with the ability to understand the details of changes as they take place, in real time. That knowledge is the greatest advantage defenders have when deciding how best to counter an adversary.
An attacker has to learn a great deal about your infrastructure before finding a weak spot to exploit. You start with the advantage of already knowing what normal patterns of behavior look like for your users and systems.
Look at the activity patterns in a typical office. People come in at about the same time every day and access the same resources. Deviations from these patterns do not always indicate malicious intent, but they are worth investigating. For instance, if a contractor in Legal typically opens only a few sensitive documents per day and suddenly opens a large number on her laptop, someone should look into it. This is the crux of hunting: combining knowledge about your environment with observations of current activity to determine when something is wrong.
Hunting is the process of sifting through these behaviors and sorting out which ones are merely suspicious and which ones are malicious. Take the previous example a step further. The contractor's manager may have asked her to review a large set of sensitive documents because the company is involved in an acquisition. A quick phone call to the Legal department may confirm this, and you can conclude the activity is legitimate. If no one can account for it, you may have uncovered malicious activity.
Printing is another good example that many companies overlook. Depending on the department, users print a fairly predictable number of documents every day. If someone in Finance, for example, starts printing five times his normal volume, that is an anomaly worth investigating. Again, it may be legitimate, but it may also be someone stealing a large amount of sensitive information one page at a time.
A great deal happens on your networks, and you need to focus on what matters. Users access sensitive data every day to do their jobs, including intellectual property, personally identifiable information (PII) and financial data. Encrypting that data and controlling access to it is one layer of protection, but you also need to understand how users actually use it. Since users need legitimate access to sensitive information, you must understand their normal usage patterns. If you then see anomalies, such as access attempts from unfamiliar locations, perhaps someone clicked a link in a phishing email and an attacker is now exfiltrating sensitive information with that user's credentials. Once you identify suspicious behavior, you still need to determine whether it is actually malicious.
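The three hunts described above (a Legal contractor opening far more documents than usual, a Finance user printing five times his normal volume, and access from an unfamiliar location) all rest on the same mechanic: build a per-user baseline from past activity, then compare today's activity against it. The following is an added example, not code from the original post. It runs that logic over a small constructed activity log; the log format, user names, the ten-day baseline window, the 3x volume ratio and the minimum-count floor are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation hunting over a constructed activity log.

Added example, not part of the original post. Every name, threshold and
log row below is an assumption chosen to illustrate the technique.
"""
from collections import defaultdict
from statistics import mean

BASELINE_DAYS = range(1, 11)  # days 1-10 define "normal" (assumption)
OBSERVE_DAY = 11              # the day being hunted (assumption)
VOLUME_RATIO = 3.0            # flag when today's volume >= 3x the user's mean (assumption)
MIN_EVENTS = 10               # ignore tiny counts: going from 1 to 3 is not a finding (assumption)


def make_events():
    """Constructed log, one row per (day, user, action): not real telemetry.

    A real source would be a file-server audit log, a print-server log or an
    identity provider's sign-in log. Fields: day, user, dept, action, count, location.
    """
    events = []
    for day in BASELINE_DAYS:
        events.append(dict(day=day, user="contractor.legal", dept="Legal",
                           action="open_doc", count=3 + day % 3, location="HQ"))
        events.append(dict(day=day, user="analyst.finance", dept="Finance",
                           action="print", count=10, location="HQ"))
        events.append(dict(day=day, user="eng.dev", dept="Engineering",
                           action="open_doc", count=20, location="HQ"))
        events.append(dict(day=day, user="sales.rep", dept="Sales",
                           action="open_doc", count=8, location="HQ"))
    # Observation day: a document spike in Legal, a 5x print spike in Finance,
    # normal volume from a never-before-seen address in Engineering (TEST-NET-2,
    # a documentation range), and an uneventful Sales rep.
    events += [
        dict(day=OBSERVE_DAY, user="contractor.legal", dept="Legal",
             action="open_doc", count=60, location="HQ"),
        dict(day=OBSERVE_DAY, user="analyst.finance", dept="Finance",
             action="print", count=50, location="HQ"),
        dict(day=OBSERVE_DAY, user="eng.dev", dept="Engineering",
             action="open_doc", count=22, location="198.51.100.7"),
        dict(day=OBSERVE_DAY, user="sales.rep", dept="Sales",
             action="open_doc", count=9, location="HQ"),
    ]
    return events


def build_baselines(events):
    """Return (mean daily count per (user, action), set of seen locations per user)
    computed only from rows inside the baseline window."""
    counts = defaultdict(list)
    locations = defaultdict(set)
    for e in events:
        if e["day"] not in BASELINE_DAYS:
            continue
        counts[(e["user"], e["action"])].append(e["count"])
        locations[e["user"]].add(e["location"])
    return {key: mean(vals) for key, vals in counts.items()}, locations


def hunt(events, day=OBSERVE_DAY):
    """Compare one day's rows against the baseline; return (user, kind, detail) findings.

    Users with no baseline are skipped rather than flagged: a first-day account
    has no "normal" yet, and that is a separate question to answer by hand.
    """
    means, locations = build_baselines(events)
    findings = []
    for e in events:
        if e["day"] != day:
            continue
        base = means.get((e["user"], e["action"]))
        if base and e["count"] >= MIN_EVENTS and e["count"] >= VOLUME_RATIO * base:
            findings.append((e["user"], "volume",
                             f"{e['action']} {e['count']} today vs mean {base:.1f} "
                             f"({e['count'] / base:.1f}x)"))
        if e["user"] in locations and e["location"] not in locations[e["user"]]:
            findings.append((e["user"], "location",
                             f"activity from {e['location']}; previously only "
                             f"{sorted(locations[e['user']])}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in hunt(make_events()):
        print(f"[{kind:8}] {user}: {detail}")
```

Each finding is a lead, not a verdict: the volume hit on the Legal contractor is exactly the case that a phone call to her manager may explain away, while the location hit on the Engineering account is the kind of anomaly that warrants checking for a phished credential before anything else. Tune VOLUME_RATIO and MIN_EVENTS per department rather than globally, since "normal" for Finance printing and for Legal document access are very different numbers.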
Protect your most sensitive data and learn its normal usage patterns so you can spot anomalies. Once you detect one, you can act to stop an insider attack before it causes damage.