Entry: Cyber threat hunting
Definition

  1. Methodologies

  2. Cyber threat hunting providers

  3. Indicators

  4. Tactics, Techniques and Procedures (TTPs)

  5. Dwell Time

  6. Mean Time to Detection

  7. See also

  8. References

Cyber threat hunting is an active cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."[1] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandboxes and SIEM systems, which typically involve an investigation of evidence-based data only after there has been a warning of a potential threat.[2]

Methodologies

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data sources using their own knowledge of and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, lateral movement by threat actors.[3] To be more effective and efficient, however, threat hunting can also be partially automated, or machine-assisted. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to surface potential risks; the analyst then investigates them, tracking suspicious behavior in the network. Hunting is thus an iterative process: it is carried out continuously in a loop that begins with a hypothesis. The hypothesis can focus efforts on known exploits, potential bad actors, or assets and data of value. Using security data, industry reports and other intelligence, the hypothesis is formed, and the hunt team sets out to prove or disprove it. Cyber threat hunts often employ both automated and manual tools and techniques to identify a compromise that existing controls have not yet detected.[4] There are three types of hypotheses:

  • Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"[5]
  • Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"[5]
  • Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"[5]

The analyst researches their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model[6] expresses that threat indicators can be detected at different semantic levels. High-semantic indicators such as goal and strategy, or tactics, techniques and procedures (TTPs), are more valuable to identify than low-semantic indicators such as network artefacts and atomic indicators such as IP addresses: an attacker can rotate an IP address in minutes, but changing how they operate is costly. SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.[7]
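The following Python script is an added illustration, not code from the article or from any vendor it names, of the hypothesis-driven loop described above and of the DML point about semantic levels. It runs two checks over a constructed set of Windows logon events (event ID 4624; logon type 3 is a network logon, the kind SMB, WMI and remote-execution tools produce): an atomic-indicator match against a blocklisted source IP, and a TTP-level hypothesis that an account fanning out network logons to many more distinct hosts than its baseline inside a short window is being used for lateral movement. The event lines, the blocklist entry, the per-account baselines and the thresholds are all constructed assumptions. In the sample the attacker connects from an IP that is not on the blocklist, so the atomic indicator finds nothing while the behavioural hypothesis flags the account.

```python
"""Hypothesis-driven hunt over constructed Windows logon events.

Everything here (events, blocklist, baselines, thresholds) is constructed for the
example; it is not data from any real environment or incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log, one event per line: time,event_id,logon_type,account,src_ip,dest_host
# (4624 = successful logon; logon type 3 = network logon, as produced by SMB/WMI/PsExec)
SAMPLE_EVENTS = """\
2024-03-01T09:00:00,4624,2,alice,10.0.1.15,WS-ALICE
2024-03-01T09:05:00,4624,3,alice,10.0.1.15,FS-01
2024-03-01T09:30:00,4624,3,alice,10.0.1.15,PRINT-01
2024-03-01T10:00:00,4624,3,svc_backup,10.0.2.5,FS-01
2024-03-01T10:00:30,4624,3,svc_backup,10.0.2.5,FS-02
2024-03-01T10:01:00,4624,3,svc_backup,10.0.2.5,DB-01
2024-03-01T22:10:00,4624,3,bob,10.0.1.77,WS-ALICE
2024-03-01T22:10:20,4624,3,bob,10.0.1.77,WS-CAROL
2024-03-01T22:10:45,4624,3,bob,10.0.1.77,FS-01
2024-03-01T22:11:10,4624,3,bob,10.0.1.77,DB-01
2024-03-01T22:11:40,4624,3,bob,10.0.1.77,DC-01
"""

# Atomic indicator (low DML level): an IP a feed flagged earlier. Assumed value.
IOC_BLOCKLIST = {"10.0.9.9"}

# Assumed baseline: distinct hosts each account normally reaches via network logon
# in a short window. In practice this comes from weeks of history or a UEBA product.
BASELINE_DISTINCT_HOSTS = {"alice": 2, "svc_backup": 5, "bob": 1}


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    account: str
    src_ip: str
    dest_host: str


def parse_events(raw: str) -> list:
    """Parse the constructed CSV-style log into typed events, oldest first."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        t, eid, ltype, acct, ip, host = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(t), int(eid), int(ltype), acct, ip, host))
    return sorted(events, key=lambda e: e.time)


def ioc_hits(events, blocklist=frozenset(IOC_BLOCKLIST)) -> list:
    """Atomic-indicator check: exact match of the source IP against the blocklist.
    Cheap, but it only finds infrastructure the attacker has already burned."""
    return [e for e in events if e.src_ip in blocklist]


def hunt_lateral_movement(events, baseline=BASELINE_DISTINCT_HOSTS,
                          window=timedelta(minutes=10), factor=3) -> dict:
    """TTP-level hypothesis: an account that fans out network logons (type 3) to
    at least `factor` times its baseline number of distinct hosts inside `window`
    is being used to move laterally. Returns {account: finding}."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 3:
            by_account[e.account].append(e)

    findings = {}
    for account, evs in by_account.items():          # evs are already time-ordered
        threshold = baseline.get(account, 1) * factor  # unknown accounts: baseline 1
        best_hosts, best_start = set(), None
        for i, start in enumerate(evs):
            hosts = {e.dest_host for e in evs[i:] if e.time - start.time <= window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = hosts, start.time
        if len(best_hosts) >= threshold:
            findings[account] = {
                "distinct_hosts": len(best_hosts),
                "threshold": threshold,
                "window_start": best_start.isoformat(),
                "hosts": sorted(best_hosts),
            }
    return findings


def run_hunt(raw: str = SAMPLE_EVENTS) -> dict:
    """One iteration of the hunt loop: gather data, test both hypotheses, report."""
    events = parse_events(raw)
    return {"ioc_hits": ioc_hits(events), "lateral_movement": hunt_lateral_movement(events)}


if __name__ == "__main__":
    result = run_hunt()
    print("IOC hits:", len(result["ioc_hits"]))           # 0: attacker used a fresh IP
    for account, f in result["lateral_movement"].items():
        print(f"{account}: {f['distinct_hosts']} hosts in 10 min "
              f"(threshold {f['threshold']}) starting {f['window_start']}: {f['hosts']}")
```

The result of a hunt like this is not just the flagged account: the behavioural rule, once it has proved itself, is what gets promoted into the automated detection layer, which is the "store the results to improve the automated portion" step the text describes. Real baselines must also tolerate legitimate fan-out (backup and scanning service accounts, as `svc_backup` shows), which is why the threshold is relative to each account rather than a fixed number.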

Cyber threat hunting providers

Representative notable vendors of threat hunting software and services include:

  • Threatspike Labs
  • Trustwave SpiderLabs (https://www.trustwave.com/en-us/resources/trustwave-stories/the-threat-hunters/)
  • Verint (https://cis.verint.com/cyber)
  • DFLabs (https://www.dflabs.com/platform/incman-soar/)
  • IBM (https://www.ibm.com/security/cyber-threat-hunting)
  • Elastic (https://www.elastic.co/solutions/security-analytics)
  • R9B
  • 1E
  • Panda Adaptive Defense (https://www.pandasecurity.com/usa/business/adaptive-defense/)
  • Alert Logic (https://www.alertlogic.com/)
  • Alpine Security (https://www.alpinesecurity.com/)
  • Carbon Black
  • SISA EOT (https://www.sisainfosec.com/products/synergistic-soc/)
  • Cisco Threat Hunting (https://www.cisco.com/c/dam/en/us/services/collateral/se/IR-ProactiveThreatHunting-AAG.pdf/)
  • Corelight
  • Countercept (by MWR InfoSecurity) (https://www.countercept.com/)
  • CounterCraft (https://www.countercraft.eu/)
  • CrowdStrike
  • Cyberbit (https://www.cyberbit.com/)
  • Cybereason
  • Cynet
  • Darktrace
  • Endgame, Inc.
  • Expel (https://expel.io/managed-security/)
  • ExtraHop Networks
  • FireEye (https://www.fireeye.com/)
  • Haystax Technology (https://www.haystax.com/)
  • Infocyte HUNT (by Infocyte) (https://www.infocyte.com/)
  • Mantix4 (https://mantix4.com/)
  • Microsoft (https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
  • ONE eSecurity
  • Paladion Networks (https://www.paladion.net)
  • RANK Software Inc (https://www.ranksoftwareinc.com)
  • RocketCyber (https://www.rocketcyber.com)
  • RSA NetWitness Platform (https://www.rsa.com/en-us/products/threat-detection-response/)
  • S21Sec
  • Secdo
  • Secureworks Targeted Threat Hunting (https://www.secureworks.com/capabilities/incident-response/incident-management/targeted-threat-hunting)
  • Sqrrl
  • TalaTek Cyber Threat Hunting (https://talatek.com/risk-management-services/cyber-threat-hunting/)
  • TIP (Threat Intelligence Platform) (https://threatintelligenceplatform.com)
  • Vectra Networks Inc.
  • Bulletproof (https://www.bulletproof.co.uk/managed-siem)

The SANS Institute has conducted research and surveys on the effectiveness of threat hunting to track and disrupt cyber adversaries as early in their process as possible. According to a survey released in 2017, "60% of those who hunt for threats reported measurable improvements in their InfoSec programs based on their hunting efforts, and 91% report improvements in speed and accuracy of response."[8]

Indicators

There are two types of indicators:

1) Indicator of Compromise - An indicator of compromise (IOC) tells you that an action has already happened, so you are in a reactive mode. IOCs are found by looking inward at your own data, such as transaction logs or SIEM data. Examples include unusual network traffic, unusual privileged-account activity, login anomalies, increases in database read volume, suspicious registry or system file changes, unusual DNS requests, and web traffic showing non-human behavior. Spotting these unusual activities lets security teams catch malicious actors earlier in the attack than waiting for an alert would.

2) Indicator of Concern - Data collected from publicly available sources through open-source intelligence (OSINT) can be used to detect attacks and to seed threat hunts.
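Two of the IOC examples listed above, "unusual DNS requests" and "traffic showing non-human behavior", lend themselves to simple hunts over a DNS query log. The Python below is an added example written for this page, not code from the article or any vendor it names. It builds a constructed log using reserved names (example.com, example.net and the .test TLD) and runs two checks: hostnames whose leftmost label is long and high-entropy, the shape DNS tunnelling and exfiltration produce when data is encoded into labels, and (client, domain) pairs whose query timing is too regular to be a person, which is what a beaconing implant looks like even with a little jitter. The log lines, the entropy and length thresholds, the minimum sample count and the regularity cut-off are all assumptions a hunter would tune against local baselines.

```python
"""Two hunts over a constructed DNS query log: high-entropy hostnames (tunnelling or
exfiltration encoded into labels) and machine-regular query timing (beaconing).
All lines are constructed for the example and use reserved names (example.com/.net,
*.test); thresholds are assumptions a hunter would tune against local baselines.
"""
import hashlib
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime


def _fake_payload(i: int) -> str:
    """Deterministic pseudo-random hex standing in for encoded exfil data (constructed)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:60]


# Constructed log, one query per line: time,client_ip,qname
SAMPLE_DNS_LOG = "\n".join(
    # a person browsing: irregular timing, short readable labels
    [f"2024-03-01T{t},10.0.1.15,{q}" for t, q in [
        ("09:00:00", "www.example.com"), ("09:00:07", "www.example.com"),
        ("09:14:32", "mail.example.com"), ("09:31:05", "www.example.com"),
        ("10:02:11", "docs.example.com"), ("10:02:13", "www.example.com"),
        ("11:45:00", "www.example.com"), ("11:45:01", "cdn.example.net"),
    ]]
    # an implant checking in every ~300 s with a little jitter
    + [f"2024-03-01T{t},10.0.1.77,update.beacon.test" for t in [
        "22:00:00", "22:05:01", "22:09:59", "22:15:02",
        "22:19:58", "22:25:00", "22:30:01", "22:34:59"]]
    # the same host pushing data out through hostnames
    + [f"2024-03-01T22:40:0{i},10.0.1.77,{_fake_payload(i)}.t.tunnel.test" for i in range(5)]
)


def parse_dns_log(raw: str) -> list:
    """Return (time, client_ip, qname) tuples, lower-cased, blank lines skipped."""
    rows = []
    for line in raw.splitlines():
        if line.strip():
            t, client, qname = line.split(",")
            rows.append((datetime.fromisoformat(t), client, qname.lower()))
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated char, up to 4.0 for hex, up to 6 for base64."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    """Simplification: last two labels. Real hunts should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def hunt_high_entropy_labels(rows, min_len=30, min_entropy=3.2) -> list:
    """Flag queries whose leftmost label is long and high-entropy, the shape of data
    encoded into hostnames. Thresholds (assumed) suit hex; base32/64 scores higher."""
    hits = []
    for t, client, qname in rows:
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= min_entropy:
            hits.append({"time": t.isoformat(), "client": client,
                         "qname": qname, "entropy": round(ent, 2)})
    return hits


def hunt_beaconing(rows, min_queries=6, max_cv=0.1) -> list:
    """Flag (client, domain) pairs whose inter-arrival times are too regular for a
    human: coefficient of variation (stdev / mean) near zero means a timer is driving
    the traffic. Jittered beacons still score far below human browsing."""
    series = defaultdict(list)
    for t, client, qname in rows:
        series[(client, registered_domain(qname))].append(t)
    findings = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue                        # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                        # burst of identical timestamps, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "domain": domain, "queries": len(times),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    rows = parse_dns_log(SAMPLE_DNS_LOG)
    for h in hunt_high_entropy_labels(rows):
        print(f"tunnel? {h['client']} -> {h['qname'][:24]}... entropy={h['entropy']}")
    for b in hunt_beaconing(rows):
        print(f"beacon? {b['client']} -> {b['domain']} every {b['mean_interval_s']}s (cv={b['cv']})")
```

Both checks are deliberately behavioural rather than list-based: neither needs the tunnel or beacon domain to be known in advance, which is the difference between hunting and matching a feed. Expect false positives from CDNs, software updaters and monitoring agents on the beaconing check, and from content-hash hostnames (cache busters, certificate transparency lookups) on the entropy check; an allow-list of known-good registered domains is the usual first tuning step.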

Tactics, Techniques and Procedures (TTPs)

The SANS Institute identifies a threat hunting maturity model as follows:[9]

  • Initial - At Level 0 maturity, an organization relies primarily on automated reporting and does little or no routine data collection.
  • Minimal - At Level 1 maturity, an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
  • Procedural - At Level 2 maturity, an organization follows analysis procedures created by others. It has a high or very high level of routine data collection.
  • Innovative - At Level 3 maturity, an organization creates new data analysis procedures. It has a high or very high level of routine data collection.
  • Leading - At Level 4 maturity, an organization automates the majority of its successful data analysis procedures. It has a high or very high level of routine data collection.

Dwell Time

Cyberattackers operate undetected for a median of 99 days, but obtain administrator credentials in less than three days, according to the Mandiant M-Trends 2017 report.[10] The same report found that 53% of compromises were discovered only after notification from an external party.

Mean Time to Detection

The average company takes 170 days to detect an advanced threat, 39 days to mitigate it and 43 days to recover, according to the Ponemon Institute.[11]

See also

  • Proactive cyber defense
  • Cyber campaign

References

1. "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge", TechRepublic, http://www.techrepublic.com/article/cyber-threat-hunting-why-this-active-strategy-gives-analysts-an-edge/ (accessed 2016-06-07).
2. "Threat Intelligence Platform on War Against Cybercriminals", Techworm, https://www.techworm.net/2018/06/threat-intelligence-platform-on-war-against-cybercriminals.html (accessed 2019-02-17).
3. "What is (cyber) threat hunting and where do you start?", Expel, 2018-04-09, https://expel.io/blog/what-is-cyber-threat-hunting-and-where-do-you-start/ (accessed 2018-05-26).
4. Baan Alsinawi, "TalaTek Cyber Threat Hunting Services", TalaTek, LLC, https://talatek.com/risk-management-services/cyber-threat-hunting/ (accessed 2018-11-12).
5. "Cyber Threat Hunting", Sqrrl, https://sqrrl.com/solutions/cyber-threat-hunting/ (accessed 2016-06-07).
6. Ryan Stillions, "The DML Model", Ryan Stillions security blog, 2014, http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html.
7. Siri Bromander, "Semantic Cyberthreat Modelling", Semantic Technology for Intelligence, Defense and Security (STIDS 2016), http://folk.uio.no/josang/papers/BJE2016-STIDS.pdf.
8. "The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey", SANS Institute, 2017-04-01, https://www.sans.org/reading-room/whitepapers/analyst/hunter-strikes-back-2017-threat-hunting-survey-37760 (accessed 2018-05-28).
9. Robert Lee, "The Who, What, Where, When and How of Effective Threat Hunting", SANS Institute, https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785 (accessed 2018-05-29).
10. "M-Trends Report", Mandiant, https://www.fireeye.com/current-threats/annual-threat-report/mtrends/rpt-m-trends-2017.html (accessed 2018-05-28).
11. "State of Malware Detection and Prevention", Ponemon Institute, https://www.ponemon.org/blog/new-ponemon-study-on-malware-detection-prevention-released (accessed 2018-05-29).

