When it comes to securing your environment, it’s important to understand your digital landscape and know where attacks can occur. Here are the two major types of cyber attacks to be aware of when hunting for threats.
Commodity Malware Attacks.
Commodity malware attacks come from clicking on the wrong link or installing the wrong program. In these situations, remedying the problem is typically as simple as removing the malware, rebuilding the device, and/or resetting user.
Typical malware attack strategy:
- Leverage highly automated attack techniques.
- Be focused on infecting large numbers of endpoints.
- Be delivered using techniques that would appeal to many potential targets.
Human-operated attacks occur when attackers infiltrate a system and escalate their scale of attack to varying degrees based on what they find in your network. In these situations, complete eviction of the attacker and every element they’re connected to – or control – is paramount.
Typical Human-operated attack strategy:
- Focus on specific targets.
- Evade specific organisational protections.
- Use customised tools designed specifically for the target.
- Abuse legitimate administrative tools to avoid detection.
Know The ABC’s Of Threat Hunting.
Surviving a human-operated attack relies on your ability to identify signs of the attacker and their activity. Here’s a breakdown of what to look out for and how to stay protected.
Authentication represents the identity aspect of an incident. Understanding the authentication aspect of an attack enables you to quickly identify suspicious activity and respond before the adversary has a chance to strike.
- User accounts
- E-mail addresses
- Cloud identities
- Shared credentials (i.e., SSH keys)
- SAS (Shared Access Signature) tokens
Backdoors are intended or malicious ways that an attacker controls a system or service. Researching the backdoor aspect of an attack can provide evidence of attacker techniques that may highlight other potentially compromised applications and systems.
- Malware that provides remote access
- Web shells
- Remote administration tools
- Accidental or intentional misconfigurations to provide remote access
- Built-in management capabilities
The communication aspect of the attack identifies how the attacker interacted with the backdoor. Elements of this communication can be used to help identify other systems the attacks may have interacted with.
Examples of communication elements:
- IP (Internet Protocol) addresses
- Network routes
- DNS (Domain Name System) names
- User agent strings
- Network relays
Develop Your Own Threat Hunting Program.
Building your own threat hunting team requires bringing together the right people and giving them enough time and the right technology and training to succeed. Here’s how to get started.
Use Your Human Talent Wisely.
Automate repetitive tasks and focus your human talent on tasks requiring expertise, judgement, and creative thinking.
Choose Team Players.
“Lone wolves” aren’t ideal in high-pressure work environments where collaboration is needed. Instead, aim for enthusiastic collaborators.
Adopt A “Shift Left” Mindset.
Learn to fine-tune your approach in real-time to remain adaptive in the fact of unpredictable attacks.
Read The ABC’s of Threat Hunting Whitepaper.
Discover how to prepare for unexpected threats.
Original Source- Microsoft Security, Microsoft Security Experts The ABC’s of Threat Hunting