Threat Hunting: Applying offensive tactics to improve your defensive security
Alex Chard, SOC Operations Lead
Increased connectivity arising from the ever-closer integration of technologies has come to prominence during a global health crisis. We now know from first hand experience the true potential and practicality of remote working and our insatiable appetite for mobile communications, streaming and social media platforms has helped to fill much of the void created by social distancing and a lack of physical interaction. However, as is always the way, such progress has also created new challenges. For those of us in the cyber security world, these challenges are very real.
Ever greater connectivity of increasingly dispersed systems and the blurring of Information and Operational Technologies have certainly proved transformational, offering significant improvement in operational agility as well as the benefits of real-time responses, enhanced customer experiences and improved service competitiveness. Today, practically everything we do as individuals and every function within an organisation is connected directly or indirectly to digital systems that also deliver the internet, email and social media. From Government departments to train operators, energy providers, retailers, all manner of service providers and every corner of society we are more interconnected in our new digital world than we ever have been. There is no doubting the benefits, but this level of connectivity has created a much larger and diverse digital attack surface for sophisticated threat actors, which in turn drives a continuingly evolving threat landscape.
Well-resourced adversaries
Just as potential adversaries now have more opportunities to exploit so too do they have financial muscle, sophisticated tools and resources at their disposal. We are no longer talking about a small number of rogue hackers with a point to prove. Far from it! Today, cyber criminals have huge financial backing from organised crime with dedicated computer systems and hundreds of people in some hacking groups spending all of their time looking to identify and exploit weaknesses in large digital networks. But, that’s not all. There has also been a huge increase in state-sponsored attacks where the focus is often in the form of cyber terrorism designed to disrupt, disable or distort social harmony and wellbeing.
Whether it's phishing campaigns, tunnelling malware or 'denial of service' attacks, system hijacks and account takeovers, the impact of a concerted and well-planned cyber attack can be considerable. Maersk Shipping, for example, is said to have lost in excess of $300 million from a "catastrophic" cyber attack a few years ago, and whilst it wasn't the only victim of the global WannaCry ransomware attack, the NHS not only suffered a £92 million loss but staff, patients and entire hospitals also faced huge operational disruption. These are just two of a growing number of high-profile attacks. Naturally, large corporations and major public service organisations are the primary targets but, as many companies and smaller service providers will testify from bitter experience, no organisation is immune from such threats.
The need for more proactive protection
Providing cyber security and support for a number of large corporations and government departments, in many different areas of the UK’s critical national infrastructure over many years has given us the insight and experience to know just how deceptive and determined today’s cyber criminals can be. Most attacks are not spontaneous or opportunistic. On the contrary. They are more often than not well orchestrated and the result of exhaustive planning over many months - and, in some cases, several years - involving painstaking surveillance and detailed assessment of potential weaknesses.
The alarming reality is that the average ‘dwell time’ an attacker will sit covertly on an organisation’s digital network to assess and test options before they take any decisive and potentially damaging action is now in many cases over 3 months. Moreover, the new types of attacks now taking place won’t trip conventional alarm systems that are focussed on specific actions occurring on a network in a set order over a short period of time. Not surprisingly, therefore, the effectiveness and limitations of traditional forms of alert monitoring based on the principles of compliance and reactive response have been brought into question. The proverbial horse will often have bolted the stable long before such an approach takes effect, by which time the real commercial and operational damage has already been incurred.
A different mindset
Recognising such trends as far back as the 1990s, we helped to develop the concept of ethical hacking and introduced the principles of constant system testing for vulnerabilities. Today, our teams are certified with industry and government standards such as CREST and CHECK, and our cyber consultancy teams are certified under the NCSC Certified Professional Scheme. We are also looking to the future and actively support the NCSC's CyberFirst scheme to help close the country's cyber skills gap by encouraging the next generation to develop the skill set for a successful career in the industry.
Building on this heritage and in light of the threats faced, we recognise today that a more dynamic and progressive approach to defensive cyber security is now essential. And that requires a different mindset and different analytical skills. We have to put ourselves into the position of an adversary. We have to think like them and behave like them to identify potential attack vectors, attack techniques and system weaknesses.
In effect, it is now a case of proactively hunting for potential threats by using cyber intelligence, hypothetical analyses, attack simulation and the specialist expertise of our ethical hackers to keep the horse tethered in the stable and ensure the stable door remains bolted to minimise the potential for attackers to achieve their objectives. It’s not a straightforward task, however. The multitude of variables, constantly evolving threat profiles and the need to evaluate an enormous volume of security data poses quite a challenge – every hour and every day of the week and every week of the year.
Cyber attacks vary enormously and could begin with something as seemingly innocuous as a slightly odd IP address. That said, many of the most serious attacks are the result of criminal hackers compromising and impersonating a system administrator's account, following sustained reconnaissance of a digital system. This gives an attacker the ability to move around undetected within a network, gleaning information and details to help fine-tune their attack for maximum impact. It is vitally important, therefore, for a cyber security team to be attentive at all times and to look out for any potentially anomalous behaviour on the network.
An administrator might, for example, be authorised to perform a back-up of data storage areas but it would be very suspicious if such activities are being undertaken from a computer in another country and in the early hours of the morning. By identifying such activities promptly and then ascertaining earlier activities performed by the administrator account, the security team can then take decisive actions to contain the issue and limit the organisation’s exposure to risk.
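A small detection rule for exactly this scenario, added here as an illustration and not code from the article or its authors: it flags an authorised privileged action (a backup) when it comes from an unexpected country or outside working hours, then pulls the account's earlier activity for the analyst. The log format, field names, allow-list and business-hours window are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, time

# Constructed sample events: timestamp (UTC), account, source country, action, detail
SAMPLE_LOGS = [
    "2024-03-04T09:12:00Z admin.backup GB BACKUP_START share=finance",
    "2024-03-04T17:40:00Z admin.backup GB LOGON host=bk-srv01",
    "2024-03-05T02:47:00Z admin.backup RO LOGON host=bk-srv01",
    "2024-03-05T02:51:00Z admin.backup RO BACKUP_START share=hr",
    "2024-03-05T10:05:00Z j.smith GB LOGON host=ws-112",
]

ALLOWED_COUNTRIES = {"GB"}                  # assumed: where admins normally work from
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window (UTC)
PRIVILEGED_ACTIONS = {"BACKUP_START"}       # authorised but sensitive operations


def parse_event(line):
    """Parse one constructed log line into a dict (hypothetical format)."""
    ts, account, country, action, *extra = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "country": country,
            "action": action, "detail": " ".join(extra)}


def is_anomalous(event):
    """Privileged action from an unexpected country or outside business hours."""
    if event["action"] not in PRIVILEGED_ACTIONS:
        return False
    off_hours = not (BUSINESS_HOURS[0] <= event["ts"].time() <= BUSINESS_HOURS[1])
    foreign = event["country"] not in ALLOWED_COUNTRIES
    return off_hours or foreign


def hunt(lines):
    """Return (alert_event, earlier_events_for_that_account) for each hit.

    The history is what an analyst reviews next: what did this account do
    before the suspicious action, and from where?
    """
    events = [parse_event(line) for line in lines]
    hits = []
    for ev in events:
        if is_anomalous(ev):
            history = [e for e in events
                       if e["account"] == ev["account"] and e["ts"] < ev["ts"]]
            hits.append((ev, history))
    return hits
```

On the sample above only the 02:51 backup from an unexpected country fires, and the returned history shows the same account's earlier logon from that country, which is the thread an analyst would pull first.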
Our tiered SOC team comprises first-line analysts providing round-the-clock support, intelligence advisers and threat hunting specialists, and second- and third-line teams as required. The team not only monitors client networks and systems, but is also actively looking for any data anomaly, unusual behaviour or unexpected activity, and is constantly developing and testing hypothetical attack exercises.
Using the latest cyber intelligence, our threat hunters will explore new ways to hack or penetrate the digital networks of customers so they can identify the likely actions of an adversary and then pinpoint the telltale signs of preparations for such an attack. This enables the SOC team to ensure appropriate measures are taken to limit the exposure to risk. In many respects, it's like an unseen and highly complex game of cat and mouse - a 'game' that is quietly taking place in a constantly changing behind-the-scenes environment, away from the orchestra's symphonic melodies on the main stage. It is certainly a challenging task. But, by applying their respective skills, it's a challenge that every member of the SOC team relishes... and it's this level of determination that delivers such a high level of cyber protection for clients.
In some cases and once any serious risk has been contained, an adversary can be monitored while they are on a customer’s network. This enables the team to gain invaluable intelligence and establish a more complete understanding of a threat profile and an adversary’s real motives – information that can then be shared with other operators through collaborative networks in the cyber security community and the regular NCSC news updates.
The move towards more proactive cyber security measures has seen the adoption of offensive tactics deployed alongside more established defensive practices. Security modelling and testing now plays a central role, with authorised and simulated attacks used to identify any weaknesses that need to be addressed. Many years ago, we introduced the UK's first formalised Penetration Testing team. Although this discipline has adapted and evolved in tandem with the ever-changing threat landscape, it continues to be an important part of our cyber security armoury for finding vulnerabilities and confirming known issues within a self-contained network or asset. It is also a useful way of ensuring system monitoring and security controls are performing as they should.
Real world simulation
In recent years, steps have been taken to develop a more holistic and sophisticated approach that simulates the different ways adversaries will attack an organisation. Called a Red Team exercise, this covers all aspects of an organisation's technology, processes and people and entails a simulation of an end-to-end attack - from preparatory surveillance and gaining an initial foothold on a network through to command and control and delivering the attacker's objectives. It is not a time-limited exercise and in most cases the cyber security team will not be given any prior knowledge of the 'attack'.
As mentioned before, real world attacks are often slow to come to fruition, so our Red Team exercises are the same. The team will cover everything from internet facing systems, email filtering and personnel as well as any physical security measures designed to restrict access to a site or office complex. They will also employ stealth at every stage and use every trick in the book (and beyond!) to evade detection.
This multi-layered approach provides a real world test of the digital resilience and security of an organisation’s systems and networks and demonstrates if and where there are vulnerabilities in processes and procedures and if adjustments need to be made to any area of the cyber security defences. Importantly, it provides both offensive and defensive insight as it also enables us to test and validate our ideas and hypotheses for detecting particular attack methods and techniques.
We all learn from each other during such testing exercises. Our ethical hackers and our cyber defence teams are able to use the test experience and outcomes to hone their skills and deliver the best possible cyber security for clients. It is truly a team effort, as so many skill sets need to work in tandem at all times. It's also a very dynamic environment where two days are never the same and where we always have to stay on our toes. After all, it's only by keeping pace with ever-changing threat intelligence and operational priorities that we can ensure a rapid and effective response to any potential or unfolding threat or unforeseen security issue.