Chapter 8 - 01 - Discuss Threat Hunting - 02_ocred.pdf
EC-Council
Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82

Threat Hunting Maturity Model (HMM)

The threat hunting maturity model (HMM) describes the quantity and quality of information collected from a network for investigation.

The threat hunting maturity model (HMM) is defined by the quality and quantity of information collected from the organization's network. Providing more information to analysts will help in the investigation launched to find existing threats. The HMM is described in different levels, from level 0 to level 4, based on the quantity of information collected, as follows.

[Figure 8.2: Threat hunting maturity model. The figure lays out the five levels side by side:
- Level 0: primarily depends on automated monitoring systems and alerts; low data collection.
- Level 1: follows the latest threat reports; moderate- to high-level routine data collection.
- Level 2: adopts data analysis procedures created by others; high- to very-high-level routine data collection.
- Level 3: creates custom data analysis procedures; high- to very-high-level routine data collection.
- Level 4: automates existing data analysis procedures; high- to very-high-level routine data collection.]

Level 0: Initial

This is the initial level in the HMM.
In this level, analysts rely on automated monitoring and alerting tools such as SIEM, intrusion detection systems (IDSes), and antimalware solutions to detect malicious activities across the organization's network. They may integrate threat intelligence indicators and signature update feeds and could even build their own indicators or signatures; all of these are loaded directly into the monitoring and alerting systems to detect threats. At this level, enterprises do not gather much data from IT resources; therefore, their ability to identify threats in advance is limited.

Module 08 Page 1019 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Level 1: Minimal

In the minimal level of HMM, organizations use threat intelligence to search for anomalies in the network, follow the latest threat reports gathered from open and closed sources, and use open-source tools for analysis. They rely on routine IT data collection and threat intelligence data.

Level 2: Procedural

In the procedural level of HMM, organizations adopt data analysis procedures created by other entities and use them in analysis with minimal changes. At this level, organizations may not be able to create their own procedures every time, although they can collect a large amount of information from their network and start a threat hunting program.

Level 3: Innovative

In the innovative level of HMM, the organization recruits a group of security analysts with knowledge of existing data analysis programs. The analysts are tasked with discovering malicious activities. Rather than depending on procedures created by others, organizations create and apply their own procedures at this level, and the data collection is higher than in the previous levels.

Level 4: Leading

The leading level of HMM is the same as the innovative level, but a key difference is that the leading level allows automation. At this level, organizations automate the data collection, detection, and analysis procedures. This helps analysts save time, as the automation allows them to focus on enhancing existing procedures and creating new ones instead of spending time on routine processes.

Threat Hunting Considerations

- Intelligence fusion is an approach to integrate security with threat intelligence and other cyber intelligence sources.
- Threat feeds are real-time feeds collected from real-time attacks. These feeds include IoCs, IoAs, potential threats, vulnerabilities, and existing risks.
- Security advisories and bulletins are informative blogs or websites that provide information about the latest security threats and attacks.
- Maneuver is a technique used in cyber warfare that is based on knowledge of some recent attacks and the nature of those attacks.

To perform threat hunting, the analyst requires a large amount of data from multiple sources that contain historical information, security logs and feeds, etc. Threat hunters should consider the following measures to gather information and hunt threats effectively.

- Intelligence fusion: Manual threat hunting can be performed by investigating log and network data from different sources, which can be a tedious task. Intelligence fusion is an approach to integrate security with threat intelligence and other cyber intelligence sources to increase the capability of detecting, managing, and mitigating evolving threats.
It is a prescient approach to dealing with potential cyber threats by identifying their impact in advance.

- Threat feeds: Threat feeds or threat intelligence feeds are real-time feeds collected from real-time attacks. These feeds include indicators of compromise (IoCs), indicators of attack (IoAs), potential threats, vulnerabilities, and existing risks. The information that can be acquired from a threat feed includes IP addresses, malicious URLs, phishing URLs, malware signatures, bot information, and ransomware indicators.

- Advisories and bulletins: Security advisories and bulletins are informative blogs or news from vendors or security specialists that provide information about the latest security threats and attacks. Security bulletins publish the latest attacks and cyber threats for all customers by documenting the threats and attack vectors together with their effects and mitigation techniques. Advisories come from the same teams but do not report on the attacks themselves; rather, they address and provide advice on the security changes required for the software used by the customers.

- Maneuver: An attacker can expect threat hunting programs and attempt to evade their detection methods by implementing countermeasures against the threat hunter. A maneuver is a technique used in cyber warfare that is based on knowledge of some recent attacks and the nature of those attacks. The maneuver is among the techniques and procedures used to retaliate and protect IT resources, as it is initiated to give one actor a competitive advantage over another actor.
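The intelligence fusion and threat feed considerations above, as an added example that is not part of the EC-Council course material: two constructed feeds in a simple comma-separated format are normalized (feeds from different sources defang indicators differently, so "hxxp", "[.]" and "(.)" must be undone before duplicates can be merged), fused into one indicator set that records which sources reported each indicator, and matched against a constructed five-field proxy log. The feed format, log format, indicator values and hosts are all assumptions made for the example; the addresses come from documentation ranges.

```python
"""Fuse two constructed threat feeds and match their indicators against sample logs.
Added example; not code from the course. Feed and log formats, indicators and hosts
are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed feed A: one indicator per line, "type,value,source" (values may be defanged).
FEED_A = """\
ip,198.51.100.23,feed-a
domain,bad-updates[.]example,feed-a
url,hxxp://bad-updates[.]example/payload.bin,feed-a
md5,d41d8cd98f00b204e9800998ecf8427e,feed-a
"""

# Constructed feed B: overlaps with A but uses a different defanging style and case.
FEED_B = """\
ip,198.51.100.23,feed-b
domain,BAD-UPDATES(.)EXAMPLE,feed-b
ip,203.0.113.77,feed-b
"""

# Constructed proxy log: "timestamp client dest-ip host url" (one request per line).
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 93.184.216.34 www.example.com http://www.example.com/
2024-05-01T10:00:07Z 10.0.0.8 198.51.100.23 bad-updates.example http://bad-updates.example/payload.bin
2024-05-01T10:00:09Z 10.0.0.8 203.0.113.77 cdn.other.example http://cdn.other.example/a.js
2024-05-01T10:01:30Z 10.0.0.9 93.184.216.34 www.example.com http://www.example.com/about
"""


def refang(value):
    """Undo common defanging so indicators from different feeds compare equal."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)  # hxxp:// and hxxps:// -> http(s)://
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(defanged, real)
    return v


def parse_feed(text):
    """Yield (type, normalized_value, source); malformed or unparsable lines are skipped."""
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 3:
            continue
        ioc_type, value, source = (p.strip() for p in parts)
        value = refang(value)
        if ioc_type in ("domain", "md5"):
            value = value.lower()  # hostnames and hex digests are case-insensitive
        if ioc_type == "ip":
            try:
                value = str(ipaddress.ip_address(value))  # canonical form, rejects garbage
            except ValueError:
                continue
        yield ioc_type, value, source


def fuse_feeds(*feeds):
    """Merge feeds into {(type, value): {sources}}; overlap raises confidence."""
    fused = defaultdict(set)
    for feed in feeds:
        for ioc_type, value, source in parse_feed(feed):
            fused[(ioc_type, value)].add(source)
    return dict(fused)


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def match_proxy_log(log_text, fused):
    """Return (timestamp, client, type, indicator, sources) for every field that matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, dst_ip, host, url = m.groups()
        # Hash indicators would be matched against EDR or file logs, not a proxy log.
        for ioc_type, value in (("ip", dst_ip), ("domain", host.lower()), ("url", url)):
            if (ioc_type, value) in fused:
                hits.append((ts, client, ioc_type, value, sorted(fused[(ioc_type, value)])))
    return hits


if __name__ == "__main__":
    fused = fuse_feeds(FEED_A, FEED_B)
    for hit in match_proxy_log(PROXY_LOG, fused):
        print(hit)
```

The `sources` field on each hit is the point of fusing rather than simply concatenating feeds: an indicator reported by two independent sources deserves earlier attention from the hunter than one seen in a single feed.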
Threat Hunting Tools

Threat hunting tools proactively monitor a network or system for imminent threats and provide alerts of abnormal behaviors and solutions to tackle threats in advance. The tools are integrated with all the necessary resources to hunt threats effectively.

- MVISION EDR
Source: https://www.mcafee.com
MVISION EDR is an AI-based threat investigation tool that helps security analysts in quickly prioritizing threats and minimizing potential disruption. The tool reduces the time to detect and respond to threats. It facilitates high-quality and actionable threat detection across the workspace without noise.

[Figure 8.3: Screenshot of MVISION EDR, showing the Process Attributes and Process Activity views]

Some additional threat hunting tools are listed below:
- Cognito Recall (https://www.vectra.ai)
- Infocyte (https://www.infocyte.com)
- Exabeam (https://www.exabeam.com)
- ValueMentor (https://valuementor.com)
- FlowTraq (https://www.flowtraq.com)
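As an added example for the Level 3 and Level 4 descriptions in the maturity model above and the "alerts of abnormal behaviors" the tools section mentions (not code from the course or from any of the listed products): a custom data analysis procedure, written by the hunting team rather than adopted from others, packaged as a single function that a scheduler can run unattended. The analytic flags client/destination pairs whose connections arrive at a near-constant interval, which is timing worth a hunter's review. The connection-log format, the thresholds (at least five connections, coefficient of variation at most 0.15) and the hosts are constructed assumptions.

```python
"""Custom hunting analytic: near-constant connection timing. Added example; not code
from the course. Log format, thresholds and hosts are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "ISO-timestamp src dst". 10.0.0.8 reaches 203.0.113.77
# roughly every 60 s; 10.0.0.5 browses at irregular times; one line is malformed.
CONN_LOG = """\
2024-05-01T10:00:00Z 10.0.0.8 203.0.113.77
2024-05-01T10:00:11Z 10.0.0.5 93.184.216.34
2024-05-01T10:00:13Z 10.0.0.5 93.184.216.34
2024-05-01T10:00:45Z 10.0.0.5 93.184.216.34
2024-05-01T10:01:02Z 10.0.0.8 203.0.113.77
2024-05-01T10:02:01Z 10.0.0.8 203.0.113.77
2024-05-01T10:02:30Z 10.0.0.9 203.0.113.77
2024-05-01T10:03:03Z 10.0.0.8 203.0.113.77
2024-05-01T10:03:20Z 10.0.0.5 93.184.216.34
2024-05-01T10:03:59Z 10.0.0.8 203.0.113.77
2024-05-01T10:05:00Z 10.0.0.8 203.0.113.77
2024-05-01T10:06:00Z truncated
2024-05-01T10:09:02Z 10.0.0.5 93.184.216.34
2024-05-01T10:09:05Z 10.0.0.5 93.184.216.34
2024-05-01T10:11:00Z 10.0.0.9 203.0.113.77
"""


def parse_conn_log(text):
    """Return {(src, dst): [epoch seconds, ...]}; malformed lines are skipped, not fatal."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        try:
            t = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        except ValueError:
            continue
        by_pair[(src, dst)].append(t)
    return dict(by_pair)


def find_regular_timing(by_pair, min_connections=5, max_cv=0.15):
    """The custom procedure (HMM Level 3): for each pair with enough connections, compute
    the gaps between consecutive connections; a coefficient of variation (stdev/mean)
    at or below max_cv means the timing is too regular for normal user activity.
    Returns {(src, dst): (mean_gap_seconds, cv)} for pairs that trip the threshold."""
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about regularity
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = (avg, cv)
    return findings


def run_hunt(log_text):
    """HMM Level 4 wrapper: the whole procedure as one call for a scheduler or SOAR job."""
    return find_regular_timing(parse_conn_log(log_text))


if __name__ == "__main__":
    for (src, dst), (avg, cv) in run_hunt(CONN_LOG).items():
        print(f"{src} -> {dst}: mean gap {avg:.1f}s, cv {cv:.3f}")
```

The thresholds are the part a hunting team tunes per environment: monitoring agents and software updaters also connect on fixed schedules, so an allow-list of known destinations or a minimum observation window is the usual next refinement once the procedure runs automatically.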