Hunting in the Depths - The Need for a Strategic Threat Detection Model

Tags: Kill Chain, APT, Advanced Persistent Threat, Defense in Depth, Threat Hunting, Detection, Cyber Security, Carbon Black, Penn State, Threat Detection, IDS, IPS, Intrusion Detection, Attack Lifecycle, Lateral Movement, Command and Control, C2C, Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Persistence, Actions and Objectives, Threat Intelligence, Detection in Breadth, SANS, GCIH, GIAC, PICERL, DHS, Obfuscation, Network Defense, Endpoint Security, Mitre, Digital Forensics

Author: Ben Tedesco

Uploaded: 2019-02-04

Views: 13077

Description:
NOTE: In the first 30 minutes I present a rather detailed overview of current industry practices and theory related to threat hunting.
*If you would like to skip the threat hunting overview portion of this presentation and go directly to my research and findings, these start at 27:00.
*The application of my research to threat hunting (including the improved Kill Chain Model and the discussion of "Detection in Breadth") begins at 36:00.

ABSTRACT:
This research paper presents and justifies a revolutionary Threat Hunting strategy that aligns Hunting operations to a hybrid Kill Chain model, one that incorporates the recursive nature of Lateral Movement into the Lockheed Martin Kill Chain. Existing security models are analyzed in relation to threat detection; these include Lockheed Martin's Kill Chain, Mandiant's Attack Lifecycle model, David Bianco's Pyramid of Pain, and Defense in Depth. "Hunting with Arbitrary Indicators of Compromise (Ad-hoc Searching)" (a.k.a. the "Shotgun" approach) and "Focused Threat Operations (Depth-First Searching)" (a.k.a. the "Detection Chokepoints" approach) are reviewed as Threat Hunting strategies. Data provided by survey participants was analyzed as well; this included demographics, controls, organizational maturity, and Threat Hunting tactics. It was noted that visibility was significantly lacking in Weaponization and Reconnaissance compared to the other phases of the Kill Chain, and that indicators gained from each progressive phase of the Kill Chain were perceived to have increasingly more value than those from the prior phases. An innovative Strategic Threat Hunting Model aligned to the SANS Institute's five recommendations for improving the Maturity of Threat Hunting is also presented (Cole, 2017). In this model, it is recommended that detection be distributed within each phase of the attack lifecycle, so that the "Depth of Detection" can be audited at each stage of the Kill Chain to discern any variances or gaps. This comprehensive Breadth-First Threat Hunting Strategy is superior to both Ad-Hoc and Depth-First searching techniques in that it forces attackers to escalate their Level of Effort for evasion and obfuscation by as much as a factor of seven, as they are required to actively evade the Hunt Team at every stage of the attack lifecycle.
Ultimately, by strategically aligning Threat Hunting tactics across all seven phases of the Kill Chain, the probability of detecting an attacker is increased by as much as 700%.
