How Thinking Like an Attacker Makes You a Better Threat Hunter

By on Sep 25, 2017

In the race against cybercrime, like in a chess game, threat hunters are constantly trying to get one step ahead of the opponent, trying to predict what the next movement will be. Evidence suggests, however, that most organizations struggle to catch up with the pace, with their defenders (also commonly referred as blue teams) falling back into a mostly reactive position. A recent report by Aberdeen, based on Verizon 2014-2016 DBIR data, showed that the median dwell time to detect an attack is 38 days. That’s 5-6 weeks of lead time that the attacker has against defenders. While this number is better than what we’ve seen in previous years, it’s far from ideal. Time to detection is truly the leverage point that you must grasp to spot the presence of the adversary and reduce the impact of an attack. And to do that, you need to understand the mind of your adversary.

What can we do to get into the mind of a cybercriminal? There’s a few things you need to know, but most of them can be summarized in what I call the “Three Big Knows”: know the enemy, know your network and know your tools.

Know the Enemy

As a blue teamer, you are not fighting binaries. You’re fighting attackers with a strong motivation, whether financial, political, or military. So, get in their head and think – what is the driving force behind their attack? You can’t just base your defense solely on indicators of compromise, and the fact that someone has already seen them does not mean that you are going to see them. Remember, attackers can change their IPs, domains, hashes, etc. very quickly, sometimes even hundreds of times per minute, with little effort. Therefore, effective hunters must focus on the high-level tactics and techniques that allow them to profile attackers and understand how their motivations affect their behavior, all while searching across the network for evidence of those behavioral patterns, augmenting your knowledge of the enemy.

Know Your Network 

Attackers sometimes know their victims’ networks better than the organizations do. With many companies still putting the focus on keeping bad guys outside their network perimeter and off their endpoints, they do not spend enough time on continuous monitoring, detection and on fast response. So, think like an attacker and make a conscientious effort to know the ins and outs of your network better than anyone else. That means knowing what normal looks like on the network, in order to spot abnormal patterns. You cannot know what abnormal looks like unless you know what normal looks like, and that is different in each environment.

This also relates back to knowing the enemy. Defenders must profile which threat actors are most likely to pose a serious threat to their networks (based on industry, geolocation, public profile, etc.), so to understand which particular data they would go after and therefore which segments of their network and systems need attention. Focusing on targets and motivations allows security teams to narrow the kind of tactics and techniques attackers are most likely to use and to prioritize the hunt for those.

Know Your Tools

Effective attackers use a variety of tools, which means blue teams must do the same for success. This entails learning when your tools are at their best and when they tend to fail, without relying too much on any one of them. Also, be sure to not focus too much on the tools, but rather on which data is necessary to build more visibility across the attack chain and to spot specific attack techniques and artifacts identified in previous phases. When there is no effective tool to parse and analyze that data, effective threat hunters often write their own tools (i.e. scripts) or adapt those at hand through the use of automation, integration, and orchestration.

So, by thinking like an attacker and understanding their motivations as well as tactics, techniques and procedures (TTPs), your network and your tools, you’re not only putting your strategy one step ahead of theirs, but also strengthening your overall security posture, moving from a reactive to a proactive security stance. Happy Hunting!

To learn more about how you can think like a hacker and can become a successful threat hunter, read the newest Quarterly Threats Report. Also be sure to follow us at @McAfee and @McAfee_Business. You can follow me at @aboutsecurity.

About the Author

Ismael Valenzuela

As Sr. Principal Engineer, Ismael Valenzuela (@aboutsecurity) is part of McAfee's senior technical leadership team, leading research on Security Operations and Threat Hunting using machine-learning and expert-system driven investigations. Author and contributor of numerous technical articles and open source tools, Ismael is also a regular speaker at International conferences and is one of the few ...

Read more posts from Ismael Valenzuela

Subscribe to McAfee Securing Tomorrow Blogs