Proactive Threat Hunting: 2 Tips to Push the Hunt to the Perimeter

Written by: Francesco Trama | Published on: March 21st, 2017

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

Today’s threats demand more easy, proactive ways to identify, detect and respond to sophisticated attacks. Traditional security measures such as firewalls, IDS, endpoint protection, & SIEMs are each important, but each is only a piece of the network security puzzle.

Threat hunting is a popular cybersecurity defense strategy. It is frequently associated with hunting for threats that have penetrated the network and are poised to do further damage. The base assumption is that the threat has evaded the network perimeter defense. While it is true that sometimes things get through the perimeter, the network is always better off if threats don’t get through. Also like many security practices, threat hunting is frequently reactive. What we are going to talk about today are some proactive ways to easily and effectively push threat hunting to the perimeter.

All too often, that starts the hunt is some gut feeling, hunch, alert or news article. Or maybe a peer mentioned “Watch-out for this, there may be a problem”. As more information is gathered on the threat the tendency to typically focus on what further damage the threat could do, data it might collect and how it might proliferate. These are critical tasks and important for sound defense. But with many IT and cybersecurity teams understaffed, most organizations don’t get to explore the question of how the threat entered the network in the first place and how it called out.

Penetrating the network and planting the malware seed is a significant victory for the cyber-attacker. Having tools that can shut the door on the threat on the way in, and lock them in once they are in, would provide an immediately impactful tactic that can provide a stop-gap and even highlight elusive activity.

Many high volume botnets with high infection rates would have re-infected a recently cleaned system if you did not prevent the infected sources entering, This was the same case with the deadly Malware Mirai.

Tip 1: Ensure perimeter defense tactics allow easy filtering on all elements of the IP and the ability to trap threats, gather edge intelligence & easily put that to use.

Threat hunting is an iterative process that can be bogged down depending on the complexity of the network, cooperation, and logging. Too much inconsequential logging can cause blindness, forcing investigations to work from the inside out because there’s usually less there. But while the investigation is still ongoing the gap may still exist.

Tip 2: Reduce noise in logging and alerting systems to ensure threats are easier to identify and act on.

Advanced Perimeter Defense solutions like PacketViper incorporate perimeter defense strategies to slow down, trap, alert, identify, and execute against threats. This helps network managers very easily lean forward into the problem, be proactive and better understand when threats are on the edge of your network. Pushing threat hunting to the edge in the way provides faster response time, identification, and remediation by quickly deploying defenses and providing valuable time to clean the infection properly.

PacketViper Advanced Perimeter Defense tools that help with these tips include but are not limited to the following;

  1. Virtual Minefields TM to build in real-time unique network intelligence with “active blocking”
  2. Probe Sensors which can easily be configured in a ‘point & click’ manner to geographically target country, companies, and networks
  3. Flooding protection that can stop or stem the flow in any direction to services on-premise or high-risk destinations.
  4. Decoy services to trip up probing sources to identify elusive active.
  5. Redirection to confuse and deceive
  6. Forward-looking scans to better adversaries
  7. Business and Threat intelligence
  8. Forensic Tools like Advanced Analytics, Web and Mail Analyzers
  9. Complete IP context of country, company, network, and IP

Proactive threat hunting takes patience, focus, determination, and a good understanding of how traffic flows and things work. Tools like PacketViper can augment your capabilities by providing present real-time edge intelligence, and intuitive perimeter defense and threat hunting tools.