Differences Between Hunt Teams and Other Cyber Teams

Table of Contents

Hunting Teams for Cyber Threats... ................................................................................................ 2

Differences from Incident Management ........................................................................................ 3

Differences from Penetration Testing Teams ................................................................................. 6

Effective Hunting Requires Partnerships ........................................................................................ 9

Adoption of Hunting Teams .......................................................................................................... 11

Notices .......................................................................................................................................... 14

Page 1 of 14

Hunting Teams for Cyber Threats...

[Distribution Statement A] This material has been approved for public release and unlimited distribution.

...are slightly different from other types of cyber teams.

**013 So a little bit here about how Hunting teams are slightly different. We're going to talk about a couple of other types of cyber teams, which like you might be familiar with. A little bit more popular terminology, because the term for our hunting team is a fairly new and emerging one. But these hunting teams are slightly different than some of the more traditional teams that you've heard about in cyber.

Differences from Incident Management

Hunting teams are
• Intended to be specialized toward more proactive activities, although some activities may overlap
• Intended to find incidents that are pervasive or against the most high profile targets
• Likely to work with the Incident Management team to exchange data, pass critical warnings, understand a problem, or borrow skills
• Usually started as an offshoot of the Incident Management team, or focused on a single individual working solely on proactive activities
• Sometimes a special task force for a certain time period (e.g., upcoming acquisition)

**014 So differences from the incident management team. This is very organization-to-organization dependent. Some organizations, the hunting team, either they don't have one or it already is just the same people that do the incident management. But generally for the teams that are separated from incident management, the hunting teams are generally intended to be a little bit more specialized towards the proactive controls or for hunting for incidents that they don't already know about, so they're not necessarily waiting for somebody to report an incident to them. If an incident is reported, it's typically going to go to the incident management team for initial investigation. So the sort of hunting teams, typically the mission is focused on sort of threat activity that's a little bit more pervasive or also that might be against a little bit more of the higher profile IT asset targets, or executives, things like that. So, you know, typically you don't necessarily see incident management teams doing a lot of this, because their time is usually more focused on responding to incidents or performing active investigations into ongoing incidents. So there's quite a lot of overlap here, but I think the focus is slightly different typically for a hunting team. They're very likely to work with the incident management team very closely to exchange things like data on an ongoing investigation or to pass them warnings or critical problems, or typically a lot of the skills, right, and needs that a hunting team might have are already found partially on the incident management team, or on other teams.

So usually I would say from what I've seen, these types of hunting teams typically start as some kind of offshoot of an incident management team. So somebody who's sitting on an incident management team might say, you know, "I kind of have a suspicion that this is going to receive a lot of incidents in the future. I'm going to start building something that can help me to confirm that suspicion," right. And you might end up with sort of somebody who splinters off a little bit, part of their activity at first, but then it kind of gets more and more and more as they realize, right, like, "This is not just the only area where this could be happening. We need more people to devote to this problem," et cetera, et cetera, and then you end up with kind of a hunting team.

Sometimes you might have a hunting team that's sort of a special task force, right, for a certain period of time. So say we have an upcoming acquisition, right. So we're going to sort of form a specialized hunting team that has a sort of specific goal to analyze the network activity on the upcoming acquisition or work with other people like third parties to help analyze that as part of due diligence. But once we actually bring them on, right, and we've already sort of designed how that's going to work, the hunting team can get involved in those activities, and then when the actual kind of acquisition happens, the hunting team might hang around for a period of a couple of months and then as they realize, "Okay. You know, we're starting to incorporate more of the kind of one-off stuff into our more formal IT operations," they may end up dissolving the hunting team after that or sending them back to sort of the incident management or other IT teams that they were on originally. So lots of different models is what we're saying for how you might have a hunting team, but a little slightly different from sort of a traditional incident management team.

Differences from Penetration Testing Teams


Hunting teams
• are intended to be specialized toward the current and near-term capabilities of a threat, and usually not to search for vulnerabilities
  - Although if no penetration testing data exists to analyze, the team may need to create it.
• may focus on possible mitigations for the eventual vulnerabilities in almost any software.
• are likely to work with the Penetration Testing Team to
  - exchange data
  - design tests and ensure that highest risk areas are being tested
  - consult with experts, borrow skills, etc.

**015 So another team you may have heard of is a penetration testing team. Some of the differences that a hunting team would have from a penetration testing team, although again, you know, there can be quite a bit of overlap in skills, but hunting teams are really intended to sort of be specialized towards current or near-term capabilities of a threat, right? So an external threat or sometimes an internal threat. But they're not usually out there to just search for vulnerabilities, right. So sometimes in a penetration testing team you might have the mission of, "Test this new system both for things that an attacker could do to it and also just any available, right, vulnerability on it." That's typically a very noisy sort of test or scan, although for a short amount of time. So you'd say, "We're going to hit this system. We're going to look for every single vulnerability that we can find, and if we find one we're going to see if we can exploit it," right. That's sort of noisy. It shows up. If you want to get it done quickly, you know, you're not really replicating the kind of capability that an attacker would use against you necessarily, right, but you're sort of looking for all of the available leaks or holes that you have in your environment and then trying to plug as many of them as possible.

So if there's no, like, formal penetration testing team or no data to get from them, then a hunting team might have to do that in order to get the data that they need, but if there's already a team in place, the hunting team might just ask them, "Hey, can you give us some of the information on some of the open vulnerabilities? We'll set up something like maybe a trap, right, which sort of indicates whether or not somebody is going to try to use that vulnerability against us," right. The hunting team is sort of searching and focusing on how do I detect when that threat actor tries to use a vulnerability against me; the penetration testing team is trying to figure out are we vulnerable to this specific vulnerability at this point in time? So the hunting team may focus on a possible mitigation for an eventual vulnerability. They don't necessarily have to have the existence of that vulnerability in order to do that kind of planning. And they're also very likely to work with, if there is a penetration testing team, exchanging data with each other, designing tests, helping them to design a test. So if there's a high-risk area they may sort of work together to design the right penetration test that also accomplishes some of the goals that a hunting team might have, and certainly, you know, they're going to be consulting with each other to borrow skills, et cetera.

Again, a lot of overlap but slightly different from a sort of traditional penetration testing team, which might be a little bit more transactional. Go to this business unit, do a two-week test, go to that business unit, do a two-week test, go to that business unit, do a two-week test. The hunting team is a little bit more kind of continuous in their engagement with those types of business units, okay?

Effective Hunting Requires Partnerships

Advanced threat analysis
• performed by the hunting team

Experts in internal systems
• IT, applications, networks

Investigations
• security, IT security, internal audit, fraud/waste, etc.

Specialized teams
• forensics

Business
• corporate, divisions, site managers
• align with the strategy and assets

**017 So just to cover it formally, the effective hunting team requires partnerships, and those partnerships need to be with a lot of other groups within the organization. So you sort of have these different kinds of tasks going on and you want to have representatives from each of the different areas in your business, but here are some of the typical partnerships that you might find a lot of hunting teams are going to want to set up initially. So you've got sort of advanced threat analysis. That's typically the thing that's being performed by the hunting team, but you really need to have experts in your internal environment. So who knows about the systems that you have best? And that's people from IT. That might be people that helped develop the applications. You may have an application development team. You've got network infrastructure, so you have network operators. And you really need to understand how those people do what they do and what some of the design decisions are that they've made or that they are planning to make in the future.

Another significant partnership would be people from the investigations team. So you don't want to be stepping on somebody else's toes, and there might be an existing investigation team. In some cases, depending upon the organization that you work for, this might even have law enforcement authority. So you really need to be working with them to determine when to hand off information that you have to them or when they could contact you kind of to bring you into something and help them with some kind of expertise. Also, typically, a hunting team is going to want to have relationships with some of the more specialized teams in IT. That's something like forensic investigators. So there might be a case where you need to bring in a forensic investigator, because there's no other sort of obvious signs of activity but you really have a strong suspicion that something's going on for other reasons.

And then sort of not last but, you know, yet another group, of the groups, and very important, would be people from the business side. So making sure that you understand the decisions that sort of corporate is planning to make, what some of the site managers in some cases might be doing, and figuring out how to align the activities that you have with the things that the business is saying is most important to them and the assets that support those things, which the business might not necessarily know are so critical, right? So something we see a lot.

Adoption of Hunting Teams


Hunting teams are
• typically for organizations with highly evolved security teams, such as
  - malware analysis
  - vulnerability discovery
  - forensics
• not usually something that organizations take on first
  - Recommended skillsets include security engineering, data science, application development, visualization, programming, strategic thinking, Dev/Ops or reliability engineers, and subject matter expertise.

New companies, products, and services are emerging to service these needs.

**018 When we are working with organizations, we're typically seeing these coming out of organizations that already have some of the other teams in place. And so these teams are sort of emerging from places that already have sort of highly evolved security teams. So typically we're seeing them in places that already have some amount of malware analysis, some amount of vulnerability discovery capability, right, some amount of forensics specialization already. These would be, you know, if you don't have them existing in-house it's very hard to build them from the hunting team, right. So it's not usually something that organizations will take on before they take on sort of having an in-house malware analyst, right. Or an in-house sort of vulnerability discovery analyst, right, who might be helping a team that's developing an application to discover if there's any vulnerability in that application. Right. If you don't have that yet, usually you're going to start there before you get into something like a hunting team. Although not always. So it's not usually something that they take on before those other things.

And some of the reasons for that is that, you know, to do this well or to do it effectively, the skillsets include things like security engineering, data science, application development, visualization, programming. There's certainly an element of strategic thinking. You may have a situation where you need somebody who is able to sort of both watch sort of the IT infrastructure with something like a dev ops style or some other places call these, like, reliability engineers. So, you know, they're an engineer that sort of helps to keep the things up and running but they're also making sure that they are sort of scaling and automating the problems that you might encounter away. And then also you're going to need significant security subject matter expertise to make sure that sort of what you're designing and implementing is making things more secure and not opening up holes. So, based on what we've seen and sort of the need for these things, both tools and resources, we have seen a few new companies pop up, startups, new products, new services, that are really sort of emerging to help companies sort of service these kinds of hunting needs.

Notices

Copyright 2016 Carnegie Mellon University

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

Carnegie Mellon®, CERT® and CERT Coordination Center® are registered marks of Carnegie Mellon University.

DM-0003588
