CrowdStrike

What is threat hunting?

The premise of threat hunting

Threat hunting starts from the assumption that some threats cannot be detected automatically: the adversary is assumed to be already present on the organization's network, having evaded the sensors deployed at the network perimeter and on endpoints.
In advanced attacks such as targeted attacks, a human operator remotely controls the compromised hosts to achieve their objectives rather than relying on malware acting on its own. Even if the defender's countermeasures hold for a time, the operator will study them and work out a way around them. Attackers who have reached the internal network also make heavy use of tools that already exist on the host and of legitimate administrative tools (so-called living off the land) to take control of systems, move laterally, and steal information, which makes their activity hard to tell apart from normal administration.

The threat hunting approach

Threat hunting is an approach built on the defender's and attacker's situations described above. Because advanced threats are, by assumption, not discovered automatically, a fully automated system alone cannot defend against them; and because the attacker is a person who adapts to the defender's countermeasures, the defender must in turn be a person who anticipates those bypasses.
Manually searching for and verifying every possible intrusion is, however, prohibitively expensive. In practice, statistics or machine learning are applied to the organization's own data to surface patterns that deviate from the population as a whole, or that have never occurred before, and human analysts then verify whether each candidate is actually an attack.
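The "surface the rare, then let a human verify" loop described above can be illustrated with a frequency-of-occurrence (stacking) hunt over process-creation telemetry. The code below is an added example written for this page, not CrowdStrike's own code or product logic; the host names, the parent/child process pairs, the command lines and the 30-day baseline are all constructed for the illustration. It ranks parent-to-child process pairs by how few hosts exhibit them and whether they have ever appeared in the baseline, producing a short list of leads for an analyst rather than a verdict.

```python
"""
Frequency-of-occurrence ("stacking") hunt over process-creation events.

Constructed sample data, not real telemetry. Across a fleet, benign activity
is common and repeats; an operator's hands-on-keyboard activity is rare and
often new. Score (parent -> child) pairs by how few hosts show them and by
whether the pair exists in a historical baseline, then hand the top-ranked
leads to an analyst for verification.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str
    child: str
    cmdline: str


# Constructed one-day fleet telemetry (hypothetical hosts and commands).
EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws-02", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws-03", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws-01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent("ws-02", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent("ws-03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent("ws-01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws-02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws-03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    # Admin tooling that is rare today but known from the baseline: lower priority.
    ProcessEvent("ws-02", "cmd.exe", "net.exe", "net use Z: \\\\fileserver\\share"),
    # Office spawning PowerShell with an encoded command: rare and never seen before.
    ProcessEvent("ws-03", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
]

# Constructed 30-day baseline of (parent, child) pairs previously observed.
BASELINE = {
    ("explorer.exe", "chrome.exe"),
    ("explorer.exe", "outlook.exe"),
    ("services.exe", "svchost.exe"),
    ("cmd.exe", "net.exe"),
}


def hunt_leads(events, baseline, max_hosts=1):
    """Return candidate leads, never-before-seen and rarest first.

    A lead is a (parent, child) pair seen on at most `max_hosts` distinct
    hosts. Pairs absent from the baseline rank above pairs already known.
    """
    hosts_by_pair = defaultdict(set)
    samples = {}
    for ev in events:
        pair = (ev.parent, ev.child)
        hosts_by_pair[pair].add(ev.host)
        samples.setdefault(pair, ev.cmdline)

    leads = []
    for pair, hosts in hosts_by_pair.items():
        if len(hosts) > max_hosts:
            continue  # common across the fleet: not worth an analyst's time
        leads.append({
            "parent": pair[0],
            "child": pair[1],
            "hosts": sorted(hosts),
            "first_seen": pair not in baseline,
            "sample_cmdline": samples[pair],
        })
    # Never-before-seen pairs first, then fewest hosts.
    leads.sort(key=lambda x: (not x["first_seen"], len(x["hosts"])))
    return leads


if __name__ == "__main__":
    for lead in hunt_leads(EVENTS, BASELINE):
        tag = "NEW " if lead["first_seen"] else "    "
        print(f"{tag}{lead['parent']} -> {lead['child']} on {lead['hosts']}: "
              f"{lead['sample_cmdline']}")
```

Run stand-alone, the script prints two leads, with the Word-to-PowerShell pair on top. Nothing here decides that an attack occurred; the output is the work queue an analyst verifies, which is the division of labor the paragraph above describes. In a real hunt the baseline would be built from weeks of the organization's own telemetry rather than a hand-written set.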

In the endpoint market the term is sometimes used as if EDR and threat hunting were the same thing. As described above, however, threat hunting generally refers to a process in which people are directly involved in discovering threats, so be aware that the term is sometimes used with a meaning different from its original intent.

What is an IOA (Indicator Of Attack)?

An IOA describes the behavior an attacker must perform to carry out an attack, expressed as a pattern that captures the actions of malware and tools.
For example, ransomware encrypts the files on a device when executed and demands payment from the victim in exchange for the decryption key. To make recovery without paying as hard as possible, ransomware operators also take steps that are not easily reversed; one of them is deleting the Volume Shadow Copies that Windows keeps as local backups.
An IOA focuses on that step in the attacker's behavior, the deletion of Volume Shadow Copies. Detecting and blocking it allows the encryption activity to be interrupted.
A related term is IOC (Indicator Of Compromise). An IOC focuses detection on the traces an infection leaves behind, such as hashes of malware or tools and registry keys created as a result of the compromise.
Such traces are relatively easy for an attacker to change (rebuilding a binary changes its hash; a different registry key can be chosen), so an IOC can quickly become stale and lose its value.
An IOA, by contrast, focuses on the behavior the attacker has to perform, which is much harder to change, so it is less prone to becoming obsolete than an IOC.
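The difference between the two indicator types is easiest to see by running both over the same events. The code below is an added example for this page, not CrowdStrike's own detection logic; the process events, the SHA-256 values, the host names and the `backupagent.exe` parent are all constructed placeholders. The IOC is a set of hashes from a previous incident; the IOA is a set of command-line patterns for Volume Shadow Copy deletion (the technique MITRE ATT&CK catalogs as T1490, Inhibit System Recovery). A rebuilt ransomware binary defeats the hash but still has to delete the shadow copies, so the IOA keeps firing.

```python
"""
IOC (file hash) versus IOA (behavior) detection over process-creation events.

Constructed sample events, not real telemetry. KNOWN_BAD_SHA256 is an IOC
from an earlier incident; SHADOW_COPY_DELETION is an IOA for the ways
shadow copies are commonly destroyed (vssadmin, wmic, WMI from PowerShell).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str
    cmdline: str
    sha256: str


# IOC: SHA-256 hashes of samples recovered in an earlier incident (placeholders).
KNOWN_BAD_SHA256 = {"11" * 32}

# IOA: behaviors that destroy shadow copies. Matched against a normalized
# (lower-cased, whitespace-collapsed) command line, because operators vary
# casing, spacing and the .exe suffix.
SHADOW_COPY_DELETION = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize=")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("powershell win32_shadowcopy removal",
     re.compile(r"\bwin32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b")),
]

# Hypothetical parent images that legitimately manage shadow copies; a hit
# from one of these is queued for analyst review instead of being blocked.
TRUSTED_BACKUP_PARENTS = {"backupagent.exe"}


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lower-case so cosmetic variation cannot evade the IOA."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_ioc(ev: ProcessEvent) -> bool:
    return ev.sha256.lower() in KNOWN_BAD_SHA256


def match_ioa(ev: ProcessEvent) -> list:
    text = normalize(ev.cmdline)
    return [name for name, pat in SHADOW_COPY_DELETION if pat.search(text)]


def evaluate(ev: ProcessEvent) -> dict:
    ioa = match_ioa(ev)
    ioc = match_ioc(ev)
    if ioa and ev.parent.lower() not in TRUSTED_BACKUP_PARENTS:
        verdict = "block"    # behavior is the attack itself; stop it before encryption
    elif ioa:
        verdict = "review"   # same behavior from a trusted parent: needs human context
    elif ioc:
        verdict = "block"    # known-bad hash, even without an observed behavior
    else:
        verdict = "allow"
    return {"host": ev.host, "ioc": ioc, "ioa": ioa, "verdict": verdict}


# Constructed events (hashes are placeholders).
EVENTS = [
    # Original build from the earlier incident: both indicators fire.
    ProcessEvent("ws-01", "invoice.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet", "11" * 32),
    # Same ransomware rebuilt with a new hash and a different deletion command.
    ProcessEvent("ws-02", "invoice_v2.exe",
                 "cmd.exe /c  WMIC  shadowcopy  DELETE", "22" * 32),
    # Script-based variant, launched from a document.
    ProcessEvent("ws-03", "winword.exe",
                 'powershell.exe -nop -c "Get-WmiObject Win32_ShadowCopy | '
                 'ForEach-Object { $_.Delete() }"', "33" * 32),
    # Ordinary activity.
    ProcessEvent("ws-04", "explorer.exe",
                 "chrome.exe --type=renderer", "44" * 32),
    # Shadow copy housekeeping by the backup agent: same behavior, needs context.
    ProcessEvent("srv-01", "backupagent.exe",
                 "vssadmin delete shadows /for=C: /oldest", "55" * 32),
]


if __name__ == "__main__":
    for ev in EVENTS:
        print(evaluate(ev))
```

The second and third events are the point of the example: the hash IOC matches only the original build, while every variant that deletes shadow copies trips the IOA regardless of its hash. The last event shows the practitioner's caveat: the behavior alone is not proof of malice, so a production IOA adds context such as the parent process, the user and the timing before it blocks rather than alerts.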