Threat Hunting: IoC, IoT and ML

Before our brief detour last week to walk through the Colonial Pipeline breach and the craziness that stemmed from the shutdown of their IT, OT, and IC systems, we were talking about threat intelligence, and more specifically, Attack Vectors. Remember that malicious actors use attack vectors to exploit your people, processes, and technology.

We also discussed how we can begin to use the knowledge of these attack vectors to put together what we call a haystack and look for the proverbial needle. The haystack represents an idea or hypothesis of how a breach might occur while the needle represents an actual threat event.

In the haystack analogy, Indicators of Compromise (IoCs) are the haystack viewed at a glance. At this point, our Threat Hunters are not looking at the individual pieces of hay, but rather, trying to look for initial clues to form a hypothesis. Some IoCs may include (but are not limited to):

  • Unusual traffic patterns in the network
  • A higher than normal volume of traffic
  • Unusual activity with admin or privileged user accounts
  • Traffic to open or unused ports
  • System changes that have not been previously communicated
  • Large volumes of data transfer or compressed files where they shouldn’t be
  • Known vulnerabilities that have been exploited in the wild

When we collect all of the data from all of the sources, we are able to review everything at a 30,000-foot level and identify potential haystacks using our IoCs. We call this process “Scouting.” When we spot an IoC, that’s our clue to begin digging in and searching through all of the IoAs.

An Indicator of Attack (IoA) is a step further in the Threat Hunting process and includes triggers like entry points, lateral movement, exfiltrated data, file movement, and password collection. Once we can visualize the haystack, we can begin picking it apart, looking for specific Indicators of Attack. We begin combing through near real-time events and at this point, our SOC Analysts have transitioned from Scouting to an active Hunt.

Hunting can result in two possible outcomes. Our Threat Hunters begin by assuming that a breach has occurred and actively review the data to see if there are any additional clues as to where the needle might be hiding. Using the triggers mentioned above and numerous others, we’re looking for tracks that might have been covered up, tactics and techniques of attackers, and items of significance that would validate our hypothesis. We then provide your team with all of the findings, impacts, and recommendations or, if you so choose, we can respond to the incident.

The other outcome is that no additional data is found to validate the hunt, in which case, we start the cycle over again and look for a different haystack.
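To make the Scouting-to-Hunt transition concrete, here is an added example (written for this post, not Milton Security's own tooling) that runs the two phases over a small batch of constructed events. The event schema, hostnames, port list, admin account name and thresholds are all assumptions. `scout()` looks at the whole batch at once and labels hosts with IoCs from the list above (unusual volume, traffic to an unused port, privileged activity at odd hours); `hunt()` then assumes the flagged host is compromised and walks its timeline looking for IoAs (lateral movement, staging of a compressed archive, and a large outbound transfer after staging). A host that scouts clean, or hunts with no IoAs, is the second outcome: start over and pick another haystack.

```python
"""Scouting (IoC triage) and hunting (IoA follow-up) over constructed events.
Example code written for this post; the schema, thresholds and names are
assumptions, not Milton Security's tooling."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not real data):
# (timestamp, source host, user, event type, destination, port, bytes out).
# Destinations prefixed "ext:" are outside the network.
EVENTS = [
    ("2021-05-10T09:02:00", "ws-01", "alice",     "conn",     "srv-files",     445,  1_200),
    ("2021-05-10T09:10:00", "ws-02", "bob",       "conn",     "srv-files",     445,  2_400),
    ("2021-05-10T09:30:00", "ws-03", "carol",     "conn",     "ext:cdn",       443,  5_000),
    ("2021-05-10T10:15:00", "ws-02", "bob",       "conn",     "ext:mail",      443,  3_100),
    ("2021-05-10T23:40:00", "ws-07", "svc-admin", "login",    "ws-07",         0,    0),
    ("2021-05-10T23:42:00", "ws-07", "svc-admin", "conn",     "ws-11",         3389, 8_000),
    ("2021-05-10T23:45:00", "ws-07", "svc-admin", "conn",     "ws-12",         445,  9_000),
    ("2021-05-10T23:47:00", "ws-07", "svc-admin", "conn",     "srv-hr",        445,  15_000),
    ("2021-05-10T23:55:00", "ws-07", "svc-admin", "compress", "C:/tmp/out.7z", 0,    0),
    ("2021-05-11T00:10:00", "ws-07", "svc-admin", "conn",     "ext:paste",     8443, 900_000),
]

KNOWN_PORTS = {53, 80, 443, 445, 3389}   # assumed: ports the environment normally uses
ADMIN_USERS = {"svc-admin"}              # assumed: privileged accounts
ADMIN_PORTS = {445, 3389, 5985}          # remote-admin ports used to spot lateral movement
BUSINESS_HOURS = range(7, 19)            # assumed: 07:00-18:59 is normal for admins


def scout(events, known_ports=KNOWN_PORTS, admin_users=ADMIN_USERS):
    """Scouting: view the whole batch at once and label hosts with IoCs.
    Returns {host: sorted list of IoC labels} for hosts with at least one IoC."""
    bytes_per_host = defaultdict(int)
    for _, host, _, _, _, _, nbytes in events:
        bytes_per_host[host] += nbytes
    typical = median(bytes_per_host.values())   # crude baseline across hosts

    iocs = defaultdict(set)
    for ts, host, user, kind, _, port, _ in events:
        hour = datetime.fromisoformat(ts).hour
        if kind == "conn" and port not in known_ports:
            iocs[host].add("unused_port")
        if user in admin_users and hour not in BUSINESS_HOURS:
            iocs[host].add("admin_offhours")
    for host, total in bytes_per_host.items():
        if total > 10 * typical:                # order-of-magnitude above peers
            iocs[host].add("high_volume")
    return {host: sorted(labels) for host, labels in iocs.items()}


def hunt(events, host, admin_ports=ADMIN_PORTS):
    """Hunting: assume `host` is compromised and walk its events in time order
    looking for IoAs. Returns a list of (trigger, detail) tuples; empty means
    the hypothesis was not validated."""
    timeline = sorted(e for e in events if e[1] == host)
    ioas = []

    # Lateral movement: admin-port connections to several distinct internal hosts.
    targets = {dst for _, _, _, kind, dst, port, _ in timeline
               if kind == "conn" and port in admin_ports
               and not dst.startswith("ext:") and dst != host}
    if len(targets) >= 3:
        ioas.append(("lateral_movement", sorted(targets)))

    # Staging then exfiltration: an archive is created, then a large transfer leaves.
    staged_at = None
    for ts, _, _, kind, dst, _, nbytes in timeline:
        if kind == "compress":
            staged_at = ts
            ioas.append(("staging", dst))
        elif (kind == "conn" and dst.startswith("ext:")
              and staged_at is not None and ts > staged_at and nbytes >= 500_000):
            ioas.append(("exfiltration", dst))
    return ioas


def run(events):
    """Full cycle: scout for haystacks, then hunt each flagged host."""
    return {host: hunt(events, host) for host in scout(events)}


if __name__ == "__main__":
    for host, findings in run(EVENTS).items():
        print(host, "IoAs:", findings or "none (pick another haystack)")
```

Note that the off-hours rule only fires for accounts in `ADMIN_USERS`; in practice that set, the port baseline and the volume multiplier all come from knowing the environment, which is why the scouting hypothesis has to be tuned per network rather than shipped as fixed thresholds.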

ML Models
We’ve created a lot of different tools in order to get results to you quicker. Some of those are Machine Learning models that are specifically designed to take the legwork out of the more common types of attacks, tipping our SOC Analysts off to anything that matches the criteria. We continually update these models, which means more time for our Threat Hunters to scout and hunt other aspects of your network.

Next week, barring any other newsworthy attacks that you need to be aware of, we’ll talk about our most valuable resource on the Milton Security team – our humans.

I hope this Q&A series has been helpful for you to understand a little more about what we do and how we provide value to you and your organization. As always, if you have any questions, I’m an open book. Ask away in the form and I’ll personally send you a response.

Until next week, stay safe!