Hunting in the Depths: The Need for a Strategic Threat Detection Model

Executive Boardroom - 10:45 am - 11:10 am

This research presents and justifies a revolutionary Threat Hunting strategy that aligns Hunting operations to a hybrid Kill Chain model that incorporates the recursive nature of Lateral Movement into the Lockheed Martin Kill Chain. Existing security models are analyzed in relation to threat detection; these include Lockheed Martin's Kill Chain, Mandiant's Attack Lifecycle model, David Bianco's Pyramid of Pain, and Defense in Depth. "Hunting with Arbitrary Indicators of Compromise (Ad-hoc Searching)" (aka the "Shotgun" approach) and "Focused Threat Operations (Depth-First Searching)" (aka the "Detection Chokepoints" approach) are reviewed as Threat Hunting strategies. Data provided by survey participants was also analyzed, covering demographics, controls, organizational maturity, and Threat Hunting tactics. It was noted that visibility was significantly lacking in Weaponization and Reconnaissance compared to the other phases of the Kill Chain, and that indicators gained from each progressive phase of the Kill Chain were perceived to have increasingly greater value than those from the prior phases. An innovative Strategic Threat Hunting Model aligned to the SANS Institute's five recommendations for improving the Maturity of Threat Hunting is also presented (Cole, 2017). In this model, it is recommended that detection be distributed within each phase of the attack lifecycle, so that the "Depth of Detection" can be audited at each stage of the Kill Chain to discern any variances or gaps. This comprehensive Breadth-First Threat Hunting Strategy is superior to both Ad-hoc and Depth-First searching techniques in that it forces attackers to escalate their Level of Effort for evasion and obfuscation by as much as a factor of seven, as they are required to actively evade the Hunt Team at every stage of the attack lifecycle. Ultimately, by strategically aligning Threat Hunting tactics across all seven phases of the Kill Chain, the probability of detecting an attacker is increased by as much as 700%.
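The "Depth of Detection" audit described above can be made concrete with a small script. The following is an added example, not code from the talk or its author: it takes a constructed inventory of detections, each tagged with the Kill Chain phase it covers and a rough estimated catch probability (both the inventory and the probabilities are assumptions), reports how many detections sit in each of the seven phases, flags phases with no coverage (here Reconnaissance and Weaponization, mirroring the visibility gap the survey noted), and combines the per-phase probabilities into an end-to-end figure. The combination treats phases as independent, which is a simplifying assumption of this example rather than a claim from the abstract.

```python
"""Audit 'Depth of Detection' across the seven Lockheed Martin Kill Chain phases.

Added example (not the talk's own code). The detection inventory and its
per-detection probabilities are constructed for illustration, and the
end-to-end calculation assumes phases are detected independently.
"""
from math import prod

KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)

# Constructed inventory: (detection name, Kill Chain phase, estimated catch probability)
DETECTIONS = [
    ("Mail gateway attachment sandboxing", "Delivery", 0.5),
    ("Newly registered domain DNS alert", "Delivery", 0.3),
    ("EDR process-injection rule", "Exploitation", 0.6),
    ("New autorun / scheduled task hunt", "Installation", 0.4),
    ("WMI event subscription persistence hunt", "Installation", 0.3),
    ("Periodic outbound beaconing analytic", "Command and Control", 0.5),
    ("Anomalous admin logon (lateral movement) hunt", "Actions on Objectives", 0.4),
    ("Bulk data egress volume alert", "Actions on Objectives", 0.3),
]


def depth_by_phase(detections):
    """Return {phase: [catch probabilities]} with every phase present, even if empty."""
    depth = {phase: [] for phase in KILL_CHAIN}
    for name, phase, p in detections:
        if phase not in depth:
            raise ValueError(f"unknown Kill Chain phase {phase!r} for {name!r}")
        depth[phase].append(p)
    return depth


def phase_detection_probability(probs):
    """Probability that at least one detection in a phase fires (empty phase -> 0.0)."""
    return 1.0 - prod(1.0 - p for p in probs)


def audit(detections):
    """Per-phase depth report plus the list of phases with zero detections (the gaps)."""
    depth = depth_by_phase(detections)
    report = {
        phase: {
            "count": len(depth[phase]),
            "p_detect": round(phase_detection_probability(depth[phase]), 4),
        }
        for phase in KILL_CHAIN
    }
    gaps = [phase for phase in KILL_CHAIN if report[phase]["count"] == 0]
    return report, gaps


def end_to_end_detection(detections):
    """Probability the attacker is caught in at least one phase, assuming independence."""
    depth = depth_by_phase(detections)
    p_miss_all = prod(
        1.0 - phase_detection_probability(depth[phase]) for phase in KILL_CHAIN
    )
    return 1.0 - p_miss_all


if __name__ == "__main__":
    report, gaps = audit(DETECTIONS)
    for phase in KILL_CHAIN:
        r = report[phase]
        print(f"{phase:<24} detections={r['count']}  P(detect)={r['p_detect']:.2f}")
    print("Phases with no detection coverage:", gaps)
    print(f"End-to-end P(detect) = {end_to_end_detection(DETECTIONS):.3f}")
```

Running the audit over a real detection inventory (one row per hunt playbook or alert rule, tagged with its phase) gives the per-phase variance the model asks for; the empty phases are the chokepoints a Depth-First approach leaves unguarded, and adding even low-probability coverage there raises the end-to-end figure because the attacker must now evade one more stage.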

Sponsored by:

Carbon Black


, , View details