Hunting for Hackers: Internal Audit’s Growing Role in Breach Detection

Adam Brand, Director IT Security and Privacy

Information technology assets — and the ways criminals exploit them — keep evolving. Ransomware, for example, has changed the threat landscape by targeting operational rather than sensitive data. Criminals aren’t standing still and organizations can’t afford to either.

Monitoring alone isn’t enough. This is apparent from the fact that cyber attacks and breaches have continued to rise, with breaches detected by external sources almost half the time and taking three months on average to be discovered. As I wrote back in May, organizations need to stop behaving like prey and start hunting for hackers. The internal audit function can play a significant role in this process.

For example, internal audit might look into management’s ability (the first and second lines of defense) to effectively detect breaches. Auditors might review management’s hunting program to the extent that they have one. Understanding what hunting is, of course, is important to determine whether management is doing the right things. Auditors can also hunt.

What exactly is hunting? The concept of hunting for hackers has been around for many years but is not yet widely known. In my observation, maybe 15 to 20 percent of internal auditors have heard of it. Awareness is growing, however. I recently had the opportunity to share my personal experience as a hacker hunter at the ISACA GRC Conference in Dallas. My presentation was geared specifically for IT auditors, but here are some takeaways that should be of interest to all internal auditors and audit committees.

First, let’s agree on two key truths.

  1. Organizations need to do a better job of detecting breaches sooner.
  2. Looking for “known bads” is not enough. In a dynamic threat environment, the established practice of monitoring only for previously documented attacker signatures (e.g., bad IP addresses, previously documented malware) and easy-to-detect, known attacker behaviors (e.g., network scanning) is about as effective as preventing airplane hijackings by only looking for box cutters.

With respect to the second point, if crime scene investigators only collected the fingerprints of known bad guys who had been arrested before and only looked for ways criminals had stolen before, they would miss new suspects and ignore important evidence.

Monitoring for known hacker signatures and behaviors is an important part of any cybersecurity program, but it often fails to detect breaches, because attacker breach techniques are constantly evolving. Successful breaches are often the result of targeted attacks — an attack where a hacker identifies and exploits a specific data or system vulnerability at a specific organization, while going to great lengths to remain undetected.

Hunters pursue such hackers by starting with the assumption that attackers have already breached the organization, and looking for signs of their presence — stripping away normal systems, network and user activity to reveal hidden anomalies.

Hunting often includes some or all of the following:

  • Systems review — Broad review of processes running on systems for anomalies and detailed examination of key systems, often involving forensic investigation such as examining memory and disk captures.
  • Network review — High-level statistical review of internet and other key network destinations and activity over time, along with a “deep dive” into network traffic captures for a shorter duration.
  • User activity review — High-level statistical review of user activity to identify anomalies, with particular focus on privileged administrator and application service accounts and remote access.
  • Historic alerts review — Reviewing historic alerts from anti-virus and other detection mechanisms for cases where alerts were more serious than first thought, or look more serious given current information.
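
One way to carry out the broad process review in the systems review item is frequency stacking: collect the process list from every system, strip away what nearly every host runs, and leave the rare entries for an analyst. The sketch below is an added example, not part of the original article; the host names, paths and the 25 percent threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory of (host, process name, image path); not real data.
BASELINE = [("svchost.exe", r"C:\Windows\System32\svchost.exe"),
            ("lsass.exe", r"C:\Windows\System32\lsass.exe")]
INVENTORY = [(h, n, p) for h in ("ws01", "ws02", "ws03", "dc01") for n, p in BASELINE]
INVENTORY += [(h, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe")
              for h in ("ws01", "ws02", "ws03")]
INVENTORY += [("dc01", "bkagent.exe", r"C:\Program Files\BackupAgent\bkagent.exe"),
              ("ws02", "svchost.exe", r"C:\Users\Public\svchost.exe")]

def stack(rows):
    """Map each (name, path) pair to the set of hosts where it was seen."""
    hosts = defaultdict(set)
    for host, name, path in rows:
        hosts[(name.lower(), path.lower())].add(host)
    return hosts

def rare_processes(rows, max_share=0.25):
    """Return (host_count, name, path, hosts) for pairs on few hosts, rarest first."""
    total = len({host for host, _, _ in rows})
    return sorted((len(h), name, path, sorted(h))
                  for (name, path), h in stack(rows).items()
                  if len(h) / total <= max_share)

def name_path_outliers(rows):
    """Flag a process name running from a path other than its most common one."""
    by_name = defaultdict(dict)
    for (name, path), h in stack(rows).items():
        by_name[name][path] = h
    outliers = []
    for name, paths in by_name.items():
        if len(paths) < 2:
            continue  # only one location seen for this name, nothing to compare
        common = max(paths, key=lambda p: len(paths[p]))
        outliers += [(name, p, sorted(h)) for p, h in paths.items() if p != common]
    return sorted(outliers)

if __name__ == "__main__":
    for count, name, path, hosts in rare_processes(INVENTORY):
        print(f"rare ({count} host): {name} at {path} on {hosts}")
    for name, path, hosts in name_path_outliers(INVENTORY):
        print(f"unusual location: {name} at {path} on {hosts}")
```

The backup agent on dc01 is rare but expected, which is why the output is a work list for an analyst rather than a verdict.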

Effective hunting cannot be achieved through technology alone. The key to turning the tables on skilled, intelligent hackers is to use skilled, intelligent, creative analysts, as opposed to using detection technologies that hackers are probably already familiar with.

From an internal audit perspective, the questions we are trying to answer by hunting are: “Are we breached?” and “Would we know if we were?”

Potential control objectives might include:

  • Previous potential indicators of breach have been appropriately investigated.
  • An appropriate level of monitoring is in place to identify and investigate targeted attacks.
  • An appropriate and effective set of hunting activities is regularly being conducted.
  • System, network, user, and other security logs relevant to breach investigations are appropriately collected and alerts are generated from these logs.

Potential audit activities might include:

  • Introduction of detection tools not currently present in the environment (e.g., those from FireEye and Carbon Black)
  • Review of existing collected data (e.g., domain names, file hashes) against additional intelligence sources (such as Farsight and VirusTotal)
  • Examining a sample of internet or key segment network traffic
  • Examining a sample of user login activity for unusual behavior
  • Memory and disk capture of a sample of key systems for deeper review (domain controller, email server, finance workstations)
  • Obtaining historic anti-virus/IDS records and reviewing them for overlooked incidents
  • Review of monitoring and hunting processes

Many internal auditors may need additional training to conduct this type of audit, even in larger organizations. Internal auditors who are skilled in cybersecurity audits should be able to, with some training, perform a review of management’s processes. Internal audit organizations that want to do hunting, however, will most likely need to bring on additional resources with specialized skill sets.

Organizations at higher risk of attack should be doing hunting on a regular basis, typically with dedicated hunt teams. For lower risk environments, organizations may want to conduct hunting activities monthly or quarterly. At a minimum, some type of hunting activity should be conducted annually.

However your organization chooses to get started with threat hunting, you will quickly see the value in preemptively looking for attackers. The purely reactive, defensive mode is no longer enough; it’s time to emphasize a proactive approach.
