Endpoint Detection & Response - the benefits of a proactive threat hunting approach

Author
Michelle Gehri
Published
27. February 2019

In a previous part of our Endpoint Detection & Response (EDR) series, you have learned how to reduce the time it takes to detect a cyber attack. Now it's time to get down to business: In this article, we'll explain why organisations can't just be reactive when scanning, hunting, and analysing security incidents.

Forensic approaches to both investigation and analysis are critical to an effective endpoint security strategy and are as important as detection, remediation and prevention. In fact, don't wait for an incident to happen before you start searching - search proactively! A proactive search begins with the assumption that an intrusion is underway which hasn’t been detected yet.

However, many organizations still take a reactive approach, wasting valuable time. This means they act from an alert-centric perspective and investigate incidents when they are detected by detection systems. In terms of Endpoint Detection & Response, this typically means that alerts are only triggered when known IOCs (Indicators of Compromise) or suspicious behaviour is detected.

EDR means finding and extinguishing the glowing match in the (data) forest

Not all investigations start from alerts, however. For example, if you suspect that an employee has carried out fraudulent actions and you, therefore, need to search a particular timeframe. Or you may need to search for specific artefacts, such as when malware passes by your email scanning devices or when a confidential document is suddenly passed around in a freely accessible manner. Or you want to proactively search for anomalies.

No matter the starting point in the investigative workflow, you need a way to drill down into results and systems of interest and explore a timeline of events. This is the only way to get a comprehensive picture of what exactly happened - and at best to deduce what could happen next. Security analysts also have to deal with a huge amount of data that is continuously generated by systems during normal operation. Enriching additional information can help to distinguish between "good" and "bad" events and further refine your understanding of the incident.

Once your analysts have found the initial event, they need to close the gaps in the event chain with the available information and at the same time secure evidence for later in-depth analysis. However, a cyber attack usually does not end with the first malware infection and the intrusion into the network. The attacker will try to penetrate further into the network and steal access or other sensitive data in order to gain access to the network as a supposed user.

What does that mean for you? From here on, the cross-system investigation becomes a hunt. Your team of analysts must team up with the threat hunting team to thoroughly analyze the incident and ensure that the full extent is detected and no additional damage can be done. You must also be able to block the malicious activities. And that's where an effective EDR solution comes in. It must be able to perform actions and adapt and enforce security policies!

How does Tanium help with investigation and forensic analysis?

Tanium's EDR solution provides a detailed overview of a cyber attack in a matter of seconds, from any device, regardless of the size of the corporate network. This makes it possible to determine faster than with other solutions available on the market where an attack took place, how the malware spread or the attacker moved through the network, which end devices are affected and how to react. Tanium continuously records forensic telemetry data to help you analyze incidents. But the EDR platform goes far beyond capturing log data at the endpoint. It combines access to historical data with the ability to query the current system status and stored data - regardless of the size of the corporate network and at an enormous speed. This also includes real-time access to comprehensive sources of evidence such as indexes of all files on the hard disk, native operating system artefacts and the complete contents of the volatile memory. Finally, Tanium provides the ability to repeat a search to experiment with different solutions and compare data in real time without the need for post-processing. This can be the case, for example, if you collect and group persistence mechanisms from all systems on your network. This allows your analysts to detect outliers or malicious activities more quickly.

EDR-as-a-Service? Only available from InfoGuard!

We offer you Tanium's leading EDR solution exclusively as a service from our ISO 27001 certified Cyber Defence Center - and that starting at 300 endpoints instead of the current 5,000! Interested? We will be happy to show you how you can use EDR-as-a-Service in your company and revolutionize your endpoint detection & response.

Offer EDR-as-a-Service

Incident response complete: What is next?

While the steps we’ve outlined above are crucial to helping you put an incident to bed, your work is really just beginning. Sure, you and your team can take pride that you’ve successfully reacted to initial alerting, scoped the event at scale, and gathered a wide range of data for your executive decision makers. You’ve generated IOCs to continually search out other impacted hosts, and conducted a hunt to validate the initial incident scoping. These are all essential parts of your response, and it’s satisfying to check off all those boxes. Next, you need to understand the root cause of the incident. And speed matters here, too.

The shorter the window from intrusion to detection to completion of your investigation, the more likely you are to discover the root cause. For example, the incident may have been facilitated by poor system configuration or missing patches. In this case, it’s important to answer the following questions:

  • Do your security teams have visibility into the progress of patching or configuration changes?
  • Who will clean the infected systems, and how will that be tracked?
  • In an emergency, such as WannaCry, can your security organization give the IT operations teams a helping hand to apply a one-off patch or disable a vulnerable service?

As already described: Most investigations are based on anomalies and alarms. However, you should not wait for an incident to happen, but act proactively! Cyber attacks are unavoidable - long periods of time before detection and reaction are. A proactive search starts with the assumption that an attack has already taken place and has penetrated your network - you just don't know it yet...

Here's the question: Makes your EDR platform capable of being purely reactive, or can you use your EDR platform to proactively, efficiently, and enterprise-wide search for anomalies and investigate on demand? In the third part of our EDR Series, you'll learn what an effective security incident response should look like and the role Endpoint Detection & Response plays in it.

Don't miss this third and final article of our EDR series and subscribe to the blog updates now. So you will receive the latest articles weekly directly into your mailbox!

Subscribe to blog updates now!

*In cooperation with Tanium

Share article