Threat hunting: the art and science of tracking down hidden cyber threats lurking within your organization's network. Attackers leave these footprints behind as they carry out their activities, whether directly on a compromised machine or through remotely controlled platforms. They can be hard to detect, and stealthy attackers are able to hide within networks for weeks, if not months. An astonishing 83% of organizations had more than one data breach in 2022, and approximately 47% of all cybersecurity incidents involved Personally Identifiable Information (PII) stolen by cybercriminals.
Once the initial reconnaissance phase is over, hackers start to move laterally across the network in search of other vulnerable systems and devices to exploit. This often ends in the data exfiltration mentioned above, where sensitive information is moved out of the internal LAN. In other cases, attackers encrypt critical documents as part of a ransomware attack, exploit weaknesses to gain privileged access, or use compromised devices as stepping stones for further cybercrime.
When it comes to network protection, speed is of the essence. That's why certain security tools are designed to automatically save metadata and network packets (PCAPs) associated with potential threats. With that evidence at hand, security analysts and incident responders can quickly identify the root cause of a cyber incident and thwart ongoing attacks. This forensic capability also carries weight in a court of law, as it documents the exact movements and activities of the hacker at a specific point in time.
To help cybersecurity staff prioritize their response efforts, notifications are categorized into severity levels such as High, Medium, and Low. High severity notifications are reserved for suspicious patterns discovered in the network traffic over a full session. For example, an internal offender could attempt to enumerate internal hosts by scanning devices with an open SSH service listening on port 22/TCP, and then try to brute-force entry to these SSH services. This behavior pattern must be analyzed immediately to determine whether it's malicious or not. High severity notifications are top priority since they pose an immediate and severe threat to any other device in the internal network.
Medium and Low severity notifications can be dealt with in the next service window, as they don't pose as high of a threat. However, a medium severity notification can be elevated to a high if a company's risk analysis and risk profile indicate that it warrants immediate attention.
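The SSH sweep-then-brute-force pattern described above, expressed as a detection rule over per-connection flow records and scored with the same High/Medium scheme. This is an added example written for this article, not Muninn's own code; the flow-record shape (one record per TCP connection attempt with a `completed` flag for a finished handshake), the thresholds and the function names are assumptions.

```python
"""Flag the 'sweep 22/tcp across hosts, then brute-force one of them' session
pattern and assign it a High or Medium severity.

Added example, not Muninn's code. The flow-record shape is an assumption:
one record per TCP connection attempt, with `completed` True when the
handshake finished (a probe that got no session leaves it False).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    dst: str
    dport: int
    completed: bool  # True if the TCP handshake completed


SCAN_HOSTS = 5          # distinct hosts probed on 22/tcp => "sweep"
BRUTE_CONNECTIONS = 10  # completed sessions to one host:22 => "brute force"
SESSION_WINDOW = 600.0  # seconds of activity treated as one session


def classify_ssh_activity(flows):
    """Return {src_ip: (severity, reason)} for sources that swept and/or
    hammered SSH inside one session window. Ordinary SSH use (a few
    completed sessions, no sweep) is not reported at all."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 22:
            by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        first = fl[0].ts
        session = [f for f in fl if f.ts - first <= SESSION_WINDOW]
        probed = {f.dst for f in session}
        completed = defaultdict(int)
        for f in session:
            if f.completed:
                completed[f.dst] += 1
        brute = sorted(d for d, n in completed.items() if n >= BRUTE_CONNECTIONS)
        swept = len(probed) >= SCAN_HOSTS
        if swept and brute:
            # sweep followed by repeated logins: the full-session pattern
            findings[src] = ("High", f"swept {len(probed)} hosts on 22/tcp, "
                                     f"then brute-forced {brute}")
        elif swept:
            findings[src] = ("Medium", f"swept {len(probed)} hosts on 22/tcp")
        elif brute:
            findings[src] = ("Medium", f"{completed[brute[0]]} SSH sessions "
                                       f"to {brute[0]} in one window")
    return findings


def constructed_flows():
    """Constructed sample: 10.0.0.50 probes eight hosts, then opens twelve
    sessions to the one that answered; 10.0.0.9 is an admin with three
    normal sessions to the same server."""
    flows = []
    t = 1_700_000_000.0
    for i in range(1, 9):
        flows.append(Flow(t + i, "10.0.0.50", f"10.0.0.{i}", 22, completed=(i == 7)))
    for k in range(12):
        flows.append(Flow(t + 60 + k * 5, "10.0.0.50", "10.0.0.7", 22, True))
    for k in range(3):
        flows.append(Flow(t + 100 + k * 30, "10.0.0.9", "10.0.0.7", 22, True))
    return flows


if __name__ == "__main__":
    for src, (sev, why) in classify_ssh_activity(constructed_flows()).items():
        print(f"[{sev}] {src}: {why}")
```

The session window is what turns two Medium-grade observations (a sweep, a burst of logins) into one High-grade finding; on real telemetry the thresholds would be tuned per network, and a jump-host or scanner allowlist applied before reporting.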
There is a trend of hackers becoming increasingly stealthy in their attacks. Traditional host address scans, which were once a common tactic for identifying responding devices on a network, are now declining in popularity due to their noisy and detectable nature. Instead, hackers are transitioning towards ARP-scans, which allow them to act like a network device updating its ARP tables, without directly contacting the target devices. By issuing widespread ARP requests, they can quickly obtain information on all active devices with MAC addresses and corresponding IP addresses.
But that's not all. Hackers are also using more deliberate methods for identifying interesting services behind TCP and UDP ports. Instead of firing at devices across the full range of roughly 64k possible ports, they limit their scans to a handful of ports known to expose services that are easy to break into, for example vulnerable applications listening behind those ports. By analyzing an attacker's behavior over a full session, security teams can observe these tactics and take appropriate measures to mitigate the threat.
The net effect is a notable shift towards less detectable forms of reconnaissance, such as ARP scans and precise targeting, and away from more easily detected techniques like address and port scans.
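Both of the quieter reconnaissance patterns just described can still be caught when the telemetry is grouped by source and examined over a window. The example below is added for this article and is not Muninn's code; it assumes ARP requests arrive as `(ts, sender_mac, target_ip)` tuples and flows as `(src_ip, dst_ip, dst_port)` tuples, and all thresholds and function names are assumptions.

```python
"""Two low-noise reconnaissance patterns, detected from link-layer and flow
telemetry: an ARP sweep (one MAC asking who-has for many IPs in a short
window) and a focused port scan (one source touching the same few ports on
many hosts). Added example, not Muninn's code; record shapes are assumptions.
"""
from collections import defaultdict

ARP_WINDOW = 30.0   # seconds
ARP_TARGETS = 20    # distinct who-has targets inside the window => sweep
SCAN_HOSTS = 10     # distinct destination hosts => scan
SCAN_MAX_PORTS = 5  # ... on at most this many distinct ports => focused


def detect_arp_sweep(arp_requests):
    """Return {sender_mac: peak_distinct_targets} for senders whose who-has
    requests covered at least ARP_TARGETS distinct IPs within ARP_WINDOW.
    A router refreshing its cache also asks for many IPs, so in practice the
    known gateway MACs are excluded before calling this."""
    by_mac = defaultdict(list)
    for ts, mac, target in arp_requests:
        by_mac[mac].append((ts, target))
    hits = {}
    for mac, reqs in by_mac.items():
        reqs.sort()
        in_window = defaultdict(int)   # target -> requests inside the window
        left, peak = 0, 0
        for ts, target in reqs:
            in_window[target] += 1
            while ts - reqs[left][0] > ARP_WINDOW:   # slide the window forward
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= ARP_TARGETS:
            hits[mac] = peak
    return hits


def detect_focused_scan(flows):
    """Return {src_ip: (n_hosts, ports)} for sources that contacted at least
    SCAN_HOSTS distinct hosts using no more than SCAN_MAX_PORTS distinct
    ports. A wide port sweep of a single host deliberately does not match."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        hosts[src].add(dst)
        ports[src].add(dport)
    return {src: (len(hosts[src]), sorted(ports[src]))
            for src in hosts
            if len(hosts[src]) >= SCAN_HOSTS and len(ports[src]) <= SCAN_MAX_PORTS}


def constructed_arp():
    """Constructed: one MAC sweeps 10.0.0.1-40 in four seconds; another
    resolves three neighbours at a normal pace."""
    t = 1_700_000_000.0
    sweep = [(t + i * 0.1, "aa:bb:cc:dd:ee:01", f"10.0.0.{i}") for i in range(1, 41)]
    normal = [(t + k * 7.0, "aa:bb:cc:dd:ee:02", f"10.0.0.{k}") for k in (1, 5, 9)]
    return sweep + normal


def constructed_flows():
    """Constructed: 10.0.0.77 touches 20 hosts on two ports only; 10.0.0.5
    talks to three servers on six ports (ordinary client traffic)."""
    scan = [("10.0.0.77", f"10.0.0.{i}", p) for i in range(1, 21) for p in (22, 445)]
    client = [("10.0.0.5", f"10.0.0.{i}", p)
              for i in (1, 2, 3) for p in (53, 80, 443, 123, 8080, 22)]
    return scan + client


if __name__ == "__main__":
    print("ARP sweeps:", detect_arp_sweep(constructed_arp()))
    print("Focused scans:", detect_focused_scan(constructed_flows()))
```

The focused-scan rule is the complement of a classic port-scan rule: it keys on many hosts and few ports rather than many ports on one host, which is exactly the shape the article says attackers are moving towards.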
Another trend to note is the increasing use of remote execution using RPC, which is often employed by hackers to establish persistence in a compromised system. The goal of this tactic is to start services or tasks on the target machine that will automatically launch when the system is rebooted, allowing the hacker to maintain a foothold in the system for an extended period of time.
Once a malicious service is in place, it will typically engage in a variety of operations tailored to the specific goals of the attack. One common task of these services is to learn what normal behavior on the host looks like and then carry out malicious activities without deviating too far from that baseline, in order to avoid detection for as long as possible.
After gaining access to a target network, hackers typically establish communication with a command and control (C2) server located outside the network to receive remote instructions. In a recent analysis of dyadic anomaly notifications, the top five triggers were 'Unexpected Interaction', 'Unexpected Port', 'Unexpected Service', 'Data Transfer', and 'Out of Hours'. Some of our data suggests a trend towards 'Unexpected' notifications, indicating that attackers are using a diverse range of new ports and services in their network communications. Such tactics indicate that future attacks will be increasingly sophisticated, and the use of AI-based attack tools will become more prevalent.
For many IT departments, maintaining confidentiality, integrity, and availability is a crucial security objective in accordance with the CIA Security Model. Keeping sensitive data from leaking out is a top priority for upholding confidentiality and integrity. To achieve this goal, IT security professionals need a tool that integrates multiple threat models to detect and block exfiltration attempts. Muninn AI's threat models for detecting and proactively blocking data leakage are based on the MITRE framework and fall under the tactics of 'Data Exfiltration' and 'Command & Control.'
Our AI-powered cybersecurity solution is equipped with advanced breach detection capabilities. Using two distinct approaches, Muninn AI Detect can quickly identify anomalies that may indicate a network breach and potential data exfiltration.
The first approach, known as Dyadic Anomaly, focuses on unusual data behavior between two devices. By constantly monitoring all communications between internal and external hosts, our AI builds up a model of the common network behavior. When deviations are detected, the machine learning model triggers notifications based on the user-defined sensitivity level.
The second approach, known as Point Anomaly, focuses on the host itself to identify unusual combinations of sent bytes, received bytes, and session duration. This notification is useful in determining whether the host's total transfer volume is outside of its normal range.
Both anomaly notifications are key factors in determining whether data exfiltration is occurring or being attempted in real time. It is worth noting that AI-based notifications are becoming increasingly prevalent, indicating that AI is playing a much bigger role in detecting malicious behavior within a network.
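The two approaches above, and the five dyadic trigger names listed earlier ('Unexpected Interaction', 'Unexpected Port', 'Unexpected Service', 'Data Transfer', 'Out of Hours'), can be illustrated with a small baseline-and-score implementation. This is an added example written for this article, not Muninn's model: the flow-record fields, the rule used for each trigger, the transfer factor and the z-score sensitivity are all assumptions, and the history it learns from is constructed.

```python
"""Dyadic and point anomaly detection over flow records.

Added example, not Muninn's code. The record shape and the trigger rules are
assumptions chosen to mirror the five notification names in the text: the
dyadic (pairwise) baseline yields 'Unexpected Interaction', 'Unexpected Port',
'Unexpected Service', 'Data Transfer' and 'Out of Hours'; the point anomaly
scores a host's own bytes-out / bytes-in / duration against its history.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # unix seconds
    src: str
    dst: str
    dport: int
    service: str     # sensor-assigned protocol label, e.g. "https"
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src
    duration: float  # seconds


def hour_of(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


class DyadicBaseline:
    """Learns, per (src, dst) pair, the ports, services, active hours and
    largest outbound volume seen; deviations map to the five trigger names."""
    def __init__(self, history):
        self.pairs = {}
        for f in history:
            p = self.pairs.setdefault((f.src, f.dst),
                    {"ports": set(), "services": set(), "hours": set(), "max_out": 0})
            p["ports"].add(f.dport)
            p["services"].add(f.service)
            p["hours"].add(hour_of(f.ts))
            p["max_out"] = max(p["max_out"], f.bytes_out)

    def triggers(self, f, transfer_factor=5.0):
        p = self.pairs.get((f.src, f.dst))
        if p is None:
            return ["Unexpected Interaction"]   # this pair has never talked before
        out = []
        if f.dport not in p["ports"]:
            out.append("Unexpected Port")
        if f.service not in p["services"]:
            out.append("Unexpected Service")
        if f.bytes_out > transfer_factor * p["max_out"]:
            out.append("Data Transfer")         # far above the pair's usual volume
        if hour_of(f.ts) not in p["hours"]:
            out.append("Out of Hours")
        return out


class PointBaseline:
    """Per host: mean and standard deviation of (bytes_out, bytes_in, duration);
    a session is anomalous if any z-score exceeds the sensitivity."""
    def __init__(self, history):
        rows = defaultdict(list)
        for f in history:
            rows[f.src].append((f.bytes_out, f.bytes_in, f.duration))
        self.stats = {h: [(mean(c), pstdev(c) or 1.0) for c in zip(*r)]
                      for h, r in rows.items()}

    def is_anomalous(self, f, sensitivity=3.0):
        st = self.stats.get(f.src)
        if st is None:
            return False                          # no baseline for this host yet
        values = (f.bytes_out, f.bytes_in, f.duration)
        return max(abs(v - m) / s for v, (m, s) in zip(values, st)) > sensitivity


def constructed_history():
    """Constructed sample: 30 business-hours HTTPS sessions from 10.0.0.21 to
    the internal web server 10.0.0.5, with modest variation in each field."""
    base = int(datetime(2024, 1, 15, 9, tzinfo=timezone.utc).timestamp())
    return [Flow(base + (i % 8) * 3600 + (i // 8) * 86400, "10.0.0.21", "10.0.0.5",
                 443, "https", 2000 + (i % 7) * 300, 50000 + (i % 5) * 1000,
                 10 + (i % 4) * 2.5) for i in range(30)]


def demo():
    history = constructed_history()
    dyad, point = DyadicBaseline(history), PointBaseline(history)
    noon = int(datetime(2024, 1, 22, 11, tzinfo=timezone.utc).timestamp())
    night = int(datetime(2024, 1, 22, 3, tzinfo=timezone.utc).timestamp())
    normal = Flow(noon, "10.0.0.21", "10.0.0.5", 443, "https", 3000, 52000, 14.0)
    exfil = Flow(night, "10.0.0.21", "10.0.0.5", 8443, "https", 200000, 1200, 900.0)
    new_peer = Flow(noon, "10.0.0.21", "203.0.113.9", 443, "https", 3000, 52000, 14.0)
    return {name: (dyad.triggers(f), point.is_anomalous(f))
            for name, f in (("normal", normal), ("exfil", exfil), ("new_peer", new_peer))}


if __name__ == "__main__":
    for name, (triggers, point_hit) in demo().items():
        print(f"{name:9s} dyadic={triggers or ['none']} point_anomaly={point_hit}")
```

The `transfer_factor` and `sensitivity` arguments play the role of the user-defined sensitivity level mentioned above: lowering them produces more notifications and more false positives, raising them lets smaller deviations through, which is the trade-off a risk profile has to settle.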