A Holiday Hunting We Will Go

Written by Sean Mason, Vice President of Global Customer Success, Resolution1 Security

Cyber criminals fully realise that companies tend to be minimally staffed during the holidays. Rather than let the calendar year end on a sour note, I suggest your organisation be proactive this year and spend time hunting for adversaries rather than sitting back and hoping your threat feed, MSSP or other mechanisms will lead to you catching something.

If you think your company isn’t a target this holiday season, think again! I’ve seen the oddest cross section of industries being attacked by Advanced Persistent Threats (APTs) including food and beverage, waste management, aluminium manufacturing, and non-profits to name a few, outside of the normal defence, energy, critical infrastructure, and other well-known targeted verticals. Clearly nation state attackers are not discriminating in their targets. As for cyber criminals, the traditional thinking that small and medium-sized businesses are targets still holds true – but as the industry has seen this past year, large corporations are under continual attack.

I’m unsure if there is an official definition of “hunting for adversaries,” but to me it is defined as looking for adversaries on your network outside of your normal day-to-day processes. I’ll explain more about how to go on the “hunt”, but first, here are three key factors to help you get started.

Rule 1. Executive Buy-in is required.
Rule 2. Failure is an Option.
Rule 3. Keep it Fun.

Logistically, the hunting should be a simple exercise, as you want to limit administrative tasks and maximise hunting. I recommend setting aside one entire week for the hunt and to secure executive buy-in that all meetings will be cancelled or moved so the team can focus 100% on the hunt. As for team make-up, it should be a good mix of junior, mid-level and senior IR/Intel folks, as well as individuals from outside the organisation (e.g. Red Team, Networking, etc.).

2 weeks prior to the Hunt: Pull the team together for a one hour brainstorming session to develop hunt criteria and encourage new approaches and ideas – the crazier the better. This will allow time for individuals to think through the ideas in more detail and generate some buzz ahead of the next step.

1 week prior to the Hunt: Bring the team back together and rack and stack the ideas. Once complete, begin assigning folks to ensure there is coverage. You may not have all ideas assigned and that’s fine – the focus is on quality, not quantity, so you can table the others for your next hunt.

Every evening during Hunt: A 15 minute “stand-up” to bring the team together and focus on anything of concern from an adversary perspective, as well as any logistical/political concerns that need to be raised to the Executive champion.

The first day of the week following the Hunt: A quick call to discuss what worked well and what didn’t work. Conduct a review of the findings and assign follow up action items. This is the time to lay the foundation for your next hunt, as well as to identify items that the team may want to operationalize on an ongoing, day-to-day basis.

Communications: The Executive can kick-off and close-out the event by communicating the high level details, results and key learnings to stakeholders across the organization to bring visibility and excitement to the effort. It is also worth discussing the results, potential negative impact and added value of the Hunt with C-suite executives.

While there are a variety of avenues to take, here are a few ideas to get your Hunt started:
• Pull forensic evidence (registry, memory, event logs, etc…) of previously compromised machines.
• Pull forensic evidence of previously compromised machines in the same family. For example, if you have webserver01, pull webserver02 and webserver03
(ProTip: You should be doing this during your incident investigations as well.)
• Have you looked at the activity of previously compromised administrator accounts recently?

Finally, the Hunt demonstrates the importance of proactive hunting across your networks, endpoints and mobile devices. While the Penetration Testing business is doing extremely well, it’s only a part of a robust security framework and most companies should be focusing their efforts and budgets on if they have been breached and not if they can be penetrated. If your organisation lacks the knowledge, resources or simply needs additional expertise or an outside perspective, don’t hesitate to hire an outside services company to perform the hunting for you.

About the Author
Sean Mason is Vice President of Global Customer Success at Resolution1 Security. He brings more than six years of front line incident response expertise and customer engagement from leading Fortune 500 companies. Sean is a veteran of the security industry, leading security teams at GE, Harris, and CSC. While at GE, Sean was director of incident response where he regularly met and advised C-level executives and board members. Prior to that, Sean spent seven years running global incident response projects at Monsanto after fulfilling his tour with the U.S. Air Force. Throughout his career, Sean has led enterprise focused solutions across IT (information security, software development and auditing) and industry verticals (Defense, Aviation, Finance, Energy, and Biotechnology) leveraging his diverse technical knowledge and unique business perspectives. Sean also serves as a Subject Matter Expert for ISC2, helping to design industry certifications as well as sitting on the ISC2 Application Security Advisory Council (ASAC).

Georgina Turner image

Georgina Turner

Sales Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Graphic displaying a lockdown solution

Netgenium debuts next gen display and touchscreen technologies

Power-over-Ethernet (PoE) solutions specialist Netgenium will be showcasing its new range of IP…

ICT® Launches New TSL Access Reader Series

Integrated Control Technology (ICT®), a leading manufacturer of intelligent access control and…
Image Provided by Paxton

Paxton Partners with Skills for Security

The security technology manufacturer Paxton is proud to announce a partnership with Skills for Security…
Image Provided by ICT

ICT and Ingram Micro sign distribution agreement MEA

Integrated Control Technology (ICT), award-winning global manufacturer of intelligent electronic access control and security solutions..
Image Provided by Toshiba

Toshiba launches new HDD Innovation Lab

Toshiba Electronics Europe GmbH (Toshiba) has inaugurated a new HDD Innovation Laboratory (HDD Innovation Lab) at its site in Düsseldorf..
Image Provided by Verkada

Verkada Doubles Down on the Channel with Strategic New Hire

Verkada, a leader in cloud-based physical security, today announced the appointment of Micah Deriso as Head of Global Channel…
Image Provided by IPSA

IPSA Appoint Frontline Hero as Ambassador

Abdullah, the courageous security officer praised for foiling a horrific knife attack at Leicester Square, has been appointed as…
Image Provided by Codelocks

New Surface Latch from Codelocks

Codelocks is expanding its Gate Solutions by Codelocks range with the introduction of the new Codelocks’ Surface Latch…
Image provided by Genetec

Nicholas Smith to Lead Genetec UK and Ireland Operations

Genetec, provider of enterprise physical security software, announced the appointment of Nicholas Smith as its new Regional Sales Director…

News Desk

View all the latest, product, project and people news

News Desk

Click Here

Technology News

Keep up-to-date with the latest product innovation

Technology News

Click Here

Industry Sectors

Discover technology in action in all applications

Industry Sectors

Click Here

Enter The Awards

Showcase personal or organisation excellence

Advertise With Us

Reach decision makers and amplify your marketing

Advertise With Us

Click Here
Scroll to Top