The Best Threat Hunters Are Human


“You won’t know you have a problem unless you go and look.”


Neil Wyler, known as ‘Grifter’ in the hacker community, made that statement as a precursor to an unforgettable story. An organization hired Grifter to perform active threat hunting. In a nutshell, active threat hunting means proactively searching an organization’s environment for attackers who are already inside, rather than waiting for an alert to fire.


Such an engagement is a critical first step for any security program. If you deploy detection and prevention tools while attackers are already inside, their activity becomes part of the behavioral baseline those tools learn: the attackers’ footprint is embedded in what the environment treats as normal, which makes them far harder to detect later.


Threat Hunting Engagement


On the first day of the threat hunting engagement, the client showed Grifter detailed documentation. It listed every server, database and other asset connected to the network, the protocols in use, how traffic flowed in and out, the egress and ingress points, how the network was segmented and recent changes to the environment. That level of detail is rare in most organizations. It also saved Grifter a day’s work.


He began hunting.


Within minutes he spotted something unusual. Data was leaving the environment, and it looked like personally identifiable information (PII): names, addresses, social security numbers, tax identification codes and other highly sensitive fields. All of it was unencrypted. Grifter then traced the source of the exfiltration: which system the PII was leaving from, and by what route.
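The two questions Grifter asked of that traffic, whether the egress path is one the documentation permits and whether cleartext PII is riding on it, can be turned into a hunting check. The following is an added example written for this article; it is not Neil Wyler’s or the client’s tooling. It assumes a network sensor that yields one record per outbound session with source, destination, port, whether the session was encrypted, and the first bytes of payload. The internal address range and the allow-list of documented egress paths are hypothetical stand-ins for the client’s network documentation, and the sample flows are constructed. The SSN plausibility rules (area numbers 000, 666 and 900–999 are never issued; group 00 and serial 0000 are invalid) are the Social Security Administration’s structural rules, used here to keep order numbers and timestamps from producing false positives.

```python
"""
Hunting for cleartext PII on undocumented egress paths.

Added example for the article above, not the author's or the client's
tooling. Assumes a sensor that yields one record per outbound session.
Internal ranges, the egress allow-list and the sample flows are hypothetical
and constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical: address space the network documentation lists as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical: documented (source host, destination, port) egress paths.
DOCUMENTED_EGRESS = {
    ("10.0.1.10", "203.0.113.5", 443),  # web tier -> payment API over TLS
    ("10.0.2.20", "198.51.100.9", 25),  # mail relay -> upstream MTA
}

# Nine digits in SSN layout, separators optional; \b trims obvious noise.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    encrypted: bool
    payload: str


@dataclass
class Finding:
    flow: Flow
    reasons: list = field(default_factory=list)


def hunt(flows, documented=DOCUMENTED_EGRESS):
    """Return one Finding per outbound flow that leaves by a path the
    documentation does not list, or carries SSN-like values in cleartext."""
    findings = []
    for f in flows:
        if is_internal(f.dst):
            continue  # east-west traffic is not egress
        reasons = []
        if (f.src, f.dst, f.dport) not in documented:
            reasons.append("undocumented egress path")
        if not f.encrypted:
            hits = [m.group(0) for m in SSN_RE.finditer(f.payload)
                    if plausible_ssn(*m.groups())]
            if hits:
                reasons.append(f"{len(hits)} SSN-like value(s) in cleartext")
        if reasons:
            findings.append(Finding(f, reasons))
    return findings


# Constructed sample: a documented TLS session, a cleartext POST of PII to an
# undocumented host, a cleartext flow whose nine-digit field is not an SSN,
# and an internal transfer that is not egress at all.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "203.0.113.5", 443, True, "\x16\x03\x01..."),
    Flow("10.0.3.40", "192.0.2.77", 80, False,
         "name=Jane+Doe&addr=1+Main+St&ssn=123-45-6789&tin=98-7654321"),
    Flow("10.0.3.41", "192.0.2.77", 80, False, "order=000-12-3456&build=2023"),
    Flow("10.0.3.40", "10.0.5.5", 445, False, "ssn=123-45-6789"),
]

if __name__ == "__main__":
    for fnd in hunt(SAMPLE_FLOWS):
        f = fnd.flow
        print(f"{f.src} -> {f.dst}:{f.dport}: {'; '.join(fnd.reasons)}")
```

Run against the sample, only the two cleartext flows to the undocumented host are reported; the TLS session on a documented path and the internal SMB transfer are silent. A documented path carrying cleartext SSNs is still flagged, since the allow-list answers “should data go out that way?” and the payload check answers “should this data go out at all?”, and the two questions are independent.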


“Should data ever go out that way?” he asked.


“No, it shouldn’t. That data shouldn’t go anywhere,” the client replied nervously.


Grifter discovered the data was being exfiltrated from a web server that was not in ..
