Hunting

Hunting missions attempt to discover latent (but active) attackers on the network, or previously unknown evidence of past attacks. By actively examining seemingly benign activity or artifacts in the context of known tactics and techniques of particular threat actors or in the context of specific threat scenarios, Active Defense practitioners take the initiative against attackers and reduce the time that attackers can expect to operate inside the network before being identified and eradicated. Hunting missions fall generally into two categories.

47% of respondents reported that their organization does not currently have an SOC*

26% of respondents that do have an SOC outsource real-time security monitoring*

Anomaly analysis

These missions examine artifacts located on particular hosts along with patterns of network traffic to identify malicious activity that automated security monitoring tools miss. Although the organization may have a sophisticated and comprehensive deployment of sensors to conduct security monitoring for network segments and endpoints, there are many forms of malicious activity that thwart automated detection but are plainly obvious to human analysts. As we discussed previously, the ability to identify anomalous activity is one of the key enablers of Active Defense and is critical to hunting missions. Anomalous activity is any activity that is strange, abnormal or doesn't belong in the context in which it is seen. This context could include the user who is engaging in the activity, the time when the activity is observed, the frequency with which the activity occurs and other circumstances. In addition to hunting for anomalous activity in new event streams, defenders should ensure that they search historical data as well.
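The context-based view of anomaly analysis described above can be turned into a small hunting script. The following is an added example, not code from the EY paper: it builds a per-user baseline (hours of activity, source hosts and peak events per hour) from historical logon events, then scores a batch of new events against the three context dimensions the text names (user, time, frequency). All log lines, usernames, hostnames and the burst threshold are constructed for the example; a real hunt would read the same fields from the SIEM or authentication logs.

```python
"""
Added example (not from the EY paper): score logon events for anomaly by
context, using the user, the time of day and the frequency of activity.
Log lines, users, hosts and thresholds are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed historical events used to build the baseline:
# "timestamp user source_host action"
HISTORICAL_LOG = """\
2015-03-02T08:55:10 alice ws-0143 logon
2015-03-02T09:02:41 bob ws-0207 logon
2015-03-03T08:49:03 alice ws-0143 logon
2015-03-03T09:11:27 bob ws-0207 logon
2015-03-04T08:58:51 alice ws-0143 logon
2015-03-04T09:04:12 bob ws-0207 logon
2015-03-05T08:51:36 alice ws-0143 logon
2015-03-05T09:00:05 bob ws-0207 logon
"""

# Constructed new events to hunt through
NEW_LOG = """\
2015-03-09T08:57:22 alice ws-0143 logon
2015-03-09T02:14:09 bob ws-0207 logon
2015-03-09T02:15:30 alice srv-fileshare-3 logon
2015-03-09T02:15:31 alice srv-fileshare-3 logon
2015-03-09T02:15:32 alice srv-fileshare-3 logon
2015-03-09T02:15:33 alice srv-fileshare-3 logon
2015-03-09T02:15:34 alice srv-fileshare-3 logon
"""


def parse(log):
    """Turn the whitespace-separated log format above into tuples."""
    events = []
    for line in log.splitlines():
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    return events


def hour_bucket(ts):
    return ts.strftime("%Y-%m-%dT%H")


def build_baseline(events):
    """Per user: hours of day seen, source hosts seen, and peak events in any one hour."""
    hours = defaultdict(set)
    hosts = defaultdict(set)
    per_hour = Counter()
    for ts, user, host, _ in events:
        hours[user].add(ts.hour)
        hosts[user].add(host)
        per_hour[(user, hour_bucket(ts))] += 1
    peak = defaultdict(int)
    for (user, _), n in per_hour.items():
        peak[user] = max(peak[user], n)
    return {"hours": hours, "hosts": hosts, "peak_per_hour": peak}


def find_anomalies(baseline, events, burst_factor=3):
    """Return (event, reasons) for every new event that breaks its user's known context."""
    per_hour = Counter((u, hour_bucket(ts)) for ts, u, _, _ in events)
    findings = []
    for ts, user, host, action in events:
        reasons = []
        if user not in baseline["hours"]:
            reasons.append("unknown user")
        else:
            if ts.hour not in baseline["hours"][user]:
                reasons.append(f"unusual hour {ts.hour:02d}")
            if host not in baseline["hosts"][user]:
                reasons.append(f"new source host {host}")
            n = per_hour[(user, hour_bucket(ts))]
            if n >= burst_factor * baseline["peak_per_hour"][user]:
                reasons.append(f"burst: {n} events in one hour")
        if reasons:
            findings.append(((ts.isoformat(), user, host, action), reasons))
    return findings


def hunt(historical=HISTORICAL_LOG, new=NEW_LOG):
    return find_anomalies(build_baseline(parse(historical)), parse(new))


if __name__ == "__main__":
    for event, reasons in hunt():
        print(event, "->", "; ".join(reasons))
```

With the constructed data, alice's routine 08:57 logon from her usual workstation is not reported, bob's 02:14 logon is reported only for the hour, and alice's five rapid logons to a file server at 02:15 are reported on all three dimensions at once. That last pattern is exactly the kind of event an automated threshold on any single field would miss but a human analyst recognises immediately; the baseline is also what makes the "search historical data too" point concrete, since the same scoring can be run backwards over older logs.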
The time when defenders become aware of a particular malicious behavior is always after the time when attackers began using it: thus, historical logs must be searched to ensure that a compromise hasn't already occurred.

• Identify cyber staging areas

Anomaly analysis can be used to identify cyber staging areas, and to deter or defeat sensitive data exfiltration. Attackers often form a beachhead within a compromised network. This is a host from which they launch sorties against other hosts on the network and on which they may store stolen data. Often this data is compressed, obfuscated, or even encrypted, to make it look like something it isn't. For instance, defenders may discover a large data cache rolled into several encrypted and compressed RAR files that have had their file extensions altered to make them look like video clips. This beachhead concept is important because hackers must prepare a staging ground within one or two "hops" from a location on the network from which data will be stolen. Not only is this required in order to limit the amount of activity on a target host to prevent detection, but routing connections and data through additional systems is technically complicated and subject to discovery as well. To identify staging areas, defenders search likely beachhead locations near sensitive systems for stolen data and stored tools. In enterprises that enforce data storage locations for users, such as those that require all personal files to be saved to a network-shared folder, this search can be straightforward. Searching may also be aided by enterprise file naming schemes. These often aren't apparent to outsiders, so attackers may inadvertently create filenames that immediately appear anomalous.
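The staging-area hunt described above checks for two things the text calls out: archive content hidden behind a video-clip extension, and filenames that break the enterprise naming scheme. The following is an added example, not code from the EY paper. It walks a shared folder, reads the first bytes of each file to recognise RAR, ZIP and 7z content regardless of extension, checks each name against a hypothetical naming scheme (PROJECT-NNNN_description.ext, an assumption for the example), and flags any folder holding several disguised archives as a possible cache. The sample share, its files and the scheme are all constructed here; a real hunt would point hunt_share() at the network-shared folders one or two hops from sensitive systems.

```python
"""
Added example (not from the EY paper): hunt a suspected beachhead's shared
folder for disguised archives and out-of-scheme filenames. The directory
tree, file contents and naming scheme below are constructed for the example.
"""
import os
import re
import tempfile

# Leading bytes of common archive formats (RAR 4.x and 5.x, ZIP, 7z).
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "rar",
    b"Rar!\x1a\x07\x01\x00": "rar",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Extensions under which each archive type legitimately appears. ZIP is also
# the container for Office OOXML documents, so those must not be flagged.
LEGIT_EXTENSIONS = {
    "rar": {".rar"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
    "7z": {".7z"},
}
# Hypothetical enterprise naming scheme: PROJECT-NNNN_description.ext
NAMING_SCHEME = re.compile(r"^[A-Z]{2,6}-\d{4}_[A-Za-z0-9-]+\.[a-z0-9]+$")
# Disguised archives in one folder before it is called out as a possible cache
CACHE_THRESHOLD = 3


def sniff_archive(path):
    """Return the archive type the file's leading bytes announce, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def hunt_share(root):
    """Return a sorted list of (relative path, [reasons]) worth an analyst's look."""
    findings = []
    disguised_per_dir = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            kind = sniff_archive(path)
            if kind and ext not in LEGIT_EXTENSIONS[kind]:
                reasons.append(f"{kind} archive content behind {ext} extension")
                rel_dir = os.path.relpath(dirpath, root)
                disguised_per_dir[rel_dir] = disguised_per_dir.get(rel_dir, 0) + 1
            if not NAMING_SCHEME.match(name):
                reasons.append("filename does not follow enterprise naming scheme")
            if reasons:
                findings.append((rel, reasons))
    for rel_dir, n in disguised_per_dir.items():
        if n >= CACHE_THRESHOLD:
            findings.append((rel_dir + os.sep,
                             [f"{n} disguised archives in one folder: possible staging cache"]))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share: legitimate documents plus a 'tmp' folder of disguised archives."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "tmp"))
    rar5 = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64
    files = {
        "FIN-0042_q3-forecast.xlsx": b"PK\x03\x04" + b"\x00" * 64,  # OOXML, legitimately ZIP
        "HR-0017_onboarding.docx": b"PK\x03\x04" + b"\x00" * 64,
        "ENG-0311_spec-v2.pdf": b"%PDF-1.4\n" + b"\x00" * 64,
        "tmp/holiday1.mp4": rar5,  # RAR volumes renamed to look like video clips
        "tmp/holiday2.mp4": rar5,
        "tmp/holiday3.mp4": rar5,
        "tmp/kb.avi": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 64,
        "tmp/notes.txt": b"call vendor re: invoice\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


def demo():
    return hunt_share(build_sample_share())


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

The Office documents are deliberately included because they are ZIP containers: a content check that only compares magic bytes against extensions would flag every .docx and .xlsx on the share, so the per-type allow list is what keeps the hunt from drowning in false positives. Everything under tmp is reported, and the folder itself is reported once as a possible cache because four disguised archives sit together in it.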
12 | Enhancing your security operations with Active Defense