High Efficiency Threat Hunting

Previously considered only appropriate for the most sophisticated organizations, Threat Hunting is now going mainstream. Threat Hunting activities are mandatory to reduce risk and to meet the requirements of recommendations such as the NIST CyberSecurity Framework. The challenge is to execute these activities with limited staff and budget. Advanced Deception solutions are very well suited to meeting this challenge: You simply configure and deploy deception assets such that attackers who satisfy your hunting hypothesis will be attracted to them.

As an example, consider this common situation: A firm discovers than an attacker has established a malware foothold on a device within their network. The malware is observed using specific techniques for reconnaissance and lateral movement. How can they efficiently determine whether the attacker has a presence on any other devices? They could take the brute force approach and explore all network endpoints, but this will be very time consuming, expensive, and won’t cover endpoints that come and go.

A much better approach is the Threat Hunter’s paradigm:

• Define a hypothesis – In this case that the attacker has other endpoints compromised and will try to move laterally using the same methodology
• Test the hypothesis – deploy Deception assets specifically configured to lure the attack towards them. If he takes the bait and tries to compromise the Deception decoys, the (compromised) source devices will be immediately pinpointed.

Note that this “Active Defense” approach to Threat Hunting is much better than using passive techniques such as log or behavioral analysis to test the hypothesis. Among the advantages:

Faster – Less dwell time
Easier – Fewer high-skill resources
More Effective – Lower business risk

Other examples of using ShadowPlex for Threat Hunting include:

• Threat Intel Analysis: Test the hypothesis that adversaries known to be attacking other enterprises in the same vertical or region with a particular methodology are targeting your organization
• Low Priority Alert Validation: Most organizations are forced to ignore vast numbers of alerts that are not prioritized high enough to be actively responded to. ShadowPlex makes it easy to test whether such alerts are actually indicators of high risk compromise that need to be addressed.

Threat Hunting with Advanced Deception is low-risk, as you typically don’t touch production assets or communications flows. The hunting takes place within the domain of the deception assets, which are non-production. Lastly, Advanced Deception solutions offer much better engagement with threat actors, including isolating them in areas where they can do no damage but their TTPs can be further analyzed. For these reasons, Deception is well-suited to Threat Hunting requirements, even in organizations that are just starting to operationalize this important use case.