Barracuda MSP Exec On How To Tackle Emerging Cybersecurity Threats

Threat hunting is an "ongoing exercise."

Samara Lynn

Threat hunting. That was a phrase used repeatedly by Eric Russo, senior security operations center manager, defensive security at Barracuda MSP about battling cybersecurity attacks during his presentation at the Midsize Enterprise Summit IT Security 2024, hosted by MES Computing parent The Channel Company.

Just like the toothy, predatory fish after which the cybersecurity company is named, Barracuda takes an aggressive approach to detect and "hunt" threat actors in its customers' environments, Russo said. 

Threat hunting is an "ongoing exercise," said Russo, who leads intensive security operations within Barracuda's SOC team.

As most anyone in IT knows, there are more threats than ever before. "I think we're seeing between two and sometimes even five or ten critical vulnerabilities being published in a given week," he said.

"We have this process running regularly," he said. "It starts with each week we assign engineers and analysts from our SOC team to conduct threat research … What are the new vulnerabilities that are being published? What are new malware variants?  … What new tactics and techniques are threat groups executing?" 

Russo then broke down the steps that the SOC team takes to pinpoint and respond to threats – useful advice for any IT security professional:

How To Hunt Cyber Threats

Gather Intelligence

Russo said that the SOC team looks for specific threat indicators in suspicious files. "Indicators could be simple things … 'I couldn't address [the] domain's hash values.' [We] gather as much intelligence as possible around the threat and then validate that intelligence. That's a pretty significant step that sometimes gets missed in the threat intelligence process. But something we really emphasize is: if your indicators are illegitimate, you're going to create a lot of false positives, a lot of noise for your customers. We don't want to do that. A really important part of our process is validating the IOCs [indicators of compromise]."

Create A Hypothesis

When analyzing a potential threat, "an engineer or analyst will create a hypothesis," Russo said. 

"What do I think the threat actor is doing? What have I learned based on my recreation of the attack? What is the general idea behind this threat? Then [we] use that to conduct an investigation with the tools and techniques that we have on our XDR [extended detection and response] platform."

Study IOCs

Next, SOC analysts may investigate IOCs, Russo said. 

"Maybe we'll see, ‘hey, this IP address we know it's associated with this threat,’ and then we see it doing these additional actions. We can gain more information and uncover new patterns and new techniques."

Analyze All Information

Russo said the SOC team then takes all of that collected information and runs it against their threat intelligence tools. 

"[We] correlate [it] against additional data sources … trying to gather as much information as possible to paint a full picture so that when we go to a customer as a SOC we can say, ‘here's everything that we see happening in your environment,’" he explained.

Learn From Threat Hunting 

"We take what we learn from threat hunting," Russo said. "[We] do some detection engineering in order to be able to monitor for these types of threats, these types of exploits in real-time going forward. [We] automate response actions – these could be things as simple as if we see a bad IP address [and] blocking it on the firewall," he added. 

He said the team also takes more advanced actions, such as watching for certain file extensions it knows are associated with the LockBit ransomware group.

"Let's not only make sure we mitigate that file or that malicious threat, but let's take the step further. Let's network quarantine that device, make sure we're getting contact with the organization. We're working with them in order to fully contain the potential incident," he said.

Share Information With The Cybersecurity Community

"Publishing advisories" and "sharing the intelligence we've gathered" are also important parts of winning the war against these emerging threats, Russo said.
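The hunting loop Russo walks through above (validate the gathered IOCs before using them, test a hypothesis against telemetry, correlate hits per host across data sources, then escalate from a simple firewall block to network quarantine when ransomware indicators appear) can be sketched in a few dozen lines. The code below is an added illustration, not code from the article or from Barracuda's SOC tooling. The indicator feed, the `ts source key=value` log format, the host names, the reserved-range IP addresses and `.invalid` domains, and the `.lockedfile` extension standing in for a ransomware family's known extension are all constructed for the example.

```python
"""Added example: a minimal validated-IOC hunt over constructed log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "extension"
    value: str
    source: str      # where the indicator was gathered from
    validated: bool  # unvalidated IOCs are kept for research but never alerted on


# Constructed indicator feed (hypothetical values in reserved test ranges/TLDs).
IOC_FEED = [
    Indicator("ip", "203.0.113.10", "weekly-threat-research", validated=True),
    Indicator("domain", "c2.example.invalid", "weekly-threat-research", validated=True),
    Indicator("ip", "198.51.100.7", "unvetted-paste", validated=False),
    # Placeholder extension standing in for a ransomware family's known extension.
    Indicator("extension", ".lockedfile", "weekly-threat-research", validated=True),
]

# Constructed telemetry from three sources: DNS, firewall ("fw") and file events.
LOG_LINES = [
    "2024-07-25T10:00:58Z dns host=ws-17 query=c2.example.invalid",
    "2024-07-25T10:01:02Z fw host=ws-17 dst=203.0.113.10 dport=443 action=allow",
    "2024-07-25T10:01:09Z fw host=ws-17 dst=198.51.100.7 dport=80 action=allow",
    "2024-07-25T10:02:30Z fw host=srv-02 dst=192.0.2.44 dport=443 action=allow",
    "2024-07-25T10:03:00Z dns host=srv-02 query=updates.example.invalid",
    "2024-07-25T10:05:11Z file host=ws-17 path=C:/Users/a/q3.xlsx.lockedfile event=create",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Split a 'ts source k=v k=v ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "src": m.group("src")}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def validated_indicators(feed):
    """Gather intelligence: only validated IOCs feed detections, to avoid noise."""
    out = defaultdict(set)
    for ioc in feed:
        if ioc.validated:
            out[ioc.kind].add(ioc.value)
    return out


def match_indicators(fields, iocs):
    """Test one event against each indicator type; returns (kind, value) hits."""
    hits = []
    dst = fields.get("dst")
    if dst and dst in iocs["ip"]:
        hits.append(("ip", dst))
    query = fields.get("query")
    if query and query.lower() in iocs["domain"]:
        hits.append(("domain", query.lower()))
    path = fields.get("path")
    if path:
        for ext in iocs["extension"]:
            if path.lower().endswith(ext):
                hits.append(("extension", ext))
    return hits


def correlate(lines, feed):
    """Analyze all information: group hits per host so the SOC sees the full picture."""
    iocs = validated_indicators(feed)
    by_host = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None or "host" not in f:
            continue
        for kind, value in match_indicators(f, iocs):
            by_host[f["host"]].append(
                {"ts": f["ts"], "src": f["src"], "kind": kind, "value": value})
    return dict(by_host)


def decide_response(host, hits):
    """Automated response: a bad IP gets a firewall block; a ransomware extension
    also quarantines the device and opens contact with the customer."""
    actions = [f"block_ip:{h['value']}" for h in hits if h["kind"] == "ip"]
    if any(h["kind"] == "extension" for h in hits):
        actions.append(f"network_quarantine:{host}")
        actions.append("contact_customer")
    return actions


def run_hunt(lines=LOG_LINES, feed=IOC_FEED):
    """Full loop: returns {host: [actions]} for every host with validated hits."""
    return {host: decide_response(host, hits)
            for host, hits in correlate(lines, feed).items()}


if __name__ == "__main__":
    for host, actions in run_hunt().items():
        print(host, actions)
```

On the constructed input, `ws-17` is the only host with findings: its DNS query, its connection to the validated bad IP, and the ransomware-style file extension correlate into one picture, so the response escalates beyond a firewall block to quarantine and customer contact. The connection to `198.51.100.7` produces no alert because that indicator was gathered but never validated, which is exactly the false-positive source Russo warns about.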
