This column is available in a weekly newsletter called IT Best Practices.
Your company's senior executives are discussing cyber security and the possibility of suffering a data breach. The CEO read that if a company has valuable data, then a breach is statistically inevitable. Thankfully your company hasn't discovered a breach, but that means very little: FireEye has reported that attackers typically remain undetected inside a network for around 200 days. The worried CEO picks up the phone, calls you and asks, "Has our enterprise network been hacked?" He wants a definitive yes or no answer, right then and there. What do you tell him?
I would venture to say that most network security professionals would qualify their response by telling the CEO the company is well protected by a defense-in-depth strategy designed to protect the network from experiencing a successful attack. But in the event that malware is able to slip past those defenses, the company has monitoring and detection capabilities that are intended to notify someone that suspicious activity is taking place—hopefully in enough time to stop it before damage is done.
Under these circumstances, perhaps the most honest response to the CEO's question is a less-than-definitive "We have not seen any indications of being hacked." What this really means is, "Our monitoring and detection tools haven't found any telltale signs of compromise yet, but the malware could be well hidden. We'll keep looking, though!"
Rather than waiting for alerts to investigate, more and more enterprises are adding the ability to hunt for signs of a compromise. Hunting involves an iterative and proactive approach to search for threats hiding within a network.
Threat hunting has been primarily the domain of managed security service providers that offer specialty services staffed by highly skilled examiners. But emerging tools are now purpose-built for threat hunting. One such offering is Infocyte HUNT, from Infocyte, a company founded by a group of former US Air Force cybersecurity officers who have made it their mission to deny attackers the ability to persist undetected inside your network.
Infocyte HUNT is a scanner that examines the workstations and servers on a network to establish what is actually running on them, what is set to run on them, and whether there are signs that the systems have been manipulated. Unlike a monitoring tool that simply watches the network for events, Infocyte performs on-demand and scheduled scans of the hosts to determine whether they have been compromised. The company says HUNT has found malware, breaches and backdoors that had gone undetected by the anti-virus and event monitoring tools already deployed on the networks it scanned.
From their years with NSA Texas and the US Air Force Cyber Command, the company founders have a deep background in volatile memory forensics. They've used this expertise to develop the core technology of HUNT, which is built around examining a computer's volatile memory. The scanner first enumerates everything the operating system reports as running, then goes beneath the operating system and collects a second view directly from raw memory, which the operating system's own APIs cannot filter. It then compares the two views: anything present in one but not the other indicates that the system has been manipulated or that something is trying to hide. In general it looks at everything that is running and everything that is triggered to run through some kind of persistence mechanism.
Infocyte calls its approach agentless, but in practice it uses a temporary, dissolvable agent: a small piece of code is pushed into the memory of every workstation and server being scanned. This code runs for about a minute, collecting information from the operating system and from volatile memory. The information is packaged up and sent to a central server, and the code is then removed from the scanned host.
The collected data is evaluated and analyzed through a combination of Infocyte's proprietary memory analysis and third-party malware analysis. A customer's own threat intelligence feeds can also be incorporated into the analysis.
Traditional security tools perform binary analysis on files in transit or on disk and decide whether each file is good or bad. Infocyte doesn't follow that formula. Instead, HUNT looks for signs of malicious code running somewhere in memory, or of something trying to hide from the operating system. Infocyte asks: is the system providing remote access to someone? Is malware installed, perhaps with a persistence mechanism that will execute it at some point in the future? Those are different questions from the ones asked of a file sitting on disk or being written to disk, and answering them from live, volatile memory requires a different kind of analysis.
As malware becomes more sophisticated, its developers rely on persistence mechanisms so that the code survives a reboot or a cleanup attempt and runs again later. The mechanism could be a registry entry, such as a Run key, that points at or references the malware. It could be a scheduled task. It could be a redirected boot process, so that the malware starts the next time the device boots. In addition to finding active threats in volatile memory, the company says its technology can detect malware that is embedded on the system and triggered to run at some later point.
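The two checks described in the preceding paragraphs, comparing the operating system's view of running processes against the view recovered from memory, and triaging the persistence triggers found on a host, can be shown together in a small hunting script. The Python below is an added example written for this column; it is not Infocyte's code and does not reproduce how HUNT works internally. It runs over a constructed snapshot of a single workstation (every hostname, process ID, path and registry entry in it is made up) and assumes that a collector has already produced the two process lists, the autorun entries and the set of files present on disk. The list of directories treated as trusted is likewise an assumption made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str          # path of the executable backing the process


@dataclass(frozen=True)
class Autorun:
    source: str         # where the trigger lives: a registry value, a scheduled task, ...
    command: str        # the command line that trigger launches


@dataclass
class HostSnapshot:
    hostname: str
    os_view: list       # processes as reported by the operating system's own API
    memory_view: list   # processes as found by walking kernel structures in raw memory
    autoruns: list      # persistence entries collected from the registry and task scheduler
    files_on_disk: set  # lower-case paths present on disk at collection time


# Where legitimately installed software normally lives (an assumption for this example).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_from_command(command: str) -> str:
    """Extract the executable path from a command line, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def hidden_processes(snap: HostSnapshot) -> list:
    """Cross-view check: anything found in memory that the OS does not report.

    Both views must be collected back to back; a process that merely exited
    between the two collections would otherwise show up here as well.
    """
    visible = {p.pid for p in snap.os_view}
    return [p for p in snap.memory_view if p.pid not in visible]


def suspicious_autoruns(snap: HostSnapshot) -> list:
    """Triage persistence entries by whether and where their target exists."""
    findings = []
    for entry in snap.autoruns:
        image = image_from_command(entry.command).lower()
        if not image:
            continue
        if image not in snap.files_on_disk:
            # Dangling trigger: the payload was removed or has not been staged yet.
            findings.append((entry.source, image, "target missing on disk"))
        elif not image.startswith(TRUSTED_DIRS):
            findings.append((entry.source, image, "target outside trusted program directories"))
    return findings


def hunt(snap: HostSnapshot) -> list:
    """Combine both checks into a list of human-readable findings."""
    report = [f"{snap.hostname}: pid {p.pid} ({p.image}) is in memory but not in the OS process list"
              for p in hidden_processes(snap)]
    report += [f"{snap.hostname}: autorun {src} -> {img}: {why}"
               for src, img, why in suspicious_autoruns(snap)]
    return report


# Constructed snapshot of one workstation; hostnames, pids and paths are made up.
COMMON = [Proc(4, "System"),
          Proc(688, r"C:\Windows\System32\svchost.exe"),
          Proc(1204, r"C:\Windows\explorer.exe")]

SAMPLE = HostSnapshot(
    hostname="ws-017",
    os_view=COMMON,
    # Same processes plus one the OS no longer lists (unlinked from the kernel's process list).
    memory_view=COMMON + [Proc(3412, r"C:\Users\Public\svchost.exe")],
    autoruns=[
        Autorun(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                r"C:\Windows\System32\SecurityHealthSystray.exe"),
        Autorun(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                r'"C:\Users\Public\svchost.exe" -k netsvcs'),
        Autorun(r"Scheduled task \Microsoft\Windows\Sync\Helper",
                r"C:\ProgramData\Sync\helper.exe /silent"),
    ],
    files_on_disk={
        r"c:\windows\system32\svchost.exe",
        r"c:\windows\explorer.exe",
        r"c:\windows\system32\securityhealthsystray.exe",
        r"c:\users\public\svchost.exe",
    },
)

if __name__ == "__main__":
    for line in hunt(SAMPLE):
        print(line)
```

Run as a script, it reports three findings for the constructed host: a process that exists in memory but not in the OS process list, a Run key whose target lives in a user-writable directory, and a scheduled task whose target is no longer on disk. The shape of the checks is the point: the cross-view comparison catches what is hiding now, and the autorun triage catches what is set to run later. A real collector has to gather the same three inputs on each host, and the memory walk that produces the second process list is the hard part a product like HUNT does for you.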
The architecture of the Infocyte HUNT solution is hybrid cloud. The cloud component hosts malware analysis services, third-party threat intelligence, multiple detection engines and a sandbox. The Infocyte HUNT server, which runs the actual scans and collects the data, is installed on premises for each customer. This server then queries the Infocyte cloud with questions such as "Have you ever seen this application?" or "I need this analyzed because it looks suspicious." Because the sandbox lives in the cloud, a sample flagged as suspicious leaves the premises for analysis, which is worth checking against your data-handling policies before deployment.
In addition to hunting for threats, the tool can provide an independent validation of a network in the form of a compromise assessment. These assessments are used in mergers and acquisitions and for cyber insurance purposes. Say one company is buying another, and the acquiring company wants to know whether the acquired company's network is clean before the two networks are joined. Or a business is applying for cyber insurance, and the insurer wants to know whether there are any pre-existing conditions indicating that a breach is imminent or already under way. Infocyte's solution can help provide those answers.
Infocyte says its product is primarily used by security professionals, incident responders, vulnerability assessment people, and others who have similar knowledge and skills. Highly specialized skills are not required.
As of this writing, Infocyte HUNT supports devices running versions of Windows from XP through Server 2016. It also supports at least nine Linux distributions, with backward compatibility for older kernel versions. Support for mobile devices is on the roadmap for 2017. Ultimately the vendor wants to be able to evaluate any device on the network, determine whether it has been compromised, and give a validated answer of either "Yes, you have a clean network" or "You have a compromise and you need to fix it."