While tabletop exercises are always a hot commodity for our customers, proactive threat hunting and compromise assessments are becoming increasingly popular through our Cisco Incident Response Readiness & Retainer service. Whether your organization has recently gone through a merger or acquisition, or is in the later stages of its incident response evolution and maturity, finding out what you don't know (and what your security platforms aren't telling you) about your network can be an integral part of your organization's incident response maturity and capability.
The Cisco Security Incident Response Services team takes a vendor-agnostic approach to how we deliver our customer-focused incident response service. However, when we engage with our clients, we bring the full "Cisco engine" with us during incident response and can quickly respond anywhere in the world. Our intelligence-driven incident response approach leverages the best threat intelligence in the business, Cisco Talos, along with a team of seasoned incident response professionals.
When clients hear about the depth of services included with the Cisco IR Retainer, we often get questions around compromise assessments and threat hunting. One of the most common questions:
What is the difference between a compromise assessment and a threat hunt?
Simply put, the difference between a compromise assessment and a threat hunt is scope and depth. In this blog post, I hope to provide you with some additional information that will help you distinguish between a compromise assessment and a threat hunt, so you are better informed.
Consider the following:
Don't panic if you don't know the answers to these questions. When you work with your personal Cisco Security incident response consultant, they will walk you through the options available and help you decide which one best fits your organization's needs.
A compromise assessment is a high-level review of the organization that does not rely on a hypothesis or a limited scope. It exists to answer one fundamental question: am I compromised? In other words, based on your organization's data, logs, and existing telemetry, are there any indicators of compromise, or threat actors present in the environment?
As we begin working with you to perform a compromise assessment, our experts will first review any relevant telemetry your organization has available. During scoping we identify visibility gaps and recommend any tools that should be deployed to close them, such as Cisco Umbrella, Cisco AMP for Endpoints, or Cisco Stealthwatch. From there, we look for anomalies and known indicators of compromise.
Given the wide breadth of the assessment, a deep dive is generally not possible. As I mentioned in a previous blog post, a lack of sufficient logging inhibits an organization's ability to conclusively determine root cause during incident response. A compromise assessment can establish that baseline where logging is insufficient or instrumentation is lacking. In addition, a compromise assessment can help highlight the risk associated with a compromise that is not being effectively communicated to senior or executive leadership within your organization.
Threat hunting is a mature, hypothesis-driven process that relies on manual interaction with the data. The end goal of threat hunting is reducing dwell time and preventing adversaries from completing their objectives (espionage, pivoting, data exfiltration, etc.). The hypothesis is derived from adversary tradecraft and/or threats targeting your organization. A threat hunting exercise is never a "one-size-fits-all" approach and involves an experienced incident response (threat hunt) team. The team tailors the hunt around your organization's current data collection, which allows the team to map threat hunt methodologies to the vetted hypothesis that is guiding the active hunt. We are hunting for the unknowns.
Consider the following:
There are several threat hunt use cases we may target:
Our awesome team of seasoned incident response professionals is able and willing to assist your organization with a compromise assessment or threat hunt based upon your needs. Just as when we are engaged in emergency response activities with customers, we leverage our Talos colleagues (the best in the business) when engaged in threat hunting activities with customers. Talos is baked into everything we do at Cisco Security, which benefits our IR customers during a crisis or when maneuvering through treacherous waters.
The power and flexibility of the Cisco Incident Response Readiness & Retainer lies in its proactive service component, which fits every organization. Through your Cisco Incident Response Readiness & Retainer on-boarding process, we'll work with your organization to establish a baseline of your threat management capabilities, opportunities, and limitations so that your organization is better prepared for incident response activities.
Please leave a comment, or feel free to reach out to me on Twitter @brgarnett or via PGP.