Threat Hunting: Remediation

Introduction to Remediation

Most of a threat hunter’s work is searching for the “needle in the haystack,” using a variety of tools and techniques to look for threats that may or may not exist. Sometimes, however, the hunter actually finds something that has slipped past the organization’s defenses. At that point, it is time to perform remediation.

At this stage in the process, the assumption is that the threat hunter already knows everything there is to know about the threat. They’ve detected signs of compromise, performed an in-depth investigation and ferreted out all its secrets. Now it’s time to get rid of it and move on.

The strategy a threat hunter uses during remediation depends on the sophistication of both the hunter and the attack. In some cases, basic remediation steps are enough to eliminate the threat. Advanced adversaries, however, can detect and evade these steps, so more comprehensive measures may be required.

Basic techniques for remediation

There are many ways to remediate an attack, with varying levels of difficulty, sophistication and success. Depending on the sophistication of the adversary and the tools they use, a given technique may be sufficient in one case and ineffective in another. In this section, we explore some simple techniques for remediating threats discovered during threat hunting.

Reboot

One of the simplest ways of dealing with malware on a computer is to restart it. This response is so widespread that a common first question about a malfunctioning computer is “Have you tried turning it off and back on again?” A reboot is often effective against simple issues, but most malware and threat actors have evolved well past the point where a restart alone poses any threat to their operations.


*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/aoBKowZek0o/