IT Security Sep 17, 2020

Threat hunting – The 21st century treasure hunt.

In times when malware is spreading rapidly, you don’t have to wait long before you are hacked or have malware in your network. That’s why it’s extremely important to have the right tools and skills to detect threats, identify "Patient Zero" and introduce countermeasures as quickly as possible. Exactly these tools and skills were acquired by 17 Bechtle security engineers during a threat hunting workshop.


Dirk Eberwein
Presales Security Consultant

After a short introduction to the various tools and to access to the individual Cisco solutions, such as Cisco AMP4Endpoint, Cisco Umbrella, Cisco Threat Response and Cisco Email Security, we got down to business with a realistic case study. The Bechtle security professionals were set the task of defeating the well-known “Olympic Destroyer”, which aimed to paralyse the IT infrastructure of the 2018 Olympic Games in Pyeongchang.

The scenario.

"The day started like any other day. You’re sitting at your desk, minding your own business. It’s about 0930 on a cold Tuesday morning. You’re pounding your way through your SIEM alerts, and draining your second cup of coffee of the morning. So far, things are going well. And then she walks into the room. Jane Cosnowski, the CFO for your company, just stormed into your office, all pale and shaky, her laptop clutched in her trembling hands, and she says, “I just heard about this new threat called ‘Olympic Destroyer’ on the news this morning! This sounds terrible! Are we protected?” Now it’s up to you. Let’s give Jane the peace of mind she needs to get back to counting her beans and out of your hair. First of all, we need to figure out what the threat is. We’re going to start by doing a Google search for Olympic Destroyer. Let’s use Cisco Talos intelligence to determine what this threat is, and how to eradicate it."

A lot of IT admins are confronted with the same or similar situations every day: something is spotted in the press, or a notebook starts acting strangely, and the search for the infamous needle in the haystack begins.

“CozyBear” and “Fish the Phish”.

The threat hunting workshop is based on realistic scenarios and is like a modern-day treasure hunt with a succession of tasks. Just as in real life, skills are acquired very quickly, and you work your way up from beginner to junior analyst before finally becoming a master hunter.

Alongside the search for the Olympic Destroyer, there were also hunts for “CozyBear” and phishing attacks such as “Fish the Phish” where a company fell victim to a phishing attack. In this scenario, Bechtle’s security experts had to search the entire kill chain—from the gateway (e-mail) to the internal distribution and infection of PCs—and carry out a detailed analysis. At the end of every section, we were asked course-related questions and could only move up to the next level by answering them correctly.

The Cisco Threat Hunting Workshop is very helpful, as it not only shows the day-to-day work of a security analyst, but also presents the individual solutions a business needs in order to be in a position to tackle today’s threats.

After the workshop, everyone agreed that a modern treasure hunt is a lot of fun and you can gain a lot of new knowledge in a very short time.

If you would like to take part in a threat hunting workshop, get in touch!