4.8.3 Root Cause Analysis & Threat Hunting
Root cause analysis and threat hunting are proactive and reactive security processes used to identify why an incident occurred and to find undiscovered malicious activity within a network.
Root Cause Analysis (RCA) Root cause analysis is the process of discovering the underlying origin of a vulnerability or security incident to ensure it does not happen again. - Identifying Vulnerabilities: A vulnerability is an inherent weakness (like a default password); the threat is the action taken against it. - Indicator of Compromise (IoC): Forensic artifacts left behind by a threat actor. Examples include unusual outbound traffic, unauthorized file permission changes, or known malware signatures. - Data Quality: Effective RCA relies on data. While quantitative analysis uses numerical values (SLE, ALE), it can be subjective or inaccurate due to incomplete data. Qualitative analysis is often preferred for assessing impacts that are difficult to measure in exact dollars.
Threat Intelligence & Research Threat intelligence is the collection and sharing of information regarding past, current, and potential attacks to help organizations prepare. - Dedicated Sources: Vulnerability databases and threat feeds help define characteristics and signature types. - Research Sources: Security analysts use academic journals, social media, and industry blogs to track emerging trends. - The Dark Web: Sites not indexed by standard search engines. These are monitored via sting operations to identify criminal activity or leaked corporate credentials. - Information Sharing: Cybersecurity professionals often collaborate with peers (ISACs/ISAOs) to notify others of new attack vectors.
Threat Hunting Tactics Threat hunting is a proactive search for cyber threats that are lurking undetected in the environment. - Establishing a Hypothesis: Analysts begin with a theory based on current threat intelligence or suspicious activity. - Analyzing Threat Actors: Hunting focuses on identifying the motive and resources of an actor (e.g., automated scripts, malicious insiders, or sophisticated hackers). - Proactive Discovery: Unlike passive monitoring, threat hunting assumes a breach has already occurred and looks for evidence that traditional security tools might have missed.
Quick recall - Vulnerability: A weakness or flaw in the system. - Threat: The potential for a threat actor to exercise a vulnerability. - IoC: Tangible evidence of an intrusion (high traffic, new accounts, changed files). - Dark Web: Non-indexed sites used to trade illegal data or tools. - Quantitative vs. Qualitative: Quantitative is data-driven but often subjective; qualitative is opinion-based or descriptive. - Threat Actor: Any individual or program capable of initiating a negative event.