Defining Threat Hunting?
Threat hunting is the discovery of malicious artifacts, activity or detection methods not accounted for in passive monitoring capabilities. Essentially, threat hunting is the process of identifying unknown threats that otherwise would be hiding in your network and on your endpoints, lying in wait to further expand access and/or steal sensitive data.
Three Strategic Approaches for Threat Hunt
Retrospective Discovery
This approach leverages new internal or external intelligence (i.e. new IOC) to look back across the environment to see if a threat exists that was not previously detected.
Artifact Discovery
Statistical analysis approach, using machine learning to collate, aggregate and crunch the data to find abnormalities (i.e. identify the least used user agent string over the last 30 days and analyze why that is)
Activity Discovery
This type of threat hunting is where analysts identify patterns of behaviors (TTPs) that could be malicious.
Why is Threat Hunting Important?
Threat hunting is derived from a shift in the approach by security professionals on how to address risks within the organization. Previously, the focus was on building defense-in-depth and quickly reacting to suspicious activity – a “Vulnerability-Centric” approach.
More organizations are beginning to shift their approach to ensure greater visibility within the environment and proactively look for anomalous activity based on various profiles and behaviors of attacks, attackers, and their tools. This detection-based paradigm shift is considered a “Threat-Centric” approach of which threat hunting is a core component.
Threat hunting provides organizations with a method for taking a proactive approach to the identification of sophisticated, unknown threats… threats that have evaded preventative and signature-based detection methods. As research has shown, the average dwell time (where an attacker is hunkered down inside a network before being discovered) is measured in months.
Threat hunting is a way to find attackers inside the network before they have had the opportunity to cause real damage – either by disrupting operations or stealing sensitive data. Additionally, threat hunting can be used to create new behavioral tactics, techniques, and procedures (TTPs) that can be added to existing detection methods/rules/tools/and intelligence. A threat hunting endeavor will help identify activity that may have gone unnoticed over time or across the infrastructure.
Where to Start with Threat Hunting?
Before threat hunting can begin, a prioritized set of questions must be determined as these will drive the hunt. You also must understand your infrastructure and your data as that will impact what types of threat hunting activities you can conduct. Also important is understanding the expertise on hand as that will impact threat hunting as well. Threat hunting is an advanced, but highly beneficial capability that requires the right people, technology and data to help answer the critical hypotheses that are created.
What are Key Capabilities to Look for in a Threat Hunting Capability?
Threat hunting requires the right expertise, along with the tools and data, so the first thing to determine is if that expertise is on staff, to be hired, or to be outsourced. Often times organizations will look to outsource their threat hunting capability through a Managed Detection and Response provider.
Important capabilities and data to effectively conduct threat hunting activities include the following:
People Skills
Threat hunting requires a unique skillset that combines multiple disciplines of security infrastructure, threat intelligence, malware analysis, data analytics and forensics, and creativity.
Threat hunters should have:
- An understanding of both networks and how operating systems (OS) work in an infrastructure.
- A background or understanding of analytic tradecraft, including the ability to create hypotheses and test those against assumptions (including biases).
- An understanding of how attacker TTPs from both a process and/or tool perspective.
Threat Hunting Process
A threat hunting process should begin by defining the level of importance that cyber risk has upon the business, what potential threats could occur and how those threats would create risk. Existing tools and teams should be used to profile the infrastructure and ensure that the profile stays up-to-date. Part of the threat hunting process also includes determining what information you need to collect and for how long, as well as what must be analyzed to ensure proactive threat analysis. By focusing on the areas within the Pyramid of Pain, you can gain the greatest impact, while minimizing alert fatigue.
Once your threat hunting process is defined, create a set of rules to identify the risk or threat and metrics to address efficiency (i.e. how many alerts are generated by a new rule versus how many tickets are closed by analysts).
Use the profile of the environment and the information collected to address the following questions:
- What can be automated versus what should be analyzed?
- What should be the focus in terms of intel sources?
- How are you incorporating the analysis process and cross-verifying with the information, such as the MITRE ATTACK framework?
By having a strong documentation and feedback process for the threat hunting activity, you can leverage the postmortem of the activity and results to further refine the process and the Cyber Threat Intelligence (CTI) IOCs.
Technology
The third pillar of being ready to conduct threat hunting exercises is having the right technology in place. If possible, ensure solutions can collect metadata from multiple layers in real time. Oftentimes a SIEM will provide a repository of raw logs but may lack the capabilities or will be over-subscribed to allow for hunting activities to occur within a specific timeframe.
Key capabilities to look for in a solution that will enable threat hunting include the ability to:
- Ingest and store metadata from network and cloud traffic, as well as endpoint activity for real-time detection and retrospective analysis.
- Overlay that rich metadata with threat intelligence and run scripts to capture specific data for visibility and context.
- Import live data from various sources (i.e. network traffic and endpoint activity) into a solution where correlation of real-time and historical activity can occur to enhance visibility and validate the activity.
- Provide visibility across the cyber terrain to validate against the current environment.
- Leverage a deception layer that can be used to provide context or validation of activity.
- Foster the analyst’s creativity to help identify anomalous activity with an extensible query solution for hosts.
- Quickly pull forensic images of memory or the hard drive for further analysis.
