Five Levels Of Threat Hunting: Key Takeaways From DNIF Konnect 2
Threat hunting has become one of the most misunderstood topics in cybersecurity. For the second session of DNIF Konnect, we wanted to address the confusion surrounding threat hunting, so we had Mr. Ankit Panchal from NSDL talk to us on “hunting maturity model”. Here are some key takeaways from the session that we feel every cybersecurity analyst should know:
Myths associated with threat hunting
Many analysts think threat hunting is some sort of tool or software, or a technology that can somehow detect threats on its own. Some even think that threat hunting is only for the elite, “blue-team” professionals, and not suited to beginners. Below are some other common myths associated with threat hunting:
- Endpoint detection and response (EDR) is not threat hunting.
- Threat hunting is not a new product category in cybersecurity.
- Threat hunting is too complicated.
- Threat hunting isn’t worth the time it takes.
- Threat hunting is expensive.
None of this is true!
What is threat hunting?
To put it simply, it is the process of finding abnormal or malicious activity on servers and endpoints that may lead to intrusion or exfiltration of data.
As Ankit puts it,
[Threat hunting] is a proactive process which a tool on its own cannot do. It involves both: the security analysts and their security tool.”
What is the Hunting Maturity Model?
We all know that nothing is “100% secure”; however, timely identification and mitigation of risks unique to one’s infrastructure is what comprises the core of threat hunting — and this helps improve an organization’s security posture over time. How can this be achieved? The answer is the Hunting Maturity Model.
Ankit defines the Hunting Maturity Model as “a measure of technique and data you can work upon to evolve and mature your threat hunting process.” For organizations that are using threat hunting but don’t know which level of maturity they are at, or for those who have not yet started with threat hunting, here are the five levels of the Hunting Maturity Model (HMM) described briefly. You can use your organization’s position in the list to understand what it will take to upgrade your threat hunting program:
- HMM 0: Use of a basic threat intelligence or threat validation tool to identify known indicators of compromise (IOCs). Organizations at this level are at least able to identify basic threats (or “low-hanging” threats) within their infrastructures.
- HMM 1: Use of platforms, such as a traditional SIEM platform, with a comprehensive flow of log data covering about 80% of the total devices that comprise infrastructure. This includes routine data collection from such devices, which produces good data sets for setting up effective correlation rules. Data enrichment and validation from external threat intelligence providers complement the data collected internally.
- HMM 2: Includes collection and analysis of network “flow data” (e.g., NetFlow), plus the technology stack in HMM 1.
- HMM 3: Characterized by a process involving a dedicated team of threat hunters whose responsibility it is to devise their own procedures. Threat hunters use their own data analysis techniques adapted to the most prominent risks for their organization. This also involves the use of machine learning to identify outliers or anomalies, aided by context-based data visualisation and drill-down analysis.
- HMM 4: In addition to the technology stack in HMM 3 the use of workflow-based automation and security automation playbooks. At this stage, security analysts focus only on the most critical alerts.
Primary threat hunting techniques
Having gone over the stages of HMM, we’ll follow up with a list of the primary techniques in threat hunting, apart from SIEM-based correlation.
- Searching: Querying the data store for events or artifacts of interest.
- Clustering: Grouping and assigning labels to events based on characteristics from a larger data set. For example, you might want to identify servers accessed by only a few machines on a specific port, at a time when other machines didn’t access those servers at all. This approach is particularly effective when applied to machine learning models.
- Grouping: Identifying occurrences of multiple sets of unique artifacts or behaviors taken as a unit. For example, you could choose to visualize the frequency with which different commands are executed across hosts in a specific timeframe.
- Stack counting: Counting numbers of occurrences for values of a particular type, and identifying deviations from this count. This is a method of outlier detection. For instance, you can categorize outbound connections on a set of ports based on frequency.
This session was really helpful in understanding the basics of threat hunting and how it improves the overall security posture of an organization. If you would like to watch the complete recording of DNIF Konnect #2, check out our post on the community forum.