March 12, 2019 / by Cheryl Dsa / In siem , security-analytics /

Getting started with threat hunting

In the previous post, we explained the concept of threat hunting and the important role it plays in an organization’s security strategy. What’s next?

In this post, you’ll learn how to plan and prepare for threat hunting. We’ve also included some practical threat hunting tips and techniques you can use.

When traditional measures fail, threat hunting comes to the rescue

Basic security hygiene and properly implemented antivirus, firewalls and other automated security tools should stop the majority of threats from getting in. However, if an attacker does manage to sneak into your network undetected, there’s often not much to stop them from staying there.

Threat hunting aims to track down attackers lurking in your network before they have a chance to cause any real damage. This stands in contrast to a forensic investigation, whose purpose is instead to work out what went wrong after a successful attack.

Where do we begin?

Threat hunting is not a reactive activity — that is, threat hunting is not a means of responding to a detected or observed threat. The goal of threat hunting is instead to search for threats that may have evaded detection. It is a proactive, hypothesis-based approach to searching for anomalies, rather than exploring a threat after an alert has been raised.

Here are some tips to help you begin your threat hunting process:

  1. First, ensure your organization is ready to hunt for threats, and that its security system is capable of ingesting and storing sufficiently large volumes of data from multiple sources.
  2. Your security setup should include blocking and monitoring tools such as a firewall, antivirus, and a security information and event management (SIEM) platform.
  3. You will also need external or integrated threat intelligence feeds to look up various indicators of compromise (IOC), IP addresses, and so on.
  4. Once you have all your tools up and ready to go, you will need a team of people to manage all the technology and data together.

Threat hunting: the process

Threat hunting aims to reveal and eliminate even the most advanced threats, and to discover malicious behavior as quickly as possible in spite of the sophisticated evasive measures taken by attackers. Despite a common misconception, threat hunting is not a technology, but a process that normally involves the following steps:

1. Forming hypotheses

The first step in the process of threat hunting is to select a particular activity that may or may not be taking place in the environment, and to formulate hypotheses to confirm whether or not the activity is actually taking place by means of careful observation. These hypotheses may be as simple as noticing an event that seems ‘out of the ordinary,’ or as complex as detecting ongoing malicious activity within the environment. For example, you may want to check if you are being targeted by advanced threats using approaches like fileless malware to avoid detection.

To keep up with the ever-changing capabilities of today’s attackers, a proactive threat hunting team needs to constantly research new attacks and generate hypotheses to test for them in their own environment.

2. Validating and testing hypotheses

After forming hypotheses, the next step is to validate and verify them. The best way to do so is using raw data from your logs. Data generated by alerts from your security tool may filter out the data you need to verify your hypothesis, so it’s always better to work with the raw data itself.

Different hypotheses may need to be validated using different data, so it’s important to begin this step by determining what data you need and from where.

After collecting this data, it can be analyzed to look for evidence of the activity or activities hypothesized to be taking place.

3. Discovering new patterns

While analyzing the data, you may come across anomalies, which need to be examined and understood carefully. If an anomaly is identified as an attack, you’ll need to assess the capabilities of the attacker. To be able to contain the attack and remove the attacker from your environment, you should also identify what specific actions they are taking, and against what targets. The attack discovered is then reconstructed to seek out any new patterns and tactics used to carry it out. New hypotheses can be formed based on this information.

Even if any anomalies found prove not to be malicious, learnings from the hunt can be used to train and educate the threat hunting teams.

5. Notification and enrichment

Using the knowledge acquired in the previous steps, the threat hunting team can also automate the hunt by (e.g.) applying machine learning or correlational techniques. The entire process is later repeated to discover different attacks.

Conclusion

Organizations don’t need to spend a lot of time in threat hunting or replace their usual threat detection and investigation activities with the hunting process. However, they should have a dedicated team to practice threat hunting. No threat hunting activity is guaranteed to be successful, however, making it an integral part of your security regimen will increase the chance of it being effective in reinforcing your cyber defences.