Threat Hunting: How to Actively Monitor Your System

essidsolutions

Cybercriminals keep improving their tactics. Their methods and tools often advance faster than mainstream technology, enabling them to bypass security systems and hide for extended periods of time. The more time they spend in your network, the more data they can steal. Finding them before they cause damage requires continual proactive defense, like threat hunting.

In 2019, there have already been a host of data breaches, state-backed hacking campaigns, and ransomware attacks. While some of these attacks were discovered quickly, some had been going on for years before being discovered.

Attackers keep improving their tactics. They are often able to bypass security systems and hide for extended periods of time. Finding them before they cause damage requires new, more proactive tactics, like threat hunting.

What Is Threat Hunting?

Threat hunting is the process of actively searching for and identifying threats. Often, hunters are looking for Advanced Persistent Threats (APTs). APTs are threats in which attackers gain access to a system and remain for an extended period of time. These threats are typically carried out by nation states or state-sponsored groups. APTs are used to siphon data, monitor for classified information, or obtain credentials.

Threat hunting and traditional threat detection are two different aspects of security. When threat hunting, you proactively search for attackers. Using threat detection, you set systems in place to reactively alert when threat activity is detected. Threat hunting is not intended to be a replacement for detection, but an additional measure of defense.

Threat hunters work by assuming that attackers are already in your system but are undetected. If they find evidence of an attacker, they report that evidence to be handled according to your Incident Response Plan.

Threat hunting follows a standard process of:

  • Data collection and processing—requires the standardized and routine collection of data from across the system and users. The data is then centralized and processed for analysis.
  • Hypothesis formation—a hypothesis is formed based on known vulnerabilities or suspected reasons for attack. A hypothesis should be based on who, what, how, where, or some combination thereof.
  • Evidence hunting—data and systems are analyzed for evidence matching the hypothesis. For example, logs indicating access from suspected attack regions or evidence of registry changes.
  • Threat identification—if evidence is found, the type of threat it relates to is identified. All relevant data is then collected and shared with the incident response team.
  • Feedback—the results of hunting are used to refine current defense systems and future analysis. If no evidence is found, the data can be added to baselines of expected behavior and events.

Tools and Tips for Actively Monitoring Your System

Effective threat hunting requires a combination of technology and human effort. You can use the following tools and tips to maximize your efforts.

System Data

Having consistent, comprehensive, and transparent system data is key to threat hunting. You should have access and event logs for servers, network devices, databases and endpoints.

You also need to have an understanding of your system architecture, including how systems connect and communicate.

The data you amass should be used to develop a clear baseline of system and user behavior. Your baseline should include routine system events, expected traffic flow and volume, and data access and use patterns. Baselines enable you to identify anomalies when evaluating your system and can help you form accurate hypotheses.
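The following is an added example, not code from the original article: it walks the hunting process described above on a small set of constructed login log lines, building a per-user baseline of source addresses from a routine window and then hunting a later window for evidence supporting a hypothesis (a threat-intelligence indicator, logins from unexpected countries, and deviations from the baseline). The log format, the indicator IP and the expected-country list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from a real system): a routine window used to
# build the baseline, then a later window that the hunt examines.
BASELINE_LOGS = """\
2019-03-01T08:02:11Z sshd login user=alice src=10.0.4.12 country=US result=ok
2019-03-01T08:15:40Z sshd login user=bob src=10.0.4.20 country=US result=ok
"""
HUNT_LOGS = """\
2019-03-05T08:10:30Z sshd login user=alice src=10.0.4.12 country=US result=ok
2019-03-05T03:12:07Z sshd login user=bob src=203.0.113.7 country=ZZ result=ok
2019-03-05T03:12:40Z sshd login user=svc_backup src=203.0.113.7 country=ZZ result=ok
2019-03-05T11:00:00Z sshd login user=carol src=198.51.100.9 country=US result=ok
"""
# Hypothesis inputs (constructed): one threat-intel indicator and the expected countries.
KNOWN_BAD_IPS = {"203.0.113.7"}
EXPECTED_COUNTRIES = {"US"}

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd login user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"country=(?P<cc>\S+) result=(?P<result>\S+)$")

def parse(text):
    """Turn raw log text into event dicts; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def build_baseline(events):
    """Baseline: the source IPs each user logged in from during routine operation."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "ok":
            baseline[ev["user"]].add(ev["src"])
    return baseline

def hunt(events, baseline):
    """Return (timestamp, user, reasons) for each event that supports the hypothesis."""
    findings = []
    for ev in events:
        reasons = []
        if ev["src"] in KNOWN_BAD_IPS:
            reasons.append("source matches threat-intel indicator")
        if ev["cc"] not in EXPECTED_COUNTRIES:
            reasons.append("login from unexpected country")
        if ev["user"] not in baseline:
            reasons.append("user has no baseline history")
        elif ev["src"] not in baseline[ev["user"]]:
            reasons.append("new source IP for this user")
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings
```

Each finding carries the reasons it was flagged, which is what gets handed to the incident response team in the threat identification step; events that match nothing (alice's routine login here) are left for the baseline.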

Security Information and Event Management (SIEM) solutions or other centralized logging solutions, like an ELK stack, are helpful. These solutions enable you to centralize the collection and processing of system data and logs. Many of these solutions also have features or add-ons for analysis that can assist you in the evidence hunting phase.

Threat Intelligence Information

Threat hunting hypotheses are typically based on threat intelligence information. Threat intelligence information provides insight into the latest attack techniques, tactics, and procedures. It also provides information on known indicators of compromise or attack, malware hashes, and threat signatures.

Threat hunters use this information to identify attacker techniques, tools, or motivations that could be applied to your system. When they determine that information gained from threat intelligence can apply, they form a hypothesis and begin hunting for evidence. You can threat hunt by simply searching for abnormalities in system behavior, but it’s not a very effective strategy. Threat intelligence information allows you to refine your search goals and hunt more efficiently and effectively.

To gather threat intelligence, you need to follow and monitor a range of sources. Sources should include government research and notices, security community-based forums, and third-party databases. Sites like the National Vulnerability Database (NVD) and the Open Web Application Security Project (OWASP) are good places to start.

Advanced Analytics and Machine Learning

A large part of threat hunting is analyzing massive amounts of information. Working with a system’s worth of data takes a significant amount of time and energy. Fortunately, technology can speed up this process and uncover patterns that humans would have difficulty uncovering on their own.

Using advanced analytics and machine learning enables threat hunters to rely on machines to perform repetitive tasks, such as querying logs for specific events or scanning for traffic from specific IP addresses. This leaves hunters free to focus on interpreting identified patterns and suspicious events.

When selecting tools to perform analytics, choose those that integrate with your data collection solutions. You should be able to easily access and transfer information between your tools. Choose tools that include features for User and Entity Behavior Analytics (UEBA). UEBA employs machine learning to compare event data to your system baselines and identify suspicious activity.

Whichever tools you choose should automatically integrate the threat intelligence data you’re already using. The ability to input custom parameters based on your hypothesis is also a key feature.

Conclusion

Once you have a mature security stance, consider adding threat hunting to your practices. It can help you identify threats that have made it past your defenses before they cause harm. However, keep in mind that threat hunting is not a fast or easy solution.

Threat hunting requires significant expertise and is not a replacement for detection and response systems. Take the time to verify that your logging, monitoring, and basic security systems are solid first. Once they are, threat hunting will be much more effective for you.