How to get started with threat-hunting

06/03/2018 Augmented Intelligence UEBA

What Threat Hunting Can Do for Your Company and How to Start

With the rise of automation and artificial intelligence in IT security, you may be wondering how much of a role real people will still play. After all, with technologies like security data analytics, machine learning, and virtual patching all tirelessly working round the clock, what else is there left to do – apart from going off to get a coffee?

However, these systems have a fundamental limitation. Although they may be lightning fast at spotting individual anomalies, they lack imagination. They cannot visualise how intruders might slip past defences and roam around inside systems undetected. Neither do they understand what may be motivating hackers and attackers, or why attack campaigns may be likely to unfold in certain ways. Granted, if something bad happens, they’ll be the first to send out alerts. But why wait till that moment? Why not find bad actors before any damage is done?

Humans, Your IT Security Needs You (Again)

Threat hunting could be the answer. While this cybersecurity activity is the new buzzword, it depends on an IT security resource that seems almost quaint – human beings. Threat hunters are people who look for traces of attacker presence and activity before security systems generate alerts. They fill in the gaps where automated systems have failed to detect an intrusion or where they provide no coverage at all. Threat hunters start with the hypothesis that undetected breaches have already occurred. They also assume that in the process the intruders have (unwittingly) left signs, also known as “breadcrumbs”. They then use their own logic and intuition to find and interpret those breadcrumbs, possibly using software tools to help them manage and process the data involved.

A High-Level Threat Hunting Playbook

Although different threat hunters may go about their business in their own ways, the overall process looks like this:

  • Decide what to hunt for, such as attacks on high-value or high-profile systems.
  • Identify the data needed for the hunt.
  • Collect the data, which may involve accessing multiple repositories of data held by different teams or departments.
  • Decide how best to process the data. This may be visually or via an application to help cluster data to reveal concentrations of abnormal activity.
  • Sort the results by priority for further investigation.

Essentially, threat hunters move IT security and threat detection back along the timeline of the attack. It’s a “shift-left” approach, like the one used to do testing earlier in software development life cycles. By solving problems sooner, the impact of those problems is diminished.

Examples of Proactive Threat Hunting

The value of threat hunting comes from uncovering intrusion or attack activity that is difficult for attackers to modify or hide. By comparison, automated rule-based systems often focus on indicators of compromise (IOCs) that are easy to change. Examples are domain names of command and control servers, names of infected Microsoft Office files, and malware signatures. These are all items that can be changed or permuted by the attacker or by the malware itself. Threat hunters are after different game, using methods that machines would never have “thought” of. For example:

  • A confidential company merger or new product development may suggest an attack will be launched. A likely candidate could be a phishing campaign to trick employees into giving access to this information. A threat hunter might then analyse social media activity to see if employees have mentioned their involvement in the merger or new product development. Follow-up checks could be made to see if the devices or accounts of those employees have been compromised.
  • A threat hunter may leverage user and entity behaviour analytics (UEBA) to investigate abnormal activity specifically for systems with the highest impact on the enterprise if breached.
  • Outbound connections set up by hackers to exfiltrate data may be spread over several network ports to avoid raising suspicions. For example, FTP and command-and-control (C2) connections may be running on ports with “unremarkable” numbers with just one connection per port. A threat hunter will look for related groups of ports that together suggest hostile activity.
  • A threat hunter may discover a high correlation between a given attack and a specific URL. The threat hunter can investigate the URL for more information, then locate the users or systems currently connected to the suspect URL to establish how far any damage has spread. This information allows incident response engineers to properly contain and eliminate the attack.
  • Intruders may hide in virtual private networks after stealing security certificates to gain access. This may be detected by a threat hunter who collects IP address and geolocation data to identify large location changes in network usage. Follow-up actions could include checks for the presence of tools for extracting certificates, and deliberately setting up fake certificates to generate alerts if an attacker tries to steal them.
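The port-spread exfiltration pattern in the list above (one quiet connection per “unremarkable” port, all to the same external host) can be hunted over ordinary flow records. The following is an added example, not code from the article or from ZoneFox: it runs over a handful of constructed flow records and flags internal hosts that talk to one destination across several uncommon ports with at most one connection per port, each carrying a large outbound volume. The port list, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host
    dst: str        # external destination
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst on this connection


# Constructed sample flows (not taken from the article).
# 10.0.0.9 spreads four single connections across four uncommon ports to one host.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 12_000),
    Flow("10.0.0.5", "203.0.113.10", 443, 8_000),
    Flow("10.0.0.9", "198.51.100.7", 8087, 5_000_000),
    Flow("10.0.0.9", "198.51.100.7", 8091, 4_800_000),
    Flow("10.0.0.9", "198.51.100.7", 8093, 5_100_000),
    Flow("10.0.0.9", "198.51.100.7", 8102, 4_900_000),
    Flow("10.0.0.9", "203.0.113.10", 443, 3_000),
    Flow("10.0.0.12", "203.0.113.20", 80, 1_500),
    Flow("10.0.0.12", "203.0.113.20", 80, 1_700),
]

# Ports assumed to be "normal" for outbound traffic in this environment; ignored by the hunt.
COMMON_PORTS = {25, 53, 80, 443, 587, 993, 995}


def port_spread_candidates(flows, min_ports=3, max_conns_per_port=1, min_bytes=1_000_000):
    """Return (src, dst, ports, total_bytes) tuples for source/destination pairs where the
    source reaches the destination over at least `min_ports` uncommon ports, with at most
    `max_conns_per_port` connections on each port and at least `min_bytes` sent per port."""
    per_pair = defaultdict(lambda: defaultdict(list))  # (src, dst) -> port -> [bytes_out, ...]
    for f in flows:
        if f.dport in COMMON_PORTS:
            continue
        per_pair[(f.src, f.dst)][f.dport].append(f.bytes_out)

    results = []
    for (src, dst), ports in per_pair.items():
        # Keep only ports that look "quiet": few connections, but a lot of data on each.
        quiet = {
            port: sizes
            for port, sizes in ports.items()
            if len(sizes) <= max_conns_per_port and sum(sizes) >= min_bytes
        }
        if len(quiet) >= min_ports:
            total = sum(sum(sizes) for sizes in quiet.values())
            results.append((src, dst, sorted(quiet), total))
    return sorted(results)


if __name__ == "__main__":
    for src, dst, ports, total in port_spread_candidates(FLOWS):
        print(f"{src} -> {dst}: {len(ports)} quiet ports {ports}, {total} bytes out")
```

Each hit is a lead for the hunter, not an alert: the next step is to check what process on the flagged host owns those connections and whether the destination is known to the business.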

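The last item in the list, spotting large location changes in VPN usage, is the hunt usually called “impossible travel”. As an added example (not from the article or from ZoneFox), the code below takes constructed VPN authentication records whose source IPs are assumed to have already been geolocated, computes the great-circle distance between each user's consecutive logins, and flags any pair that would have required travelling faster than an assumed airliner speed. The accounts, IPs, coordinates and thresholds are illustrative assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication events: (user, ISO timestamp, source IP, latitude, longitude).
# Geolocation of the IP is assumed to have been resolved before this step.
EVENTS = [
    ("alice", "2018-03-06T08:00:00", "192.0.2.10", 55.95, -3.19),      # Edinburgh
    ("alice", "2018-03-06T08:45:00", "192.0.2.11", 55.95, -3.19),      # Edinburgh
    ("alice", "2018-03-06T09:30:00", "198.51.100.5", 40.71, -74.01),   # New York, 45 minutes later
    ("bob", "2018-03-06T07:00:00", "192.0.2.20", 51.51, -0.13),        # London
    ("bob", "2018-03-06T19:00:00", "192.0.2.21", 48.86, 2.35),         # Paris, 12 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def location_jumps(events, max_speed_kmh=900.0, min_distance_km=500.0):
    """Return one finding per pair of consecutive logins by the same user that are at least
    `min_distance_km` apart and would have required moving faster than `max_speed_kmh`."""
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))

    findings = []
    for user, records in by_user.items():
        records.sort()  # chronological order; timestamps are the first tuple element
        for (t0, ip0, lat0, lon0), (t1, ip1, lat1, lon1) in zip(records, records[1:]):
            distance = haversine_km(lat0, lon0, lat1, lon1)
            if distance < min_distance_km:
                continue  # small moves (home/office, neighbouring cities) are not interesting
            hours = (t1 - t0).total_seconds() / 3600
            speed = distance / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from_ip": ip0,
                    "to_ip": ip1,
                    "km": round(distance),
                    "hours": round(hours, 2),
                    "kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for finding in location_jumps(EVENTS):
        print(finding)
```

Bob's London-to-Paris move over twelve hours is plausible travel and is skipped; Alice's Edinburgh-to-New York jump in 45 minutes is not, and that is the account whose certificate or credential the hunter would examine next. Corporate VPN exit points and mobile carrier geolocation produce false positives here, so in practice known egress addresses are usually allow-listed before running the check.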
Advantages and Challenges

Threat hunting offers organisations several advantages. Earlier breach detection and identification by threat hunters means that incident response engineers can then contain the breach sooner, minimising damage. Attackers are deterred by the increased difficulty of gaining a foothold. They also suffer the frustration of seeing their attack campaigns and kill chains dismantled before they can reach their goals. In addition, threat hunting helps an organisation to understand its own IT environment better, with possible spin-off benefits of increased efficiency and lower costs.

The 2017 “Threat Hunting Report” from Crowd Research Partners offers further statistics about the advantages. For almost 50% of respondents surveyed for the report, an investment in a threat hunting platform paid for itself within a year by helping to detect unknown, emerging, and advanced threats. On average, respondents also considered that threat hunting platforms could halve the time spent to detect a threat, as well as reducing by 42% the mean time to investigate and deal with a threat.

On the other hand, hiring threat hunters may be a challenge. Ideally, they possess advanced knowledge of threats and of an organisation’s IT environment, as well as programming abilities and creativity. This combination is in limited supply. Threat hunters may then gravitate towards larger organisations with higher IT risks and deeper pockets in sectors like finance, government, and defence. The report from Crowd Research Partners shows that about 80% of respondents said that their security operations centre did not spend enough time searching for emerging and advanced threats, possibly because of a scarcity of threat hunting resources.

Getting Started in Threat Hunting

Hiring threat hunters is not the only option. Enterprises can also develop their own threat hunting capabilities by building on what they already have. Depending on their needs, they can progress from level zero, at which they have no threat hunting program, to a first level of threat hunting as and when required. The second level is the systematic use of known threat hunting procedures. The third level is the development of new threat hunting procedures. The fourth and final level is the automation of threat hunting procedures that have already been found, freeing up more time for threat hunters to invent new ones. This five-level model was defined by threat hunting expert David Bianco, who pointed out that the second level may already be sufficient for many organisations.

In general, threat hunting offers additional protection, rather than replacing existing security solutions. For instance, vulnerability testing, patching, and SIEM (security information and event management) are still crucial activities. Threat hunting complements them by helping to plug gaps and detect compromises earlier. No threat hunting initiative is guaranteed to be successful. However, the chances of it being effective are increased by making threat hunting an integral part of IT security, to continually reinforce cyber defences and accelerate breach detection and recovery.

What's next? 

Get our comprehensive guide on how ZoneFox slots into your ecosystem, and you can empower your security team with the tools to get threat hunting. Or chat to one of our Insider Threat experts today! 

Theresa Esser
