5 Things To Consider With A Threat Hunting Program
A change in mindset and the ability to think like a malicious hacker are two key requirements.
July 1, 2016
The constantly evolving ability of cyberattackers to get past even the most fortified of enterprise defenses has intensified pressure on organizations to develop better threat detection and response capabilities.
One outcome of that focus is the growing interest in what many have taken to calling as "threat hunting," a notion that it is better to proactively scour for malicious activity on the network rather than simply waiting for something bad to happen first.
A recent survey by the SANS Institute showed that many organizations to some extent are already engaged in threat hunting practices. Eighty six percent of the 494 IT professionals surveyed by SANS say they have implemented threat-hunting processes. About 59% claimed that threat hunting had enhanced their incidence response capabilities, while 75% credited the process with reducing their attack surface.
David Bianco, a security technologist at Sqrrl Data Inc. who has developed a threat hunting maturity model for threat hunting, has described threat hunting as “the collective name for any manual or machine-assisted techniques used to detect security incidents.”
Core to the process is the quality of data that is used for hunting, the tools that are available to access and analyze the data, and the skill levels of the analysts tasked with using the data to hunt down security threats, according to Bianco.
The actual techniques that hunters might use to chase down an intruder can vary and it's difficult to point to a single approach as being the best, he noted. In fact, it is actually better for hunters to be familiar with a variety of methods so they know the most suitable one for a particular situation.
Here are five things to consider when implementing a threat hunting process in your organization:
Change Your Mindset
Threat hunting is less about new technologies and techniques than it is about a fundamental change in mindset, says Yonatan Striem Amit, chief technology officer and co-founder at Cybereason, a vendor of endpoint detection and response technologies.
The emphasis is on using human smarts to ferret out malicious activity rather than relying solely on security alerting tools. Hunches and "gut-feel" play as much a part in threat hunting as indicators of compromise and other technology metrics and alerts.
“Because of a general lack of understanding of what a complex attack looks like, there is often a huge amount of focus on how to prevent the initial break-in,” or on how and where an intruder might have broken in, Amit says. Less attention is paid on understanding what an intruder might do after the initial compromise.
“To threat hunt, you have to acknowledge that attackers are probably getting past your existing defenses,” says Richard Stiennon, chief research analyst at IT-Harvest. “While you should never cease shoring up those defenses, you do have to look for adversaries that have defeated them. You do this by threat hunting."
Amit likens the difference in attitude that is needed to the difference in approach taken by traffic police and criminal investigators when responding to incidents. “The working assumption when you are a traffic cop is that accidents happen because of inattention,” and other accidental causes, Amit says.
“But when you are a cop working on a murder investigation, you assume the people involved have a malicious reason and you go and investigate that and understand why it happened," he says.
Think Like A Hacker
To be good at threat hunting you absolutely need to think like a malicious hacker would, Amit says. For example, if your organization is the kind that measures success by how many trouble tickets you can close in an hour and how quickly you can remediate issues, there’s a good chance that attackers know that as well.
“If I was running a hacking campaign, I would send a slew of known malware just to give you lot of work. If you don’t have the habit of going down to the bottom of an event each time, I know you are going to be susceptible.”
It is vital for organizations to realize that the initial intrusion is usually the easiest first step of a complex attack. Once you understand that, a lot of other things fall into place, he says. “You look into understanding how your adversary works, and the processes and motivations driving adversarial activities,” to know what they are likely to be doing on your network and where they are most likely going to be lurking, Amit says.
Stop Focusing Solely On The Malware
The malware that attackers use on your network is just a means to an end. So merely finding and eradicating malware samples is not enough.
“Threat hunting is not just searching hosts for indicators of compromise, says John Pescatore, director of emerging security trends at the SANS Institute. “In reality, that is nothing but host-based intrusion detection using a fancy name for signatures.”
Threat hunting requires a combination of active threat monitoring and directed probing. “That is, I know how the active dangerous threats are operating, I know which of my assets they would target, and [whether they] are active against those assets,” Pescatore says.
By focusing too much on finding malware, you also run the risk of overlooking malicious activities that are being carried out by attackers using legitimate tools and access credentials on your network, Amit cautions. Often, attackers who manage to gain initial access on a system will try to figure out a way to escalate privileges and quietly move around the network by leveraging PowerShell, Windows tools like WMI, and other similar capabilities. Malware detection tools cannot help spot such activity.
Make The Right Data Available
Good data and intelligence are key to an effective cyber-hunting capability, says Kris Lovejoy, president of security vendor Acuity Solutions.
Data gathered by security systems, SIEM, and analytics platforms and network monitoring tools could provide a wealth of information on the health of a network. When properly vetted through the right filters, such data can play a vital role in helping threat hunters arrive at a more contextual understanding of what they might be seeing or chasing down on the network, she says.
“Think about the job of cyber hunting as the same thing as monitoring photographs on Facebook for child pornography,” Lovejoy says. The human staff on Facebook tasked with the job of monitoring photos sometimes have to make determinations based both on experience and on the intelligence gathered by Facebook’s systems to help them interpret what they are seeing.
Threat hunting is all about piecing together disparate data to build a picture of an attack underway, Stiennon adds. “It could be unusual behavior reported by a UEBA [User and Entity Behavior Analytics] solution. It could be a traffic spike or unusual connection identified by your netflow monitoring solution,” he says. Or it could be on a piece of threat intelligence against your SIEM or endpoint monitoring.
“Beyond technology you need digital sleuths pulling the levers on all of these modern tools,” Stiennon says. This is a role that is ideally filled by puzzle solvers and people who are inquisitive by nature.
Look for these traits anywhere in your IT department, he says. “Put them in front of a console that allows them to do link and graph analysis on lots of data. Feed them lots of data. Stand back and watch what happens.”
Do Crazy Ivans
Doing something unexpected is a good way to ferret out hidden intruders on your network, Lovejoy says.
One example would be the digital equivalent of a Cold War era tactic called Crazy Ivan that was used by submarine commanders to detect if another submarine was hiding behind them in their wake. The tactic involved abrupt hard turns and other maneuvers so a submarine following behind another would be exposed, Lovejoy says.
One way to do the same thing in the digital world is to unexpectedly change passwords to see if someone is making password-cracking attempts, she says. Another tactic is to clear DNS caches to make it easier to see if any compromised endpoints that are trying to resolve to botnets and malicious servers, Lovejoy says.
Related Content:
About the Author
You May Also Like