In this new series, we discuss certain major factors that make threat hunting effective. In this first installment, we describe the subject and its purpose.
Offense is the Best Defense
Threats facing organizations have become sophisticated and lethal, often resulting in data compromise, reputational injury and severe financial damage. Hardly a week goes by without a new alert cutting across the news media concerning a new ransomware attack or data breach in some of the world’s largest companies and government bodies. Equifax, Yahoo and Target are only three of the recent cyber breaches that have resulted in the theft of more than a billion accounts and incalculable damage to customers, clients and employees. WannaCry and WikiLeaks have entered the public discourse. Despite the exorbitant effort and expense dedicated to thwarting cyberattacks—advanced Security Operation Centers staffed with leading professionals, more than $80B spent annually on information security—the breaches keep happening.
Cybersecurity departments across the world can no longer sit passively waiting to react. They must take the battle to would-be attackers by going on the offensive with threat hunting.
What is Threat Hunting?
Any adversary, whether an insider or an external entity, has the resources and capability to harm an organization, and they are always looking for opportunities. Oftentimes, their nefarious deeds are already within our networks and endpoints, working to evade detection by the most sophisticated tools in our arsenal. In other cases, we may get ahead of their tactics, techniques and procedures by closing gaps through intelligence gained from our colleagues, the Dark Web, or other resources, and can deploy countermeasures to prevent similar attacks from breaching our shores.
With worldwide consensus that preventive security technology does not stop every attack, threat hunting is quickly gaining momentum within security teams of all sizes. Threat hunting allows security teams to leverage their threat intelligence, personal knowledge and understanding of their networks to actively search for and identify unseen internal and external threats that evade existing countermeasures. Threat hunters search across vast IT networks to detect and assess threats that have evaded the visibility and control of firewalls, intrusion detection systems and other such defensive solutions, with the goal of closing vulnerabilities or catching an attack in progress before it becomes a data breach.
Additional benefits of threat hunting include:
- Continuous reduction of attack surface areas to improve the overall security posture
- Visibility into insider and external threats
- Actioning internal knowledge to improve defenses
- Identification of security policies being evaded
- Analysis of internal security gaps
- Highlighting focus areas for security planning
- Collection of measurable data to build a case for additional technologies
Threat hunting specialists are vital for observing indicators and patterns of hacker activities. Effective threat hunters exploit known hacker behaviors to proactively examine networks and endpoints in order to identify threats before they turn into incidents. They generate accurate threat intelligence that can be used by the organization, industry or even across the world to detect current and future intrusions.
Threat hunters do not wait for alerts, rather they actively operationalize knowledge from various sources such as known Indicators of Compromise (IOCs), attack methodology, operating system behaviors, network activity, and other threat intelligence. They actively search across networks and endpoints for signs of threats so as to mitigate them before they attack or, at least, to minimize their damage.
Thinking like hackers, effective threat hunters look for unusual behaviors and activities, using intuition, experience, threat intelligence and advanced tools to enhance defenses and reduce the attack surface area available to hackers.
When Should We Perform Threat Hunting?
Organizations must see threat hunting as an ongoing endeavor led by an experienced security analyst, but ingrained in the whole security team. Far-sighted organizations integrate threat hunting into existing workflows to complement their other cybersecurity efforts, creating a synergistic flow of information between threat investigation and proactive hunting.
Attacks never cease; with so many attempts coming from so many sources, that is effectively the case. Threat hunters need to be on the lookout 24/7.
The Role of Automation
Threat hunting rarely makes sense as a stand-alone solution. When it is part of an automated platform that includes other capabilities such as prioritization of all security alerts, automated investigation, surgical response, and scalable remediation, threat hunters will not only increase the success of their hunting techniques, but also take quick action to mitigate anything they find. The key is to ensure that all the necessary features and toolsets that map to the most advanced level of techniques in a threat hunting maturity model are included in the platform and made available to the hunter.
Automation is a vital aspect of effective threat hunting, allowing hunters to focus on the campaign objective without needing to divert attention to manual tasks. Over time, threat hunters will integrate different forms of intelligence, data types and other forms of information into their process, allowing questions to be answered faster and with the right information. Advancing to the next stage of threat hunting will require Artificial Intelligence (AI) and Assisted Learning to be used in combination with automation; together they allow context from previous investigations to be brought into current campaigns, while predictive reasoning will ensure additional data is ready for review. There will always be a requirement for cybersecurity analysts who are experienced, understand the mindset of the attacker, and can think outside of the box—the role of automation and AI is to perfect the human solution.
There are two popular models by which a threat hunting practice can rate its effectiveness. The first, the Pyramid of Pain, rates the artifacts used in detection based on the relative amount of ‘pain’ they cause the attacker to evade detection. For example, detecting a known bad hash is easy for an attacker to circumvent (merely change something in the artifact so that the hash is unique), but identifying and preventing an attack behavior means that the hacker must find an entirely new attack-delivery mechanism—far more painful.
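The hash-versus-behavior contrast above, as an added example that is not part of the original post: a constructed Python sketch in which a hash IOC stops matching after a one-byte change to the sample, while a rule on process lineage still fires. The telemetry format, the process names and the suspicious chain are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample payloads: the second is the first with a single byte changed,
# the trivial edit the text says is enough to defeat a hash-based indicator.
ORIGINAL = b"MZ\x90\x00 constructed dropper payload v1"
RECOMPILED = ORIGINAL.replace(b"v1", b"v2")

# Bottom of the pyramid: a hash IOC list that knows only the original sample.
HASH_IOCS = {hashlib.sha256(ORIGINAL).hexdigest()}

# Top of the pyramid: a behavioral rule on process lineage. The chain is a
# hypothetical "document reader spawns a shell, which launches anything".
SUSPICIOUS_CHAIN = ["winword.exe", "cmd.exe", "*"]  # "*" matches any image

def hash_detect(events):
    """True if any process image in the telemetry matches a known-bad hash."""
    return any(e.get("sha256") in HASH_IOCS for e in events)

def behavior_detect(events, chain=SUSPICIOUS_CHAIN):
    """True if some process's parent lineage matches the chain; hashes are ignored."""
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        node, matched = e, True
        for expected in reversed(chain):  # walk child -> parent -> grandparent
            if node is None or (expected != "*" and node["image"].lower() != expected):
                matched = False
                break
            node = by_pid.get(node["ppid"])
        if matched:
            return True
    return False

def make_campaign(payload):
    """Constructed process-start telemetry for one run of the same intrusion."""
    return [
        {"pid": 100, "ppid": 1, "image": "WINWORD.EXE", "sha256": None},
        {"pid": 200, "ppid": 100, "image": "cmd.exe", "sha256": None},
        {"pid": 300, "ppid": 200, "image": "update.exe",
         "sha256": hashlib.sha256(payload).hexdigest()},
    ]

CAMPAIGN_V1 = make_campaign(ORIGINAL)    # first sighting: the hash IOC came from it
CAMPAIGN_V2 = make_campaign(RECOMPILED)  # attacker's cheap change, same behavior
BENIGN = [{"pid": 10, "ppid": 1, "image": "explorer.exe", "sha256": None},
          {"pid": 11, "ppid": 10, "image": "WINWORD.EXE", "sha256": None}]

if __name__ == "__main__":
    for name, ev in [("v1", CAMPAIGN_V1), ("v2", CAMPAIGN_V2), ("benign", BENIGN)]:
        print(name, "hash:", hash_detect(ev), "behavior:", behavior_detect(ev))
```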
The Hunting Maturity Model, conceived by David Bianco in 2015, rates the ability of a cyber security organization to operationalize and automate hunting. Organizations that rely solely on automated alerting, but undertake little or no data collection are considered HMM0. As they progress toward better data collection, the incorporation of threat intelligence and inclusion of automation within their process, organizations move toward the highest level of effectiveness, HMM4.
A few years on, technology has evolved to where identification of attack behavior and the use of automation in threat hunting should be the new normal. What will set a security team apart is the capability to implement a defense measure as the result of threat hunting, and in doing so create a proactive defense.
Achieving a Proactive Defense
Even the most overwhelmed security teams can’t afford to overlook threat hunting as a practice. Good threat hunting is an activity that provides increasing value in every stage of threat management, from security alert triage to incident response, not only reducing the attack surface area but assisting less experienced staff members in day-to-day operations.
In order to free up time for effective threat hunting, security teams must identify which activities in the security workflow they can automate without risking the accuracy and effectiveness of their results. With the time made available, threat hunting campaigns can be run successfully and defenses can be updated with the knowledge attained, allowing the security team to achieve a proactive defense.
What’s Coming Up
Over the next few weeks, we will cover different aspects of threat hunting, including:
- Endpoint Visibility – You Can’t Find What You Can’t See
- Reconstructing the History of Events – Over Any Time Interval in the Past
- Effective Searches – Simple Construction of Complex Queries with Fast Results