Threat hunting is the practice of searching for cyber threats that might otherwise remain undetected in your network. According to Infosec, “Cyberthreat hunting can be quite similar to real-world hunting. It requires a uniquely skilled professional possessed of considerable patience, critical thinking, creativity and a keen eye for spotting prey, usually in the form of network behavior abnormalities.”
Threat hunting is necessary simply because no cybersecurity protections are always 100% effective. An active defense is needed, rather than relying on ‘set it and forget it’ security tools.
Some threats, such as ‘Poisoning the Well,’ involve attackers working to gain more long-term persistence in your application. Remaining undetected is vital to the success of this attack. Unfortunately, most attacks succeed at remaining undetected. A recent study by the Ponemon Institute on behalf of IBM found that the average time required to identify and contain a breach is 280 days.
Threat hunting involves using manual and software-assisted techniques to detect possible threats that have eluded other security systems. More specifically, threat hunting tasks include:
To hunt threats, you need to:
The process begins with collecting an adequate quantity of high-quality data, as poor-quality data inputs will result in ineffective threat hunting. Data can be collected from log files, servers, network devices (e.g. firewalls, switches, routers), databases, and endpoints.
Next, threat hunters must search for patterns and potential indicators of compromise (IOCs). If you’re monitoring, you must have someone looking at the logs. Too often, organizations don’t have enough resources and manpower to dedicate to ongoing intrusion detection monitoring. The final step is responding accordingly.
Indicators of Compromise (IOCs): Factors, including forensics data and log files, that can help identify potential malicious activity that has already occurred
Indicators of Attack (IOAs): While there’s similarity to IOCs, IOAs can help you understand attacks in progress
Network-Based Artifacts: Search for malware communication using tools such as session recording, packet capture, and network state monitoring
Host-Based Artifacts: Search endpoints and look for malware interaction within the registry, file system and elsewhere
Threat hunting requires a scope of what to look for and a way to identify anything that doesn’t fit in, such as:
To find anomalies, you first need a basic understanding of normal activity. Once indicators are detected, follow the trail: establish a hypothesis and then determine whether each IOC is a threat. Some IOCs are blunt and present obvious evidence, for example a rise in traffic to a country with which the organization does no business. Investigating IOCs can also involve lab work to reproduce certain types of traffic and examine their behavior in a virtual environment.
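As an added example (not code from the original article), the following Python script carries out the two hunting steps just described over constructed proxy log lines: it matches each line against a constructed IOC list, then flags outbound traffic to countries that are absent from, or far above, a baseline built from known-good history. The log format, the IOC address and the 5x ratio are assumptions made for the example.

```python
"""Hunt over constructed proxy logs: IOC matching plus a per-country baseline."""
from collections import defaultdict

# Constructed indicator list (TEST-NET-3 address used as a placeholder IOC).
IOC_IPS = {"203.0.113.45"}

# Constructed "known-good" history and a later batch to hunt through.
BASELINE_LOGS = [
    "2024-05-01T09:00:00Z src=10.0.0.5 dst=198.51.100.10 country=US bytes=52000",
    "2024-05-01T09:05:00Z src=10.0.0.6 dst=198.51.100.11 country=DE bytes=31000",
    "2024-05-01T09:10:00Z src=10.0.0.5 dst=198.51.100.12 country=US bytes=48000",
]
NEW_LOGS = [
    "2024-05-08T02:00:00Z src=10.0.0.7 dst=203.0.113.45 country=XX bytes=900000",
    "2024-05-08T02:01:00Z src=10.0.0.5 dst=198.51.100.10 country=US bytes=51000",
    "2024-05-08T02:02:00Z src=10.0.0.6 dst=198.51.100.13 country=DE bytes=400000",
]

def parse(line):
    """Split 'ts key=value ...' into a dict; the format is an assumption."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = ts
    rec["bytes"] = int(rec["bytes"])
    return rec

def build_baseline(lines):
    """Bytes sent per destination country during the known-good period."""
    totals = defaultdict(int)
    for rec in map(parse, lines):
        totals[rec["country"]] += rec["bytes"]
    return dict(totals)

def hunt(lines, baseline, ioc_ips, ratio=5.0):
    """Return (reason, record) pairs; each hit is a hypothesis to follow, not a verdict."""
    findings = []
    seen = defaultdict(int)
    for rec in map(parse, lines):
        seen[rec["country"]] += rec["bytes"]
        if rec["dst"] in ioc_ips:            # known indicator of compromise
            findings.append(("ioc_match", rec))
        if rec["country"] not in baseline:   # country never seen in normal activity
            findings.append(("new_country", rec))
        elif seen[rec["country"]] > ratio * baseline[rec["country"]]:
            findings.append(("volume_spike", rec))  # far above the baseline volume
    return findings
```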
In controlled environments, such as SCADA, it is easier to detect something out of the ordinary, whereas enterprise environments often carry diverse traffic, which makes detection more challenging. Security solutions such as anti-malware are most effective against malicious code that has already been mapped and analyzed; completely new code is harder to detect.
While an excess of tools can make threat hunting convoluted, security information and event management (SIEM) and event correlation tools help. On the other hand, they can also hinder your ability to see details. A unified approach to cloud security is ideal.
YARA Rules enable you to create sets of rules to help match and recognize malware. “With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.”
Sophisticated malware often hides inside something else, such as the Windows service host processes that are always running, to infiltrate a system. If it manages to inject malicious code into such a process, it can perform malicious operations without being detected. The Windows registry is another key location where malware might hide; compare it with the default system registry and investigate any changes.
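The registry comparison mentioned above, as an added example rather than code from the article: two .reg-style exports of an autorun key (both constructed for the example, with placeholder paths) are parsed and diffed, and any added, changed or removed value is reported for investigation.

```python
"""Diff a baseline export of a registry autorun key against a current export."""

# Constructed baseline snapshot (placeholder entries, not a real system's).
BASELINE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"VendorAgent"="C:\\Program Files\\Vendor\\agent.exe"
"""
# Constructed current snapshot: one value was changed and one was added.
CURRENT_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"VendorAgent"="C:\\Users\\Public\\agent.exe"
"Updater"="C:\\Users\\Public\\updater.exe"
"""

def parse_reg(text):
    """Map key path -> {value name: data} for the plain string values used here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def diff_autoruns(baseline, current):
    """Return tuples describing every difference between the two snapshots."""
    findings = []
    for key, values in current.items():
        base = baseline.get(key, {})
        for name, data in values.items():
            if name not in base:
                findings.append(("added", key, name, data))
            elif base[name] != data:
                findings.append(("changed", key, name, base[name], data))
        for name in base.keys() - values.keys():
            findings.append(("removed", key, name, base[name]))
    return findings
```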
The level of detail you go into depends on your organization’s priorities and the level of freedom each system has. Checking the integrity of critical system processes that are always active is an important part of the forensics side of threat hunting.
Infosec states, “Hunting can involve both machine-based and manual techniques. Unlike other automated systems, such as SIEM, hunting involves human capabilities to hunt threats with more sophistication.”
An important attribute of an effective threat hunting team is communication. Threat hunters must also be skilled in report writing and in educating others about threats and risks. To help management make good decisions based on their findings, teams must be able to explain what they have found in layman's terms. Overall, hunting is more of an analyst role than an engineering role.
CloudGuard Intelligence and Threat Hunting, part of the CloudGuard Cloud Native Security platform, provides cloud native threat security forensics through rich, machine learning visualization, giving real-time context of threats and anomalies across your multi-cloud environment.
CloudGuard ingests cloud native log and event data, delivering contextualized visualizations of your entire public cloud infrastructure and cloud security analytics, helping to enhance: