Adversaries that are good at being bad actors actively work to avoid detection. Depending on varying research, it can take enterprise security teams anywhere from a couple of weeks – to more than six months – to detect a threat dwelling on the network.
Even at the low end of this range, it’s far too long. This has largely driven the concept of threat hunting, a proactive approach to seeking out malicious activity on a network that hasn’t triggered an alert.
Over the last few years, we’ve observed a keen interest in the concept across several vertical markets – financial services, healthcare, legal and government – with data that puts them in adversarial crosshairs. Indeed, threat hunting recently earned a mention on the list of the “Top Seven Security and Risk Management Trends for 2019” by Gartner:
“The shift in security investments from threat prevention to threat detection requires an investment in security operations centers (SOCs) as the complexity and frequency of security alerts grow. According to Gartner, by 2022, 50 percent of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10 percent in 2015.”
As security leaders look to build threat hunting teams, programs and centers, we put together a list of some of the most useful ideas we’ve seen lately around the concept of threat hunting.
1) Do you need a threat hunting program?
“Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls,” according to a post on the Smarter with Gartner blog which references research by Dr. Anton Chuvakin, a former analyst that’s recently joined a company owned by Google parent Alphabet. “The practice is distinct from threat detection, which relies heavily on rules and algorithms.”
That definition is useful for answering the question, because organizations that have implemented threat hunting, “have typically maximized their alert triage and detection content development processes and matured their security incident response functions.” The piece suggests starting out by addressing simple questions like, “Are you targeted by stealthy advanced threats?”
2) Threat hunting is a shift in mindset.
Threat hunting is “searching not alerting,” wrote Kevin Keeney of Elastic in a contribution to GCN. The concept is by nature proactive rather than sitting back and reacting to alerts.
Threat hunting requires a mindset shift from that alert culture. It acknowledges that threats exist within the environment and they can be found by proactively hunting for them.”
3) Defining objectives for threat hunting.
There are two ways to nail down objectives for threat hunting, and this is probably a conversation for security to have with the C-Suite, reported Paul Rubens in a story for eSecurity Planet. One way to begin is to look internally and “consider threats to the company’s ‘crown jewels,’ which may be research data, customer lists, or production information. Then consider how these things could be compromised,” he writes. The flip side is looking externally at “threat intelligence sources so see what attackers are doing elsewhere to consider if any of these advanced threat activities could affect your organization.”
4) Finding the data sources for threat hunting.
Network data is an “essential data source that can be used to find indications of adversary activity in your environment,” according to David Mashburn, an IT security manager and SANS Certified Instructor, in a contribution to Dark Reading. “Data such as Netflow, firewall logs, proxy logs, DNS logs, and DHCP logs can all play a role in threat hunting.” He notes there can be organizational barriers to accessing and collecting some of these data sources. That is sometimes true which is why we’re advocates of high-fidelity metadata and providing the ability to reach back to packet capture (PCAPs).
5) Focus your hunt on specific attributes.
One way to get started in threat hunting is to identify a threat and then define a specific attribute a threat actor uses in their attacks – a protocol, an exploit or URL. The more specific you can be in zeroing in on attributes, the more likely these will stand out when you and sort and filter your dataset throughout out the hunt. If you have a red team, ask them to produce forensic artifacts to help develop those specific attributes.
6) Math and probability to surface network anomalies.
An alternative technique to hunting specific attributes is to filter out routine transactions and look for anything unusual. That’s an approach Vernon Habersetzer, who leads the hunt team for Walmart, likes to take. At an RSA presentation he notes that the average transaction on an enterprise network should be “normal,” so filter out the normal activity and zero in on the abnormalities. This idea is the application of math and probability to taper the high volume of transactions on a large network to just those activities that don’t quite fit and merit a closer look.
7) Threat hunting as a professional development program.
The point of threat hunting is obviously to find threats that have evaded detection. Yet all the steps that go into a threat hunt also present a tremendous learning opportunity. One way is to pair tier 3 analysts with tier 1 analysts for the threat hunting sessions. In the process, threat hunting can produce a positive second-order effect: a mentoring and professional development session. Training is a good way to boost retention, and so existing resources are used to help address the skills gap and talent shortage in cybersecurity.
* * *
Threat hunting isn’t a panacea by any stretch; security still has to execute on the fundamentals. Still, so long as large organizations maintain valuable data, they are going to face sophisticated adversaries aiming to infiltrate the network without tripping an alert and threat hunting will continue to evolve as a discipline.
Note: Bricata has simplified the four critical capabilities enterprises need for comprehensive network protection: visibility, threat detection, threat hunting, and post-detection actions. See this product review by CSO Online – Bricata adds threat hunting to traditional IPS/IDS – or schedule a live demonstration to see the product in action.
If you enjoyed this post, you might also like:
Network Visibility: Can You Analyze Encrypted Traffic for Cybersecurity Threats?