What is threat hunting? Threat hunting is looking for indications of malicious activities that aren’t being detected by static detection.
That’s according to Tim Crothers who is perhaps, from our perspective, among the most prominent experts on the concept of threat hunting. He’s been in security for a long time, has built and led large security teams, penned books on the topic, and routinely makes the rounds on the speaking circuit.
On a recent webinar titled Introduction to Network Threat Hunting, he gave a presentation and a demonstration of how to get started with threat hunting with the Bricata platform. The webinar was recorded and is still available for viewing.
Here are our notes summarizing his session.
What is network threat hunting?
Most organizations have some sort of static detection in use. Often this is a combination of signature detection and rules-based detection tools aimed at detecting activity known to be malicious.
While these are necessary and catch much of the basic malware, sophisticated threat actors are aware of these measures – they understand how these tools work and are good at evading them. As such, hunting becomes a method to find activity that isn’t being detected.
Why conduct threat hunting?
In his session, Mr. Crothers identified several reasons – the benefits – for conducting threat hunting. Those reasons are:
1) To find unknown malicious activity.
This is the obvious benefit and perhaps what most people think of as the main reason. Of course, security requires a balance and we can’t forgo the fundamentals, but a good threat hunting program is one of the ways to get ahead of the reactive cycle of firefighting.
2) Threat hunting can improve static detection.
Most environments are unique and are prone to have anomalies that may not be malicious. A misconfigured server could look abnormal, or an application may perform in an odd way, for example. The virtue of threat hunting in this respect is two-fold: you learn about your environment, and if you understand your environment, you can begin to think of how an adversary might navigate it undetected.
He emphasized that successful threat hunters really understand the environment and learn how adversaries act. A stronger grasp of these two aspects will not only make you a better threat hunter, but it will also help you improve your overall defenses including static detection.
3) Threat hunting can improve professional development.
It’s no secret there’s a shortage of cybersecurity talent and one way to address this in part is by refocusing on professional development. Threat hunting exercises are a great opportunity to team level 1 and level 2 analysts with level 3 analysts. In the course of learning about the environment and thinking like an adversary, they’ll also gain from the personalized mentoring in a small group format.
How do you get started with threat hunting?
The biggest mistake organizations make in getting started with threat hunting is “trying to boil the ocean”: getting into a platform and just trying to “look for weird stuff.” He recommends setting clearer goals and he identified a few key steps:
1) Choose a specific adversarial activity to hunt.
Adversaries have certain likely behaviors, so choosing a specific activity to hunt will improve the chances of success. For example, if an adversary has deployed a remote access trojan on a user system, the next step they might take is to try to escalate privileges. A specific activity to hunt in this process is the use of a tool to dump cached credentials in search of administrative accounts; another is command and control (C2) hiding in the network.
2) Determine the appropriate data source from which to hunt.
Determining the right data source to support the hunt can be the biggest task in threat hunting. Sometimes security may have to partner with another team to obtain the data. In the case of hunting for indications of C2, the Bricata sensors run Bro, which logs network transactions. This includes logging which machines are talking to which machines, over what ports and with what protocols. When pulling a data source, Mr. Crothers recommends putting time parameters around it – a time frame of somewhere between seven and 30 days.
3) Sift the data source looking for indications of that activity.
The next step is to put data into a parcel format and begin sorting and sifting, that is, looking for evidence of that specific activity – a cached password dump, for example. A good technique is to partner with a red team or a penetration test team to run a sampling of the tools used for that activity. The security team can then examine the traces those tools leave behind and look for those traces in the data set.
4) Thoroughly investigate discovered anomalies.
In sifting through the data and looking for traces of malicious activity, the team will find anomalies, such as content anomalies, timing irregularities, or size irregularities. These anomalies should be examined and understood. Most environments will have a sizable volume of anomalies. Even if they don’t prove malicious, the team will learn something about the environment, which both educates the staff and can be used to improve static detection.
5) Repeat the process.
The final step is to repeat the process in a methodical manner. Organizations don’t have to spend a lot of time, and they cannot forgo the fundamental security tasks. However, security teams should strive to find a way to dedicate some time to threat hunting because it’s a way to get ahead of the firefighting. More importantly, while the concept of threat hunting is straightforward, it’s the practice that will allow your team’s skills to advance. To that end, Mr. Crothers uses threat hunting as a professional development exercise for his own teams.
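As an added illustration of steps 2 through 4 for the C2 hunt mentioned above (not code from the webinar or from the Bricata platform), the sketch below reads Bro conn.log records inside a time window and flags host pairs that connect at near-constant intervals. The sample log, the thresholds and the function names are constructed assumptions.

```python
import statistics
from collections import defaultdict

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

def sample_conn_log():
    """Constructed conn.log text (documentation IP ranges, invented values)."""
    rows = []
    for i, off in enumerate([0, 301, 599, 900, 1202, 1500, 1799, 2100]):  # steady check-in
        rows.append([1500000000 + off, f"Ca{i}", "10.0.0.5", 49000 + i,
                     "203.0.113.10", 443, "tcp", "ssl", 0.5, 312, 540, "SF"])
    for i, off in enumerate([12, 40, 700, 760, 1900, 2050, 2080]):  # ordinary browsing
        rows.append([1500000000 + off, f"Cb{i}", "10.0.0.7", 51000 + i,
                     "198.51.100.20", 443, "tcp", "ssl", 1.2, 800 + 37 * i, "-", "SF"])
    header = "#fields\t" + "\t".join(FIELDS)
    return "\n".join([header] + ["\t".join(map(str, r)) for r in rows])

def parse_conn_log(text):
    """Yield one dict per connection, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def beacon_candidates(records, start, end, min_conns=6, max_jitter=0.1):
    """Flag (orig, resp, port, proto) groups whose connection intervals barely vary."""
    groups = defaultdict(list)
    for r in records:
        ts = float(r["ts"])
        if start <= ts < end:  # time-bound the hunt, e.g. a 7 to 30 day window
            key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"])
            size = 0 if r["orig_bytes"] == "-" else int(r["orig_bytes"])  # "-" means unset
            groups[key].append((ts, size))
    hits = []
    for key, conns in groups.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        if jitter <= max_jitter:  # near-constant interval: an anomaly to investigate
            hits.append({"pair": key, "count": len(conns), "interval": round(mean_gap, 1),
                         "jitter": round(jitter, 3), "sizes": sorted({s for _, s in conns})})
    return sorted(hits, key=lambda h: h["jitter"])
```

Calling `beacon_candidates(parse_conn_log(sample_conn_log()), 1500000000, 1500000000 + 7 * 86400)` returns only the 10.0.0.5 pair. Regular intervals also describe benign traffic such as update checks, so each hit is an anomaly to investigate as in step 4, not a verdict.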
* * *
The full webinar – which was recorded and is available for on-demand viewing – runs about an hour and is broken into two parts. The first part lays out what threat hunting is, why it should be done and how to begin. The second part is a demonstration with concrete examples to illustrate the concept in practice.