7 Simple but Effective Threat Hunting Tips from a Veteran Threat Hunter

Survey research shows about 40% of security operations centers (SOCs) have implemented threat hunting programs. These programs are aimed at catching emerging or advanced threats that have been missed by traditional tools.

Sophisticated threat actors are cognizant of the techniques many commercial security tools use, and so they work to evade detection. Even newer tools, including artificial intelligence and machine learning, aren’t perfect, according to Tim Crothers.

He points out these tools are effective at finding variations of known threats, but if the threat is new, or the approach novel, there isn’t a variation to be detected. This is where advanced threat actors excel and why threat hunting has become such an important SOC initiative.

Mr. Crothers, a trainer, speaker and author with a long history in cybersecurity, recently presented his insights on threat hunting during a webinar hosted by Bricata. The webinar, titled Threat Hunting: Finding Hidden & Undetected Network Threats, demonstrated some simple but effective threat hunting tips.

This session builds on a previous threat hunting webinar, which introduced the concept in easy to understand terms. In that presentation, he provided a five-step process for getting started which included the following:

1) Choose a specific adversarial activity to hunt;
2) Determine the appropriate data source for hunting;
3) Sift through the data source to look for indications of threat activity;
4) Thoroughly investigate discovered anomalies; and
5) Repeat the process and refine.

During this more recent session, he provided advanced techniques for carrying out those five steps. The link to a recording and some of our takeaways follows below.

Threat hunting tip #1: Look for tunneled communications.

A good category of adversarial activity to hunt for is command and control (C2). More specifically, look for activity that tries to blend in with normal traffic, such as tunneled communications, where one network protocol is used to carry another. For example, threat actors embed their communications in DNS traffic because many corporate firewalls permit outbound DNS. Tunneled DNS tends to stand out as a burst of queries for many unique, unusually long subdomains of a single domain, often for record types such as TXT that ordinary clients rarely request.
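The DNS case, as an added example that is not from the webinar or the Bricata platform: a Python hunt over a constructed Zeek dns.log that groups queries by client and base domain and flags groups whose subdomains are numerous, long, high-entropy or TXT/NULL lookups. The sample log, the thresholds and the two-label base-domain split are assumptions; a real hunt would tune the thresholds against a week of the organization's own data and use the public suffix list to find the registered domain.

```python
"""Hunt for DNS-tunnelled command and control in a Zeek dns.log.

Added example, not code from the webinar or the Bricata platform. SAMPLE_DNS_LOG is
constructed and trimmed to five of dns.log's columns; the thresholds are assumptions
a hunter would tune against a week of their own data.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample in Zeek's TSV format (the '#fields' line names the columns).
_HEADER = ("#separator \\x09\n#path\tdns\n"
           "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\n")
_ROWS = [
    ("1700000001.000000", "10.0.0.5", "10.0.0.2", "www.example.com", "A"),
    ("1700000002.000000", "10.0.0.5", "10.0.0.2", "mail.example.com", "A"),
    ("1700000003.000000", "10.0.0.5", "10.0.0.2", "www.example.com", "AAAA"),
    ("1700000004.000000", "10.0.0.5", "10.0.0.2", "login.example.com", "A"),
]
# Many unique but short, low-entropy names under one domain: a CDN, not a tunnel.
_ROWS += [("17000000%02d.000000" % (10 + i), "10.0.0.5", "10.0.0.2",
           "img%02d.example.org" % i, "A") for i in range(9)]
# Tunnel-like pattern: one host sends TXT queries whose labels carry encoded data.
_ROWS += [("1700000100.%06d" % i, "10.0.0.9", "10.0.0.2",
           hashlib.sha256(b"chunk%d" % i).hexdigest()[:32] + ".t.example.net", "TXT")
          for i in range(10)]
SAMPLE_DNS_LOG = _HEADER + "\n".join("\t".join(r) for r in _ROWS) + "\n"


def parse_zeek_tsv(text):
    """Parse Zeek's ASCII log: '#'-prefixed metadata, #fields gives column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def shannon_entropy(s):
    """Bits per character; encoded payloads score well above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def split_query(name):
    """Return (subdomain, base domain). Base = last two labels, an assumption that
    a real hunt replaces with the public suffix list (co.uk and friends)."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def hunt_dns_tunnels(rows, min_unique=8, min_len=30, min_entropy=3.5, min_txt_frac=0.5):
    """Group queries per (client, base domain) and flag groups that look like a covert
    channel: many unique subdomains that are long, high-entropy, or TXT/NULL lookups."""
    groups = defaultdict(list)
    for r in rows:
        sub, base = split_query(r["query"])
        groups[(r["id.orig_h"], base)].append((sub, r["qtype_name"]))
    flagged = []
    for (host, base), items in groups.items():
        subs = {s for s, _ in items if s}
        if len(subs) < min_unique:          # too few distinct names to be carrying data
            continue
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_frac = sum(q in ("TXT", "NULL") for _, q in items) / len(items)
        reasons = []
        if mean_len >= min_len:
            reasons.append("long subdomains (mean %.0f chars)" % mean_len)
        if mean_ent >= min_entropy:
            reasons.append("high entropy (mean %.2f bits)" % mean_ent)
        if txt_frac >= min_txt_frac:
            reasons.append("TXT/NULL queries (%.0f%%)" % (100 * txt_frac))
        if reasons:
            flagged.append({"orig_h": host, "domain": base, "queries": len(items),
                            "unique_subdomains": len(subs), "txt_null_frac": txt_frac,
                            "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["unique_subdomains"])


if __name__ == "__main__":
    for hit in hunt_dns_tunnels(parse_zeek_tsv(SAMPLE_DNS_LOG)):
        print("%(orig_h)s -> *.%(domain)s: %(queries)d queries, "
              "%(unique_subdomains)d unique names; %(reasons)s" % hit)
```

Run as a script it prints only the 10.0.0.9 group. The img01..img09 group under example.org shows why a count of unique names is not enough on its own: it clears the uniqueness bar but fails the length, entropy and record-type tests, which is what keeps a CDN or a load balancer from landing in the shoebox.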

Threat hunting tip #2: Identify specific attributes.

Once you've chosen a threat to hunt for, research its characteristics and look for unique attributes, such as a specific URL it uses. The more specific the attributes, the easier it is to pick the activity out when you sort and filter the data set later. If your organization has a red team or penetration testing team, they can reproduce the technique and produce the forensic artifacts that help pin down such attributes.

Threat hunting tip #3: Scope your data.

Network logs, other log data, or the SIEM itself are good sources of data for threat hunting, but you must put parameters around the data volume you are going to sift. Mr. Crothers recommends a week's worth, and certainly no more than a month's worth, of data. The key is to choose data sources that are likely to contain the activity you are looking for. In the webinar, he uses logs generated by Zeek (formerly known as Bro), which is one of three detection technologies integrated into the Bricata platform.

Threat hunting tip #4: Take a wide pass at the data first.

It's important to take a high-level pass at filtering the data and to avoid the instinct to investigate in depth the first thing that catches your eye. Instead, use that first pass to bookmark the items that look interesting, then prioritize them once the pass is complete. The Bricata platform provides a collaborative tool we call the "shoebox" feature for this purpose. The name is a pre-digital reference to gumshoe detectives who kept the evidence collected during an investigation in a shoe-sized box.

Threat hunting tip #5: Use sorting techniques to narrow the hunt.

Sorting is essential to narrowing the data set and homing in on possible threats. For example, sort connections by bytes transferred, from smallest to largest, and concentrate on the largest transfers. Another technique is to sort by HTTP method: PUT is a valid method that is rarely seen in ordinary web browsing, so sorting on it surfaces the few connections that use it. Sorting also includes visualization, and the complete webinar recording (link below) shows how to use visualization to spot irregular communication patterns that merit investigation.

Threat hunting tip #6: Filter out known good.

Once you've taken an initial pass at the data set, you are in a better position to filter out "known good": network traffic to and from sources and destinations you can rule out as normal communications. The caveat is not to make assumptions that exclude traffic worth a closer look; vouch for a destination together with the port and protocol it normally serves rather than for an address alone.

Threat hunting tip #7: Look for service oddities.

Service oddities are network anomalies: a port or protocol being used in a way that is rare or unusual. For example, port 443 is normally used for TLS/SSL. Cleartext HTTP on port 443, or TLS on a port other than 443, are prime examples of service oddities. A network monitor such as Zeek records the protocol it actually identified for each connection, so the mismatch is a simple comparison of the identified service against the port.
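Tips #5 to #7 over Zeek conn.log and http.log, as an added example that is not from the webinar or the Bricata platform: the Python below sorts connections by bytes transferred, pulls out uncommon HTTP methods such as PUT, drops known-good traffic keyed on (server, port, service) rather than on address alone, and reports port/service mismatches such as HTTP on 443 or TLS on a high port. The log lines are constructed in Zeek's JSON output format with RFC 5737 test addresses; the port expectations and the known-good entry are assumptions for the example.

```python
"""Sort, filter known good and spot service oddities in Zeek conn.log and http.log.

Added example, not code from the webinar or the Bricata platform. The log lines are
constructed (RFC 5737 test addresses), written the way Zeek emits them with JSON
output enabled and trimmed to the fields the hunt needs; the port/service table
and the known-good list are assumptions for the example.
"""
import json

SAMPLE_CONN_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":443,"service":"ssl","orig_bytes":1200,"resp_bytes":45000}
{"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.50","id.resp_p":443,"service":"http","orig_bytes":900,"resp_bytes":3000}
{"uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.7","id.resp_p":8089,"service":"ssl","orig_bytes":250000,"resp_bytes":4000}
{"uid":"C4","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.20","id.resp_p":80,"service":"http","orig_bytes":500,"resp_bytes":20000}
{"uid":"C5","id.orig_h":"10.0.0.11","id.resp_h":"203.0.113.8","id.resp_p":80,"service":"http","orig_bytes":8000000,"resp_bytes":2000}
{"uid":"C6","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":80,"service":"http","orig_bytes":400,"resp_bytes":900}
"""
SAMPLE_HTTP_LOG = """\
{"uid":"C2","method":"GET","host":"10.0.0.50","uri":"/"}
{"uid":"C4","method":"GET","host":"updates.corp.example","uri":"/patch.msi"}
{"uid":"C5","method":"PUT","host":"203.0.113.8","uri":"/upload/x.bin"}
"""


def parse_zeek_json(text):
    """Zeek with LogAscii::use_json=T writes one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def top_talkers(conns, n=3):
    """Tip #5: sort by bytes moved and look at the biggest transfers first.
    A workstation uploading far more than it downloads is worth a bookmark."""
    ranked = sorted(conns, key=lambda c: c.get("orig_bytes", 0) + c.get("resp_bytes", 0),
                    reverse=True)
    return [(c["uid"], c.get("orig_bytes", 0), c.get("resp_bytes", 0)) for c in ranked[:n]]


def rare_http_methods(https, common=("GET", "POST", "HEAD")):
    """Tip #5: everything that is not an everyday method (PUT, DELETE, CONNECT, ...)."""
    return [(h["uid"], h["method"], h["uri"]) for h in https if h["method"] not in common]


def drop_known_good(conns, known_good):
    """Tip #6: remove traffic you can vouch for. The allowlist is keyed on
    (server, port, service), not the server address alone, so an unexpected
    service on a trusted host is still kept for review."""
    return [c for c in conns
            if (c["id.resp_h"], c["id.resp_p"], c.get("service")) not in known_good]


# Assumed expectations for the example; extend from your own environment's baseline.
EXPECTED_PORTS = {"ssl": {443, 8443}, "http": {80, 8080}, "ssh": {22}, "dns": {53}}
EXPECTED_SERVICE = {443: "ssl", 80: "http", 22: "ssh", 53: "dns"}


def service_oddities(conns):
    """Tip #7: the protocol Zeek identified (service) disagrees with the port,
    e.g. cleartext HTTP on 443 or TLS on a high port. A connection on a well-known
    port whose protocol Zeek could not identify is reported too."""
    findings = []
    for c in conns:
        svc, port = c.get("service"), c["id.resp_p"]
        odd = ((svc in EXPECTED_PORTS and port not in EXPECTED_PORTS[svc])
               or (port in EXPECTED_SERVICE and svc != EXPECTED_SERVICE[port]))
        if odd:
            reason = "%s on port %d" % (svc or "unidentified", port)
            if port in EXPECTED_SERVICE:
                reason += " (expected %s)" % EXPECTED_SERVICE[port]
            findings.append((c["uid"], reason))
    return findings


def run_hunt(known_good=frozenset({("10.0.0.20", 80, "http")})):
    """Tips #5-#7 in the order the webinar suggests: wide pass first, then filter."""
    conns = parse_zeek_json(SAMPLE_CONN_LOG)
    biggest = top_talkers(conns)                   # wide pass over everything
    conns = drop_known_good(conns, known_good)     # then remove what you can vouch for
    kept = {c["uid"] for c in conns}
    https = [h for h in parse_zeek_json(SAMPLE_HTTP_LOG) if h["uid"] in kept]
    return {"top_talkers": biggest,
            "rare_methods": rare_http_methods(https),
            "oddities": service_oddities(conns)}


if __name__ == "__main__":
    for name, items in run_hunt().items():
        print(name, items)
```

The known-good key of server, port and service is the guard that the caveat in tip #6 asks for: the internal update server 10.0.0.20 is excluded only for HTTP on port 80, so if it ever starts answering TLS on an odd port that traffic stays in the data set and shows up under service oddities instead of vanishing behind the allowlist.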

Strengthen Your Overall Cybersecurity Defense

Since you are hunting for adversarial activity, threat hunting gives you the chance to examine your IT environment from the perspective of a threat actor. You may not always find a threat over the course of your hunts, but you will almost assuredly find misconfigurations, network anomalies and potential weaknesses by virtue of the exercise. That knowledge holds value because you can use it to strengthen your overall cybersecurity defenses.

* * *

The full webinar was recorded and is available for viewing on-demand with registration. Mr. Crothers walks users through these tips using practical examples you or your team can start using immediately. It runs just under an hour in length and can be found here: Threat Hunting: Finding Hidden & Undetected Network Threats.

If you enjoyed this post, you might also like:
Here’s What Network Threat Hunting Means, Why It Matters, and How to Get Started

