Threat hunting 101

June 10, 2020 | By Michael Wainshtain Technical Team Leader

Threat hunting is a preemptive cyber defense process and activity, wherein a security team emphasizes on identifying and remediating sophisticated threats which have a possibility to or is evading existing defense mechanisms, across a given environment.

In our experience, the broad spectrum of attacks is successful if:

1. The security controls are not configured adequately or if they are not advanced enough to detect advanced threats.
2. Alerting isn’t provisioned in the given environment or is not optimized. In either of the cases, none of the stakeholders in the environment would be aware of the threats, as alerts wouldn’t be trigged for notifying them.
3. The attacks are sophisticated in nature, leveraging tactics, techniques and procedure (TTPs) that were not seen before

At its essence, threat hunting is a very crucial aspect in the overall scope of activities essential to modern cyber security operations. If a potential threat actor is identified proactively in a given environment, it reduces the overall dwell time (i.e. the time it takes for an organization to become aware of a breach), for potential adversaries in the network.

Where do we start?

As the majority of the targeted threats we identify are generally subtle in the way the attack vectors are operationalized, we believe the following will help an organization to get started:

1. Methodology/Framework: Organizations should commit to a proactive, evolving, and ongoing approach for threat hunting across the environment. For the same, from a cultural standpoint – dedication, patience, and commitment to the process are mandatory for the threat hunting process to show its value. A casual attitude or an ad-hoc process for Threat Hunting will not work to identify outliers.

2. Technology: This is one of the major areas which helps the organizations from a visibility standpoint. Most of the organizations have some type of endpoint/network security solutions that may leverage analytics and big data mechanisms to identify “abnormal” patterns. Threats hunting starts from here. To have an effective threat hunting process in place, an organization must have either one of such technology capability across the organization.

3. Cyber Threat Intelligence (CTI): Intelligence and identified patterns from environments which have been attacked around the globe, helps in classifying and identifying potential threat patterns. This level of influence ensures the intel consumers to have an edge and understand the threat landscape better, letting them have judgment based decision with unclassified threats.

4. Personnel: Threat hunting subject matter experts (SMEs) not only have a deep understanding of the current threat landscape or how to use the security technologies existing in an organization, but they also bring an approach (offensive security) having the ability to drill down and analyze the areas within an environment, with a 360-degree coverage – including areas wherein the tools or process may omit.

Examples for Threat Hunting

1. Changes across sanctioned processes and behavior

Having an awareness of what’s running on an endpoint in great, but when other factors are evaluated such as, whether a process which is existing for a given user is normal (as per the user role) or who is the parent spawning this process?  could let the threat hunting team correlate more points to understand, what’s exactly happening on a specific endpoint

2. Abuse of malicious scripts

Triggering or alerting on bad/malicious scripts without a signature/Yara rule is complicated as it possibly is a TEXT code which could be obfuscated not to include any identifiable normal words or characters. Investigating scripting interpreters is crucial as it may help threat hunters identify things, which cannot be identified any other way – e.g. unexpected executions of PowerShell and Windows Scripting Host is a must.

3. Honeypots – Pss.. Pss.. come here

Expands the concept of a honeypot, baiting an adversary to include more layers across accounts, files, shares, systems, and even network segments – to identify and observe the patterns from an adversary standpoint. It is crucial to think from an adversary’s standpoint, what areas within an organization they could identify as real environment vs a simulated one.

Visit our blog or Follow Us on Facebook Page for the latest news and insights on cybersecurity.

Stay Safe with TrustNet!