7/1/2016
09:15 AM

5 Things To Consider With A Threat Hunting Program

A change in mindset and the ability to think like a malicious hacker are two key requirements.

The constantly evolving ability of cyberattackers to get past even the most fortified of enterprise defenses has intensified pressure on organizations to develop better threat detection and response capabilities.

One outcome of that focus is the growing interest in what many have taken to calling "threat hunting," the notion that it is better to proactively scour the network for malicious activity than simply to wait for something bad to happen first.

A recent survey by the SANS Institute showed that many organizations are already engaged, to some extent, in threat hunting practices. Eighty-six percent of the 494 IT professionals surveyed by SANS say they have implemented threat-hunting processes. About 59% claimed that threat hunting had enhanced their incident response capabilities, while 75% credited the process with reducing their attack surface.

David Bianco, a security technologist at Sqrrl Data Inc. who developed a threat hunting maturity model, has described threat hunting as “the collective name for any manual or machine-assisted techniques used to detect security incidents.”

Core to the process are the quality of the data used for hunting, the tools available to access and analyze that data, and the skill levels of the analysts tasked with using the data to hunt down security threats, according to Bianco.

The actual techniques that hunters might use to chase down an intruder vary, and it is difficult to point to a single approach as the best, he noted. In fact, it is better for hunters to be familiar with a variety of methods so they can pick the most suitable one for a particular situation.

Here are five things to consider when implementing a threat hunting process in your organization:

Change Your Mindset

Threat hunting is less about new technologies and techniques than it is about a fundamental change in mindset, says Yonatan Striem Amit, chief technology officer and co-founder at Cybereason, a vendor of endpoint detection and response technologies.

The emphasis is on using human smarts to ferret out malicious activity rather than relying solely on security alerting tools. Hunches and "gut-feel" play as much a part in threat hunting as indicators of compromise and other technology metrics and alerts.

“Because of a general lack of understanding of what a complex attack looks like, there is often a huge amount of focus on how to prevent the initial break-in,” or on how and where an intruder might have broken in, Amit says. Less attention is paid to understanding what an intruder might do after the initial compromise.

“To threat hunt, you have to acknowledge that attackers are probably getting past your existing defenses,” says Richard Stiennon, chief research analyst at IT-Harvest. “While you should never cease shoring up those defenses, you do have to look for adversaries that have defeated them. You do this by threat hunting."

Amit likens the difference in attitude that is needed to the difference in approach taken by traffic police and criminal investigators when responding to incidents. “The working assumption when you are a traffic cop is that accidents happen because of inattention,” and other accidental causes, Amit says.

“But when you are a cop working on a murder investigation, you assume the people involved have a malicious reason and you go and investigate that and understand why it happened," he says.

Think Like A Hacker

To be good at threat hunting you absolutely need to think like a malicious hacker would, Amit says. For example, if your organization is the kind that measures success by how many trouble tickets you can close in an hour and how quickly you can remediate issues, there’s a good chance that attackers know that as well.

“If I was running a hacking campaign, I would send a slew of known malware just to give you a lot of work. If you don’t have the habit of going down to the bottom of an event each time, I know you are going to be susceptible.”

It is vital for organizations to realize that the initial intrusion is usually the easiest first step of a complex attack. Once you understand that, a lot of other things fall into place, he says. “You look into understanding how your adversary works, and the processes and motivations driving adversarial activities,” to know what they are likely to be doing on your network and where they are most likely going to be lurking, Amit says.

Stop Focusing Solely On The Malware

The malware that attackers use on your network is just a means to an end. So merely finding and eradicating malware samples is not enough.

“Threat hunting is not just searching hosts for indicators of compromise,” says John Pescatore, director of emerging security trends at the SANS Institute. “In reality, that is nothing but host-based intrusion detection using a fancy name for signatures.”

Threat hunting requires a combination of active threat monitoring and directed probing. “That is, I know how the active dangerous threats are operating, I know which of my assets they would target, and [whether they] are active against those assets,” Pescatore says.

By focusing too much on finding malware, you also run the risk of overlooking malicious activities carried out by attackers using legitimate tools and access credentials on your network, Amit cautions. Often, attackers who manage to gain initial access to a system will try to find a way to escalate privileges and quietly move around the network by leveraging PowerShell, Windows tools like WMI, and similar built-in capabilities. Malware detection tools cannot help spot such activity.

Make The Right Data Available

Good data and intelligence are key to an effective cyber-hunting capability, says Kris Lovejoy, president of security vendor Acuity Solutions.

Data gathered by security systems, SIEMs, analytics platforms, and network monitoring tools can provide a wealth of information on the health of a network. When properly vetted through the right filters, such data can play a vital role in helping threat hunters arrive at a more contextual understanding of what they might be seeing or chasing down on the network, she says.

“Think about the job of cyber hunting as the same thing as monitoring photographs on Facebook for child pornography,” Lovejoy says. The human staff on Facebook tasked with the job of monitoring photos sometimes have to make determinations based both on experience and on the intelligence gathered by Facebook’s systems to help them interpret what they are seeing.

Threat hunting is all about piecing together disparate data to build a picture of an attack underway, Stiennon adds. “It could be unusual behavior reported by a UEBA [User and Entity Behavior Analytics] solution. It could be a traffic spike or unusual connection identified by your netflow monitoring solution,” he says. Or it could be a match on a piece of threat intelligence run against your SIEM or endpoint monitoring data.

“Beyond technology you need digital sleuths pulling the levers on all of these modern tools,” Stiennon says. This is a role that is ideally filled by puzzle solvers and people who are inquisitive by nature.

Look for these traits anywhere in your IT department, he says. “Put them in front of a console that allows them to do link and graph analysis on lots of data. Feed them lots of data. Stand back and watch what happens.”

Do Crazy Ivans

Doing something unexpected is a good way to ferret out hidden intruders on your network, Lovejoy says.

One example would be the digital equivalent of a Cold War era tactic called Crazy Ivan that was used by submarine commanders to detect if another submarine was hiding behind them in their wake. The tactic involved abrupt hard turns and other maneuvers so a submarine following behind another would be exposed, Lovejoy says.

One way to do the same thing in the digital world is to unexpectedly change passwords to see whether someone is making password-cracking attempts, she says. Another tactic is to clear DNS caches, which makes it easier to see whether any compromised endpoints are trying to resolve the names of botnets and other malicious servers, Lovejoy says.
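As an added illustration of the DNS-cache version of the Crazy Ivan described above (example code, not from the article or any vendor quoted in it), the following Python hunts a constructed post-flush DNS query log for endpoints that immediately re-resolve watchlisted names or receive watchlisted addresses; the log format, the watchlists, the client addresses and the flush time are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log; caches on the endpoints were cleared at 10:00:00.
# Assumed line format: "<ISO timestamp> client=<ip> qname=<name> answer=<ip|NXDOMAIN>"
SAMPLE_LOG = """\
2016-07-01T09:58:12 client=10.0.0.5 qname=updates.example.net answer=93.184.216.34
2016-07-01T10:00:07 client=10.0.0.5 qname=mail.example.net answer=93.184.216.35
2016-07-01T10:00:09 client=10.0.0.23 qname=cdn-update.bad-example.test answer=203.0.113.77
2016-07-01T10:00:10 client=10.0.0.23 qname=a1b2c3.bad-example.test answer=NXDOMAIN
2016-07-01T10:00:41 client=10.0.0.23 qname=cdn-update.bad-example.test answer=203.0.113.77
2016-07-01T10:01:03 client=10.0.0.9 qname=intranet.example.net answer=10.0.0.2
2016-07-01T10:01:15 client=10.0.0.9 qname=beacon.evil-example.test answer=198.51.100.9
"""

# Constructed watchlists (placeholder values, not real indicators).
BAD_DOMAINS = {"bad-example.test", "evil-example.test"}
BAD_IPS = {"203.0.113.77"}

LINE_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) answer=(\S+)$")


def domain_matches(qname, watchlist):
    """True if qname equals, or is a subdomain of, any watchlisted zone.
    Label-wise matching avoids false hits such as notbad-example.test."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def hunt_after_flush(log_text, flush_iso, bad_domains=BAD_DOMAINS, bad_ips=BAD_IPS):
    """Return {client: sorted indicators} for post-flush queries that hit a
    watchlisted zone or resolved to a watchlisted address. Once endpoint
    caches are cleared, every host must re-resolve the names it is actively
    using, so the first queries after the flush reveal who still talks to
    the bad hosts; pre-flush lines are ignored."""
    flush_time = datetime.fromisoformat(flush_iso)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname, answer = m.groups()
        if datetime.fromisoformat(ts) < flush_time:
            continue
        if domain_matches(qname, bad_domains):
            hits[client].add(qname)
        if answer in bad_ips:
            hits[client].add(answer)
    return {client: sorted(indicators) for client, indicators in hits.items()}
```

Run `hunt_after_flush(SAMPLE_LOG, "2016-07-01T10:00:00")` against the sample to get the two flagged endpoints; against a real resolver log, feed it the actual flush time and your own threat-intel lists.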

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.