Morey Haber
Why Threat Hunting with XDR Matters

Extended detection and response technology assumes a breach across all your endpoints, networks, SaaS applications, cloud infrastructure, and any network-addressable resource.

Albert Zhichun Li, Chief Security Scientist, Stellar Cyber, also contributed to this article.

Have you ever played hide and seek? If you have, you may already understand how it relates to cybersecurity threat hunting. For those who haven't heard of the game, it requires at least two people: one or more individuals find a hiding place, and another attempts to find them. The person tasked with seeking typically counts to 30, giving those hiding a chance to run, hide, and attempt to remain undetected. It is a game of persistence, visual and audible acuity, and methodical review of previously known hiding places.

In the cybersecurity realm, hide and seek is an analogy for threat hunting, and using modern tools like XDR (extended detection and response) makes the task much easier than combing through gigabytes, terabytes, or even petabytes of event data.

What is XDR? XDR is an enhanced approach to traditional endpoint detection and response (EDR). It provides a model that detects attacks across endpoints, networks, software-as-a-service applications, cloud infrastructure, and really any network-addressable resource. It provides visibility into all layers of the network and application stack, and it combines advanced detection, automatic correlation, and machine learning to reveal events traditionally missed by SIEM solutions that rely on correlation alone. In addition, it provides intelligent alert suppression to filter out the noise that plagues most organizations. If you consider our hide-and-seek model, XDR brings a proactive approach to:

  • Maximizing the efficiency of data collected from existing security and information technology investments by collecting the right data and transforming the data with contextual information.
  • Identifying hidden threats using sophisticated behavior models through machine learning.
  • Identifying and correlating threats across multiple layers of the network or application stack.
  • Minimizing information security professional fatigue by providing precise alerts for investigation.
  • Providing the necessary forensic capabilities to integrate multiple signals and to construct the big picture of attacks quickly, so security professionals can complete investigations promptly and with high confidence for indicators of compromise.

From an organization's security perspective, XDR enables teams to prevent known cyberattacks, identify new threats, and strengthen the overall security process by literally finding the attacker hiding in your network. It becomes a better way for a security professional to become the efficient "seeker" in this new hide-and-seek game. And finally, it enables users to capitalize on an automated response in XDR which represents a potential game changer for capturing and ejecting an attacker once they are identified within an organization.

For executives and new security professionals, let us apply hide and seek and XDR to threat hunting. Threat hunting is the cybersecurity practice of processing information and methodically searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, intrusion prevention solutions, and log management are all designed to detect and protect against threats — even if they are zero-day threats that have never been seen before. Threat hunting is the layer above this: what threats are actively running in my network that the aforementioned security tools have missed, and how can I find them? XDR assumes the basic premise that the environment has already been compromised and a threat exists within it. In a typical environment, how can you determine whether a threat exists and where it is hiding with just an event correlation and aggregation solution? Realistically, you can't, and that's where XDR comes into play in our hide-and-seek analogy.

Dive Deep into Log Files and Access Requests
Threat hunting and an XDR solution provide better inspection of the data already being collected. This includes diving deeper into log files and access requests, and processing application events correlated from application control solutions and networks. Then, taking XDR to the next level requires automating a response, potentially at any layer, to contain or mitigate the detected threat. To determine whether a threat is truly present, consider these familiar approaches to building a hypothesis:

  • Advanced analytics via machine learning: Behaviors (or outlier events) can be assigned risk ratings and used to determine if a high-risk pattern is occurring.
  • Situational: High-value targets are analyzed, including data, assets, and employees, for abnormalities and unusual requests.
  • Intelligence: Correlation of threat patterns, threat intelligence, malware, sessions, and asset vulnerability information to draw a conclusion.

Therefore, for threat hunting to succeed, we need to meet the following requirements:

  • Consolidation tools, like an XDR system, collecting all applicable data sources for pattern recognition. As a general rule of thumb, the more security data the better. Extra data can always be filtered out, purged, or suppressed.
  • Tools for risk assessments, intrusion detection, and attack prevention are up to date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy and so is the data they are collecting.
  • Sources of information can be correlated by user account and hostname reliably. IP address changes due to DHCP and even poor time synchronization (due to a weak NTP implementation) can skew the results. We need to trust the data nearly implicitly, so a well-functioning infrastructure is a prerequisite.
  • Crown jewels and sensitive accounts are properly identified for data modeling. This includes monitoring when they are used, who is using them, and what actions are being performed.
  • Threats to the business, like a game-over breach event, are established and used to build a hypothesis. If an attacker did "this," could my business ever recover, and what would be the cost?
  • Documentation, such as network maps, descriptions of business processes, asset management, etc., is of high importance. Threat hunting with XDR does rely on the human element to correlate information to the actual business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and how it is remaining persistent.
  • The response to the threat needs to be a part of a standard workflow and be secured. If the desired result is to quarantine an asset or change a firewall configuration, the method for automated response needs to be secure so it cannot be leveraged against the business as a denial-of-service attack.
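The correlation requirement above (join on user account and hostname, not on IP, and distrust unsynchronized clocks) is easy to get wrong in practice. The following Python is an added example, not code from the article or either author: it resolves IP-only firewall alerts to a hostname using the DHCP lease that was active at the clock-corrected time, and contrasts that with a naive IP join. All hosts, addresses, timestamps and the 10-minute firewall clock skew are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease log: (ip, hostname, lease_start, lease_end).
# The same address is handed to two different workstations on the same day.
DHCP_LEASES = [
    ("10.0.0.25", "WS-ALICE", "2020-10-20T08:00:00Z", "2020-10-20T12:00:00Z"),
    ("10.0.0.25", "WS-BOB",   "2020-10-20T12:05:00Z", "2020-10-20T18:00:00Z"),
]

# Constructed firewall alerts that carry only a source IP: (ts, src_ip, signature).
FIREWALL_ALERTS = [
    ("2020-10-20T09:30:00Z", "10.0.0.25", "outbound-beacon"),
    ("2020-10-20T12:03:00Z", "10.0.0.25", "outbound-beacon"),  # falls in the lease gap if uncorrected
    ("2020-10-20T12:30:00Z", "10.0.0.25", "outbound-beacon"),
]

# Assumption for the example: the firewall's clock runs 10 minutes fast
# relative to the DHCP server (the kind of NTP problem the text warns about).
FIREWALL_CLOCK_SKEW = timedelta(minutes=10)


def parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def host_for(ip, when, leases=DHCP_LEASES):
    """Hostname holding `ip` at datetime `when`, or None if no lease covers it."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and parse(start) <= when <= parse(end):
            return host
    return None  # unattributable: flag for the analyst rather than guess


def attribute_alerts(alerts, skew=timedelta(0)):
    """Time-aware attribution: subtract the source's clock skew, then look up the lease."""
    return [(sig, host_for(ip, parse(ts) - skew)) for ts, ip, sig in alerts]


def naive_attribution(alerts, leases=DHCP_LEASES):
    """The wrong way: join on IP alone and take whoever held the address last."""
    latest = {}
    for ip, host, _start, end in leases:
        if ip not in latest or parse(end) > parse(latest[ip][1]):
            latest[ip] = (host, end)
    return [(sig, latest.get(ip, (None, None))[0]) for _ts, ip, sig in alerts]
```

Run against the constructed data, the naive join blames WS-BOB for every alert, the uncorrected time-aware lookup leaves the 12:03 alert unattributed, and only the skew-corrected lookup assigns the first two beacons to WS-ALICE and the last to WS-BOB.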

About Albert Zhichun Li, Chief Security Scientist, Stellar Cyber
Albert Zhichun Li has over 15 years of experience in cybersecurity research. He has filed 40+ US patents and published many seminal research papers in top security, AI and system academic conferences.

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ...
