Albert Zhichun Li, Chief Security Scientist, Stellar Cyber, also contributed to this article.
Have you ever played hide and seek? If you have, you may already understand how it relates to cybersecurity threat hunting. For those who haven't heard of the game, it requires at least two people: one finds a hiding place and the other attempts to find them. The seeker typically counts to 30, giving those hiding a chance to run, hide, and attempt to remain undetected. It is a game of persistence, visual and audible acuity, and methodical review of previously known hiding places.
In the cybersecurity realm, hide and seek is an analogy for threat hunting, and modern tools like XDR (extended detection and response) make the task much easier than combing through gigabytes, terabytes, or even petabytes of event data.
What is XDR? XDR is an enhanced approach to traditional endpoint detection and response (EDR). It provides a model that detects attacks across endpoints, networks, software-as-a-service applications, cloud infrastructure, and really any network-addressable resource. It gives visibility into all layers of the network and application stack, and it applies advanced detection, automatic correlation, and machine learning to reveal events traditionally missed by SIEM solutions that use correlation alone. In addition, it provides intelligent alert suppression to filter out the noise that plagues most organizations. If you consider our hide-and-seek model, XDR brings a proactive approach to:
From an organization's security perspective, XDR enables teams to prevent known cyberattacks, identify new threats, and strengthen the overall security process by literally finding the attacker hiding in your network. It gives a security professional a better way to become the efficient "seeker" in this new hide-and-seek game. And finally, it enables users to capitalize on automated response in XDR, which represents a potential game changer for capturing and ejecting an attacker once they are identified within an organization.
For executives and new security professionals, let us apply hide and seek and XDR to threat hunting. Threat hunting is the cybersecurity practice of processing information and conducting process-oriented searches through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, intrusion prevention solutions, and log management are all designed to detect and protect against threats — even if they are zero-day threats and have never been seen before. Threat hunting is the layer above this. It asks: what threats are actively running in my network and are missed by the aforementioned security tools, and how can I find them? XDR assumes the basic premise that the environment has already been compromised and a threat exists within it. In a typical environment, how can you determine if a threat exists and where it is hiding with just an event correlation and aggregation solution? Realistically, you can't, and that's where XDR comes into play for our hide-and-seek analogy.
Dive Deep into Log Files and Access Requests
Threat hunting and an XDR solution provide better inspection of the data already being collected. This includes diving deeper into log files and access requests, and processing application events correlated from application control solutions and networks. Then, taking XDR to the next level requires automating a response, potentially at any layer, to contain or mitigate the detected threat. To determine whether a threat is truly present, consider these familiar hypotheses:
Therefore, for threat hunting to succeed, we need to meet the following requirements:
About Albert Zhichun Li, Chief Security Scientist, Stellar Cyber
Albert Zhichun Li has over 15 years of experience in cybersecurity research. He has filed 40+ US patents and published many seminal research papers in top security, AI and system academic conferences.