Operations

7/1/2016
09:15 AM
5 Things To Consider With A Threat Hunting Program

A change in mindset and the ability to think like a malicious hacker are two key requirements.

The constantly evolving ability of cyberattackers to get past even the most fortified of enterprise defenses has intensified pressure on organizations to develop better threat detection and response capabilities.

One outcome of that focus is the growing interest in what many have taken to calling "threat hunting": the notion that it is better to proactively scour the network for malicious activity than to simply wait for something bad to happen first.

A recent survey by the SANS Institute showed that many organizations are already engaged, to some extent, in threat hunting practices. Eighty-six percent of the 494 IT professionals surveyed by SANS say they have implemented threat-hunting processes. About 59% claimed that threat hunting had enhanced their incident response capabilities, while 75% credited the process with reducing their attack surface.

David Bianco, a security technologist at Sqrrl Data Inc. who has developed a threat hunting maturity model, has described threat hunting as “the collective name for any manual or machine-assisted techniques used to detect security incidents.”

Core to the process are the quality of the data used for hunting, the tools available to access and analyze that data, and the skill levels of the analysts tasked with using it to hunt down security threats, according to Bianco.

The actual techniques that hunters might use to chase down an intruder vary, and it is difficult to point to a single approach as the best, he noted. In fact, it is better for hunters to be familiar with a variety of methods so they know the most suitable one for a particular situation.

Here are five things to consider when implementing a threat hunting process in your organization:

Change Your Mindset

Threat hunting is less about new technologies and techniques than it is about a fundamental change in mindset, says Yonatan Striem Amit, chief technology officer and co-founder at Cybereason, a vendor of endpoint detection and response technologies.

The emphasis is on using human smarts to ferret out malicious activity rather than relying solely on security alerting tools. Hunches and "gut-feel" play as much a part in threat hunting as indicators of compromise and other technology metrics and alerts.

“Because of a general lack of understanding of what a complex attack looks like, there is often a huge amount of focus on how to prevent the initial break-in,” or on how and where an intruder might have broken in, Amit says. Less attention is paid to understanding what an intruder might do after the initial compromise.

“To threat hunt, you have to acknowledge that attackers are probably getting past your existing defenses,” says Richard Stiennon, chief research analyst at IT-Harvest. “While you should never cease shoring up those defenses, you do have to look for adversaries that have defeated them. You do this by threat hunting.”

Amit likens the difference in attitude that is needed to the difference in approach taken by traffic police and criminal investigators when responding to incidents. “The working assumption when you are a traffic cop is that accidents happen because of inattention,” and other accidental causes, Amit says.

“But when you are a cop working on a murder investigation, you assume the people involved have a malicious reason and you go and investigate that and understand why it happened,” he says.

Think Like A Hacker

To be good at threat hunting you absolutely need to think like a malicious hacker would, Amit says. For example, if your organization is the kind that measures success by how many trouble tickets you can close in an hour and how quickly you can remediate issues, there’s a good chance that attackers know that as well.

“If I was running a hacking campaign, I would send a slew of known malware just to give you a lot of work. If you don’t have the habit of going down to the bottom of an event each time, I know you are going to be susceptible.”

It is vital for organizations to realize that the initial intrusion is usually the easiest first step of a complex attack. Once you understand that, a lot of other things fall into place, he says. “You look into understanding how your adversary works, and the processes and motivations driving adversarial activities,” to know what they are likely to be doing on your network and where they are most likely going to be lurking, Amit says.

Stop Focusing Solely On The Malware

The malware that attackers use on your network is just a means to an end. So merely finding and eradicating malware samples is not enough.

“Threat hunting is not just searching hosts for indicators of compromise,” says John Pescatore, director of emerging security trends at the SANS Institute. “In reality, that is nothing but host-based intrusion detection using a fancy name for signatures.”

Threat hunting requires a combination of active threat monitoring and directed probing. “That is, I know how the active dangerous threats are operating, I know which of my assets they would target, and [whether they] are active against those assets,” Pescatore says.

By focusing too much on finding malware, you also run the risk of overlooking malicious activities carried out by attackers using legitimate tools and access credentials on your network, Amit cautions. Often, attackers who manage to gain initial access to a system will try to figure out a way to escalate privileges and quietly move around the network by leveraging PowerShell, Windows tools like WMI, and other similar capabilities. Malware detection tools cannot help spot such activity, because nothing malicious is ever written to disk.
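One way a hunter can surface that kind of activity is to ask the endpoint telemetry questions a malware scanner never asks: which built-in administration tools were launched, by which parent process, and by which account on how many hosts. The following is an added example (not code from the article or from any vendor named in it); the event fields, process names treated as "remote execution" parents, and the sample events are constructed for illustration.

```python
"""Hunting for living-off-the-land activity in process-creation telemetry.

Two signals that need no malware signature at all:
  1. an admin tool (PowerShell, cmd, wmic) started by the WMI provider
     host, which is how a remote WMI process-creation call shows up on
     the target machine;
  2. one account running admin tooling on many distinct hosts in the
     same data set, the footprint of someone moving around the network.
"""
from collections import defaultdict, namedtuple

# Constructed event shape: what a sysmon/EDR process-creation record boils down to.
ProcEvent = namedtuple("ProcEvent", "host user parent image")

ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe"}
# Parents that should not normally be launching an admin shell.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}

# Constructed sample data: one service account touching several servers.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "CORP\\alice", "explorer.exe", "powershell.exe"),   # interactive user, benign
    ProcEvent("srv-02", "CORP\\svc-backup", "wmiprvse.exe", "powershell.exe"),
    ProcEvent("srv-03", "CORP\\svc-backup", "wmiprvse.exe", "cmd.exe"),
    ProcEvent("srv-04", "CORP\\svc-backup", "services.exe", "wmic.exe"),
    ProcEvent("ws-05", "CORP\\bob", "explorer.exe", "cmd.exe"),             # interactive user, benign
]


def hunt(events, fanout_threshold=3):
    """Return (host, user, reason) findings worth an analyst's attention.

    fanout_threshold is the number of distinct hosts on which a single
    account may run admin tooling before it is flagged; tune it to the
    environment (a real backup account may legitimately touch many hosts).
    """
    findings = []
    hosts_by_user = defaultdict(set)
    for ev in events:
        image, parent = ev.image.lower(), ev.parent.lower()
        if image not in ADMIN_TOOLS:
            continue
        if parent in REMOTE_EXEC_PARENTS:
            findings.append((ev.host, ev.user, f"{image} spawned by {parent}"))
        hosts_by_user[ev.user].add(ev.host)
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= fanout_threshold:
            findings.append(("*", user, f"admin tooling on {len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for host, user, reason in hunt(SAMPLE_EVENTS):
        print(f"{host:8} {user:18} {reason}")
```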

Make The Right Data Available

Good data and intelligence are key to an effective cyber-hunting capability, says Kris Lovejoy, president of security vendor Acuity Solutions.

Data gathered by security systems, SIEMs, analytics platforms, and network monitoring tools can provide a wealth of information on the health of a network. When properly vetted through the right filters, such data can play a vital role in helping threat hunters arrive at a more contextual understanding of what they might be seeing or chasing down on the network, she says.

“Think about the job of cyber hunting as the same thing as monitoring photographs on Facebook for child pornography,” Lovejoy says. The human staff on Facebook tasked with the job of monitoring photos sometimes have to make determinations based both on experience and on the intelligence gathered by Facebook’s systems to help them interpret what they are seeing.

Threat hunting is all about piecing together disparate data to build a picture of an attack underway, Stiennon adds. “It could be unusual behavior reported by a UEBA [User and Entity Behavior Analytics] solution. It could be a traffic spike or unusual connection identified by your netflow monitoring solution,” he says. Or it could be a match on a piece of threat intelligence run against your SIEM or endpoint monitoring data.

“Beyond technology you need digital sleuths pulling the levers on all of these modern tools,” Stiennon says. This is a role that is ideally filled by puzzle solvers and people who are inquisitive by nature.

Look for these traits anywhere in your IT department, he says. “Put them in front of a console that allows them to do link and graph analysis on lots of data. Feed them lots of data. Stand back and watch what happens.”

Do Crazy Ivans

Doing something unexpected is a good way to ferret out hidden intruders on your network, Lovejoy says.

One example would be the digital equivalent of a Cold War era tactic called Crazy Ivan that was used by submarine commanders to detect if another submarine was hiding behind them in their wake. The tactic involved abrupt hard turns and other maneuvers so a submarine following behind another would be exposed, Lovejoy says.

One way to do the same thing in the digital world is to unexpectedly change passwords to see if someone is making password-cracking attempts, she says. Another tactic is to clear DNS caches, which makes it easier to spot any compromised endpoints that are trying to resolve the names of botnets and malicious servers, Lovejoy says.
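The DNS version of the maneuver only pays off if someone is watching the resolver logs right after the flush. Below is an added example (not from the article) of that watching step: it takes resolver query lines and a threat-intelligence watchlist, keeps only queries inside a window after the flush, and reports endpoints that re-resolve a watchlisted name repeatedly, with a helper that checks whether the re-queries arrive on a regular cadence. The log format, the flush time, the watchlist domains and the sample lines are all constructed for illustration.

```python
"""DNS 'Crazy Ivan': flush the caches, then watch who asks for what.

While an answer sits in an endpoint's cache, a beaconing implant never
has to ask the resolver again, so its lookups are invisible in resolver
logs. Clearing the caches forces every active client to re-ask, and the
first minutes after the flush show which endpoints want which names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist: names supplied by threat intelligence (placeholders).
WATCHLIST = {"update-check.example.net", "cdn-sync.example.org"}

# Constructed resolver log, one query per line: "<ISO time> <client ip> <name>".
SAMPLE_LOG = """\
2016-07-01T09:00:05 10.0.0.21 www.example.com
2016-07-01T09:00:09 10.0.0.21 update-check.example.net
2016-07-01T09:16:02 10.0.0.33 mail.example.com
2016-07-01T09:16:10 10.0.0.21 update-check.example.net
2016-07-01T09:17:30 10.0.0.48 cdn-sync.example.org
2016-07-01T09:21:10 10.0.0.21 update-check.example.net
2016-07-01T09:26:11 10.0.0.21 update-check.example.net
"""
FLUSH_AT = datetime(2016, 7, 1, 9, 15)  # constructed: when caches were cleared


def parse(log):
    """Yield (time, client, name) triples from the constructed log format."""
    for line in log.splitlines():
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name.lower()


def hunt_after_flush(log, flush_at, window=timedelta(minutes=15), min_hits=2):
    """Map client -> {name: [query times]} for watchlisted names a client
    resolved at least min_hits times inside the window after the flush.
    Queries before the flush are ignored on purpose: they prove nothing
    about whether the host is still actively trying to reach the name."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, client, name in parse(log):
        if flush_at <= ts <= flush_at + window and name in WATCHLIST:
            seen[client][name].append(ts)
    return {c: {n: sorted(t) for n, t in names.items() if len(t) >= min_hits}
            for c, names in seen.items()
            if any(len(t) >= min_hits for t in names.values())}


def looks_periodic(times, tolerance=timedelta(seconds=5)):
    """True when every gap between successive queries matches the first gap
    within tolerance: the fixed check-in cadence of an implant, not a user."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) >= 2 and all(abs(g - gaps[0]) <= tolerance for g in gaps)
```

A single post-flush lookup of a watchlisted name is still worth a look; lower `min_hits` to 1 to include those hosts and triage them by hand.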

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
