

3/27/2019
02:30 PM
David Mashburn
Commentary

Threat Hunting 101: Not Mission Impossible for the Resource-Challenged

How small and medium-sized businesses can leverage native features of the operating system and freely available, high-quality hunting resources to overcome financial limitations.

Threat hunting is considered an essential part of modern cybersecurity operations. It offers numerous benefits: the proactive identification of threat actors in your environment, a potential reduction in the dwell time of adversaries in your network, and the discovery and resolution of benign but significant issues that improve overall enterprise IT operations.

For resource-challenged organizations, threat hunting is often deemed mission impossible. This is not true. The benefits of threat hunting can be realized by deploying a methodical approach.

The first consideration before implementing threat hunting is the maturity of your security operations. While moving from a passive, detection-oriented posture to active hunting is an exciting prospect for many teams of defenders, many organizations would be better off first improving their configuration management, patch management, and vulnerability management efforts. These are challenging even for organizations with dedicated teams in those functional areas.

These processes are typically less mature in smaller organizations. As a result, small or resource-constrained security teams would be well served to review their operational maturity against available information security guidance, such as the Center for Internet Security Critical Security Controls (CIS CSC). The CSC helps organizations prioritize the implementation of security controls, and while threat hunting is one of the items in the CSC, it is recommended only after an organization has reached a specific level of security operations maturity.

Onward to Threat Hunting
After demonstrating effective asset management, patch management, and vulnerability management, an organization is better positioned to spin up threat-hunting efforts. Looking at the IT systems of a typical small or medium-sized organization, we often find Windows desktops joined to an Active Directory domain, along with some sort of cloud presence, most likely software as a service. It is in this type of environment that we can explore how native capabilities can be leveraged to support threat hunting.

The lifeblood of threat hunting is security data. This will typically be in the form of logs, whether it is network-related data such as firewall or web proxy logs, or endpoint data from the operating system or from the endpoint security suite. To effectively hunt, data from client endpoints must be collected centrally. Given the prevalence of client-side attacks such as phishing, and the observed pattern of attack behaviors that use compromised clients to persist and move around the environment, the critical data related to adversary activity will often only be in the endpoint logs.

While the collection of endpoint logs may conjure visions of expensive SIEM solutions or yet another agent to deploy and manage, this data collection problem has a straightforward solution. A native Windows feature, Windows Event Forwarding, solves the endpoint log collection problem at a cost that will make management happy: zero. Endpoints are configured through Group Policy to push their events to a central collector. For many small organizations, a single server, or even an existing low-activity server, would be suitable for this role.

Once endpoint data is centrally collected, the hunting can begin. Ideally, this data would be further consolidated into an existing SIEM or log aggregation solution to facilitate searching and correlation. Where that option does not exist, there are projects that provide PowerShell scripts to analyze the forwarded log data. One example is the DeepBlueCLI project authored by Eric Conrad, freely available on his GitHub profile. This set of scripts provides basic threat-hunting capability by looking for evidence of malicious behavior in the endpoint log data.
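To make the "PowerShell over forwarded logs" idea concrete, here is an added example of the kind of hunt such a script performs; it is not code from the article or from DeepBlueCLI. It flattens Security events from the ForwardedEvents log into hashtables and runs two hunts: process creations (event 4688) with an encoded PowerShell command line or an Office parent, and bursts of failed logons (event 4625) from one source against many accounts. The field names are the Security log's own EventData names; the thresholds and the sample records are constructed.

```powershell
# Added example for this article (not from DeepBlueCLI): two hunts over
# forwarded Security events. Thresholds and sample data are constructed.

# Flatten a Get-WinEvent record into a hashtable keyed by EventData field name.
function ConvertTo-EventRecord {
    param([Parameter(Mandatory)] $Record)   # System.Diagnostics.Eventing.Reader.EventLogRecord
    $rec = @{ Id = $Record.Id; Time = $Record.TimeCreated; Host = $Record.MachineName }
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $rec[$d.Name] = $d.'#text' } }
    return $rec
}

# Last path component, lower-cased; regex split so it behaves the same on any host.
function Get-BaseName([string] $Path) { ($Path -split '[\\/]')[-1].ToLower() }

# Hunt 1: 4688 with an encoded PowerShell command line, or an interpreter
# whose parent is an Office application.
function Find-SuspiciousProcessCreation {
    param([Parameter(Mandatory)] [hashtable[]] $Records)
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
    $office = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
    foreach ($r in ($Records | Where-Object { $_.Id -eq 4688 })) {
        $child  = Get-BaseName $r.NewProcessName
        $parent = Get-BaseName $r.ParentProcessName
        $reasons = @()
        if ([string]$r.CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
            $reasons += 'encoded PowerShell command line'
        }
        if (($office -contains $parent) -and ($shells -contains $child)) {
            $reasons += "$child spawned by $parent"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $r.Time; Host = $r.Host; User = $r.SubjectUserName
                               Process = $child; Parent = $parent; Reason = ($reasons -join '; ')
                               CommandLine = $r.CommandLine }
        }
    }
}

# Hunt 2: 4625 grouped by source address. One address failing against many
# distinct accounts inside a short window is a password-spraying pattern.
function Find-LogonFailureBursts {
    param([Parameter(Mandatory)] [hashtable[]] $Records, [int] $MinAccounts = 5, [int] $WindowMinutes = 30)
    $failures = $Records | Where-Object { $_.Id -eq 4625 -and $_.IpAddress -and $_.IpAddress -ne '-' }
    foreach ($group in ($failures | Group-Object { $_.IpAddress })) {
        $sorted   = @($group.Group | Sort-Object { $_.Time })
        $span     = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $accounts = @($sorted | ForEach-Object { $_.TargetUserName } | Sort-Object -Unique)
        if ($accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
            [pscustomobject]@{ Source = $group.Name; Accounts = $accounts.Count; Failures = $group.Count
                               FirstSeen = $sorted[0].Time; LastSeen = $sorted[-1].Time }
        }
    }
}

# Constructed sample records standing in for forwarded events.
$t0 = [datetime]'2019-03-27T14:00:00'
$sample = @(
    @{ Id = 4688; Time = $t0; Host = 'WS01'; SubjectUserName = 'alice'
       NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe'
       CommandLine = '"notepad.exe" notes.txt' }
    # The base64 below is just "Write-Host hi" in UTF-16LE.
    @{ Id = 4688; Time = $t0.AddMinutes(2); Host = 'WS01'; SubjectUserName = 'alice'
       NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = 'powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=' }
)
$sample += (1..6 | ForEach-Object {
    @{ Id = 4625; Time = $t0.AddMinutes($_); Host = 'DC01'; TargetUserName = "user$_"; IpAddress = '10.0.0.45' }
})

Find-SuspiciousProcessCreation -Records $sample | Format-Table Time, Host, User, Process, Parent, Reason -AutoSize
Find-LogonFailureBursts -Records $sample | Format-Table -AutoSize

# Against real forwarded data on the collector:
#   $records = Get-WinEvent -LogName ForwardedEvents -FilterXPath '*[System[EventID=4688 or EventID=4625]]' |
#              ForEach-Object { ConvertTo-EventRecord $_ }
```

The sample run flags the second process creation for both reasons and the six failures from 10.0.0.45 as one burst. The hunts deliberately take plain hashtables rather than live event objects, so the same functions can be pointed at an exported .evtx via `Get-WinEvent -Path` or at records already loaded into a SIEM.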

Log Data and Other Indicators
If the capability does exist to roll this data into a log correlation tool, the flexibility to hunt for different indicators expands greatly. A resource such as the MITRE ATT&CK framework can be used to look for specific techniques from the various stages of the attack life cycle, providing a wealth of indicators to use as the basis of the hunting process. From an endpoint perspective, this methodology provides a ready way to get started hunting in Windows event logs. However, Windows event logs are not the only data source that can support threat hunting.

Network-based data is another essential source of indications of adversary activity in your environment. NetFlow, firewall logs, proxy logs, DNS logs, and DHCP logs can all play a role in threat hunting. Collecting these log types may be more difficult in some environments because of access issues, the performance overhead of generating the logs, and the difficulty of analyzing them effectively. Even so, these sources can reveal signs of threat actors: unusual user-agent strings, unusual data volumes or destination IP addresses, unusual client-to-client flows for protocols such as SMB, odd hostnames or MAC addresses in DHCP leases, and indications of domain generation algorithms (DGAs) in certificate names and URLs. These are only a few of the indicators available, but they can be highly effective components of a successful hunt.
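Two of the network indicators listed above, rare user-agent strings and DGA-like names, can be scored with a few lines of PowerShell once proxy and DNS logs are exported. The following is an added example, not code from the article; the line formats it parses ("time client destination user-agent" for proxy lines, "time client queried-name" for DNS lines) and the thresholds are assumptions, and the log lines are constructed.

```powershell
# Added example for this article: scoring two network-side indicators over
# constructed log lines. Formats and thresholds are assumptions to adapt.

# Rare user-agent strings: a UA seen from only a handful of clients, while the
# rest of the fleet shares a few browser UAs, is worth a look.
function Find-RareUserAgents {
    param([Parameter(Mandatory)] [string[]] $ProxyLines, [int] $MaxClients = 1)
    $rows = foreach ($line in $ProxyLines) {
        $f = $line -split '\s+', 4          # user-agent is the remainder, spaces included
        if ($f.Count -eq 4) { [pscustomobject]@{ Client = $f[1]; Dest = $f[2]; UserAgent = $f[3] } }
    }
    $rows | Group-Object UserAgent | ForEach-Object {
        $clients = @($_.Group.Client | Sort-Object -Unique)
        if ($clients.Count -le $MaxClients) {
            [pscustomobject]@{ UserAgent = $_.Name; Clients = ($clients -join ','); Requests = $_.Count }
        }
    }
}

# Shannon entropy (bits per character) of one DNS label.
function Get-LabelEntropy {
    param([string] $Label)
    if (-not $Label) { return 0.0 }
    $h = 0.0
    foreach ($g in ($Label.ToCharArray() | Group-Object)) {
        $p = $g.Count / $Label.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

# DGA-like names: long second-level label, high entropy, few vowels. Assumes a
# one-label public suffix (example.com); co.uk-style suffixes need a suffix list.
function Find-DgaLikeQueries {
    param([Parameter(Mandatory)] [string[]] $DnsLines, [double] $MinEntropy = 3.5, [int] $MinLength = 12)
    foreach ($line in $DnsLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 3) { continue }
        $qname  = $f[2].TrimEnd('.')
        $labels = $qname -split '\.'
        if ($labels.Count -lt 2) { continue }
        $sld = $labels[-2].ToLower()
        if (-not $sld) { continue }
        $vowelRatio = ([regex]::Matches($sld, '[aeiou]')).Count / $sld.Length
        $entropy = Get-LabelEntropy $sld
        if ($sld.Length -ge $MinLength -and $entropy -ge $MinEntropy -and $vowelRatio -lt 0.25) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Query = $qname
                               Entropy = [math]::Round($entropy, 2); VowelRatio = [math]::Round($vowelRatio, 2) }
        }
    }
}

# Constructed sample lines.
$proxy = @(
    '14:00:01 10.0.0.21 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0'
    '14:00:03 10.0.0.22 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0'
    '14:00:04 10.0.0.23 news.example.net Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0'
    '14:00:09 10.0.0.45 203.0.113.10 python-requests/2.21.0'
)
$dns = @(
    '14:00:01 10.0.0.21 www.example.com.'
    '14:00:02 10.0.0.22 update.windowsupdate.com.'
    '14:00:05 10.0.0.45 xkq7fj2mwp9zt.net.'
    '14:00:06 10.0.0.45 kz8qw2xjvn4tpl.biz.'
)
Find-RareUserAgents -ProxyLines $proxy | Format-Table -AutoSize
Find-DgaLikeQueries -DnsLines $dns | Format-Table -AutoSize
```

On the sample data the lone `python-requests` agent and the two high-entropy, vowel-free names are surfaced while the browser traffic and `windowsupdate.com` are not. The entropy and vowel thresholds are a coarse first pass; in practice you baseline them against a week of your own DNS traffic and review what falls above them rather than treating a hit as a verdict.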

Threat hunting can be performed effectively in smaller or resource-constrained environments. Leveraging native operating system features and freely available, high-quality hunting resources can overcome financial limitations. Staffing constraints are harder to address, but prioritizing security tasks by the value they offer the organization will determine how much time can be allocated to threat hunting.

If you wish to learn more about threat hunting, David Mashburn will be giving a talk on this subject, "Hunting Highs and Lows: Misadventures in Threat Hunting," at SANS Pittsburgh in July, or you can research these concepts online.


David Mashburn is a SANS Certified instructor and an IT Security Manager for a global non-profit organization in the Washington, D.C. area. He has experience working as an IT security professional for several civilian federal agencies, and over 15 years of experience in IT. ...
Comments
DavidHamilton, 4/16/2019 | 5:05:32 AM
Dig deeper
There are always a thousand and one ways to handle any given situation if we look far enough. We need to first take note of what the root of the problem is before drilling into possible solutions. We can never rectify the issue if we were to focus solely on the surface, which is already chaotic enough.