Threat hunting is considered to be an essential part of modern cybersecurity operations. There are numerous benefits to this type of activity such as the proactive identification of threat actors in your environment, potentially reducing the dwell time of adversaries in your network, and the identification and resolution of benign but significant issues that can improve overall enterprise IT operations.
For resource-challenged organizations, threat hunting is often deemed mission impossible. This is not true. The benefits of threat hunting can be realized by deploying a methodical approach.
The first consideration prior to implementing threat hunting activities is the maturity of your security operations. While the thought of moving from a passive, detection-oriented posture to a hunter is an exciting prospect for many teams of defenders, it is likely that many organizations would be better off first improving their configuration management, patch management, and vulnerability management efforts, which are often challenging for organizations with dedicated teams in those functional areas.
These important processes, typically, are less mature in smaller organizations. As a result, small or resource-constrained security teams would be well served to review their operational maturity against some of the available information security guidance documentation, such as the Center for Internet Security Critical Security Controls. The CSC helps organizations prioritize security control implementation, and while threat hunting is one of the items in the CSC, it is recommended only after organizations have achieved a specific level of security operations maturity.
Onward to Threat Hunting
After demonstrating effective asset management, patch management, and vulnerability management, an organization is better suited to spin up threat-hunting efforts. Looking at the IT systems for a typical small or medium-sized organization, we often find Windows desktop in an Active Directory domain. It is also likely that there is some sort of cloud presence, most likely in the software-as-a-service area. It's in this type of environment that we can explore how some native capabilities can be leveraged to support threat-hunting efforts.
The lifeblood of threat hunting is security data. This will typically be in the form of logs, whether it is network-related data such as firewall or web proxy logs, or endpoint data from the operating system or from the endpoint security suite. To effectively hunt, data from client endpoints must be collected centrally. Given the prevalence of client-side attacks such as phishing, and the observed pattern of attack behaviors that use compromised clients to persist and move around the environment, the critical data related to adversary activity will often only be in the endpoint logs.
While the collection of endpoint logs may conjure visions of expensive SIEM solutions or yet another agent to be deployed and managed, this data collection problem has a straightforward solution. A native feature in Windows, Windows Event Forwarding, can be leveraged to solve the problem of endpoint log collection, and it is at a cost that will make management happy: zero. Managed via Group Policy, endpoints can be configured to push data to a central server. For many small organizations, a single server or even an existing low-activity server would be suitable for this data collection role.
Once this data from endpoints is centrally collected, the hunting can begin. Ideally, this data would be further consolidated into an existing SIEM or log aggregation solution to facilitate searching and correlation. However, if that option does not exist, there are projects that provide PowerShell scripts to perform analysis of this forwarded log data. One example is the DeepBlueCLI project authored by Eric Conrad, freely available on his GitHub profile. This series of scripts provides a basic set of threat-hunting capabilities by looking for evidence of malicious behavior in the endpoint log data.
Log Data and Other Indicators
If the capability does exist to roll this data into some sort of log correlation tool, then the flexibility to hunt for different indicators expands greatly. A resource such as the Mitre ATT&CK framework can be used to look for specific elements from various stages of the attack life cycle, providing a wealth of indicators to use as the basis of the hunting process. From an endpoint perspective, this methodology provides a ready way to get started with endpoint hunting in Windows event logs. However, Windows event logs are not the only source of data that can support threat hunting efforts.
Network-based data is another essential data source that can be used to find indications of adversary activity in your environment. Data such as netflow, firewall logs, proxy logs, DNS logs, and DHCP logs can all play a role in threat hunting. Collection of these log types may be more difficult in some environments due to access issues, performance overhead associated with the log generation, and the ability to effectively analyze the data source. These sources can provide a wealth of information that can show signs of threat actors, such as unusual user-agent strings, unusual data volumes or destination IP addresses, unusual client-to-client data flow for specific protocols such as SMB, odd hostnames or MAC addresses with DHCP leases, and indications of DGAs in certificate names and URLs. These are only a few of the indicators that can be used for threat hunting, but they can be highly effective components that will lead to successful hunt efforts.
Threat hunting can be effectively performed in smaller or resource-constrained environments. Leveraging native features of the operating system and using freely available, high-quality hunting resources can overcome financial limitations. Staffing constraints may be more difficult to address, but prioritization of security tasks based upon the highest value that they offer to the organization will drive the time that can be allocated to threat hunting.
If you wish to learn more about threat hunting, David Mashburn will be giving a talk on this subject "Hunting Highs and Lows: Misadventures in Threat Hunting" at SANS Pittsburgh in July, or you can research these concepts online.
- Mastering MITRE's ATT&CK Matrix
- MITRE Changes the Game in Security Product Testing
- Threat Hunting: Rethinking 'Needle in a Haystack' Security Defenses
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.