Threat hunting

Threat-Hunting Process

Claudio Dodt
July 13, 2018 by
Claudio Dodt

Introduction

Consider this: No system is absolutely protected from cyberthreats. Even in the case where the best, most recent and effective security solutions are in place, there is always the chance cybercriminals will develop a new form of attack that can bypass layer after layer of protection controls.

In fact, this very premise is the basis of threat hunting — the process of looking for anomalies within a company’s network or devices and determining if they represent the trails left by stealthy attackers. As expected, this is no simple task; hunting for cybercriminals will require an experienced team, lots of data (such as logs from network devices, servers and endpoints), a solution for centralizing data collection and analysis, and actionable knowledge about threats to an environment.

Become a certified threat hunter

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

With all these variables and requirements, it is essential to adequately manage all the threat-hunting elements. Otherwise the hunt effectiveness can suffer a great deal, leading to a false sense of security, while cybercriminals reign unopposed.

The best solution is understanding the threat-hunting process. Here are five simple steps that will ensure your hunt is a success.

 

1. Preparing for the Hunt

Before starting to proactively hunt cyberthreats, it is necessary to confirm that the essentials are in place: the hunter, the data and the tools.

  • The Hunter: To put it simply, cyberthreat hunting is perhaps one of the hardest security disciplines to master. Not only does it require advanced technical knowledge in areas such as network analysis, intrusion detection, forensics and malware analysis, but it will also require non-technical skills such as understanding the organizational business process. A good starting point for any cyberthreat-hunting process is making sure your team has the necessary experience.
  • The Data: No hunting can be done without sufficient data. Assets such as servers, network devices (firewalls, switches, routers), databases, and endpoints should all be identified and monitored, including both on premise and cloud-based devices.
  • The Tools: Every monitored device will generate a substantial amount of data and it is, quite obviously, not possible to process it manually. In this case, solutions like security incident and event management (SIEM) will be essential to automate a part of the process, including data collection, correlation and normalization from the devices we just mentioned. Another crucial tool is threat intelligence: as attackers are constantly updating their techniques, having updated intel on IOCs (indicators of compromise) or IOAs (indicators of attacks) can be of immense value.

2. Creating a Context-Based Hypothesis

Threat hunting should not be alert-based. It is a proactive process that must provide the answers to high-level questions defined by the cybersecurity leadership.

So, after the preparations phase is complete, the next logical step is defining what you are hunting for. Ideally this should come in the form of a custom, context-driven hypothesis, creating what is called prioritized intelligence requirements (PIR).

In a military context, the PIR determines what the commander wants or needs to know about the enemy, his purpose, capabilities and/or terrain. From a cybersecurity point of view, it is quite similar, as it represents what the CISO wants to know about cyber threats. A good PIR should be focused, specific and directly related to a decision regarding the security strategy. For example: “Can an attacker use a new vulnerability to bypass existing security controls and exfiltrate data or distribute malware inside our network?” Or “Are any of our endpoints compromised and being remotely-controlled by an attacker?”

Based on this hypothesis, a hunter can start tracking their prey, and that takes us to the next step.

3. Starting the Hunt

Now that the hunter has strategic instructions (PIR), it is time to translate this into specific information requirements (SIR) and start hunting. For example, a hunter trying to confirm the hypothesis of an endpoint being controlled by a remote party could start by checking network traffic abnormalities, such as increased DNS queries from a single host.

This can be quite a challenge, considering the number of logs to be analyzed and the fact that most attacks make use of advanced techniques to remain concealed, such as encoding and encryption, or splitting an attack payload into multiple small packets.

In the end, there can be two basic results:

  • If the hypothesis is incorrect: No problem here! If there is no evidence to confirm the hypothesis, that should be reported, the case should be closed, and the hunter will work on the next PIR request.
  • If the hypothesis is correct: As soon as the hunter collects sufficient information to confirm the hypothesis, no time should be wasted. It is necessary to confirm if it is an ongoing attack, its extent, and how it affects the company, and define a quick and effective response.

4. Responding to the attack

The hunter will work with the security team to create the best response. This should include both short-term and long-term remediation. In essence, the goal is immediately stopping the attack, and taking action to make sure it will not happen again — either to the affected host or other, similar devices.

A key point here is understanding how an attacker gained access: What sort of vulnerability was exploited? Was there a faulty firewall rule? Why did the IPS did not detect the attack? Was it a new zero-day attack? Are there missing patches that could have prevented the problem? Is it an isolated attack or only a part of an ongoing campaign against the company? Are there any new IOCs or IOAs that we should start monitoring?

Answering those questions can take some time, and one particularly key point is making sure not to lose the focus on stopping the current attack. Once this task is complete, all efforts should be directed to a long-term solution, what takes us to the final step on this process.

5. Learning the lesson

Since the hunter will have solid evidence on how the attack happened, it is important to use this information as a tool for preventing further attacks. Of course, the idea here is avoiding finger-pointing, and using a blameless approach.

The central goal of the lessons-learned phase is improving the security process, and this requires an understanding that humans are fallible. For example, if an employee failed to apply a patch, firing the person responsible will not solve the situation. A proper response would be updating the patching procedure to take this into account and create a redundant control to confirm the patch was, in fact, applied.

 

Conclusion

The practical value of threat hunting is quite clear for a cybersecurity strategy: It allows the security team to proactively investigate the organization’s environment, and detect attacks and threats that have gone undetected by traditional technologies.

It should go without saying that implementing it can be quite a challenge, which is the main reason it is so important to have a formalized process. It is essential to create the right mix of experienced professionals, data collection/processing technologies and a proper incident response structure.

Become a certified threat hunter

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Remember, the central pillar of threat hunting is considering no environment is ever fully protected against cyberattacks. But it is also important to remember that even the most furtive threat will leave a trail and, with a good team of hunters, that should be more than enough to create an effective response. Investing in cyberthreat-hunting is not only an intelligent move; it is a crucial step that every company will have to take in order to keep up with the ever-evolving cybercrime industry.

Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.