Cyber Threat Hunting – Introduction
Cyber threat hunting is the process of proactively hunting for attackers or malware that are lurking in your network system and may have laid undetected. Just like real-life hunting, cyber threat hunting can be quite challenging and requires a uniquely trained professional with considerable patience, creativity, critical thinking, and a keen eye for sporting out the target prey. The prey may be quietly listening for confidential information, patiently siphoning off data, or working their way toward significant data, which can help them get access to crucial information or assets.
Every organization needs additional cyber protections in addition to commercial cybersecurity solutions. This need is because no system is 100% efficiently protected. Despite how advanced technology might be, there is still a chance that more advanced threats will maneuver the layers of protection. Basic hygiene and proper implementation of firewalls and other augmented security systems should stop many threats. However, once an intruder is in your network undetected, there may be less protection available to identify and remediate. On average, cybercriminals spend close to 192 days before being discovered on a system. This is more than enough time to cause considerable harm to a network.
Traditionally, most organizations have a security culture of solely depending on the implemented security solution for system protection. The danger with this is that protection is often signature-based. Signature-based solutions detect patterns based on known threats. But, newly developed malware with unique code is much more challenging to detect.
What/who is a Threat Hunter?
A threat hunter is a security professional who usually works from a Managed Security Service Provider (MSSP) or the company’s Security Operations Center. Threat hunters are also referred to as threat analysts and employ both software and manual techniques to detect possible incidents or on-going threats that may have intruded security systems.
Threat hunting is not an easy or straightforward task to carry out. It requires a highly skilled professional in cybersecurity as well as enterprise operations. It also requires knowledge of the business. Detecting an abnormality within a network may be as simple as discovering traffic decrease or increase to an unusual state.
Advanced threats are delicate as some (such as exfiltration techniques) use covert channels or encryption techniques. For example, in DNS Tunnelling, data is coded in DNS responses and queries. It looks nearly the same as that of a normal connection. But, a good threat hunter can identify anomalies such as fluctuation in DNS traffic per domain or size of requests and responses.
Hunting Tools for a Threat Hunter
Threat hunting is extremely complicated and involved. Even an experienced hunter would fail without proper tools. Essential items include the following.
- Baselines – this is an indicator and should be laid out before the detection process starts. Baselines are of immense value. A baseline defines what is authorized or expected to pass through a traffic network. Baselines make it easy to identify anomalies that require investigation.
- Data – access to key logins to devices on a network’s system is critical for every hacker. Devices of importance may be databases, servers, and endpoints. These devices contain important data. One technique includes creating a central point for assembling the data for analysis. Collection, correlation, and standardization of data from the various data points are essential. A common tool for data collection is a Security Information and Event Management (SIEM) device. A SIEM device is a threat hunter’s best weapon.
- Threat intelligence – cybercriminals sometimes cooperate, sharing malicious artifacts, codes, and information. An increase in the frequency of similar attacks implies a corresponding rise in the number of companies identifying the attacks. An efficient threat intelligence system should be able to acquire actionable knowledge from multiple sources about threats to an environment.
An efficient Intel system on the emergence of a new attack enhances a hunter’s ability to spot indicators of compromise or indicators of attacks (IOAs) within a network and ample time to act on this information.
What to Look for During the Hunt
The starting point of every threat hunting process is the definition of prioritized intelligence requirements (PIRs). PIR questions and answers derive appropriate response actions. For example:
From where does a threat emanate?
Does the daily alerts and multitude of logs dealt with daily indicate undetected cyber threat?
What are the most valuable assets owned by the company that may be of interest to hackers, and what are some of the probable ways that the black hats can use to gain access?
With this kind of high-level questioning, it will be easy for a threat hunter to get a response to specific information gaps. Some other questions may be:
What is the number of low-level alerts connected to a particular threat?
Are there deviations from logs of the past 30 to 60 days as per the current information on threat intelligence?
Are there anomalies such as the use of strange commands?
Therefore, during hunting, a threat hunter should look for data, analyze and interpret the results as per the given tool available, identifying abnormalities, and coming up with the right steps to stop active threats.
Where Does Threat Hunting Fit?
Threat hunting complements the standard process of identifying threats, reactions, and remediation. Traditional methods analyze raw data and generate warnings while threat hunting works parallel by the use of automation and specific queries to extract lead from the same data.
Human threat hunters then analyze the extracted leads. The professionals must be skilled in identifying signs of malicious activity. The identified indicators are managed via the same pipeline.
Defining an Ideal Hunting Maturity Level
Threat hunting programs are categorized into levels based on the following three key factors;
- Experience and skill of the threat hunter
- Quality of the information collected
- Tools and methods used to collect and analyze data.
At the initial maturity level, there is minimal, or no routine for collecting data as the organization solely relies on automated alerting. The human effort focuses on the alert resolution. At this stage, the organization is considered not to be capable of threat hunting, even with the help of an experienced hunter.
It takes effort to reach a higher level of maturity, and as expected, there exists a significant difference between the results from different levels. For example, an organization at its procedural maturity level can use adapted procedures to collect data, thus making threat hunting to become a reality.
HMM 0 Initial
- Primarily relies on automated alerting
- Little or no routine data collection
HMM 1 Minimal
- Incorporates threat intelligence indicator searchers
- Moderate or high level of routine data collection
HMM 4 Leading
- Automates the majority of successful data analysis procedures
- High or very high level of routine data collection
HMM 3 Innovative
- Creates new data analysis procedures
- High or very high level of routine data collection
HMM 2 Procedural
-follows data analysis procedures created by others
– High or very high level of routine data collection
Despite the significant difference between hunting results from the various levels, it is still vital to assess and point out the ideal level for a threat-hunting program.
In most organizations, threat hunting is done after the occurrence of an event. This is reactive threat hunting. Mature threat hunting requires proactive hunts to keep eliminating threats that may or may not exist. Lack of an apparent threat implies no clear starting point, endpoint, or path through the hunt.
Threat hunting is a multi-stage process that takes place in a cyclic manner. The hunter does not know what to look for, as the hunt is proactive. It begins with defining the threat hunting goal. The next step is analysis. The final step is remediation and response to purge the threat from the system. Below is a description of the various stages:
1. Defining the hunt
The first stage of the hunt is to figure out why the hunt is necessary. In this stage, you point out the main reasons why you are performing the hunt. Conducting an undirected hunt is likely to go astray since there is a wide variety of potential threats and data to fetch. It is preferable to have a series of small segments of a directed hunt than one large undirected hunt.
Conducting a proactive threat hunt implies that there is no specific threat to hunt. Therefore, defining the hunt becomes difficult. Below are two ways to define a hunt: data-driven hunting and target driven hunting.
– Target-driven hunt
A target-driven hunt determines if a particular threat exists within a network at that given time. Examples include:
Tools, techniques, and procedures (TTP) of an advanced persistent threat.
Indicators of Compromise for undetected attacks
Specific attack vectors from MITRE ATT&CK framework.
Having a target before the actual hunt helps to set a starting point for the search and, more significantly, streams focus towards a specific type of data to be collected. During the hunt, evidence of a threat or other critical information may be found. This may result in a change in focus.
– Data-driven hunt
This is where the hunt begins by first collecting a given set of data. Afterward, a comprehensive analysis of the collected data is performed to find out if there may be some anomalies lying unnoticed within that data set. These found anomalies form a starting point for a more specific and detailed hunt.
When choosing which data set to begin your hunt with, it is necessary to consider the life cycle of an attack. It is preferable to settle on a data set that would allow the detection of one or more threats.
2. Data collection
Good threat hunting is a reflection of the quality of data collected. If the analysis is based on incomplete data, the hunt is also half-good and only gives a false sense of security. Data collection should be revisited multiple times during the hunt.
During the hunt, it may seem as more data results in a better outcome. However, this might not always be the case due to the following reasons:
Volume – a collection of more data means than more data will be available to be processed. Depending on the circumstances of the hunt, a larger amount of data may only result in more time required.
Visibility – enhanced adversaries available within the network are likely to detect and evade data collection efforts.
Processing – some techniques work best with smaller data sets than larger data sets such as grouping and stack counting.
It is better to focus on the information required to answer the core question when performing a threat hunt. The hunt should also be a continuous process with the past hunts forming base and motivation for future hunts.
3. Analysis of data
Data analysis can be one of the most challenging tasks as there is a large amount of data to be analyzed at very high accuracy levels. Some data logs use advanced techniques such as encryption and encoding to remained concealed even after they are collected as part of the large data set. A hunter should be keen and ensure to eliminate even those logs that split attack payload into small packets to thoroughly check through every bit of collected information, asset or data.
At the finish of the analysis, two results are expected;
- If the hypothesis is not as per your definition of the hunt: then perfectly okay! This implies that there is no evidence to confirm the presence of an attack agent with the system. This should be reported, case closed, and the next set of data or PIR requests analyzed.
- If the hypothesis is correct: if there is enough information to confirm the stated hypothesis, then the hunter should immediately check the nature, extent, and effect of the attack on the system. Finally, the hunter should also be able to define an effective response to counter the threat.
4. Response to attack
In conjunction with the entire hunting team, the hunter must create the best response to the threat. The response should distinctively define both short term and long term response measures that will be used to cub the attack. The main goal of the response is to immediately put an end to the ongoing attack, prevent the system from damages by a perceived threat, and finally to eliminate chances of the attack happening again in the future. The response can be defined to protect the affected host and any other similar gadget, server or system.
5. Learning from the attack
After garnering enough evidence to confirm that an attack occurred, the hunter should now use this information to prevent similar events in the future. The basic idea here is an attempt to introduce a blameless approach other than a finger pointing a single threat.
Humans are a fallible creature by nature; therefore, the main goal of the lesson-learned stage should be to improve the security process by considering every element. The human factor is a significant threat and can be an exposure targeted by black-hats. For instance, failure to apply a security patch can lead to intrusion into a system. In this case, firing the person involved would not eliminate the threat or resolve the solution. Instead, a better response would be the implementation of a patching procedure throughout that working environment.
How to effectively hunt
Unfortunately, no system can claim to be 100% secure, and many companies and organizations have to bear consequences such as loss of revenue and data breaches. At the start of every hunt, companies expect their threat-hunting program to be effective, and they have success in mind. But do they typically achieve this? Are their systems without hidden threat agents? What techniques do successful hunters use?
Below is a brief look into some of the effective threat hunting tips to use while responding to pesky cyber-attacks and to avoid substantial financial losses or compliance-related issues.
1. Have a near-perfect knowledge of your environment
Threat hunting aims at the identification and elimination of abnormal activities that can negatively impact a network server or system. A good understanding of your environment and the regular activities that surround it is a prerequisite to understanding abnormal activities. Any abnormal activity should stand out and easily be noticed by an individual if they understand the normal operational activities.
2. Reason out from an attackers’ position
Typically, a hunter’s job is to proactively search for adversaries and mitigate impact or damage to the system. A good hunter should target at anticipating an attacker’s next move. With this next move in mind, a threat hunter should now set up triggers to alarm immediately when an attacker makes the expected move.
3. Implement an OODA strategy
The OODA strategy is similar to a military tactic used in combat operations. ODDA refers to Observer, Orient, Decide, and Act.
Observe – involves a routine data collection
Orient – combining collected data to make sense of it
Decide – after the analysis, formulate an incident response strategy to counter the identified course of action.
Act – this is the last phase, and it involves putting an end to the intrusion and appropriately adjusting a company’s security posture.
4. Employ the use of sufficient resources
Currently, threat hunting is among the best security solutions. A productive threat hunt will, therefore, require competent personnel, adequate systems, and up-to-date tools to be successful.
5. All endpoints should be protected
Neglecting certain endpoints may leave loopholes for adversaries. Endpoints, in this case, include all network devices, their activities, authorization, and software that they run on.
Other tips include;
- Having an in-depth understanding of attack patterns and activities
- Always consider the human element while hunting
- Have a record of your hunts
- Remember that even the best weapon rusts if it is uncared for
- Know the current threats
The practical value of threat hunting is that it allows security teams within an organization to proactively investigate cyber environment to detect attacks and threat vector that have by-passed traditional techniques.
Implementing an effective threat hunt is a challenge, hence the need for a formalized process. A proper hunt can be achieved with the right mix of experienced personnel, data collection, and analysis techniques and a comprehensive response structure.
Always remember that no environment is fully protected and also that even the most hidden threat will leave a trail. A pick of the right threat hunters is enough to generate the proper response. It is not only an intelligent move to invest in threat hunting as a company but also an essential move to ensure that the organization is safe from the ever-evolving cybercrime industry.
Joseph Ochieng’was born and raised in Kisumu, Kenya. He studied civil engineering as first degree and later on pursued bachelors in information technology from the technical university of Kenya. His educational background has given him the broad base from which to approach topics such as cybersecurity, civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, the he is probably doing structural design or watching la Casa de Papel . You can connect with Joseph via twitter @engodundo or email him via [email protected] for email about new article releases”