Cyber Threat Hunting: Tricks and Tools You Need

September 5, 2018


A lot of cyber security processes are reactive. Indicators of Compromise, for instance, are clues that an attack is in progress or that data has already been compromised. This and other types of security monitoring are important for a holistic cyber security plan, but threat hunting is a different approach.

What is Threat Hunting?

In cyber threat hunting, IT professionals proactively look for weaknesses that could let a cyber attack into a system or network, so they can thwart attacks before they are executed. Threat hunting relies on the expertise and analytical skills of IT professionals who dig into data activity to identify those weaknesses.

Unlike other forms of cyber security, threat hunting combines security tools, analytics, and threat intelligence with human instinct and good old-fashioned detective work. Threat hunters often start with a hypothesis about how an attack could be carried out, then perform testing and patching as needed.

Hunting for threats relies on a strong understanding of how threats operate today. With the ever-changing landscape of cyber security, that’s no easy task. Three factors can always be identified, however, to understand threats and begin creating those hypotheses: intent, capability, and opportunity.

Intent

Based on your industry, your business size, and the types of data you store, you can begin to understand the potential intent of a hacker. For instance, your data might be ideal for holding ransom or it might be better as a stepping stone to get more personal information about users.

Once intent is uncovered, an IT professional will know what precautions to take to ensure a hacker cannot get through.

Capability

Capability changes all the time. What are hackers capable of doing to your network and with your data?

Staying up to date on the latest cyber security trends will ensure you’re not neglecting the newest way a hacker could take advantage of you. In other words, staying agile with your cyber security defenses keeps you safe.

Opportunity

Opportunity is where intent and capability come together. What a cyber criminal wants and how they can get it breeds opportunity if you’re not careful.

Don’t let them find opportunities to get in your systems!

Before Threat Hunting

Before you can hunt for threats, you have to know your own network and system through and through.

What is a baseline for normal? What logs are typical for the day-to-day operation of your business?

This contextual knowledge is essential when threat hunting. If you don’t know what’s normal, how will you know if something is out of the normal?

To get yourself there, you can do four important things: build an architecture, implement passive defense, develop active defense, and drive intelligence.

1. Build an Architecture

Building an architecture means you have planned, established, and maintained systems with cyber security in mind. Out of date architectures that were not created around a cyber security plan can be hard to manage and open an organization up to threats.

2. Implement Passive Defense Systems

Passive defense systems include intrusion prevention and other automated defenses. They differ from active defense, which depends on human analysis and has to be monitored, in that they run without a person in the loop.

3. Develop Active Defense

Your active defense is where the human element comes in. When your passive defense system raises a red flag, your active defense must follow up to ensure threats are squashed as soon as possible.

4. Drive Intelligence

Driving intelligence through data collection is a cornerstone of cyber security. The point of driving intelligence is to learn how an attacker could exploit your information and to turn that into insights and internal intelligence.

Essential Threat Hunting Tools

In order to hunt down the cyber threats looming around your organization, you need to employ the right tools.

As mentioned, threat hunting takes a good deal of investigative work on the part of your technical staff, but they need the right tools in order to catch any and everything before it becomes an issue.

There are three main types of threat hunting tools:

1. Analytics-Driven

Analytics-driven threat hunting tools use behavior analytics and machine learning to create risk scores and other hypotheses.

Examples of analytics tools include: Maltego CE, Cuckoo Sandbox, and Automater.

  • Maltego CE is a data-mining tool. It renders interactive graphs for link analysis and is often used for online investigations. It works by finding relationships between portions of data from different sources on the internet. If these add up to a threat, you’re alerted.
  • Cuckoo Sandbox is an open-source malware analysis system that enables you to dispose of any suspicious files while gaining up-to-the-minute detailed results. Cuckoo Sandbox is able to give you information and analytics on how the malicious files are operating in order for you to better understand how to stop them.
  • Automater focuses on intrusion data. You choose a target and Automater reviews the results from popular sources.

2. Intelligence-Driven

Intelligence-driven threat hunting pulls together all of that data and reporting you already have on hand and applies it to threat hunting.

Examples of intelligence tools include: YARA, CrowdFMS, and BotScout.

  • YARA classifies malware using descriptions (rules) written from binary and textual patterns. The descriptions are then used to identify the malware and put a stop to it.
  • CrowdFMS is an automated application that collects and processes samples from a website that publishes the details of phishing emails. If something that matches a known phishing email crosses into your network, an alert is triggered.
  • BotScout prevents bots from registering on forums, which otherwise leads to spam, server abuse, and database pollution. IPs are tracked, as well as names and email addresses, so the source can be identified and bots can be eliminated.

3. Situational Awareness-Driven

Risk assessments and/or Crown Jewel analysis are used to evaluate a company’s or individual’s trends. This, in turn, can indicate how much of a risk they’re running.

Examples of situational awareness-driven tools include: AIEngine and YETI.

  • AIEngine is an interactive tool that helps to modernize your network’s intrusion detection system. It can learn without human interaction and can do network forensics, network collection, and spam detection.
  • YETI is a tool that shares threat details across organizations. Companies can share the data they choose with trusted partners to help keep everyone informed on the latest threat trends.

Each of the aforementioned tools is free to use, with a little help from your IT professional.

Paid Threat Hunting Tools

Paid tools exist as well, and some of the more popular paid threat hunting tools include: Sqrrl, Vectra, and Infocyte.

  • Sqrrl is a threat hunting company. Their tools are made for advanced cyber threats and allow organizations to target and hunt down threats. Their platform brings together link analysis, user and entity behavior analytics, and multi-petabyte scalability. It’s an incident response tool that can reduce attacker dwell time dramatically.
  • Vectra is fast and efficient at stopping attackers in your network. Artificial intelligence delivers real-time attack visibility to put attacker details at your fingertips.
  • Infocyte has several solutions to identify threats and unauthorized activity on a network. They are working on breach discovery assessments and aim to make them both fast and affordable for small businesses.

Powering Your Threat Hunting Tools

No matter what threat hunting tool is used, you’ll need to have logs, SIEM, and analytics to feed into your tools.

Logs

If you want to hunt threats, you have to have data. Data logs are the bare minimum an IT professional needs to sift through and interpret.

Endpoint logs, Windows event logs, antivirus logs, and proxy/firewall logs are all log types well suited to threat hunting.

SIEM

A SIEM is a centralized security information and event management system. Having a SIEM means your data, including all your log data, is automatically correlated, better than what humans can do alone.

SIEM logs make it possible to pivot from individual pieces of information to linking these pieces in order to reveal patterns and true threats.
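The baseline described under "Before Threat Hunting" and the pivot described above, as an added example that is not from the article: it builds a baseline of normal (user, process, parent) launches from constructed endpoint log lines, hunts a later day's logs for launches the baseline never saw, and then pivots from each flagged event to its parent chain on the same host. The log format, host names and values are all constructed for illustration.

```python
from collections import Counter

# Constructed endpoint log lines (timestamp host user process parent); not real data.
BASELINE_LOGS = """\
2018-08-01T09:01:00 ws01 alice outlook.exe explorer.exe
2018-08-01T09:02:00 ws01 alice winword.exe explorer.exe
2018-08-01T09:05:00 ws02 bob chrome.exe explorer.exe
2018-08-02T09:01:00 ws01 alice outlook.exe explorer.exe
2018-08-02T09:03:00 ws01 alice winword.exe explorer.exe
2018-08-02T09:12:00 ws03 svc_backup robocopy.exe cmd.exe
"""
HUNT_LOGS = """\
2018-09-05T09:01:00 ws01 alice outlook.exe explorer.exe
2018-09-05T09:02:00 ws01 alice winword.exe explorer.exe
2018-09-05T09:02:30 ws01 alice powershell.exe winword.exe
2018-09-05T09:02:45 ws01 alice certutil.exe powershell.exe
2018-09-05T09:05:00 ws02 bob chrome.exe explorer.exe
"""

def parse(text):
    """Turn the whitespace-separated lines into event dicts."""
    keys = ("ts", "host", "user", "proc", "parent")
    return [dict(zip(keys, line.split())) for line in text.splitlines() if line.strip()]

def build_baseline(events):
    """Baseline of normal: how often each (user, process, parent) triple occurred on known-good days."""
    return Counter((e["user"], e["proc"], e["parent"]) for e in events)

def hunt(baseline, events):
    """Hypothesis: a launch never seen in the baseline deserves a look. Return those events."""
    return [e for e in events if (e["user"], e["proc"], e["parent"]) not in baseline]

def ancestry(events, flagged):
    """SIEM-style pivot: link a flagged event to its parents on the same host to reveal the chain."""
    chain, cur = [flagged["proc"]], flagged
    while len(chain) < 16:                     # bound the walk in case of cyclic parent data
        parents = [e for e in events if e is not cur and e["host"] == cur["host"]
                   and e["proc"] == cur["parent"] and e["ts"] <= cur["ts"]]
        if not parents:                        # parent never logged as a child (e.g. explorer.exe)
            chain.append(cur["parent"])
            break
        cur = max(parents, key=lambda e: e["ts"])   # most recent launch of that parent
        chain.append(cur["proc"])
    return chain

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOGS))
    today = parse(HUNT_LOGS)
    for e in hunt(base, today):
        print(e["ts"], e["host"], " <- ".join(ancestry(today, e)))
```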

Analytics

Threat hunting is dependent on machine learning and data analytics because of the simple fact that there are so many pieces of data that need to be interpreted.

Automating some of the cyber threat detection to identify that red flag is hugely important. After something has been flagged, it can then be followed up on.

Should Every Company Have Threat Hunting Tools?

With the way cyber criminals evolve their practices daily, we think threat hunting tools are an essential cyber security measure for all businesses.

Threat hunting brings together the most advanced automated and machine learning tools with your IT team’s situational know-how, and is an excellent defense against cyber criminals.

This layer of security ensures you’re doing more than just waiting to react to a problem that’s already taken hold in your network.

Your Threat Hunting Program

Standardized processes will help ensure your threat hunting program is successful. Write an outline of when and how hunting takes place, what techniques are used in hunting, and who on the team is responsible for performing specific tasks. Your IT team should also outline the appropriate responses to common triggers and alerts.

That outline should be based on the baseline of normal that you established before you began threat hunting.

Integrate the essential tools with best practices and a professional staff for the best program possible.