A lot of cybersecurity processes are reactive. Indicators of Compromise (IOCs), for instance, are clues that could lead an organization to uncover threatening activity that is already in progress or has already compromised a system. This and other types of security monitoring are important for a holistic cybersecurity plan, but threat hunting is a different approach.
What is Cyber Threat Hunting?
Cyber threat hunting is when IT professionals proactively look for weaknesses that could allow a cyber attack into a system or network. They seek out these threats so they can thwart cyberattacks before they’re executed. Threat hunting relies on the expertise and analytical skills of IT professionals looking into data activity to proactively identify those weaknesses.
Unlike other forms of cybersecurity, threat hunting combines security tools, analytics, and threat intelligence with human instinct and good old-fashioned detective work. Many queries come through in a single day, and figuring out which are threat hunting queries isn’t something that can be automated. Cyber threat hunters often start with a hypothesis about how an attack could be carried out, then perform testing and patching as needed.
Hunting for threats relies on a strong understanding of how threats operate today. With the ever-changing landscape of cybersecurity, that’s no easy task. Three factors can always be identified, however, to understand threats and begin creating those hypotheses: intent, capability, and opportunity.
Based on your industry, your business size, and the types of data you store, you can begin to understand the potential intent of a hacker. For instance, your data might be ideal for holding ransom or it might be better as a stepping stone to get more personal information about users.
Once intent is uncovered, an IT professional will know what precautions to take to ensure a hacker cannot get through.
Capability changes all the time. What are hackers capable of doing to your network and with your data?
Staying up to date on the latest cybersecurity trends will ensure you’re not neglecting the newest way a hacker could take advantage of you. In other words, staying agile with your cybersecurity defenses keeps you safe.
Opportunity is where intent and capability come together. What a cybercriminal wants and how they can get it breeds opportunity if you’re not careful.
Don’t let them find opportunities to get in your systems!
Before Threat Hunting
Before you can hunt for threats, you have to know your own network and system through and through.
What is a baseline for normal? What logs or queries are typical for the day-to-day operation of your business?
This contextual knowledge is essential when threat hunting. If you don’t know what’s normal, how will you know if something is out of the normal?
To get yourself there, you can do four important things: build an architecture, implement passive defense, develop an active defense, and drive intelligence.
1. Build an Architecture
Building an architecture means you have planned, established, and maintained systems with cybersecurity in mind. Out-of-date architectures that were not created around a cybersecurity plan can be hard to manage and open an organization up to threats.
2. Implement Passive Defense Systems
Passive defense systems include intrusion prevention and other automated defenses. These are different from active defense systems, which rely on human analysis and must be monitored.
3. Develop Active Defense
Your active defense is where the human element comes in. When your passive defense system raises a red flag, your active defense must follow up to ensure threats are squashed as soon as possible.
4. Drive Intelligence
Driving intelligence through data collection is a cornerstone of cybersecurity. When driving intelligence, it’s important to glean how an attacker could exploit information for insights and internal intelligence.
Essential Cyber Threat Hunting Tools
In order to hunt down the cyber threats looming around your organization, you need to employ the right tools.
As mentioned, threat hunting takes a good deal of investigative work on the part of your technical staff, but they need the right tools in order to catch any and everything before it becomes an issue.
There are three main types of threat hunting tools:
1. Analytics-Driven
Analytics-driven threat hunting tools use behavior analytics and machine learning to create risk scores and other hypotheses.
Examples of analytics tools include: Maltego CE, Cuckoo Sandbox, and Automater.
- Maltego CE is a data-mining tool. It renders interactive graphs for link analysis and is often used for online investigations. It works by finding relationships between portions of data from different sources on the internet. If these add up to a threat, you’re alerted.
- Cuckoo Sandbox is an open-source malware analysis system that enables you to dispose of any suspicious files while gaining up-to-the-minute detailed results. Cuckoo Sandbox is able to give you information and analytics on how the malicious files are operating in order for you to better understand how to stop them.
- Automater focuses on intrusion data. You choose a target and Automater reviews the results from popular sources.
2. Intelligence-Driven
Intelligence-driven threat hunting pulls together all of that data and reporting you already have on hand and applies it to threat hunting.
Examples of cyber threat intelligence tools include: YARA, CrowdFMS, and BotScout.
- YARA classifies malware to create descriptions based on binary and textual patterns. The descriptions are then used to determine the identity of the malware and put a stop to it.
- CrowdFMS is an automated application that collects and processes samples from a website that published the details of phishing emails. If something crosses into your network that matches a known phishing email, an alert will be triggered.
- BotScout prevents bots from being able to register on forums, which leads to spam, server abuse, and database pollution. IPs are tracked as well as names and email addresses so the source can be identified and bots can be eliminated.
3. Situational Awareness-Driven
Risk assessments and/or Crown Jewel analysis are used to evaluate a company or individual’s trends. This, in turn, can indicate how much of a risk they’re running.
Examples of situational awareness-driven tools include: AIEngine and YETI.
- AIEngine is an interactive tool that helps to modernize your network’s intrusion detection system. It can learn without human interaction and can do network forensics, network collection, and spam detection.
- YETI is a tool that shares threat details across organizations. Companies can share the data they choose from trusted partners to help keep everyone informed on the latest threat trends.
Each of the aforementioned tools is a free tool that you can use with a little help from your IT professional.
Paid Threat Hunting Tools
Paid tools exist as well, and some of the more popular paid threat hunting tools include: Sqrrl, Vectra, and Infocyte.
- Sqrrl is a threat hunting company. Their tools are made for advanced cyber threats and allow organizations to target and hunt down threats. Their platform brings together link analysis, user and entity behavior analytics, and multi-petabyte scalable capabilities. It’s an incident response tool that can reduce attacker dwell time dramatically.
- Vectra is fast and efficient at stopping attackers in your network. Artificial intelligence delivers real-time attack visibility to put attacker details at your fingertips.
- Infocyte has several solutions to identify threats and unauthorized activity on a network. They are working on breach discovery assessments and aim to make them both fast and affordable to small businesses.
Powering Your Threat Hunting Tools
No matter what threat hunting tool is used, you’ll need to have logs, SIEM, and analytics to feed into your tools.
If you want to hunt threats, you have to have data. Data logs are the bare minimum an IT professional needs to sift through and interpret.
Endpoint logs, Windows event logs, antivirus logs, and proxy/firewall logs are all log types great for threat hunting.
A SIEM is a centralized security information and event management system. Having a SIEM means your data is automatically correlated, including all your log data, better than what humans can do alone.
SIEM logs make it possible to pivot from individual pieces of information to linking these pieces in order to reveal patterns and true threats.
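An added example (not from the original article) of the baseline-then-pivot idea described here and under "Before Threat Hunting": it learns each host's normal proxy destinations, flags anything outside that baseline, and links each hit to endpoint events on the same host. The log layout, host names, and domains are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical hosts, domains and layout).
# Proxy lines: timestamp host destination; endpoint lines: timestamp host process.
BASELINE_PROXY = """\
2024-05-01T09:05:00 ws-01 mail.example.com
2024-05-01T09:10:00 ws-02 intranet.example.com
2024-05-02T10:00:00 ws-02 updates.example.net
"""
TODAY_PROXY = """\
2024-05-03T09:01:00 ws-01 mail.example.com
2024-05-03T09:30:10 ws-02 files.unknown-host.test
2024-05-03T11:00:00 ws-02 updates.example.net
"""
TODAY_ENDPOINT = """\
2024-05-03T09:00:30 ws-01 outlook.exe
2024-05-03T09:29:55 ws-02 powershell.exe
2024-05-03T10:45:00 ws-02 updater.exe
"""

def parse(text):
    """Yield (datetime, host, value) from space-separated log lines."""
    for line in text.splitlines():
        ts, host, value = line.split()
        yield datetime.fromisoformat(ts), host, value

def build_baseline(proxy_text):
    """Record which destinations each host normally talks to."""
    normal = defaultdict(set)
    for _, host, domain in parse(proxy_text):
        normal[host].add(domain)
    return normal

def hunt(baseline, proxy_text, endpoint_text, window=timedelta(minutes=2)):
    """Flag off-baseline destinations, then pivot to nearby endpoint events."""
    endpoint = list(parse(endpoint_text))
    findings = []
    for ts, host, domain in parse(proxy_text):
        if domain in baseline.get(host, set()):
            continue  # normal for this host
        related = [proc for ets, ehost, proc in endpoint
                   if ehost == host and abs(ets - ts) <= window]
        findings.append({"host": host, "domain": domain, "processes": related})
    return findings

if __name__ == "__main__":
    for finding in hunt(build_baseline(BASELINE_PROXY), TODAY_PROXY, TODAY_ENDPOINT):
        print(finding)
```

A finding here is a lead for an analyst to follow up, not a verdict; a destination can be new and still benign.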
Threat hunting is dependent on machine learning and data analytics because of the simple fact that there are so many pieces of data that need to be interpreted.
Automating some of the cyber threat detection to identify that red flag is hugely important. After something has been flagged, it can then be followed up on.
Should Every Company Have Threat Hunting Tools?
With the way cybercriminals evolve their practices daily, we think threat hunting tools are an essential cybersecurity measure for all businesses.
Threat hunting brings together the most advanced automated and machine learning tools with your IT team’s situational know-how and is an excellent defense against cybercriminals.
This layer of security ensures you’re doing more than just waiting to react to a problem that’s already taken hold in your network.
Threat Hunting Techniques
As we have touched on, the techniques used to hunt cyber threats are a mix of tools, understanding your network, and some detective work on the part of your IT professionals.
When threat hunting queries are made, your cybersecurity professionals will be alerted to the suspicious activity, either through reviewing cyber threat hunting query reports or through an automated alert system. They will then need to dig deeper into that web traffic to understand if it is in fact a threat. That is where the detective work comes in. It’s not always black and white. Knowing your network, knowing the cyberthreat landscape, and some intuition will all be part of their cyber threat hunting techniques.
Your Threat Hunting Program
So, how do you start with cyber threat hunting? A standardized process will help ensure your threat hunting program is successful. That means a cyber threat hunting framework that defines when and how hunting takes place, what techniques are used in hunting, and who on the team is responsible for performing specific tasks. Your IT team should also outline the appropriate responses to common triggers and alerts.
Integrate the essential tools with best practices and a professional staff for the best program possible.
The above outline should be based on the baseline normal that was established before you began your threat hunting.
Need help with cybersecurity? Connect with GadellNet today.