With the constantly growing IT infrastructure of companies, most CISOs nowadays have one question: am I under attack? This question can be answered by ‘Threat Hunting’. Some call it a fad or a fancy service to be sold in the IT market, but it definitely makes sense. On conceptual grounds, threat hunting is nothing but reviewing your IT environment for signs of malicious activity and operational faults. Reviewing is the first step in IT security.
Threat hunting is where security professionals look for threats that are already in their organization’s environment. This is different from penetration testing or vulnerability assessment, which look for vulnerabilities that an attacker could use to get inside your network. In short, it is a focused, hypothesis-based plan to search for, find, and contain threats that are already inside your network. For a threat to actually be a threat, it must include the intent, capability, and opportunity to cause harm.
Threat hunting is a proactive technique that combines security tools, analytics, and threat intelligence with human analysis and instinct. The threat hunting process typically starts with a hypothesis or a consideration of an attack being present. The hypothesis is developed through a security alert, risk assessment, penetration test, external intelligence, or some other discovery of anomalous activity. Threat hunters will explore and test these hypotheses through a variety of investigative, analytical, or offensive activities.
Threat Hunting vs Threat Detection
Threat hunting is an early stage of threat detection, and many people confuse the two. Alerts generated by an automated tool such as an EDR aren’t threat hunting; that is log management. In short, hunting is a proactive effort that applies a hypothesis to discover suspicious activity that may have escaped your security devices. This does not mean you don’t use any tools: tools are necessary.
As quoted in this tweet by Robert Lee: “If it’s not a hypothesis led proactive investigation it doesn’t fit. Also, it has to go beyond your current automation footprint, so by default, if a tool is doing it it’s not threat hunting. But an analyst could use any tool to go on a hunt if it helps test the hypothesis.”
What is Threat Hunting?
When we say applying a hypothesis for a threat hunt, you are assuming that something has already happened and you have been breached: some attacker has got inside your network and gained access to critical resources. Given this, you now need to find them. The entire process can be complicated, but when done well, it can be reduced to a few basic concepts and methods.
You now know the attacker is present somewhere but don’t know where. The next step is to create a theory of what might have gone wrong due to the attacker’s presence. This theory can be built from the common tactics attackers use; for example, to deploy a RAT, an attacker would send malicious email attachments.
Once you have built a hypothesis and a theory of how the attack might have happened, you need to collect data that can support the theory. Look more closely at the activities the attacker would perform and collect the relevant data. The attacker might perform a privilege escalation to gain administrator capabilities, so configuration change monitoring data becomes relevant. In some cases you may also need other tools, such as network port scanners or other pen-testing tools, and you may run tests to footprint the presence of any malicious activity.
Once the data is gathered, you need to define what is malicious and what is normal. Things that don’t look normal may become an investigative case, which leads to further review by the threat hunter. If the hunter cannot conclusively confirm or reject the theory, they may return to the earlier stages to rebuild the theory and collect more meaningful data. This continues until the hunt yields a result.
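The loop described above (hypothesis, data collection, baseline of normal versus abnormal, then a pivot to collect more) as an added worked example, not code from the original post. The telemetry is constructed EDR-style process-creation records, and the hypothesis follows the RAT-by-attachment scenario from the text; the mail client name and the rarity threshold are assumptions.

```python
"""Hypothesis-driven hunt over constructed endpoint process-creation records."""
from collections import Counter

# Constructed sample telemetry (not from any real environment): one record per
# process-creation event, the kind of data an EDR feed provides.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "outlook.exe",    "child": "winword.exe"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe",    "child": "splwow64.exe"},
    {"host": "ws02", "user": "bob",   "parent": "outlook.exe",    "child": "winword.exe"},
    {"host": "ws02", "user": "bob",   "parent": "winword.exe",    "child": "splwow64.exe"},
    {"host": "ws03", "user": "carol", "parent": "outlook.exe",    "child": "excel.exe"},
    {"host": "ws03", "user": "carol", "parent": "excel.exe",      "child": "splwow64.exe"},
    {"host": "ws04", "user": "dave",  "parent": "outlook.exe",    "child": "winword.exe"},
    {"host": "ws04", "user": "dave",  "parent": "winword.exe",    "child": "powershell.exe"},
    {"host": "ws04", "user": "dave",  "parent": "powershell.exe", "child": "net.exe"},
]

MAIL_CLIENTS = {"outlook.exe"}  # assumption: the mail client used in this environment

def attachment_handlers(events):
    """Programs the mail client launches, i.e. the apps that open attachments."""
    return {e["child"] for e in events if e["parent"] in MAIL_CLIENTS}

def baseline(events, handlers):
    """Baseline of 'normal': how often each child is spawned by an attachment handler."""
    return Counter(e["child"] for e in events if e["parent"] in handlers)

def hunt(events, rare_threshold=1):
    """Hypothesis: a RAT arrived as an attachment, so an attachment handler spawned
    a child it rarely spawns. Returns the events the hunter should investigate."""
    handlers = attachment_handlers(events)
    counts = baseline(events, handlers)
    return [e for e in events
            if e["parent"] in handlers and counts[e["child"]] <= rare_threshold]

def follow_on(events, hit):
    """Pivot: what did the suspicious child itself launch on that host? This is the
    'collect more data' step from the text, limited here to one extra hop."""
    return [e for e in events
            if e["host"] == hit["host"] and e["parent"] == hit["child"]]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print("investigate:", hit)
        print("  followed by:", follow_on(EVENTS, hit))
```

Raising `rare_threshold` widens the net when a hunt comes back empty, which is the "rebuild the theory" iteration the text describes.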
The Basic Hunting Requirements
Having elaborated on threat hunting, we should also know the basic requirements for starting threat hunting in your organization.
1. The people / Threat Hunters:
Hunting starts with a hypothesis, and the hypothesis is created by a human. In any security operations activity, people are the most important entity. Human judgment and skill are required to begin your threat hunting activity.
2. Tools and Data:
Security people need to be fed with data. Though we say log management or alert management is not threat hunting, it can be the kick-starter for a hunt. Generally, data from your endpoint security system, such as an antivirus or an EDR, is a good starting point for a hunt. Often, data from firewalls and authentication devices also provides a good feed for threat hunters.
Alongside data, tools are also important. A threat hunter might wish to perform a network scan to identify open ports and services, or sometimes to capture network packets. So tools are the second basic need for the hunter’s feed.
3. A list of ‘To Hunt For’ things:
When you are ready with the people and tools, you should know where to start and what to hunt for. The MITRE ATT&CK framework is a good starting point for understanding what you should look for; it outlines the tactics and techniques attackers commonly use at each stage of an attack. Once you decide what you want to hunt for, make sure you have tools that can feed you the specific type of data you need, and be realistic about how much time you have.
Threat hunting is an important part of every cybersecurity team. This focused, proactive, ongoing method of rooting out current threats allows your business to minimize the potential damage a hacker could do in your network. Happy Hunting!