An increasing number of cybersecurity threats are compromising organizations; in 2019, over 15.1 billion records were exposed. As both the severity and the number of these threats grow, a more proactive approach is required to repel attacks: threat hunting. Despite being a relatively new approach, threat hunting is rapidly becoming a key part of the modern security operations center (SOC).
Defining Threat Hunting
In part 1 of Understanding Threat Hunting, we defined threat hunting as ‘the proactive pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data.’ Threat hunting relies on human expertise and analytical skills, together with knowledge of the environment's context, to find evidence and detect unauthorized activity much faster and more efficiently than sitting back and waiting for automated tooling to raise alerts.
Threat hunting maturity is the level of effectiveness achieved through the hunting process. To reach that level and avoid wasted effort, it is necessary to follow a formal threat hunting process. First developed by Sqrrl, the threat hunting loop consists of four steps that define an effective threat hunting approach.
Creating Hypotheses
The first stage of a hunt is to come up with a hypothesis based on the available evidence. A hypothesis gives the threat hunter the basis for building an attack scenario together with the detection and analytic techniques needed to test it. An example hypothesis: the update mechanism of a third-party software vendor has been compromised and is distributing a malicious payload (e.g. PowerShell code). To test this hypothesis, the threat hunter proactively searches for anomalies and signs of compromise in the network segments and on the systems currently using that vendor's updater. Hypotheses can be generated manually or automatically; automatic hypotheses come from risk assessment algorithms that evaluate a variety of factors and flag suspicious users or entities based on the outcome.
Investigating via tools and techniques
The next stage is to investigate the hypothesis using a range of tools and techniques. Threat hunters test the generated hypotheses against a selection of data sources using analytic tactics, techniques, and procedures, and in doing so work towards discovering the attacker's own Tactics, Techniques, and Procedures (TTPs).
Practical tools employ both raw and linked data analysis techniques, such as visualization, statistical analysis, or machine learning, to combine various datasets. Linked data analysis makes the data a threat hunter needs for an investigation understandable, and can add context and directionality to visualizations, making large datasets easier to search.
Uncovering new patterns and TTPs
The next step of the threat hunting loop is to uncover the malicious patterns and TTPs adversaries use to carry out their attack. TTP stands for Tactics, Techniques, and Procedures. Tactics are the strategic goals cybercriminals pursue in their malicious activity, for instance accessing and using confidential information, gaining access to a website, or moving laterally. Each tactic can be made up of several techniques. Techniques are the methods attackers use to achieve those goals; for instance, if the goal is to steal confidential data, the technique could be phishing.
To carry out a phishing attack, a cybercriminal develops a plan, prepares a malicious file, sends that file, and so on. These are the Procedures cybercriminals follow to make sure they achieve their goals. Uncovering and understanding the attackers' TTPs allows threat hunters to follow a set of well-developed guidelines that combine automated actions with manual verification.
Enriching Analytics
Successful threat hunting methods establish the basis for informing and enriching automated analytics (e.g. pattern recognition). Once you find a technique that reliably detects a threat, automate it so that your team can move on to the next hunt.
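The following is an added example, not code from the original article or from Sqrrl, that carries the hypothesis from the Creating Hypotheses section (a compromised third-party updater distributing PowerShell payloads) through the loop: the predicate is the hunt, the per-host prevalence baseline is the statistical enrichment from the investigation stage, and that same predicate is what gets promoted into an automated rule at the end. The telemetry lines, the hostnames, the 'AcmeUpdater' product and its paths are all constructed for illustration.

```python
"""
Added example: one pass of the threat hunting loop for the hypothesis
"a third-party updater is compromised and spawns PowerShell payloads".
Telemetry is constructed process-creation events (one JSON object per line,
fields loosely modelled on EDR / Sysmon event 1 output); hosts, paths and
the 'AcmeUpdater' product are made up for illustration.
"""
import base64
import json
import re
from collections import defaultdict

# Scope of the hypothesis: the updater image (assumed name) and the
# interpreters a patch installer has no business spawning.
UPDATER_IMAGES = {"updater.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# PowerShell's -EncodedCommand switch and the abbreviations it accepts.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed sample telemetry: four hosts doing routine patching, one
# interactive PowerShell session, and one updater-spawned PowerShell.
SAMPLE_EVENTS = r"""
{"host":"ws01","parent":"C:\\Program Files\\AcmeUpdater\\updater.exe","image":"C:\\Program Files\\AcmeUpdater\\patch.exe","cmdline":"patch.exe --apply"}
{"host":"ws02","parent":"C:\\Program Files\\AcmeUpdater\\updater.exe","image":"C:\\Program Files\\AcmeUpdater\\patch.exe","cmdline":"patch.exe --apply"}
{"host":"ws02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe"}
{"host":"ws03","parent":"C:\\Program Files\\AcmeUpdater\\updater.exe","image":"C:\\Program Files\\AcmeUpdater\\patch.exe","cmdline":"patch.exe --apply"}
{"host":"ws03","parent":"C:\\Program Files\\AcmeUpdater\\updater.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -enc RwBlAHQALQBEAGEAdABlAA=="}
{"host":"ws04","parent":"C:\\Program Files\\AcmeUpdater\\updater.exe","image":"C:\\Program Files\\AcmeUpdater\\patch.exe","cmdline":"patch.exe --apply"}
"""


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: still a hit, just not decodable


def matches_hypothesis(event):
    """The hunt predicate: the updater spawned a PowerShell interpreter.
    Once the hunt has proven it out, this is the logic promoted to a rule."""
    return (basename(event["parent"]) in UPDATER_IMAGES
            and basename(event["image"]) in SHELL_IMAGES)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pair_prevalence(events):
    """Fraction of all hosts on which each parent->child pair was seen.
    A pair on every host is routine; a pair on one host is worth a look."""
    hosts_per_pair = defaultdict(set)
    for ev in events:
        hosts_per_pair[(basename(ev["parent"]), basename(ev["image"]))].add(ev["host"])
    total_hosts = len({ev["host"] for ev in events}) or 1
    return {pair: len(hosts) / total_hosts for pair, hosts in hosts_per_pair.items()}


def hunt(text):
    """Run the hypothesis over the telemetry and enrich each hit with context."""
    events = parse_events(text)
    prevalence = pair_prevalence(events)
    findings = []
    for ev in events:
        if not matches_hypothesis(ev):
            continue
        pair = (basename(ev["parent"]), basename(ev["image"]))
        findings.append({
            "host": ev["host"],
            "parent": pair[0],
            "image": pair[1],
            "prevalence": prevalence[pair],
            "decoded_command": decode_encoded_command(ev["cmdline"]),
        })
    return findings


def rare_pairs(text, max_prevalence):
    """Hypothesis-free view of the same baseline: parent->child pairs seen on
    fewer than max_prevalence of hosts, for hunts that start from anomalies."""
    prevalence = pair_prevalence(parse_events(text))
    return sorted(pair for pair, frac in prevalence.items() if frac < max_prevalence)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("rare pairs:", rare_pairs(SAMPLE_EVENTS, 0.5))
```

On the sample data the hunt returns a single finding on ws03, with the encoded command decoded for the analyst and a prevalence of 0.25 (the pair appears on one of four hosts), while the routine updater-to-patch pair scores 1.0 and is never surfaced. The interactive PowerShell on ws02 is rare too, which is why it shows up in rare_pairs but not in the hypothesis-driven hunt; which of those two views to automate is the decision the Enriching Analytics step is about.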
The Threat Hunting Loop is a simple yet effective step-by-step process that can dramatically improve an organization's control over its network security.