
Carbon Black asks: So what exactly is threat hunting?

26 Apr 17

Information security professionals used to put all of their chips towards incident prevention. With the right defences, they believed they could keep any attacker from compromising their defences and accessing the crown jewels — whatever they might be.

This didn’t work out very well.

Attackers, patient and resourceful, soon discovered they could break into virtually any organisation provided they followed time‐proven techniques of research, reconnaissance, stealthy intrusion and quiet exfiltration. This led to the modern philosophy of information security — assumption of breach.

Assumption of breach simply means that we must accept the very real possibility that intruders are already inside our networks and systems, regardless of defences and the victim’s ability (or inability) to detect them. Much like it’s almost impossible to say that a program is entirely free of vulnerabilities, not many people can state confidently and correctly that there are, or have been, no intruders in their networks. To think otherwise is foolish.

Just because we can’t see intruders or technology hasn’t alerted us to their presence doesn’t mean they aren’t there. The absence of security alerts simply means that security mechanisms haven’t detected intrusion.

What is threat hunting?

Quite simply, threat hunting is the pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn’t new, for many organisations the very idea of threat hunting is.

The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that an individual will be waiting an average of 220 days between the intrusion and the first time that he/she hears about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling them.

With threat hunting, humans are used to ‘find stuff’ versus waiting for technology to alert them. Don’t sit back and wait for a knock on the door. Proactively chase down signs that intruders are present or were present in the recent past. What to look for when you’re threat hunting? Seek out anomalies — things that don’t usually happen.

To do this effectively, you need tools that give highly granular visibility into the goings‐on in the operating systems of every endpoint and server — things like processes that are launched, files that are opened, and network communications that take place.

Tools such as Cb Response are tailor made for effective threat hunting across an enterprise.

Defining hunted threats

Threat hunting is systematic. Threat hunters need to be continually looking for anything that could be evidence of intrusion. Threat hunting needs to be instilled as a process that security teams make and schedule time for. The types of threat attributes that are hunted include the following:

✓ Processes: Hunters are looking for processes with certain names, file paths, checksums, and network activity. They want to find processes that make changes to registry entries, have specific child processes, access certain software libraries, have specific MD5 hashes, make specific registry key modifications, and include known bad files.

The MD5 hash, also known as the checksum of a file, is a 128‐bit value (like a fingerprint of the file). It is possible, though, for two different files to produce identical hashes. This fingerprint can be useful both for comparing files and for checking their integrity.

✓ Binaries: Here hunters look for binaries with certain checksums, file names, paths, metadata, specific registry modifications, and many other characteristics.

✓ Network activity: This threat attribute includes network activity to specific domain names and IP addresses.

✓ Registry key modifications: Hunters can look for specific registry key additions and modifications.

Threat hunting isn’t about just finding ‘evil’ within your systems. Instead, it’s about anything that could be evidence that evildoers leave behind on those systems. With threat hunting, look for things that indicators of compromise (IOC)‐based detection wouldn’t catch.
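As an added example (not part of the Carbon Black text), here is a small hunt over constructed endpoint telemetry that applies the attributes listed above: it fingerprints each binary with MD5, checks IOC-style lists of hashes, domains and registry keys, and also flags what an IOC list cannot express, a binary seen on only one host in the fleet and an unusual parent/child pair. Every host name, hash, domain and registry key here is constructed.

```python
import hashlib
from collections import defaultdict

# Constructed endpoint telemetry, not real data: (host, process, parent process,
# bytes the binary was built from, registry keys it modified, domains it contacted).
EVENTS = [
    ("ws01", "outlook.exe", "explorer.exe", b"mail-client-v1", [], ["mail.example.com"]),
    ("ws02", "outlook.exe", "explorer.exe", b"mail-client-v1", [], ["mail.example.com"]),
    ("ws03", "outlook.exe", "explorer.exe", b"mail-client-v1", [], ["mail.example.com"]),
    ("ws02", "svchost.exe", "winword.exe", b"not-really-svchost",
     [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"], ["cdn.bad.example"]),
    ("ws03", "updater.exe", "explorer.exe", b"dropper-sample", [], []),
]

def md5_of(data: bytes) -> str:
    """128-bit MD5 fingerprint of the file content, the value hunters compare."""
    return hashlib.md5(data).hexdigest()

KNOWN_BAD_MD5 = {md5_of(b"dropper-sample")}                      # constructed IOC list
WATCH_DOMAINS = {"cdn.bad.example"}                                # constructed IOC list
PERSISTENCE_KEYS = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}
# A document editor spawning a system service process is not normal activity.
ODD_PARENTS = {("winword.exe", "svchost.exe")}

def hunt(events, fleet_size):
    """Return (host, process, reason) findings: IOC hits plus anomalies IOCs cannot express."""
    hosts_per_binary = defaultdict(set)          # "stacking": where does each binary appear?
    for host, proc, _parent, data, _reg, _dst in events:
        hosts_per_binary[(proc, md5_of(data))].add(host)
    findings = []
    for host, proc, parent, data, reg, dst in events:
        digest = md5_of(data)
        if digest in KNOWN_BAD_MD5:
            findings.append((host, proc, "known-bad MD5 " + digest))
        if (parent, proc) in ODD_PARENTS:
            findings.append((host, proc, "unusual parent " + parent))
        for key in reg:
            if key in PERSISTENCE_KEYS:
                findings.append((host, proc, "modified persistence key " + key))
        for domain in dst:
            if domain in WATCH_DOMAINS:
                findings.append((host, proc, "contacted " + domain))
        # A binary present on a single host out of the fleet is an anomaly even with
        # no IOC for it; this is the kind of thing IOC-based detection would not catch.
        if fleet_size > 1 and len(hosts_per_binary[(proc, digest)]) == 1:
            findings.append((host, proc, "rare binary: seen on 1 of %d hosts" % fleet_size))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS, fleet_size=len({e[0] for e in EVENTS})):
        print(finding)
```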

Why you need threat hunting

The definition of insanity is doing the same thing over and over and expecting a different result. Many organisations may work in this insanity pattern because they continue to use passive intrusion detection, which clearly isn’t working (hence the word passive).

Attackers’ initial objectives generally include stealing valid login credentials. Once they have them, these attackers are effectively insiders who ‘live off the land’ within the organisation’s networks, systems, and applications. But unlike the personnel whose login credentials they’ve stolen, attackers use these credentials to carry out search‐and‐steal (or search‐and‐destroy) missions, using tools and techniques that end‐users don’t use. These are the anomalies that threat hunters should be actively seeking.

Instead of passive intrusion detection, threat hunting is essential for the following reasons:

✓ Malware stealth: Passive intrusion detection doesn’t work because of the stealthy techniques used by cyber criminal organisations and the malware they produce. Today’s malware is able to easily evade antivirus software through polymorphic techniques that enable it to change its colours like a chameleon.

✓ Evolving attack vectors: Attackers are innovating at a furious rate, which results in new forms of attack that are developed regularly.

✓ Dwell time: We can’t afford to wait weeks or months to learn about incidents. From the moment of intrusion, the cost, damage and impact from a breach grow by the hour and by the day. The average time to detection of 220 days is no longer acceptable.

Stakeholders will want to know what an organisation is doing to seek out and detect advanced attacks that have a skilled human being on the other side. Threat hunting is the answer.

Threat hunting is becoming a part of infosec table stakes: the essential tools and practices required by all organisations. Threat hunting will soon be a part of the due care for information protection expected by customers, regulators and the legal system.

Article by Carbon Black. This text appears in the free eBook: Threat Hunting for Dummies.
