Carbon Black asks: So what exactly is threat hunting?
Information security professionals used to put all of their chips towards incident prevention. With the right defences, they believed they could keep any attacker from compromising their defences and accessing the crown jewels — whatever they might be.
This didn’t work out very well.
Attackers, patient and resourceful, soon discovered they could break into virtually any organisation provided they followed time‐proven techniques of research, reconnaissance, stealthy intrusion and quiet exfiltration. This led to the modern philosophy of information security — assumption of breach.
Assumption of breach simply means that we must accept the very real possibility that intruders are already inside our networks and systems, regardless of defences and the victim’s ability (or inability) to detect them. Much like it’s almost impossible to say that a program is entirely free of vulnerabilities, not many people can state confidently and correctly that there are, or have been, no intruders in their networks. To think otherwise is foolish.
Just because we can’t see intruders or technology hasn’t alerted us to their presence doesn’t mean they aren’t there. The absence of security alerts simply means that security mechanisms haven’t detected intrusion.
What is threat hunting?
Quite simply, threat hunting is the pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn’t new, for many organisations the very idea of threat hunting is.
The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that an individual be waiting an average of 220 days between the intrusion and the first time that he/she hears about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling them.
With threat hunting, humans are used to ‘find stuff’ versus waiting for technology to alert them. Don’t sit back and wait for a knock on the door. Proactively chase down signs that intruders are present or were present in the recent past. What to look for when you’re threat hunting? Seek out anomalies — things that don’t usually happen.
To do this effectively, you need tools that give highly granular visibility into the goings‐on in the operating systems of every endpoint and server — things like processes that are launched, files that are opened, and network communications that take place.
Tools such as Cb Response are tailor made for effective threat hunting across an enterprise.
Defining hunted threats
Threat hunting is systematic. Threat hunters need to be continually looking for anything that could be evidence of intrusion. Threat hunting needs to be instilled as a process that security teams make and schedule time for. The types of threat attributes that are hunted include the following:
✓ Processes: Hunters are looking for processes with certain names, file paths, checksums, and network activity. They want to find processes that make changes to registry entries, have specific child processes, access certain software libraries, have specific MD5 hashes, make specific registry key modifications, and include known bad files.
The MD5 hash, also known as checksum for a file, is a 128‐bit value (like a fingerprint of the file). You can get two identical hashes of two different files. This feature can be useful both for comparing the files and their integrity control.
✓ Binaries: Here hunters look for binaries with certain checksums, file names, paths, metadata, specific registry modifications, and many other characteristics.
✓ Network activity: This threat attribute includes network activity to specific domain names and IP addresses.
✓ Registry key modifications: Hunters can look for specific registry key additions and modifications.
Threat hunting isn’t about just finding ‘evil’ within your systems. Instead, it’s about anything that could be evidence that evildoers leave behind on those systems. With threat hunting, look for things that indicators of compromise (IOC)‐based detection wouldn’t catch.
Why you need threat hunting
The definition of insanity is doing the same thing over and over and expecting a different result. Many organisations may work in this insanity pattern because they continue to use passive intrusion detection, which clearly isn’t working (hence the word passive).
Attackers’ initial objectives generally include stealing valid login credentials. These attackers are virtually insiders that seek out ‘live off the land’ activities of organisations’ networks, systems, and applications. But like the personnel whose login credentials they’ve stolen, attackers use these credentials to carry out search‐and‐steal (or search‐and‐destroy) missions, using tools and techniques that end‐users don’t use. These are the anomalies that threat hunters should be actively seeking.
Instead of passive intrusion detection, threat hunting is essential for the following reasons:
✓ Malware stealth: Passive intrusion detection doesn’t work because of the stealthy techniques used by cyber criminal organisations and the malware they produce. Today’s malware is able to easily evade antivirus software through polymorphic techniques that enable it to change its colours like a chameleon.
✓ Evolving attack vectors: Attackers are innovating at a furious rate, which results in new forms of attack that are developed regularly.
✓ Dwell time: We can’t afford to wait weeks or months to learn about incidents. From the moment of intrusion, the cost, damage and impact from a breach grow by the hour and by the day. The average time to detection of 220 days is no longer acceptable.
Stakeholders will want to know what an organisation is doing to seek out and detect the advanced attacks, with a skilled human being on the other side. Threat hunting is the answer.
Threat hunting is becoming a part of infosec table stakes: the essential tools and practices required by all organisations. Threat hunting will soon be a part of the due care for information protection expected by customers, regulators and the legal system.
Article by Carbon Black. This text appears in the free eBook: Threat Hunting for Dummies.