How to make attackers’ lives harder with effective threat hunting
In today's threat landscape, modern security teams recognise that compromise is unavoidable, but this doesn't mean that a breach should be inevitable as well. In fact, the majority of threats can be avoided if organisations have good cyber hygiene practices such as regular patching, upgrades, and having the right people and processes in place. But it is also important that threat hunting is in an organisation's cybersecurity strategy and culture.
So how can organisations learn to be more proactive rather than reactive and how can we change the culture if we set up a threat hunting capability within our Security Operations Centers (SOC)?
I believe that threat hunting means proactively searching through data. We've been doing this on the network for a long time using network analysis tools, but these new attacks have caused a contextual problem: there are leaks and evasion techniques that bypass tools.
For example, sandboxing was big, but I believe that in two years sandboxing won't provide any value and won't be an effective control, because the bad guys understand it. Threat hunting can be used as a powerful tool not only to detect malicious behaviour missed by other security measures, but also to drive a deeper understanding of how malicious software, actor tools, and behaviours work.
Threat intelligence is also a valuable weapon when combined with retrospective analysis, allowing the hunter to uncover previously unknown indicators in historical data. With detailed and complete knowledge, an intelligent strategy can be implemented to proactively detect, respond to, or prevent attacks.
Today's next gen SOC needs to be able to fuse together external threat feeds with the knowledge the security team has about their own environment and end users. The good news is that you don't need big budgets to undertake threat hunting and equip the SOC with a more proactive approach, you can start simple. Below are a number of pointers to consider:
Change the mindset of your SOC. Get them to think like a detective. They don't need to look at all the endpoints; threat hunting doesn't need to start with an all-encompassing approach. The security team could just look at a particular incident. The website: Threathunting.net provides all kinds of open source process scripts to find information and is a good place to start for free.
Centralise your data. The SOC needs to centralise all its data – SIEMS, logs, tools etc. – needs to be consolidated and correlated. In particular, look at the mean time-to-detect and mean time-to-respond – these are the two key metrics that matter.
Recognise that this is a process issue. Security teams should not only centralise their data but also activate directory logs, e-detection and response tools. They should consolidate what they have and, where possible, get rid of technical debt and normalise their environment from the endpoint to the network.
Think through use cases. List out a couple of strategic projects to start. Provide the team with a data set. For example, pick an endpoint, pick a network, or pick a small data center.
View this as an agile, iterative process. Get the team to come back with problems. Prove the model and then show how you can now do the job faster. Once you have done a hunt four or five times the team will start to adopt hunting behaviour.
Allocate time for threat hunting. Look strategically at time because it is an issue. The security team should review the low value security activities that they undertake and reallocate that time. This means saying no to some activities that have low value.
Show the value of threat hunting. If you want the organisation to adopt a threat hunting culture you need to be able to show the return on investment (ROI) on your recommendation. “I'm saving XX dollars by performing this activity, so we won't have to go out and buy YY more technology.
Over time, the security team needs to perform these tasks faster, to move at the speed of the attacker. Likewise, they need to consider the people, process, then technology. And finally, to threat hunt successfully, you need a team that is interested and incentivised to do threat hunting, so make sure they are rewarded in the right way.
Once the organisation has a simple approach in place then it is all about replicating this so that it can perform threat hunting tasks faster each time. And this is where technology comes in as the organisation looks to scale its threat hunting capabilities and automate. Orchestration and automation are the next steps in building out the threat hunting capability of a progressive SOC.