Proactive Threat Hunting – no longer a whim
We are undoubtedly in the era of huge security alert fatigue. This has been caused by the vast number of false positive alerts generated every day by countless security products that organizations put in place to improve their defences. Because of this, it’s hard to justify resources who would essentially focus on… Producing even more alerts instead of reacting to the current ones. Those who do, however, want to invest in a second layer of more fine-grained detection often steer their organization towards proactive threat hunting activities. The ultimate goal of the threat hunting process is to find malicious actors already present in the environment who have the intent, capability and opportunity to cause harm.
This is accomplished in parallel to and in cooperation with other detection systems and methods like Anti-Virus (AV), Host Intrusion Prevention System (HIPS), Endpoint Detection and Response (EDR), Intrusion Prevention System (IPS), Security, Security Information and Event management (SIEM), Advanced Threat Defense (ATD), etc. Successful threat hunting activity should provide at least three visible effects:
- Security Incidents being reported only for identified and properly scoped intrusions. Reducing false positives.
- High quality threat intelligence combined with Indicators of Compromise that can be utilized by detection and remediation tools being created. This intelligence can’t be fully replaced by third party feeds. Security savvy organizations in general do not share intelligence about what they believe are the active Advanced Persistent Threats attackers (at least not as soon as they have it). Doing so would mean losing the leverage they’ve gained.
- Gradually improving the automation of hunting and detection capabilities.
“Manual” threat hunting is also available to supplement and utilize existing security monitoring mechanisms and not to replace them. Two good use cases are:
- Finding previously unseen threats (including not only malware but also Tactics, Techniques and Procedures used by adversaries).
- Better scoping and understanding of events that manifest themselves in some manner, like IPS or AV detection, but in many cases are ignored and considered as successfully remediated when in fact they could be some tiny crumbs dropped by a much more serious intrusion.
What is needed
In short – visibility.
The common issue organizations face with security incident detection and response is that they focus on the Interruption step (the numerous alerts) without assuring mature Monitoring processes (to ensure all alerts are necessary). Large sums of money are invested in tooling but there is no resource allocated to operating and using these tools beyond responding to automatically detected events – real or unreal. This results in a fractional understanding of any given threat’s real scope and leaves organizations chasing their own tails when it comes to fighting off Advanced Persistent Threats.
Figure 1: Visibility is crucial to early response. It allows an organization to transform from a reactive to hunting approach. The later in the kill chain the bigger the risk, costs and effort.
Threat hunting is not a recent invention. It’s been there in various forms for many years. What is new is the mindset and approach that needs to be applied. Setting up a successful threat hunting process requires:
- Dedicating full time people to this in the same way as is done in the case of Security Operation Center analysts, responders etc. These people should not be responsible for Incident Response (IR) process.
- Integrating with existing detection methods.
- Some additional tools that are rarely deployed will be needed like threat intelligence exchange framework, data analytics solutions, network traffic recording and analysis capability, enterprise scale endpoint visibility.
- Baselines need to be created and constantly updated to understand ‘the normal’.
- Building a solid understanding about the protected environment.
- Defining realistic goals. Threat hunters can’t be required to find X intrusions in a month or they will focus on trivial things.
A possible simplified process could look like the following:
Figure 2: A simplified threat hunting process
- Analytics is used to help automate finding of known indicators by applying Threat Intelligence (TI) feeds on enterprise wide gathered data. A TI platform can be implemented for example with use of MISP.
- Threat hunter works with analytics to deep dive on automated findings but also to look for events that look out of ordinary to them.
- Threat hunter uses TI platform to get more context on TI recorded there and to submit new TI information coming from their findings.
- Findings that match the criteria of a security incident are forwarded to the Responder for IR process.
- Responder applies additional context to findings and performs IR process.
- Additional findings gathered during the IR process get recorded in the TI Platform to close the loop.
In my next article, I’ll take you through some practical use cases of proactive Threat Hunting.