(Editor’s Note: The text appears in the free eBook: “Threat Hunting for Dummies.”)
Information security professionals used to put all of their chips toward incident prevention. With the right defenses, security professionals believed they could keep any attacker from being able to compromise their defenses and get to the crown jewels — whatever they might be.
Attackers, patient and resourceful, soon discovered that they could get into virtually any organization provided they followed time‐proven techniques of research, reconnaissance, stealthy intrusion, and quiet exfiltration. This led to the modern philosophy of information security — assumption of breach.
Assumption of breach simply means that you must accept the very real possibility that intruders are already inside your networks and systems, regardless of your defenses and your ability (or inability) to detect them. Much like it’s almost impossible to say that a program is entirely free of vulnerabilities, not many people can confidently and correctly say that there are or have been no intruders in their networks. To think otherwise is foolish.
Just because you can’t see intruders or technology hasn’t alerted you to their presence doesn’t mean they aren’t there. The absence of security alerts only means that security mechanisms haven’t detected intrusion.
What is Threat Hunting?
Threat hunting is, quite simply, the pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data. Though the concept of threat hunting isn’t new, for many organizations the very idea of threat hunting is.
The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that you’ll be waiting an average of 220 days between the intrusion and the first time you hear about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling you.
With threat hunting, you use humans to go “find stuff” versus waiting for technology to alert you. Don’t sit back and wait for a knock on the door. Proactively chase down signs that intruders are present or were present in the recent past. What are you looking for when you’re threat hunting? You look for anomalies — things that don’t usually happen.
To do this effectively, you need tools that give you highly granular visibility into the goings‐on in the operating systems of every endpoint and server — things like processes that are launched, files that are opened, and network communications that take place.
Tools such as Cb Response are tailor-made for effective threat hunting across an enterprise.
Defining Hunted Threats
Threat hunting is systematic. Threat hunters need to be continually looking for anything that could be evidence of intrusion. Threat hunting needs to be instilled as a process that security teams make and schedule time for. The types of threat attributes that are hunted include the following:
✓ Processes: Hunters are looking for processes with certain names, file paths, checksums, and network activity. They want to find processes that make changes to registry entries, have specific child processes, access certain software libraries, have specific MD5 hashes, make specific registry key modifications, and include known bad files.
The MD5 hash, also known as a checksum for a file, is a 128‐bit value (like a fingerprint of the file). Two different files will almost never produce the same hash by accident, which makes the hash useful both for comparing files and for checking their integrity. Note, however, that MD5 collisions (two different files with the same hash) can be deliberately constructed, so a matching MD5 on its own does not prove that two files are identical.
✓ Binaries: Here hunters look for binaries with certain checksums, file names, paths, metadata, specific registry modifications, and many other characteristics.
✓ Network activity: This threat attribute includes network activity to specific domain names and IP addresses.
✓ Registry key modifications: Hunters can look for specific registry key additions and modifications.
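To make the attribute types above concrete, here is an added example (not code from the eBook or from Carbon Black) of a small hunt run over constructed endpoint telemetry. It checks process events for a known-bad MD5 checksum, for system binary names running from the wrong path, and for Office applications spawning a scripting host; network events for watchlisted domains and IP addresses; and registry events for writes to autostart (Run) keys. All field names, hashes, domains and addresses are assumptions built for this example; a real EDR sensor will use its own schema.

```python
"""Added example: a minimal hunt over constructed endpoint telemetry records.
Event field names, the known-bad hash, the watchlist and the sample events are
all constructed for this illustration and are not from any real product."""
import hashlib
from typing import Dict, List, Tuple

# Known-bad MD5 list (constructed: simply the hash of the fake binary below).
KNOWN_BAD_MD5 = {hashlib.md5(b"fake-svchost").hexdigest()}
# Watchlisted destinations (constructed: a .test domain and a documentation-range IP).
WATCHLIST_DOMAINS = {"updates.example-bad.test"}
WATCHLIST_IPS = {"203.0.113.10"}
# Office applications that should not normally launch a scripting host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Windows binaries that live in System32; the same name elsewhere is suspicious.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
# Registry autostart locations commonly used for persistence (compared lower-case).
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)

Finding = Tuple[str, str, str]  # (host, rule name, detail)


def md5_of(content: bytes) -> str:
    """MD5 checksum of a file's bytes, the 128-bit 'fingerprint' described in the text."""
    return hashlib.md5(content).hexdigest()


def hunt(events: List[Dict]) -> List[Finding]:
    """Apply each hunting rule to every event and return the anomalies found."""
    findings: List[Finding] = []
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "process":
            name = e["name"].lower()
            parent = e["parent"].lower()
            path = e["path"].lower()
            digest = md5_of(e["content"])
            if digest in KNOWN_BAD_MD5:
                findings.append((host, "known_bad_md5", f"{name} {digest}"))
            if name in SYSTEM_BINARIES and not path.startswith(SYSTEM32):
                findings.append((host, "system_binary_wrong_path", path))
            if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
                findings.append((host, "office_spawns_script_host", f"{parent} -> {name}"))
        elif kind == "netconn":
            if e["domain"] in WATCHLIST_DOMAINS or e["ip"] in WATCHLIST_IPS:
                findings.append((host, "watchlisted_destination",
                                 f"{e['process']} -> {e['domain']} ({e['ip']})"))
        elif kind == "regmod":
            key = e["key"].lower()
            if any(run in key for run in RUN_KEYS):
                findings.append((host, "run_key_persistence", f"{e['process']} wrote {e['key']}"))
    return findings


# Constructed sample telemetry, one dict per event, loosely modelled on what an
# endpoint sensor records. The "content" field stands in for the binary's bytes.
EVENTS = [
    {"host": "ws01", "type": "process", "name": "winword.exe", "parent": "explorer.exe",
     "path": r"C:\Program Files\Microsoft Office\winword.exe", "content": b"office-binary"},
    {"host": "ws01", "type": "process", "name": "powershell.exe", "parent": "winword.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "content": b"ps-binary"},
    {"host": "ws01", "type": "netconn", "process": "powershell.exe",
     "domain": "updates.example-bad.test", "ip": "203.0.113.10"},
    {"host": "ws01", "type": "regmod", "process": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws02", "type": "process", "name": "svchost.exe", "parent": "services.exe",
     "path": r"C:\Windows\System32\svchost.exe", "content": b"svchost-binary"},
    {"host": "ws02", "type": "process", "name": "svchost.exe", "parent": "explorer.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "content": b"fake-svchost"},
    {"host": "ws03", "type": "process", "name": "chrome.exe", "parent": "explorer.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "content": b"chrome-binary"},
    {"host": "ws03", "type": "netconn", "process": "chrome.exe",
     "domain": "www.example.com", "ip": "198.51.100.5"},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(EVENTS):
        print(f"{host:5} {rule:28} {detail}")
```

Running the block prints five findings: an Office application launching PowerShell, that PowerShell process reaching a watchlisted domain and writing a Run key on ws01, and a binary on ws02 that both matches the known-bad checksum and carries a system binary name from a user's Temp directory. Only the first of those rules is a plain IOC match; the others describe behaviour, which is the kind of anomaly that IOC-based detection alone would miss.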
Threat hunting isn’t about just finding “evil” within your systems. Instead, it’s about anything that could be evidence that evildoers leave behind on your systems. With threat hunting, you’re looking for things that indicators of compromise (IOC)‐based detection wouldn’t catch.
Why You Need Threat Hunting
The definition of insanity is doing the same thing over and over and expecting a different result. Many organizations may work in this insanity pattern because they continue to use passive intrusion detection, which clearly isn’t working (hence the word passive).
Attackers’ initial objectives generally include stealing valid login credentials. Once they have them, these attackers are effectively insiders who “live off the land,” making use of the organization’s own networks, systems, and applications. They use the stolen credentials just as the personnel they stole them from would, but to carry out search‐and‐steal (or search‐and‐destroy) missions, using tools and techniques that end‐users don’t use. These are the anomalies that threat hunters should be actively looking for.
Instead of passive intrusion detection, you need threat hunting for the following reasons:
✓ Malware stealth: Passive intrusion detection doesn’t work because of the stealthy techniques used by cybercriminal organizations and the malware they produce. Today’s malware is able to easily evade antivirus software through polymorphic techniques that enable it to change its colors like a chameleon.
✓ Evolving attack vectors: Attackers are innovating at a furious rate, which results in new forms of attack that are
✓ Dwell time: You can’t afford to wait weeks or months to learn about incidents. From the moment of intrusion, the cost, damage, and impact from a breach grow by the hour and by the day. The average time to detection of 220 days is no longer acceptable.
Your stakeholders will want to know what your organization is doing to seek out and detect the advanced attacks, with a skilled human being on the other side. Threat hunting is the answer.
Threat hunting is becoming a part of infosec table stakes: the essential tools and practices required by all organizations. Threat hunting will soon be a part of the due care for information protection expected by customers, regulators, and the legal system.
To learn more about threat hunting, download the guide: “Threat Hunting for Dummies.”