(Editor’s Note: The text appears in the free eBook: “Threat Hunting for Dummies.”)
Consider the fact that attackers don’t think of their success as optional. Given that, effectiveness and success
of a threat hunting program are critical. Organizations that start a threat hunting program have success in mind, but are they able to achieve it? The ten tips in this chapter help your organization and its threat hunters be effective and successful.
1 – Know Your Environment
The purpose of threat hunting is the discovery of abnormal activities that point directly to reconnaissance and attacks. To recognize activities that aren’t normal, it’s first important to understand what’s normal. Furthermore, it’s important to become familiar with the architecture overall and at a detailed level to understand where vulnerabilities and weaknesses are that could be targeted by attackers.
Understanding one’s environment involves deep and wide exploration of the technical environment: networks, systems, and applications. But it’s more than that; it’s also imperative that a threat hunter also build relationships with key personnel in and outside of IT.
Why build relationships? These people help threat hunters better understand normal activity versus anomalous activity. When a threat hunter finds a problem, it’s not always an attacker, but sometimes it’s an unsafe practice. Without a trusting relationship between threat hunters and others, threat hunters can’t be effective change agents to help the organization make key security improvements and keep its house in order.
2 – Think Like an Attacker
A threat hunter’s mission is to find signs of intrusion, and quickly, so attacks can be stopped and their effects mitigated to minimize damage. But rather than adopting the mindset of always chasing attackers, better threat hunters anticipate their next move.
In a threat hunt, this process involves looking for things that attackers might do. With tools like Cb Response, threat hunters can set up triggers that fire when an attacker ever does those things. This practice is also known as laying tripwires, which are triggers that a threat hunter sets up, anticipating an attacker’s move, and alerting personnel if such a move is ever made.
3 – Develop the OODA Mindset
Observe. Orient. Decide. Act. This is how the military thinks about combat operations. Threat hunters are soldiers in the cyberwars, so it makes sense to think about threat hunting in this way. The steps to OODA are as follows:
OODA is mental discipline that keeps threat hunters from acting impulsively. In the cyberwar arena, acting before thinking can blunt a threat hunter’s effectiveness.
4 – Devote Sufficient Resources to the Hunt
Threat hunting can be a great idea that goes sour if there aren’t enough resources to properly carry it out. This
includes both personnel as well as tools and systems to run them on. Further, it includes personnel who know how to
carry out threat hunts. Here’s a breakdown on what’s needed:
✓ Personnel: One or more trained and/or experienced threat hunters. These people have a deep understanding
on the inner workings of operating systems, plus subsystems such as web servers, database management systems, and application servers. And perhaps most important of all, they need to have a thorough and growing familiarity of the inner workings of the organization, as well as its applications, networks, and users.
✓ Tools: You don’t go on a safari without appropriate equipment, and you can’t do a threat hunt without threat hunting tools. This includes Cb Response, which is installed on every endpoint and provides a step‐by-step detailed forensic history of every activity on every endpoint. The real power of Cb Response is its central querying capability, wherein a threat hunter can create and store queries, asking about whether certain detailed events have occurred anywhere in the environment.
✓ Infrastructure: Of course threat hunting does require some systems resources. This includes management consoles, and it may also include a “test range” where advanced threat hunters can experiment with suspected malware in a safe environment. Here, hunters can hone their skills with “live fire” and also hone their hunting skills in production environments.
5 – Deploy Endpoint Intel across the Enterprise
In cyberwarfare defenders must protect all endpoints all the time, but attackers only need to be successful one time. This principle underscores the urgent need for an organization to cover not just a subset of endpoints with advanced threat hunting tools, such as Cb Response, but all endpoints.
Leaving some endpoints unguarded creates blind spots where organizations are unable to detect or remediate attacks. This is why it’s so important for an organization to cover all endpoints.
6 – Supplement Endpoint Intel with Network Intel
Endpoints are the hills on the cyberwarfare battleground. While they’re the principle focus of attacks by intruders, endpoints are by no means the only place where information about intruders can be found. In addition to endpoint tools, it’s often useful to have network‐centric visibility by using tools, such as:
✓ Intrusion detection systems (IDS)
✓ Intrusion prevention systems (IPS)
✓ Web filters
✓ Data loss prevention (DLP) systems
These tools provide a network‐centric view of activities that may help a threat hunter corroborate attack patterns and
activities. Collecting additional intel from the network and other sources is a part of Observe and Orient.
7 – Collaborate across IT
Threat hunting isn’t just about technology. The essential ingredient in threat hunting is strategic relationships with key personnel in the IT organization. Better threat hunters work with systems engineers, network engineers, endpoint engineers, service desks, and application developers in different ways:
✓ Understanding normal: As threat hunters build their knowledge of environments, they’ll be in dialogue with key IT personnel to hone their understanding on how systems and applications function.
✓ Remediation of vulnerabilities: While searching for intruders, threat hunters also encounter weaknesses in the design and implementation of applications, systems, and networks. Relationships built on trust enable threat hunters to convey the need to fix those weaknesses.
✓ Remediation of incidents: When threat hunters find signs of intrusion, they need to work with key IT personnel
to correctly diagnose intrusions and remediate them effectively and completely with minimal impact.
The OODA methodology applies perfectly here. Using their relationships across IT, they collect information (Observe), work with others to understand it (Orient), before acting on it (Decide and Action).
With relationships based on trust, IT personnel are more likely to cooperate with threat hunters to reduce risks in the organization.
Even a single threat hunt can have more details than most people can remember. But over time, when a single threat hunter has performed 10, 20, 30, or more threat hunts, the details quickly become a blur.
For this reason, threat hunters should document each threat hunt. Better threat hunters include important high‐level business information with each hunt — most notably, the reason for the hunt in the first place.
A detailed history of threat hunts helps a threat hunter better understand, at any level of detail, the ground that’s already been covered, what’s been looked at, and what’s been overlooked. And while it’s important to sometimes revisit old hunts (meaning repeating a prior threat hunt if the threat hunter suspects intrusions since last time), IT environments quickly change over time, potentially leading to new intrusions by using methods examined earlier.
9 – Hone Your Security Skills
Innovation in the cybersecurity arms race is occurring at a dizzying pace. Seasoned threat hunters know this, and they take time out from the hunt to hone their skills through:
✓ Technical training: The SANS Institute (www.sans.org) and other organizations provide high‐quality technical training in attack and defense techniques.
✓ Conferences: Local gatherings such as BSides, as well as national and international conferences like RSA, Black Hat, and DEFCON, provide tremendous networking and education opportunities.
10 – Be Aware of Attack Trends
Threat hunters can’t exist on intellectual islands. Instead,they need to be continually aware of the techniques used by cybercriminal organizations against other organizations. Only with this knowledge can a threat hunter anticipate attacks and be able to find them.