Threat Hunting – Where to Start
While security threats in general are a consistent concern for IT departments, the specific types of security threats change over time. For instance, according to the WatchGuard Internet Security Report - Q1 2019, “Cyber attackers are now using a wider range of security attacks including: an increase in malware, a decrease in network attacks, two wide-spread Mac adware variants, and a surge in web application attacks (specifically, XSS and SQLi).”
Since security threats are changing, this could mean that YOU also need to change, or at least augment, your security tactics. One tactic that has been increasing for a couple years now is to actively hunt for threats on your network. Passive security practices just aren’t good enough anymore. You need to be proactive to stop a breach, as the threats themselves have become much more sophisticated and harder to detect.
So, what can you do about it? Proactive threat hunting is one tactic. A word of caution here though. Before you start this type of endeavor, you need to ask yourself two questions:
- What is your level of commitment – i.e. how much time can you consistently dedicate to this?
- What type(s) of threat are you planning to look for – command and control (C2), data destruction, unexpected data encryption, data exfiltration, etc.?
While the level of commitment question may sound rudimentary, it’s not. Threat hunting takes time. To be successful, you must dedicate a certain amount of time each and every week to this cause. Otherwise, the inconsistency will allow threats to go uninvestigated. Even if you buy a threat hunting tool (which is highly recommended as it can significantly reduce the load for you), you will still need to dedicate time to investigate the flagged instances of potential security threat.
With respect the second question, you need to know exactly what you are looking for so that you don’t try to “boil the ocean.” Then, you can start to figure out what data you have and what you will need for the inspection process.
So, what kind of data do you need? That obviously depends upon what you are looking for. Here are some common data types and their challenges.
1. Log data
- Need to decide on how many and which ones – there is often an extensive number of log files to review
- Certain threats can evade log capture – so how important is this data to your specific threat search
- On-premises logging is often inconsistent
2. Endpoint data
- Only provides visibility into system processes
- Lacks context of the threat – this requires correlation later on
- Is heavily determinant upon response capability in this area
3. Network data
- Contains an extremely large amount of data to sift through
- Does not show system internal information
At this point, it is highly advised to implement a visibility architecture. By constructing a visibility architecture, which is a fairly easy and straight forward task, you can eliminate the data issues we just looked at. The visibility architecture will give you access to all the data you need. You just insert a tap anywhere it is needed and you get a copy of all that data. After that, installing a network packet broker (NPB) is easy too. However, the NPB is a powerful ally for you.
The NPB allows you to set up criteria to filter out all of the unnecessary data so that a threat hunting tool can use deep packet inspection (DPI) to quickly and efficiently hunt through the data for indicators of compromise (IOC). While some people don’t think they need a packet broker, it will take you a lot longer to find threats without one. There is also a greater chance of missing a threat.
What the packet broker does is remove all of the unnecessary data so that the threat hunting tool does not have to waste time. A basic analogy is to look for a needle in a haystack. Would you rather that haystack be 100 feet high and 100 feet in circumference or 5 feet high and 5 feet wide? There is a much higher probability that you will miss that needle in a 100 hundred foot high stack. It will also take you a lot longer to search through that volume of data. During that extra time, the malware may already have launched itself and caused a breach. Now you are in real trouble.
The next step is to actively use a threat hunting tool, like ExtraHop’s Reveal X, to comb through the data and analyze it for potential threats. After that, you will need more of your dedicated time to review the anomalies flagged by your threat hunting tool and compare snapshots of the data over time. Finally, you will need to make a determination on the anomaly. This is where you can decide to investigate the anomaly further or dismiss it as a false positive.
Whether you are part of the DevOps or SecOps team makes no difference—threats and problems are a daily, if not hourly, occurrence. What you need is good quality data as fast as you can get it to counter security threats, troubleshoot network outages, and search for security threats.
Unfortunately, IT security and analytics tools are only as good as the data they are seeing. An integrated approach for proper network visibility, network security, and network testing ensures that your tools get the right data at the right time, every time. Without an approach like this, IT teams will continue to struggle with preventing security breaches—and many will fail.
If you want more information on this topic, try reading this white paper Threat Hunting 101.