Threat hunting? You’re doing it wrong

Shira Shamban, Head of Cloud Security Research, Check Point Software Technologies

According to the SANS 2018 Threat Hunting survey, 59.9% of the organizations that answered the survey said they have an active threat hunting program. This information surprised and disappointed me, because when I talk to security practitioners about how they run their threat hunting programs, I often hear answers that are not exactly hunting but more similar to monitoring.

In order to understand how to do threat hunting, we first need to understand what threat hunting is. And what it is not.

Threat hunting means that even though your CISO bought expensive security solutions for on-premises, cloud, endpoint and SIEM, paid for the annual pentesting and ran phishing awareness programs, even after all of that, your digital crown jewels are still at stake. Once you acknowledge that, you’re ready to hunt. Because the sophisticated attackers are out there. They identify your blind spots, they use insiders, they trust one of your DevSecOps team members will f**k up, and they might even have zero-days to use, if you’re really worth it.

The threat hunting team’s job is to identify that there is an attacker in your network, where exactly they are, which attack vectors are being used and what the attackers are after (or what damage they caused).

Once the threat hunting team suspects it found a threat, a game of cat and mouse begins. The attacker will notice weird things that are happening: ports that close, credentials that get cancelled, backups that are being created or used and a lot of other steps that you as the environment owner will take. Once the attacker notices these steps, they will go under the radar. Taking loud action and showing the attacker you’re on to them should only happen once you’re sure about the attack vector and the backdoors the attackers left as backup.

So what should you be doing for effective threat hunting? Here are my five key ingredients:

  1. Whose job is it to hunt? Threat hunters are people with two important skills: hacking and architecture. They complement and affect one another. The hunter knows the infrastructure of the organization well, and he knows how a potential criminal hacker would try to exploit it.
  2. The threat hunting team needs FULL visibility into the infrastructure, the network and every action that is taken there. The only way to get it is to retain all the logs that are produced in your environment. Yes, ALL of them. From the cloud, the endpoint, the DNS server and all the other services where you were too lazy to check the “yes, please keep my logs” box. The hunters will need context for the different actions that were taken, and the logs will provide the answers they need.
  3. More intelligence sources. Fortunately enough, the cyber intelligence community is very collegial. Researchers often share the IOCs (indicators of compromise) they find, which helps with faster detection and attribution. Don’t forget that in order for this to be effective you need to give your share too.
  4. The attackers leave trails. Good attackers try to cover up, but there are always some breadcrumbs to find and follow. The crumbs are cross-platform, just like the attack vector that they came from: from the mobile endpoint to the cloud, and even across cloud vendors. Be ready to provide access to all logs from all platforms in one place.
  5. The last step (for now) is the action and the scale. I’m not talking about the incident response that should take place after a threat was detected. I’m talking about all the steps that need to be taken in order to prevent such attack vectors and similar ones from being executed. That might mean policy changes or architecture changes. A lot of these steps can and should be taken automatically. It’s the threat hunting team’s job to create and automate that process, based on their good analysis and understanding of the events.
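
Ingredients 2 to 4 in practice, as an added example that is not part of the original article: three constructed log sources (DNS, endpoint, cloud audit) are normalized into one timeline, a shared IOC is matched, and the matching host's trail is followed across platforms. The log formats, field names, addresses and the IOC domain are all made up for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: three sources, each in its own (hypothetical) format.
DNS_LOG = """\
2018-12-03T09:14:02Z 10.0.4.17 A updates.example-cdn.test
2018-12-03T09:14:40Z 10.0.4.22 A intranet.corp.test
"""
ENDPOINT_LOG = """\
{"ts": 1543828445, "host_ip": "10.0.4.17", "image": "sync-helper.exe"}
{"ts": 1543828500, "host_ip": "10.0.4.22", "image": "outlook.exe"}
"""
CLOUD_LOG = """\
{"time": "2018-12-03T09:20:11Z", "src_ip": "10.0.4.17", "action": "ListBuckets"}
"""

def ts(iso):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize():
    """Merge every source into one sorted timeline of (time, source, host, detail)."""
    events = []
    for line in DNS_LOG.splitlines():
        when, host, _qtype, name = line.split()
        events.append((ts(when), "dns", host, name))
    for line in ENDPOINT_LOG.splitlines():
        r = json.loads(line)
        when = datetime.fromtimestamp(r["ts"], timezone.utc)
        events.append((when, "endpoint", r["host_ip"], r["image"]))
    for line in CLOUD_LOG.splitlines():
        r = json.loads(line)
        events.append((ts(r["time"]), "cloud", r["src_ip"], r["action"]))
    return sorted(events)

def hunt(iocs):
    """Find hosts that touched a shared IOC, then return each host's full trail."""
    timeline = normalize()
    hits = {host for _, _, host, detail in timeline if detail in iocs}
    return {h: [e for e in timeline if e[2] == h] for h in hits}

if __name__ == "__main__":
    # The IOC below stands in for an indicator received from a sharing community.
    for host, trail in hunt({"updates.example-cdn.test"}).items():
        print(host)
        for when, source, _, detail in trail:
            print(f"  {when.isoformat()} {source:8} {detail}")
```

The IOC only matches the DNS record; the endpoint and cloud events surface because all logs were retained and sit in one timeline keyed on the same host.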

I wish you effective and fruitful hunting, because if it’s not fruitful you must be doing it wrong.