I have been recently asked by a number of Clients about Threat Hunting, so I thought it worthwhile to share some thoughts on the subject to help inform anyone considering implementing (or purchasing) such a capability.
According to Wikipedia, (Cyber) threat hunting involves proactively and iteratively searching through networks to detect and isolate advanced threats (which may evade traditional security measures).
SANS describes the process of Threat Hunting as a progression based on maturity.
In my experience, advising organisations on proactive measures involves understanding:
What they are trying to protect
The credible threats that they may face
Their current defensive position
Their desired future state
The desired strategy or roadmap to get to their desired future state
In my travels, I have seen a number of insights emerge:
Most organisations do not know the boundary of their networks or systems, and have not maintained vital documentation on the same (e.g. Network Maps, System and Platform Architecture, etc.)
Many do not clearly understand what Threats they are likely to be subjected to (Nation State vs Disgruntled Ex-employee)
Many do not have a defined approach (Prevention, Detection, Response, Recovery) to addressing these Threats (incident response plan or playbook) and to what degree (risk appetite) they could or should respond.
Assuming that they are well prepared to address today's Threats, many do not proactively track new Threats and risks as well as potential sources of Vulnerability or exposure (e.g. new partners, networks, assets, applications etc.)
Practically speaking, what does true Threat Hunting require (not exhaustive):
Sufficient time and resources - it takes time (and a lot of effort) to systematically analyse a network, chasing down specific leads, confirming assumptions, and analysing data, trends and intelligence. This usually requires a variety of skills (network, application, database, operating system, procedures etc.) and a well-resourced team commensurate with the size of the environment (and data) being analysed.
Local knowledge, access rights and data - analysing data for a network you don't own means that organisational context is lost. Whilst it may be possible to identify a well-known or high-noise issue (in much the same way as a traditional SIEM), it is difficult to ascribe organisational context without local knowledge and experience as well as access to the data itself. In addition, there is a certain critical mass required in order to identify anything of consequence.
Analysis, statistics and correlation - many threats can only be identified from a sufficient sample size. For example, analysis of network traffic while a malicious actor is asleep will likely yield little information of value; however, when the same traffic is trended and tagged with day of week, time of day, Browser type, IP geolocation or HTTP Referrer, it may tell a very different story to an informed Threat Hunter, e.g. "It seems a bit weird that one of our users is accessing our application at 2am from Uzbekistan using Wget".
Methodical process and patience - how engaged, fulfilled and satisfied will your well-resourced and highly-motivated team be if they are systematically searching for the non-existent needle in the haystack? Threat hunting can often be a thankless task with very little fanfare.
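The correlation described above, as an added example (Python written for this page, not code from the post): it parses constructed web-server access-log lines, builds a per-user baseline of the countries and user-agent products seen during business hours, and flags a request only when several indicators coincide. The geolocation table, the business-hours window and the log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Combined Log Format with the authenticated user in the third field.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^:]+:(?P<hour>\d\d):\d\d:\d\d [^\]]*\] '
                    r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Constructed prefix lookup standing in for a real IP geolocation database (an assumption).
GEO = {"10.1.": "AU", "203.0.113.": "UZ"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; an assumed policy, not from the post

def geolocate(ip):
    return next((country for prefix, country in GEO.items() if ip.startswith(prefix)), "??")

def parse(line):
    m = LOG_RE.match(line)
    if not m: return None
    d = m.groupdict()
    ua = re.split(r"[ /]", d["ua"], maxsplit=1)[0]  # product token only: Mozilla, Wget, curl ...
    return {"user": d["user"], "hour": int(d["hour"]), "country": geolocate(d["ip"]),
            "ua": ua, "referer": d["referer"]}

def hunt(lines, min_indicators=2):
    events = [e for e in map(parse, lines) if e]
    # Per-user baseline of countries and user-agent products seen during business hours
    # (assumes that window is clean; a hunter would review it first).
    baseline = defaultdict(lambda: {"country": set(), "ua": set()})
    for e in events:
        if e["hour"] in BUSINESS_HOURS:
            for key in ("country", "ua"):
                baseline[e["user"]][key].add(e[key])
    findings = []
    for e in events:
        reasons = []
        if e["hour"] not in BUSINESS_HOURS:
            reasons.append("off-hours %02d:00" % e["hour"])
        for key in ("country", "ua"):
            if e[key] not in baseline[e["user"]][key]:
                reasons.append("unseen %s %s" % (key, e[key]))
        if e["referer"] == "-":
            reasons.append("no referrer")
        # One weak signal is noise (alice at 21:30 below); several coinciding ones earn a look.
        if len(reasons) >= min_indicators:
            findings.append((e["user"], reasons))
    return findings

# Constructed sample lines; the user, addresses and user agents are invented.
SAMPLE_LOG = [
    '10.1.4.22 - alice [03/Mar/2024:09:12:01 +1000] "GET /app/dashboard HTTP/1.1" 200 5120 "https://intranet.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"',
    '10.1.4.22 - alice [03/Mar/2024:21:30:12 +1000] "GET /app/dashboard HTTP/1.1" 200 5120 "https://intranet.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"',
    '203.0.113.9 - alice [04/Mar/2024:02:07:55 +1000] "GET /app/export?all=1 HTTP/1.1" 200 88211 "-" "Wget/1.21.4"',
]
```

Running `hunt(SAMPLE_LOG)` flags only the third line, with four reasons (off-hours, unseen country, unseen user agent, no referrer); the late-evening browser request is left alone because it carries a single indicator.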
So what sorts of things can we expect to find from threat hunting:
Broken networks and routing
Poor administrative processes
Discovery of advanced persistent threats (APTs)
Preparing for threat hunting therefore involves increasing the signal-to-noise ratio by reducing false positives, through:
Patching systems and applications
Properly segmenting networks
Having access to up to date documentation
Having access to the right internal resources and experts
Having supportive analytics platforms and tools
Understanding the Cyber Kill Chains that relate to your organisation
Having access to timely and relevant threat intelligence information
Author: Clinton Smith