Halkyn Security Blog
Specialist Security & Risk Management Consultants

Threat Hunting – essential for every business

Equifax - Needed good threat hunting

Equifax – Needed good threat hunting

Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake.

Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an external website and exfiltrated the data. There are no specifics on the attack yet but it takes time to copy out that much data1. Good threat hunting uses this time to detect attackers. This would have allowed Equifax to implement countermeasures to minimise the breach2.

Any organisation can threat hunt. Threat hunting uses your existing security controls to identify attackers before they can destroy your business. It doesn’t replace anything. You cant use it to replace your AV or firewalls, no matter what vendors say. Hunting doesn’t mean you can get rid of your incident response teams.

In our experience, effective threat hunting simply makes everything else work better. The hunts give your IR teams better data to work from. Lessons you learn from hunting helps establish more effective controls.  In short, good threat hunting makes everything better.

Every organisation should hunt threats on their network. You don’t need to buy anything new and you can do it with your own staff. This post gives some tips to get you started but nothing beats experience and formal training. Halkyn Security offer a threat hunting service, which includes helping set up your teams to hunt. However if you want formal training we strongly recommend SANS courses, at least for key staff.

Cyber Security and Threat Hunting

Traditional security focuses on established controls. This is your firewall, endpoint antivirus, mail filter and similar tools. A very good example of traditional security is the Cyber Essentials scheme. As the name says, this is essential.

Next you need to ensure a way to respond to incidents. From Talk Talk to Equifax, it is apparent that incidents will continue to happen. As a result, incident response really does matter.

Even with this in place, problems will still happen. Advanced Persistent Threat might be a marketing term, but the reality is persistent attackers exist. Criminals, or nation states, will spend time subverting your controls.

Here lies the problem. If an attacker can bypass your controls, what triggers your incident response process? Often, sadly, it is public notification when other people discover your breach.

Threat Hunting - The IR Equation

Threat Hunting – The IR Equation

Defending your information relies on a simple equation. If the time to detect (D) the attackers and the time to respond (R) to the attack is less than it takes the attacker (A) to complete their mission, you win. If it isn’t, the attacker wins. The fundamental goal of threat hunting is to speed up your side. This is how you win.

When the dust settles, it turns out most breaches last months. Attackers spend time moving around. They collect sensitive data. The data is hoarded into staging servers. Eventually, the attackers exfiltrate the data. At this point it is too late for anything other than a PR exercise to limit the damage. However, in the weeks and months before this your organisation has thousands of opportunities to detect and defeat the attack. Threat hunting really does make the difference.

Threat hunting for beginners

You agree threat hunting is a good idea, now where do you start? This guide can help but remember nothing matches either skilled staff or bringing in dedicated threat hunting teams.

To get started, think of each threat hunt as a way of testing a theory. Build a theory. Decide what evidence would support it (or disprove it) and then collect the data.

Every environment is different so we cant give you a specific examples for your network here. However, we can provide some examples you might want to tailor:

Threat hunting example scenarios

Here are some example threat hunting scenarios. This is not an exhaustive list and the idea is you will build on this to develop good practices for your own organisation.

Network Threats

  • Command and Control Channels. If you have a compromised device, it has to talk to the attackers. Collate your firewall and proxy logs. Split them into hourly segments. Find any device which is present in every segment. Establish why.
  • Unusual protocols. Check the data going out of your organisation. If you see encrypted traffic on port 80 it is unusual. Establish what has caused this.
  • Suspicious encryption. When your users visit HTTPS sites, there is a TLS/SSL handshake. When malware calls home it normally uses preset encryption. Look at your Port 443 traffic and investigate any connections without a handshake.

Endpoint Threats

  • Persistence. Collate startup entries (registry keys, autoruns etc) from all endpoints and scan for unusual entries. Any machine with unique software in startup / run keys should be investigated.
  • Account use. Collate event logs from all endpoints and scan for user account logins. Investigate outliers and unusual events like remote logins with local accounts.
  • Unusual software. Audit the software installed on all your devices. Sort the list to identify what software is only on one or two devices. Investigate this software.

Threat Hunting – the future

As we said, this is just the start. Run some hunts with the information here and see what happens. If you find attackers, roll into your incident response. When it comes to the lessons learned feed back into your future threat hunting. As you mature, you can integrate threat intelligence feeds.

If you aren’t sure where to begin, consider sending your staff on training courses or bringing in external help.

The more you hunt, the better you will get and the more you will learn. The time to start is right now.


1 – If each record was 1kb in size, this is a 143gb data set for the attackers to exfiltrate without detection.

2 – We have no way of knowing if Equifax was running threat hunts or had other controls in place. This is not a dissection of their specific situation, it is just an example.

Similar posts
  • UOC – Cybersecurity Conference ... Cybersecurity is big news with governments and businesses suffering at the hands of cyber attacks. As a result of this, the University of Chester (UoC) STEMs society is hosting a Cybersecurity Conference on the 28th March 2017. The primary aim is to raise awareness of Cybersecurity. In addition, it will provide an opportunity to build professional networks and encourage career [...]
  • Dashboards vs Security – are th... Metrics, Dashboards and Security Like them or not, metrics are a fundamental part of every organisation. Security doesn’t get to a free pass. It is a rare CISO who doesn’t demand dashboards showing how all the security controls are performing. Therefore for most organisations, this is a fight long lost. This may not always be a [...]
  • Security Incident Response Really Doe... Incident response is one of those things you really hope you’ll never have to use, but know you will. Or at least you should know! Even with the best security, there will come a day when you are up to your eyes in chaos. Either a live security incident or, worse still, picking up the pieces [...]
  • North Wales Cyber Security Cluster &#... The North Wales Cyber Security Cluster is meeting on 21 April at Solvings Ltd, in Mold, Flintshire. Solvings provide a great location and the cluster is a wonderful opportunity to learn about cyber security. Access to cluster meetings is free and everyone is welcome. No prior knowledge is needed. There really are no stupid questions! Clusters [...]
  • Ransomware: Don’t panic –... Since Cryptolocker appeared in late 2013, it seems hardly a day can go by without some ransomware attack hitting the news. The variations all have entertaining names like Teslacrypt, Locky, PayCrypt (etc). The impact on the victims can be monumental. Tracking sites show new versions appearing several times a day – much faster than most [...]

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Tweets Recent Tweets