Lots of articles, blog posts and webcasts talk about threat hunting. Despite this, few, if any, organisations do it. This is a mistake.
Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an external website and exfiltrated the data. There are no specifics on the attack yet, but it takes time to copy out that much data. Good threat hunting uses this time to detect attackers. This would have allowed Equifax to implement countermeasures to minimise the breach.
Any organisation can threat hunt. Threat hunting uses your existing security controls to identify attackers before they can destroy your business. It doesn’t replace anything. You can’t use it to replace your AV or firewalls, no matter what vendors say. Hunting doesn’t mean you can get rid of your incident response teams.
In our experience, effective threat hunting simply makes everything else work better. The hunts give your IR teams better data to work from. Lessons you learn from hunting help establish more effective controls. In short, good threat hunting makes everything better.
Every organisation should hunt threats on their network. You don’t need to buy anything new and you can do it with your own staff. This post gives some tips to get you started, but nothing beats experience and formal training. Halkyn Security offer a threat hunting service, which includes helping set up your teams to hunt. However, if you want formal training we strongly recommend SANS courses, at least for key staff.
Cyber Security and Threat Hunting
Traditional security focuses on established controls. This is your firewall, endpoint antivirus, mail filter and similar tools. A very good example of traditional security is the Cyber Essentials scheme. As the name says, this is essential.
Next, you need to make sure you have a way to respond to incidents. From Talk Talk to Equifax, it is apparent that incidents will continue to happen. As a result, incident response really does matter.
Even with this in place, problems will still happen. Advanced Persistent Threat might be a marketing term, but the reality is persistent attackers exist. Criminals, or nation states, will spend time subverting your controls.
Here lies the problem. If an attacker can bypass your controls, what triggers your incident response process? Often, sadly, it is public notification when other people discover your breach.
Defending your information relies on a simple equation. If the time to detect (D) the attackers plus the time to respond (R) to the attack is less than the time it takes the attacker (A) to complete their mission, you win. If it isn’t, the attacker wins. The fundamental goal of threat hunting is to speed up your side. This is how you win.
When the dust settles, it turns out most breaches last months. Attackers spend time moving around. They collect sensitive data. The data is hoarded into staging servers. Eventually, the attackers exfiltrate the data. At this point it is too late for anything other than a PR exercise to limit the damage. However, in the weeks and months before this your organisation has thousands of opportunities to detect and defeat the attack. Threat hunting really does make the difference.
Threat hunting for beginners
So you agree threat hunting is a good idea; now where do you start? This guide can help, but remember nothing matches either skilled staff or bringing in dedicated threat hunting teams.
To get started, think of each threat hunt as a way of testing a theory. Build a theory. Decide what evidence would support it (or disprove it) and then collect the data.
Every environment is different, so we can’t give you specific examples for your network here. However, we can provide some examples you might want to tailor:
Threat hunting example scenarios
Here are some example threat hunting scenarios. This is not an exhaustive list and the idea is you will build on this to develop good practices for your own organisation.
- Command and Control Channels. If you have a compromised device, it has to talk to the attackers. Collate your firewall and proxy logs. Split them into hourly segments. Find any device which is present in every segment. Establish why.
- Unusual protocols. Check the data going out of your organisation. If you see encrypted traffic on port 80 it is unusual. Establish what has caused this.
- Suspicious encryption. When your users visit HTTPS sites, there is a TLS/SSL handshake. When malware calls home it often uses its own preset encryption instead. Look at your port 443 traffic and investigate any connections without a handshake.
- Persistence. Collate startup entries (registry keys, autoruns etc) from all endpoints and scan for unusual entries. Any machine with unique software in startup / run keys should be investigated.
- Account use. Collate event logs from all endpoints and scan for user account logins. Investigate outliers and unusual events like remote logins with local accounts.
- Unusual software. Audit the software installed on all your devices. Sort the list to identify what software is only on one or two devices. Investigate this software.
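The command and control hunt above (collate the logs, split them into hourly segments, find any device present in every segment) is simple enough to script. The following is an added example, not code from the original post or from Halkyn Security. It assumes a simplified proxy log line of the form `<ISO timestamp> <source host> <destination>`; the log lines, host names and destinations are constructed for the example.

```python
"""Hunt for command-and-control beacons in proxy logs (added example).

A compromised device has to keep talking to its controller, so a host that
shows up in every hourly segment of the log, and keeps contacting the same
destination in each segment, is worth establishing a reason for.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<timestamp> <src_host> <destination>".
# The format is an assumption for this example, not a real product's log.
SAMPLE_LOG = """\
2017-09-20T00:05:12 ws-042 updates.example.net
2017-09-20T00:17:40 ws-007 cdn.example.org
2017-09-20T01:05:13 ws-042 updates.example.net
2017-09-20T01:44:02 ws-113 mail.example.com
2017-09-20T02:05:14 ws-042 updates.example.net
2017-09-20T02:30:09 ws-007 cdn.example.org
2017-09-20T03:05:13 ws-042 updates.example.net
2017-09-20T03:12:55 ws-113 mail.example.com
"""


def parse_line(line):
    """Split one log line into (timestamp, source host, destination)."""
    ts, host, dest = line.split()
    return datetime.fromisoformat(ts), host, dest


def hour_of(ts):
    """Truncate a timestamp to the start of its hourly segment."""
    return ts.replace(minute=0, second=0, microsecond=0)


def destinations_by_segment(lines):
    """Map hourly segment -> source host -> set of destinations contacted."""
    per_segment = defaultdict(lambda: defaultdict(set))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, dest = parse_line(line)
        per_segment[hour_of(ts)][host].add(dest)
    return per_segment


def persistent_hosts(lines, min_segments=4):
    """Hosts present in every hourly segment, each with the destinations it
    contacted in *all* of those segments (a single constant destination is
    the classic beacon shape; an empty set means the host is always active
    but not to one fixed place).

    Returns {} when the log spans fewer than min_segments hours, because
    "present in every segment" means little over one or two hours.
    """
    per_segment = destinations_by_segment(lines)
    if len(per_segment) < min_segments:
        return {}
    segments = list(per_segment.values())
    everywhere = set.intersection(*(set(seg) for seg in segments))
    return {
        host: set.intersection(*(seg[host] for seg in segments))
        for host in sorted(everywhere)
    }


if __name__ == "__main__":
    for host, dests in persistent_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: present every hour, constant destinations {sorted(dests)}")
```

On the constructed log, ws-042 is the only host present in all four segments and it always contacts the same destination. Expect servers, update agents and monitoring tools to appear in a real run; the hunt ends with establishing why each one is there, and anything you can account for goes onto an exclusion list for the next run.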
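For the suspicious encryption hunt, the check is whether a client-to-server flow on port 443 opens with a TLS ClientHello. Here is an added example of that check, not code from the original post or from Halkyn Security. It assumes you can export the first payload bytes of each TCP flow from a proxy, IDS or packet capture; the flows, hosts and payloads below are constructed, with TEST-NET addresses standing in for real servers.

```python
"""Flag port 443 flows that do not start with a TLS handshake (added example).

A TLS connection begins with a record of content type 0x16 (Handshake),
a 0x03xx protocol version, a two-byte length and then handshake type 0x01
(ClientHello). Traffic on 443 that does not open this way is using
something other than TLS and deserves a closer look.
"""


def looks_like_tls_client_hello(payload):
    """True if the first bytes of a client->server payload form a TLS
    Handshake record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (
        content_type == 0x16          # Handshake record
        and major == 0x03             # SSL 3.0 / TLS 1.x record version
        and minor <= 0x04
        and record_len > 0
        and handshake_type == 0x01    # ClientHello
    )


# Constructed flows: (source host, destination, destination port) ->
# first payload bytes sent by the client.
FLOWS = {
    # Genuine TLS 1.2 ClientHello prefix (record header + handshake header).
    ("ws-042", "203.0.113.10", 443):
        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20,
    # Opaque blob: encrypted with some preset scheme, no TLS framing.
    ("ws-007", "198.51.100.5", 443):
        b"\x8f\x2a\x17\x00\x41\x9c\x55\x01\x00\xde\xad\xbe\xef",
    # Plain HTTP sent to 443: not TLS either, so it is flagged as well.
    ("ws-113", "203.0.113.11", 443):
        b"GET / HTTP/1.1\r\nHost: 203.0.113.11\r\n\r\n",
    # Port 80 flow: out of scope for this hunt regardless of content.
    ("ws-113", "203.0.113.12", 80):
        b"GET / HTTP/1.1\r\nHost: 203.0.113.12\r\n\r\n",
}


def flows_without_handshake(flows, port=443):
    """Return the flow keys on the given port whose first bytes are not a
    TLS ClientHello, sorted for stable reporting."""
    return sorted(
        key for key, payload in flows.items()
        if key[2] == port and not looks_like_tls_client_hello(payload)
    )


if __name__ == "__main__":
    for src, dst, port in flows_without_handshake(FLOWS):
        print(f"no TLS handshake: {src} -> {dst}:{port}")
```

This looks only at the first bytes of the flow, which is enough to separate TLS from not-TLS; TLS 1.3 still sends a 0x0301 or 0x0303 record version and a ClientHello, so it passes the check. QUIC on 443/UDP is a separate case this TCP-only check does not cover.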
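The persistence and unusual software hunts share one technique: collate an inventory from every endpoint, count how many endpoints each item appears on, and investigate the items that appear on only one or two. The following added example (not code from the original post or from Halkyn Security) does that prevalence count; the startup entries, software names and endpoint names are constructed, and the inventory is assumed to have been collected already by whatever endpoint tooling you run.

```python
"""Prevalence analysis of endpoint inventories (added example).

Works for any per-endpoint inventory: startup/Run-key entries, scheduled
tasks, services or installed software. Items seen on only a handful of
endpoints are the ones to investigate first.
"""
from collections import defaultdict

# Constructed startup-entry inventory: endpoint -> set of startup entries.
STARTUP_INVENTORY = {
    "ws-001": {"OneDrive", "SecurityHealth", "VPNClient"},
    "ws-002": {"OneDrive", "SecurityHealth", "VPNClient"},
    "ws-003": {"OneDrive", "SecurityHealth", "VPNClient", "hostupdate_svc"},
    "ws-004": {"onedrive", "SecurityHealth", "VPNClient"},
    "ws-005": {"OneDrive", "SecurityHealth"},
}

# Constructed installed-software inventory, same shape.
SOFTWARE_INVENTORY = {
    "ws-001": {"Office 365", "Chrome", "7-Zip"},
    "ws-002": {"Office 365", "Chrome", "7-Zip", "Legacy FTP Client"},
    "ws-003": {"Office 365", "Chrome"},
    "ws-004": {"Office 365", "chrome", "Legacy FTP Client"},
    "ws-005": {"Office 365", "Chrome", "7-Zip"},
}


def normalise(entry):
    """Collapse whitespace and case so 'OneDrive' and 'onedrive' count as
    one item rather than inflating the rare list with spelling variants."""
    return " ".join(entry.split()).lower()


def prevalence(inventory):
    """Map each normalised item to the set of endpoints it appears on."""
    hosts_per_item = defaultdict(set)
    for host, items in inventory.items():
        for item in items:
            hosts_per_item[normalise(item)].add(host)
    return hosts_per_item


def rare_entries(inventory, max_hosts=2):
    """Items present on at most max_hosts endpoints, rarest first.

    Returns a list of (item, sorted list of endpoints) so the analyst knows
    exactly where to look.
    """
    return sorted(
        ((item, sorted(hosts))
         for item, hosts in prevalence(inventory).items()
         if len(hosts) <= max_hosts),
        key=lambda pair: (len(pair[1]), pair[0]),
    )


if __name__ == "__main__":
    for label, inv in (("startup", STARTUP_INVENTORY), ("software", SOFTWARE_INVENTORY)):
        for item, hosts in rare_entries(inv):
            print(f"[{label}] '{item}' only on {', '.join(hosts)}")
```

On the constructed data, one startup entry is unique to a single endpoint and one package is installed on just two; the case-folded OneDrive and Chrome entries are correctly counted as common. The threshold is the knob to turn as the estate grows: on a few thousand endpoints "one or two" is still the right place to start, and the hunt can then walk up the list.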
Threat Hunting – the future
As we said, this is just the start. Run some hunts with the information here and see what happens. If you find attackers, roll into your incident response. Feed the lessons learned back into your future threat hunting. As you mature, you can integrate threat intelligence feeds.
If you aren’t sure where to begin, consider sending your staff on training courses or bringing in external help.
The more you hunt, the better you will get and the more you will learn. The time to start is right now.