Without threat intelligence delivered through managed detection and response, an organisation cannot know what information about it, including business information and data, is available across digital platforms. In fact, most organisations are unaware of who or what is targeting them at any given time.
This is why threat experts look for signs that vulnerabilities, sensitive data, user credentials or intellectual property have been exposed, so that businesses know what is vulnerable, know what information is available, and are aware of who and what is targeting them before an attack is made.
‘Threat hunting gives you the ability to hunt. For too long we have built our defences and we sit, and we wait to be attacked. When you threat hunt, you get to see what the attackers are doing, you get to see what they are looking at, and from that you can prepare yourself. Forewarned is forearmed’ – Feras Tappuni, CEO, SecurityHQ
What is Threat Hunting?
‘It is a process used to find unidentified threats in a given network to identify attacks, breached corporate material, credentials, intellectual property and brand infringement by harvesting data available on the visible, dark, and deep web. This is done by getting down deep into the logs, pulling data apart and analysing the anomalies. This may sound similar to penetration testing, but it is very different because penetration testing actually identifies vulnerabilities which could be used by an attacker to get inside the environment. For instance, a penetration tester will come along and say, ‘You have a vulnerability on that specific server, and on that server, and I was able to exploit it.’ Whereas Threat Hunting works in reverse so, instead, the analyst will say, ‘That vulnerability was exposed publicly for 7 days, have we been compromised, is there anything suspicious happening on that particular server that we don’t know about?’. – Eleanor Barlow, SecurityHQ
What is the Difference Between Threat Hunting and Threat Intelligence?
‘Threat intelligence is a data set about attempted or successful intrusions, usually collected and analysed by automated security systems with machine learning and AI.’- IBM
Cyber threat intelligence can be collected from open-source intelligence, technical intelligence, the deep and dark web, social media, human intelligence and more. Wherever an organisation has an online presence, threats against it can be detected and information about those threats collected.
Threat hunting uses this threat intelligence to carry out a thorough, system-wide search for bad actors. In other words, threat hunting begins where threat intelligence ends. A successful threat hunt can also identify threats that have not yet been spotted in the wild.
Threat hunting also uses threat indicators as the lead or hypothesis for a hunt. ‘Threat indicators are virtual fingerprints left by malware or an attacker, a strange IP address, phishing emails or other unusual network traffic.’ – IBM
What Can you Hunt For?
- Indicators of Compromise (IOCs)
These are the quick wins: a file hash, a file name or a known malicious IP address. An IOC can be any artefact or behaviour captured by intelligence feeds, blogs or researchers that is known to be malicious, and analysts look for those within the environment. IOCs are normally identified through research on threat intelligence platforms. Because a hash, a file name or an IP address is trivial for an attacker to change, an IOC sweep is the starting point of a hunt rather than the whole of it.
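The sweep described above, as an added example in Python. This is not SecurityHQ's code, and the IOC feed, the key=value endpoint event format, the host names and every hash and address in it are constructed placeholders chosen for illustration. It normalises the feed (case, path separators, CIDR ranges) before matching, because a raw string compare misses `SVCH0ST.EXE` against `svch0st.exe` and cannot match a single address against a published range:

```python
"""IOC sweep over endpoint events: an added example, not SecurityHQ's own code."""
import ipaddress
import re

# Constructed IOC feed. The hashes, names and addresses are placeholders
# (documentation/TEST-NET ranges), not real threat intelligence.
IOC_FEED = [
    {"type": "sha256", "source": "vendor blog",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "filename", "source": "incident report", "value": "svch0st.exe"},
    {"type": "ip", "source": "TI platform", "value": "203.0.113.45"},
    {"type": "cidr", "source": "TI platform", "value": "198.51.100.0/24"},
]

# Constructed key=value endpoint events in a Sysmon-like shape; not real telemetry.
SAMPLE_LOGS = [
    r"2024-03-01T08:12:03Z host=ws01 event=process_create image=C:\Windows\System32\svchost.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    r"2024-03-01T08:13:44Z host=ws07 event=process_create image=C:\Users\jdoe\AppData\Local\Temp\SVCH0ST.EXE sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    r"2024-03-01T08:14:01Z host=ws07 event=net_connect dst_ip=203.0.113.45 dst_port=443",
    r"2024-03-01T08:15:22Z host=ws03 event=net_connect dst_ip=198.51.100.77 dst_port=8080",
    r"2024-03-01T08:16:00Z host=ws02 event=net_connect dst_ip=10.0.0.5 dst_port=445",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn a key=value event line into a dict; keeps the raw line for reporting."""
    fields = dict(KV.findall(line))
    fields["_raw"] = line
    return fields


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()


def normalise_feed(feed):
    """Lower-case hashes and names and pre-parse addresses so matching is exact."""
    norm = []
    for ioc in feed:
        value = ioc["value"].strip()
        if ioc["type"] in ("sha256", "filename"):
            value = value.lower()
        elif ioc["type"] == "ip":
            value = ipaddress.ip_address(value)
        elif ioc["type"] == "cidr":
            value = ipaddress.ip_network(value, strict=False)
        norm.append({**ioc, "value": value})
    return norm


def matches(event, ioc):
    """True if one parsed event carries the given IOC."""
    kind, value = ioc["type"], ioc["value"]
    if kind == "sha256":
        return event.get("sha256", "").lower() == value
    if kind == "filename":
        return "image" in event and basename(event["image"]) == value
    if kind in ("ip", "cidr"):
        try:
            addr = ipaddress.ip_address(event.get("dst_ip", ""))
        except ValueError:  # event has no destination address, or a malformed one
            return False
        return addr == value if kind == "ip" else addr in value
    return False


def sweep(lines, feed=IOC_FEED):
    """Every (event, IOC) pair that matches; one line can yield several hits."""
    iocs = normalise_feed(feed)
    hits = []
    for line in lines:
        event = parse(line)
        for ioc in iocs:
            if matches(event, ioc):
                hits.append({"host": event.get("host"), "type": ioc["type"],
                             "ioc": str(ioc["value"]), "source": ioc["source"],
                             "raw": line})
    return hits


def hosts_by_hit_count(hits):
    """Hosts ranked by number of IOC hits, which is the analyst's triage order."""
    counts = {}
    for hit in hits:
        counts[hit["host"]] = counts.get(hit["host"], 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for hit in found:
        print(f"{hit['host']}: {hit['type']} {hit['ioc']} ({hit['source']})")
    print("triage order:", hosts_by_hit_count(found))
```

Run against the constructed events, the sweep yields four hits: the renamed binary on ws07 matches both the hash and the file name IOCs, ws07 then connects to the listed address, and ws03 connects to an address inside the listed range. The legitimate `svchost.exe` and the internal SMB connection produce nothing. Ranking hosts by hit count puts ws07 at the top of the triage list, which is the "is anything suspicious happening on that particular server" question the page frames.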
‘Indicators of compromise are any recorded or captured pieces of digital evidence from a security incident that can be used to provide information about an intrusion or issue.’ – IBM
- Tactics, Techniques and Procedures (TTPs)
TTPs are the patterns of activity or methods associated with a specific threat actor or group of threat actors.
‘The interesting thing about TTPs is that most adversaries use the same TTPs. However, some groups also have their own unique set of TTPs. These can be compared to the tools used and the methods implemented to do the job. So, for example, a builder may go and lay a brick wall one way, and then another builder will go and build the same wall a different way. Or if we tried to break that wall down, one builder may use a sledgehammer, the other may take it apart brick by brick. So those tactics, techniques and procedures are mapped against different groups to these actors and adversaries. And analysts can focus on an adversary that focused on, say, the Middle East, and telecommunication companies. Analysts can then say ‘OK, APT34, they are known for these TTPs, go out and look for those TTPs within our environment, do we have anything suspicious etc.’ – Aaron Hambleton, SecurityHQ
- General Anomalies within the Environment
There may be a situation where you identify no IOCs and no attacker TTPs, but you identify other anomalies within the environment that need to be investigated. Maybe accounts are logging on to various servers at different times of the day, with no pattern between those logons. Maybe one account is spraying logons across the environment. Those anomalies surface naturally once you look at the data and understand the environment.
- Unknown Insider Threats
An insider may be able to circumvent security controls. Threat hunting enables the detection of potential insider threat activity.
An insider will know how to get data out of the environment. If you worked for a company that said you cannot copy data to a USB drive, or you are not allowed to use file-sharing websites, then naturally, as a human, you would work around those controls to get data out of the network.
Hunting for unknown insider threats therefore means looking for any way an insider could circumvent controls.
It could be someone sending emails outbound, which means some analysis needs to be performed on email activity. Is there a particular user sending more outbound emails than usual that is not being flagged by Data Loss Prevention (DLP) because they are sending password-protected zip files? Maybe DLP is not looking for password-protected zip files. Is there a user who is hammering the print server, printing loads of data, and is that a data leakage concern? People set up auto-forwarding rules on their inbox, so as soon as an email hits their work mailbox it is automatically sent to a personal mailbox such as Gmail or Hotmail. These are just a few examples the SecurityHQ team has seen in the past. There are many more.
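The hunts described in the General Anomalies section (an account spraying logons across servers) and in this insider section (an outbound email spike carrying password-protected zips that DLP cannot inspect, a user hammering the print server, and auto-forwarding rules to a personal mailbox), as one added example in Python. This is not SecurityHQ's code: the activity records and mailbox rules are constructed, the corporate domain `example.com`, the seven-day baseline and the thresholds (three times the baseline daily mean, a ten-minute window, five distinct hosts) are assumptions chosen for illustration, and a real hunt would read these from the SIEM and the mail platform instead.

```python
"""Behavioural hunts over activity records: an added example, not SecurityHQ's own code."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean

INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain
TODAY_DATE = date(2024, 3, 8)     # the day being hunted; days 1-7 form the baseline


def ts(day, hour, minute):
    """Build a timestamp inside the constructed March 2024 window."""
    return datetime(2024, 3, day, hour, minute)


# Constructed activity records (timestamp, user, event, detail); not real telemetry.
EVENTS = []
for day in range(1, 8):  # seven ordinary baseline days
    EVENTS += [(ts(day, 9 + i, 0), "jdoe", "mail_out", "attachment=none") for i in range(4)]
    EVENTS += [(ts(day, 10 + i, 15), "asmith", "mail_out", "attachment=none") for i in range(3)]
    EVENTS += [(ts(day, 14, 0), "asmith", "print", "pages=12")]
# Day 8: jdoe mails 30 encrypted zips after hours, asmith prints nine large jobs,
# and a service account reaches eight servers in four minutes.
EVENTS += [(ts(8, 18, i), "jdoe", "mail_out", "attachment=zip_encrypted") for i in range(30)]
EVENTS += [(ts(8, 11, 5), "asmith", "mail_out", "attachment=none") for _ in range(3)]
EVENTS += [(ts(8, 20, i), "asmith", "print", "pages=40") for i in range(9)]
EVENTS += [(ts(8, 2, i // 2), "svc_backup", "logon", f"host=srv{i:02d}") for i in range(8)]
EVENTS += [(ts(8, 9, 0), "asmith", "logon", "host=ws05")]

# Constructed mailbox rules exported from the mail platform: (user, rule name, forward-to).
FORWARDING_RULES = [
    ("jdoe", "archive", "jdoe@personal-mail.example"),
    ("asmith", "to-manager", "manager@example.com"),
]


def logon_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Accounts that logged on to at least min_hosts distinct hosts inside one window."""
    per_user = defaultdict(list)
    for t, user, ev, detail in events:
        if ev == "logon":
            per_user[user].append((t, detail.split("=", 1)[1]))
    flagged = {}
    for user, logons in per_user.items():
        logons.sort()
        widest = 0
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            widest = max(widest, len(hosts))
        if widest >= min_hosts:
            flagged[user] = widest
    return flagged


def daily_counts(events, event_type):
    """user -> date -> number of events of event_type on that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, user, ev, _ in events:
        if ev == event_type:
            counts[user][t.date()] += 1
    return counts


def volume_outliers(events, event_type, today=TODAY_DATE, factor=3.0, min_count=5):
    """Users whose count today exceeds both min_count and factor x their baseline daily mean.
    min_count stops a jump from 0 to 2 being reported as an infinite increase."""
    out = {}
    for user, by_day in daily_counts(events, event_type).items():
        today_n = by_day.get(today, 0)
        history = [n for d, n in by_day.items() if d < today]
        baseline = mean(history) if history else 0.0
        if today_n > max(min_count, factor * baseline):
            out[user] = {"today": today_n, "baseline_mean": round(baseline, 1)}
    return out


def encrypted_zip_senders(events, today=TODAY_DATE):
    """Outbound mails today carrying password-protected zips, which content-inspecting DLP cannot read."""
    counts = defaultdict(int)
    for t, user, ev, detail in events:
        if ev == "mail_out" and t.date() == today and detail == "attachment=zip_encrypted":
            counts[user] += 1
    return dict(counts)


def external_forwarding(rules, internal_domain=INTERNAL_DOMAIN):
    """Mailbox rules that forward to a domain other than the corporate one."""
    return [(user, target) for user, _, target in rules
            if target.rsplit("@", 1)[-1].lower() != internal_domain]


if __name__ == "__main__":
    print("logon fan-out:", logon_fanout(EVENTS))
    print("outbound mail outliers:", volume_outliers(EVENTS, "mail_out"))
    print("print outliers:", volume_outliers(EVENTS, "print"))
    print("encrypted zip senders:", encrypted_zip_senders(EVENTS))
    print("external forwarding:", external_forwarding(FORWARDING_RULES))
```

None of these hunts needs an IOC or a named adversary: each one compares the environment against its own recent history (the per-user daily baseline), against a structural limit (how many hosts one account should reach in ten minutes), or against policy (where mail may be forwarded). The thresholds are the analyst's hypothesis and should be tuned to the environment; a backup account that legitimately touches every server overnight would be flagged by `logon_fanout` and then excluded once the behaviour is understood.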
But in order to act on these threats, companies need to know the basics, including the answers to: What is Threat Hunting? Where does Threat Hunting fit? What is needed to start Threat Hunting? What triggers Threat Hunting? What are analysts hunting for? How is Threat Hunting skill mapping carried out? And what are the outputs of Threat Hunting?
This is why SecurityHQ’s paper ‘The Fundamentals of Threat Hunting. Hunt Like a Pro’ answers these questions. It is aimed at people who want to quickly understand the core of what Threat Hunting is, and how Threat Hunting can work for their business.
SecurityHQ prides itself on its global reputation as an advanced Managed Security Service Provider, delivering superior engineering-led solutions to clients around the world. By combining dedicated security experts, cutting-edge technology and processes, clients receive an enterprise grade experience that ensures that all IT virtual assets, cloud, and traditional infrastructures, are protected.