Courses SentinelOne - Six Steps to Successful and Efficient Threat Hunting

[dEEpEst]

What is Cyber Threat Hunting?​

Cyber threat hunting is proactively and systematically searching for signs of potential cyber threats within an organization’s network or systems. This can be done through manual and automated techniques, such as analyzing log data, conducting network scans, and using threat intelligence feeds. Cyber threat hunting aims to identify potential threats that may have evaded traditional security controls, such as firewalls or intrusion detection systems. By detecting and responding to these threats early, organizations can reduce their risk of being impacted by a cyber attack and maintain the security and availability of their systems and networks.

Threat hunting can be defined as a practice designed to help you find adversaries hiding in your network before they can execute an attack or fulfill their goals. Unlike most security strategies, threat hunting is a proactive technique that combines the data and capabilities of an

This link is hidden for visitors. Please Log in or register now.

with the strong analytical and technical skills of an individual or team of threat-hunting professionals.

Threat hunting is quite a different activity from either

This link is hidden for visitors. Please Log in or register now.

or digital forensics. The purpose of DF/IR methodologies is to determine what happened after a data breach has already come to light. In contrast, when a threat-hunting team engages in threat hunting, the aim is to search for attacks that may have already slipped through your defensive layers.

Threat hunting also differs from

This link is hidden for visitors. Please Log in or register now.

and vulnerability assessment, too. These attempts to simulate an attack from the outside, whereas threat hunters work from the premise that an attacker is already in the network and then try to look for

This link is hidden for visitors. Please Log in or register now.

, lateral movement and other tell-tale artifacts that may provide evidence of attack behavior.

What Do You Need to Start Threat Hunting?​

As we’ve seen, the cyber threat hunting process is all about aggressively seeking out hidden IOCs and covert behavior by assuming a breach has occurred and then searching for anomalous activity. To do that, security analysts must separate the unusual from the usual, filtering out the noise of everyday network traffic in search of as yet-unknown activity.

Doing that effectively begins with comprehensive visibility into your network and rich data from your endpoints. Device telemetry should include things like encrypted traffic,

This link is hidden for visitors. Please Log in or register now.

, system and event logs, data on user behavior, denied connections trapped by

This link is hidden for visitors. Please Log in or register now.

and

This link is hidden for visitors. Please Log in or register now.

activity. Ideally, you want tools such as

This link is hidden for visitors. Please Log in or register now.

(Security Information and Event Management) that allow a clear overview of all this data with powerful search capabilities that can contextualize what you see to minimize the amount of manual sifting through raw logs.

Features that can

This link is hidden for visitors. Please Log in or register now.

, IoT devices, and mobiles and discover running services on your network are a major boon, as are

This link is hidden for visitors. Please Log in or register now.

that you can incorporate into your browser to speed up threat detection and research.

A threat-hunting program requires proper reporting tools to provide analysts with quality data, but it also presupposes that they have full confidence in the

This link is hidden for visitors. Please Log in or register now.

protecting their network. Threat hunting is time-consuming, and your

This link is hidden for visitors. Please Log in or register now.

analysts can’t afford to waste time manually catching threats that your EDR solution should have found for them autonomously. Detecting advanced threats is the most difficult challenge security teams face, particularly if the organization is limited by a cyber skills

This link is hidden for visitors. Please Log in or register now.

or is stuck with an infosec (Information Security) solution that swamps them with masses of alerts or a high degree of false positives.

Another vital security tool for analysts is good

This link is hidden for visitors. Please Log in or register now.

. There are several public or

This link is hidden for visitors. Please Log in or register now.

(open source intelligence) feeds where hunters can keep up to date with the latest IOCs, such as malicious IP addresses, newly announced CVEs and sample hashes of the newest malware. For example, the SANS institute keeps a compiled list of

This link is hidden for visitors. Please Log in or register now.

. The

This link is hidden for visitors. Please Log in or register now.

is also a powerful tool to help cyber threat hunters learn about the tools, tactics and procedures (TTP) used by advanced

This link is hidden for visitors. Please Log in or register now.

. You can, for example, search the MITRE ATT&CK database for groups that are known to target your sector or industry and learn about the techniques they have used. Armed with this intel, you can start to threat hunt across your network for evidence of that group’s TTPs. For more information on the steps needed for Threat Hunting, read

This link is hidden for visitors. Please Log in or register now.

.

How Do You Know What to Look For?​

Using

This link is hidden for visitors. Please Log in or register now.

tools and frameworks like MITRE ATT&CK only works effectively if you know what you’re looking for, and that brings us to one of the essential components of effective threat hunting: hypothesis formation and testing.

Threat hunters need a solid understanding of the organization’s profile, business activities that could attract threat actors (such as hiring new staff or acquiring new assets, companies, etc), and baseline usage.

Attackers will often want to blend in with ordinary users and try to acquire user credentials such as from a

This link is hidden for visitors. Please Log in or register now.

or

This link is hidden for visitors. Please Log in or register now.

, so understanding users’ typical behavior is a useful baseline for investigating anomalous file access or log in events. Combining that with understanding what company data is of value to attackers and where it is located can lead to hypotheses such as “Is an attacker trying to steal data located at xyz?”. This in turn could prompt data collection that answers questions such as:

“Which users have accessed location XYZ for the first time in the last n days?”

Advanced threat-hunting techniques will try to automate as many tasks as possible using statistical analyses and machine learning. Monitoring user behavior and comparing that behavior against itself to search for anomalies, for example, is far more effective than running individual queries, though both techniques are likely to be required in practice. Both are made easier if you have tools like SentinelOne that have a rich set of native APIs enabling full integration across your security software stack.

How Often Should You Threat Hunt?​

Some businesses only hunt for new threats on an ad hoc basis. This might be triggered when a certain event (e.g., an access attempt on a particularly sensitive service or file location) or staff has free time from other duties. While ad hoc hunting allows organizations with restricted staff and budgets to still engage in this extra layer of defense, it has the drawback of only allowing minimal hunts for a limited set of behaviors and is the least effective way to employ the strategy.

Scheduled threat hunting, where time is dedicated for staff to conduct hunts at regular intervals, is an improvement and can allow organizations to prioritize searches at different times and improve efficiency. However, scheduled threat hunting has the drawback of offering a certain

This link is hidden for visitors. Please Log in or register now.

for advanced attacks to try to operate in between those intervals, so the shorter the interval, the better.

Ideally, organizations with sufficient staff and budget should engage in continuous, real-time threat hunting in which the network and endpoints are proactively engaged to uncover attacks on the network as part of a sustained effort.

Who Should Conduct Your Threat Hunting?​

It’s probably clear by now that threat hunting is a specialist task. It requires a security analyst who can use various tools, understand and analyze the risks your organization faces, and is versed in the methods and tools used by advanced attackers.

While hiring in-house threat hunters can be a great way to go, organizations need to have the budget for it and access to people with the relevant skills. For many enterprises, a more realistic approach can be to engage threat hunting services from

This link is hidden for visitors. Please Log in or register now.

(Managed Security Service Providers) for some or all of their threat hunting work.

Conclusion​

Threat hunting allows you to get out in front of the latest threats by proactively hunting for malicious activity. Advanced solutions like behavioral AI will stop most cyberattacks in their tracks and are prerequisites to providing the visibility threat hunting requires, but malicious actors are always innovating and looking for ways around enterprise network security. Organizations need to be vigilant to prevent vectors such as

This link is hidden for visitors. Please Log in or register now.

and highly targeted attacks. Adding the expertise of human analysts can provide that extra layer of security for your organization.

More info:

This link is hidden for visitors. Please Log in or register now.

DOWNLOAD​