There is a saying in the sports world, “If you stay ready, you won’t have to get ready”. If you are prepared and proactive in your approach towards the obstacle in front of you, then you will be ready for anything. This same analogy can be applied in the cybersecurity world, particularly when it comes to threat hunting.

Threat hunting is the practice of proactively searching for cyberthreats that are prowling undetected in a network. It’s a skill that requires an analyst to dig deep using gathered intelligence—sometimes with little to no guideline on how or where to find malicious actors within an environment. The goal is to locate malicious activity that may have slipped past your initial anti-virus and endpoint security defenses.

Attackers Calling an Audible Play: Advanced Persistent Threats

Threat actors are always evolving and finding ways to up their attack game plan, which is why new Advanced Persistent Threats (APTs) often go undetected by most of today’s security technologies. Proactively hunting for complex malware, and covert command and control servers can make the difference in uncovering an already compromised network.

According to IBM’s 2020 data breach report, threat actors spend an average of 207 days inside a network before being detected. That is more than enough time for data to be exfiltrated and privileged accounts to be created, which can lead to devastating damage, financially and reputationally. Finding these actors is critical.

After performing reconnaissance and sneaking into a network, an attacker can stealthily remain in an environment for weeks, even months, as they silently collect data, look for confidential documents or obtain login credentials that will allow them to move laterally across the environment.

Once an attacker is successful in evading detection and an attack has penetrated an organization’s defenses, it is too late. Unfortunately, many organizations lack the advanced detection capabilities needed to stop the advanced persistent threats from remaining in the network.

Playing Defense: Threat Hunting Steps

The process of proactive threat hunting typically involves three steps: a trigger, an investigation and a resolution. These steps can be seen as defensive plays to counter-attack an adversary.

Play #1: Triggered Event

Triggered event alerts lead threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify suspicious actions that may indicate malicious activity. Triggered events also aid threat hunting techniques when tracking down compromised endpoints communicating with a command and control server. When hunting for command and control activity, it is important to review network traffic for suspicious patterns that reflect endpoint beaconing, data exfiltration, direct IP connections or connections to recently registered DNS queries. New intel about a new threat can be the trigger for proactive hunting. A security team may hunt for advanced threats that use PowerShell to generate fileless malware, which is used to evade existing defenses.

Play #2: Investigation

During the investigation phase, threat hunters can use Endpoint Detection and Response (EDR) technology to dive deeper into a potential compromise of a system. System or endpoint investigation should continue until either the activity is considered a false positive, confirmed a security scenario test or if investigation results prove to be malicious behavior.

Based upon the suspicious activity that is discovered, the investigator can create detection rules within the EDR tool that will automatically detect and generate alerts and incidents for future occurrences.

Play #3: Incident Resolution

The resolution phase involves reporting any relevant malicious activity intelligence to the security operations and incident response teams so they can respond to the incident and remediate the threats. The data gathered from both malicious and false positive activity can be fed into a SIEM or EDR to improve its effectiveness without further human intervention.

Throughout this process, threat hunters gather as much information as possible about an attacker’s actions, methods and goals. This approach is like one sports team studying film of the other team to learn the other team’s attack methods. Threat hunters also continue to analyze collected data to determine trends in an organization’s security environment, eliminate current vulnerabilities and make predictions to enhance security in the future. Being reactive is no longer acceptable from a security standpoint. Proactivity allows you to stay ready, so you don’t have to get ready.
Contributors: