For a long time, and still today, many organizations have held a reactive conception of threat detection: regular monitoring from a security operations center (SOC) that acts on security alerts.
However, the emergence of new criminal actors using increasingly sophisticated techniques, together with the complexity of IT environments, has shown that this approach is not enough. It is therefore necessary to adopt a proactive attitude towards threat detection, one that reduces both the time an attacker remains unnoticed after initial access (dwell time) and the associated impact.
Threat Hunting is thus defined as a proactive and iterative activity that searches for signs of compromise within the organization's environment, with the aim of reducing dwell time and so minimizing the impact of a possible security breach.
Proactive
- It does not wait for an event or alert to take place (monitoring)
- It is not a reactive activity (Incident Response)

Iterative
- Constant and continuous threat hunting process
What is NOT Threat Hunting?
Sometimes the activities carried out during a Threat Hunting exercise are confused or mixed with the activities carried out by other specialties.
- Threat Hunting ≠ Threat Intelligence: Cyber Threat Intelligence (CTI) activities focus on collecting data and information that provide a better understanding of the threats the organization faces, improving its security posture. For this reason, this information often serves as the starting point for a Threat Hunting exercise.
- Threat Hunting ≠ Incident Response: Although the technical knowledge required is similar, and the people who do one are often involved in the other, they are two entirely different activities. A threat hunting exercise starts from a hypothesis and tries to discover malicious activity that confirms it. On some occasions, after an in-depth investigation, it will be determined that a compromise has occurred; a security incident is then declared and the incident response plan is initiated.
What is a threat hunting exercise?
Threat Hunting is based on the premise that a security breach has already occurred, that is, that attackers are already inside the corporate environment. From this premise, an investigation is started to validate the hypothesis using the available data sources of the IT environment. In general terms, the threat hunting process can be divided into the phases shown in the following image.
- Creation of the hypothesis: the hypothesis that the whole exercise will work on, and will try to confirm with the data collected, is defined.
- Preparation of the exercise: first, the objective and scope of the exercise are defined. Once these parameters are set, the data and information sources needed to carry out the exercise are identified and prepared.
- Hunting: the hunt is executed based on the hypothesis set out.
- Analysis and investigation of the results: the results obtained from the execution of the exercise are analyzed. At this stage it may be necessary to carry out more in-depth investigations if there are indications of a possible security incident.
- Reporting: a results report with the evidence gathered and the proposed actions arising from the exercise.
And now what?
Although the main objective of Threat Hunting is the discovery of malicious activity that has gone undetected until now, this is not the only value it contributes to security. It also has many synergies with the other security areas. The following image shows a proposed pipeline with the independent elements that can start a hunting exercise (triggers) and its multiple value contributions as outputs.
The generation of a Threat Hunting hypothesis can be caused by multiple reasons, some of them:
- Cyber Threat Intelligence. From a report or intelligence feeds. For example; malware analysis, appearance of new vulnerabilities (ZeroDay), etc.
- Monitoring. As a result of a management or action carried out from the SOC from which a new technique is discovered, for example.
- Red Teaming. After a red team exercise, some of the TTPs will have been detected by the SOC. However, certain activities are likely not to have been, so a Threat Hunting exercise can be carried out with the aim of discovering them and improving the security posture.
- Threat Modelling. Based on the threats identified, Threat Hunting exercises can be designed that focus on these aspects.
- Others. Expert knowledge, box exercises, etc.
The outputs of a threat hunting exercise vary from one exercise to another, and each can add value to the security posture in different ways.
- Reports. Reports with the analysis of the results obtained regarding the Threat Hunting exercise carried out.
- Detection rules. Once the exercise ends, if the detection logic for the studied hypothesis meets defined precision and accuracy thresholds, detection rules are proposed so that the SOC can monitor it.
- Activation of the incident response plan. In the event that the investigation carried out confirms the existence of a security incident.
- Recommendations. As a result of the Threat Hunting exercise, it is often possible to generate proposals for improvement related to bad practices discovered during the investigation.
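The following is an added example, not the author's tooling, that carries the five phases listed earlier (hypothesis, preparation, hunting, analysis, reporting) through on constructed data and then applies the precision gate described under "Detection rules" to decide whether the hunt logic is promoted to a SOC rule. The process-creation events, the two hypotheses, the 0.8 precision threshold and the labels marking which events analysts confirmed as malicious are all assumptions made for the example; the second hypothesis shows the iterative refinement after the first one produces a false positive.

```python
"""Added example: one hunt carried through the phases described above on a
constructed data set. It is not the author's or any vendor's tooling."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str        # parent process image name
    image: str         # child process image name
    cmdline: str
    # Analyst-confirmed label; used only after the hunt to measure it.
    confirmed_malicious: bool = False


# Phase 2 (preparation): constructed process-creation events standing in for
# the endpoint telemetry data source. All values are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "alice", "winword.exe", "powershell.exe", "powershell -nop -enc <b64>", True),
    ProcessEvent("ws-02", "bob", "explorer.exe", "powershell.exe", "powershell -File backup.ps1"),
    ProcessEvent("ws-03", "carol", "excel.exe", "cmd.exe", "cmd /c whoami", True),
    ProcessEvent("srv-01", "svc_build", "jenkins.exe", "powershell.exe", "powershell -enc <b64>"),
    ProcessEvent("ws-04", "dave", "outlook.exe", "powershell.exe", "powershell -w hidden -enc <b64>", True),
    ProcessEvent("ws-05", "erin", "explorer.exe", "notepad.exe", "notepad report.txt"),
    ProcessEvent("ws-06", "frank", "outlook.exe", "powershell.exe", "powershell -File signature_sync.ps1"),
    ProcessEvent("ws-07", "grace", "explorer.exe", "powershell.exe", "powershell -enc <b64>", True),
]


@dataclass
class Hypothesis:
    """Phase 1: the statement the hunt tries to confirm, expressed as a filter."""
    name: str
    office_parents: tuple = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
    shells: tuple = ("powershell.exe", "cmd.exe", "wscript.exe")
    cmdline_markers: tuple = ()   # empty means "any command line"

    def matches(self, ev: ProcessEvent) -> bool:
        if ev.parent.lower() not in self.office_parents or ev.image.lower() not in self.shells:
            return False
        return not self.cmdline_markers or any(m in ev.cmdline.lower() for m in self.cmdline_markers)


# First iteration: any shell spawned by an Office application.
BROAD = Hypothesis("Office application spawning a command shell")
# Second iteration, narrowed after reviewing the false positive of the first one.
REFINED = Hypothesis("Office application spawning a shell with suspicious flags",
                     cmdline_markers=("-enc", "-w hidden", "/c"))


def hunt(hypothesis, events):
    """Phase 3: run the hypothesis over the data source and return the matching events."""
    return [ev for ev in events if hypothesis.matches(ev)]


def evaluate(hits, events):
    """Phase 4: compare the hits against the analysts' conclusions."""
    tp = sum(1 for ev in hits if ev.confirmed_malicious)
    fp = len(hits) - tp
    fn = sum(1 for ev in events if ev.confirmed_malicious and ev not in hits)
    precision = tp / len(hits) if hits else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def propose_detection_rule(hypothesis, metrics, min_precision=0.8):
    """Hand a rule to the SOC only when the hunt logic met the precision bar."""
    if metrics["precision"] < min_precision:
        return None
    return {
        "title": hypothesis.name,
        "parent_in": list(hypothesis.office_parents),
        "image_in": list(hypothesis.shells),
        "cmdline_contains_any": list(hypothesis.cmdline_markers),
    }


def report(hypothesis, events, min_precision=0.8):
    """Phase 5: the summary an exercise would hand over, with its proposed outputs."""
    hits = hunt(hypothesis, events)
    metrics = evaluate(hits, events)
    return {
        "hypothesis": hypothesis.name,
        "hits": len(hits),
        "affected_hosts": sorted({ev.host for ev in hits if ev.confirmed_malicious}),
        "metrics": metrics,
        "detection_rule": propose_detection_rule(hypothesis, metrics, min_precision),
        "activate_incident_response": metrics["tp"] > 0,
    }


if __name__ == "__main__":
    for h in (BROAD, REFINED):
        print(report(h, SAMPLE_EVENTS))
```

On the constructed data the broad hypothesis produces four hits with one false positive (precision 0.75), so no rule is proposed; the refined hypothesis keeps the three true positives and drops the false one (precision 1.0) and is promoted. Both iterations miss the confirmed-malicious event on ws-07, whose parent is not an Office process, which is why the report carries recall as well as precision: a rule can be precise enough to hand to the SOC while the hunt itself still has coverage gaps worth a new hypothesis.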
By: Rubén Revuelta Briz