Threat Hunting Tips to Improve Security Operations

From Ferdinand Magellan to Lewis and Clark to Neil Armstrong – humans have an innate desire to understand the unknown. In security operations, we see this phenomenon every day in several forms, one of which is threat hunting. Unlike alert triage, threat hunting is not triggered by an event; it is driven by the unknown. It is the practice of proactively and iteratively searching networks and systems for abnormal activity that existing detections have not flagged.

Proactive threat hunting has become such an important aspect of effective security operations that it is now one of the top three areas of improvement in Incident Response (IR) that organizations plan to make this year. According to the 2018 SANS Incident Response Survey, 45.3 percent of the 452 respondents prioritize it above developing/improving IR playbooks and automating response and remediation workflows. 

But what does it take to prioritize threat hunting? We all know that you don’t simply decide one day that you’re going to sail around the world or travel 8,000 miles across uncharted territory or head to the moon. You need a well-defined plan and the right resources, aligned to work together. The same is true for hunting threats.  

In general, there are two approaches to threat hunting: 1) An outside-in approach, where you learn of a threat from an external report and hunt for associated indicators within your environment, and 2) An inside-out approach, where you observe suspicious behavior in your environment, pivot to the adversary and external sources to learn more about associated indicators, and then hunt for and find additional indicators in your environment.
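The two approaches above end in the same operation, a sweep of internal telemetry for a set of indicators; they differ in where the indicator set comes from. The following example, added here and not part of the original article or any vendor product, shows both over a handful of constructed proxy log lines. The log format, host names, destinations, the bytes-out threshold and the small "external intel" lookup table are all assumptions made for the demonstration.

```python
"""Outside-in and inside-out hunting over constructed proxy log lines.

Example code added to illustrate the two hunting approaches; it is not from
the original article. All log lines, indicators and host names are constructed.
"""
import re
from collections import defaultdict

# Constructed proxy log: timestamp host user destination bytes_out
PROXY_LOG = """\
2018-06-01T08:01:10Z ws-017 alice cdn.example.net 512
2018-06-01T08:02:44Z ws-042 bob update.example-vendor.test 2048
2018-06-01T08:05:03Z ws-042 bob bad-domain.test 91000
2018-06-01T08:05:09Z ws-042 bob 203.0.113.55 640
2018-06-01T08:07:30Z ws-088 carol 203.0.113.55 610
2018-06-01T08:11:00Z ws-017 alice cdn.example.net 480
"""

# Destinations the organization already knows to be benign (assumed baseline).
BASELINE_DESTS = {"cdn.example.net", "update.example-vendor.test"}

# Constructed stand-in for an external report or intel lookup:
# an indicator maps to the other indicators the same adversary is known to use.
EXTERNAL_INTEL = {"bad-domain.test": ["203.0.113.55", "198.51.100.7"]}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_proxy_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, dest, out = m.groups()
        events.append({"ts": ts, "host": host, "user": user,
                       "dest": dest, "bytes_out": int(out)})
    return events


def hunt_outside_in(events, indicators):
    """Outside-in: sweep the log for indicators supplied by an external report.

    Returns {indicator: [hosts that contacted it, in order of first contact]}
    containing only the indicators actually seen.
    """
    hits = defaultdict(list)
    for e in events:
        if e["dest"] in indicators and e["host"] not in hits[e["dest"]]:
            hits[e["dest"]].append(e["host"])
    return dict(hits)


def hunt_inside_out(events, bytes_threshold, baseline_dests, external_intel):
    """Inside-out: start from a local anomaly, pivot outward, then sweep.

    1. Anomaly: an outbound transfer at or above bytes_threshold to a
       destination that is not in the known-good baseline.
    2. Pivot: look the anomalous destination up in external intel to learn
       the adversary's related indicators.
    3. Sweep: hunt for the seed and related indicators across all hosts,
       reusing the outside-in sweep.
    Returns (seed_indicators, hits).
    """
    seeds = {e["dest"] for e in events
             if e["bytes_out"] >= bytes_threshold
             and e["dest"] not in baseline_dests}
    related = set(seeds)
    for seed in seeds:
        related.update(external_intel.get(seed, []))
    return seeds, hunt_outside_in(events, related)


def demo():
    """Run both hunts over the constructed log and return their results."""
    events = parse_proxy_log(PROXY_LOG)
    outside_in = hunt_outside_in(events, {"bad-domain.test", "198.51.100.7"})
    seeds, inside_out = hunt_inside_out(events, 50000, BASELINE_DESTS, EXTERNAL_INTEL)
    return outside_in, seeds, inside_out


if __name__ == "__main__":
    for name, result in zip(("outside-in", "seeds", "inside-out"), demo()):
        print(f"{name}: {result}")
```

In the constructed data the outside-in sweep finds only the host that talked to the reported domain, while the inside-out hunt starts from the large upload on ws-042, learns from the (constructed) intel that 203.0.113.55 belongs to the same adversary, and then finds ws-088 beaconing to that address, a host no external report would have pointed at. That second host is the payoff of pivoting before sweeping.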

Whichever threat hunting approach you’re using, you need a way to ensure your hunting efforts are focused on high-risk threats and that the team is operating efficiently since time is the enemy. These three tips can help:

1. Use context to prioritize. Effective prioritization requires context to understand what is relevant and high-priority to your organization. To help with prioritization, many threat intelligence providers publish “global” risk scores based on their own research, visibility and proprietary methods. But a global score reflects the provider’s visibility, not yours: what is relevant to one company may not be relevant to another. You need to be able to prioritize based on parameters you set, such as the sectors a campaign targets, which feeds you trust, and whether an indicator has already been seen on your own assets. Because you have multiple sources of context (external threat intelligence, internal data and intelligence, etc.) you need a central repository to aggregate data and events and manage and automate the prioritization process. With an approach to threat hunting that includes aggregating, scoring and prioritizing within the context of your environment, your high-value analysts don’t waste time chasing ghosts. 
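To make the idea of organization-specific scoring concrete, here is an added example (not code from the original article or any threat intelligence platform) that aggregates indicator records from two feeds and scores them against parameters the organization sets. The feed records, the weights, the sector and asset names, and the score formula are all assumptions chosen to illustrate the point; a real deployment would tune them.

```python
"""Context-based prioritization of aggregated indicators.

Example code added to illustrate tip 1; it is not from the original article.
Feed records, weights and organization parameters are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str
    provider_score: int = 0                       # best "global" score any feed gave
    sources: set = field(default_factory=set)     # feeds that reported it
    targets: set = field(default_factory=set)     # sectors the reporting says it targets
    internal_sightings: int = 0                   # times seen in our own telemetry
    affected_assets: set = field(default_factory=set)


# Constructed records as they might arrive from two feeds.
FEED_RECORDS = [
    {"feed": "vendorA", "value": "bad-domain.test", "score": 90, "targets": ["retail"]},
    {"feed": "isac",    "value": "bad-domain.test", "score": 60, "targets": ["finance"]},
    {"feed": "vendorA", "value": "203.0.113.55",    "score": 95, "targets": ["energy"]},
    {"feed": "isac",    "value": "198.51.100.7",    "score": 40, "targets": ["finance"]},
]

# Parameters the organization sets (assumed values).
ORG_CONTEXT = {
    "sector": "finance",
    "crown_jewels": {"ws-042", "db-01"},   # assets whose compromise matters most
    "trusted_feeds": {"isac"},
}


def aggregate(records):
    """Merge per-feed records into one Indicator per value (the central repository)."""
    merged = {}
    for r in records:
        ind = merged.setdefault(r["value"], Indicator(r["value"]))
        ind.provider_score = max(ind.provider_score, r["score"])
        ind.sources.add(r["feed"])
        ind.targets.update(r["targets"])
    return merged


def local_score(ind, ctx):
    """Score 0-100 from the organization's own parameters.

    The global score contributes, but it is deliberately outweighed by
    evidence that the indicator matters to *this* environment.
    """
    score = ind.provider_score * 0.4
    if ctx["sector"] in ind.targets:
        score += 20                                  # campaign targets our sector
    if ind.sources & ctx["trusted_feeds"]:
        score += 10                                  # corroborated by a trusted feed
    if len(ind.sources) > 1:
        score += 5 * (len(ind.sources) - 1)          # independent corroboration
    if ind.internal_sightings:
        score += 25                                  # already seen on our network
    if ind.affected_assets & ctx["crown_jewels"]:
        score += 30                                  # seen on a high-value asset
    return min(100, round(score))


def prioritize(indicators, ctx):
    """Return [(value, local_score)] sorted highest first, ties by value."""
    scored = [(v, local_score(i, ctx)) for v, i in indicators.items()]
    return sorted(scored, key=lambda p: (-p[1], p[0]))


def record_sighting(indicators, value, host):
    """Feed an internal observation back so the next prioritization reflects it."""
    ind = indicators[value]
    ind.internal_sightings += 1
    ind.affected_assets.add(host)


if __name__ == "__main__":
    inds = aggregate(FEED_RECORDS)
    print("by provider score:", sorted(inds, key=lambda v: -inds[v].provider_score))
    print("by local context: ", prioritize(inds, ORG_CONTEXT))
    record_sighting(inds, "203.0.113.55", "ws-042")
    print("after a sighting: ", prioritize(inds, ORG_CONTEXT))
```

Ranked by the providers' global scores alone, 203.0.113.55 (95) would come first and the ISAC-reported address (40) last. Scored in context, the domain corroborated by two feeds and aimed at the organization's own sector rises to the top and the energy-sector address drops to the bottom; the moment that address is observed on a crown-jewel host, `record_sighting` pushes it back to first place. That last step is the automatic reprioritization tip 3 asks for.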

2. Don’t go it alone – collaborate. Analysts must be able to conduct investigations collaboratively: searching for and comparing indicators across your infrastructure, and finding matches between high-risk indicators and internal log data that suggest possible connections. Traditionally, this has been difficult and time consuming because teams and tools are often siloed. With a single shared environment, collaboration is embedded into all processes, including threat hunting. Teams can work together to explore every corner of the organization, pinpoint adversary tactics, techniques and procedures (TTPs) and find all of the malicious activity, so that remediation is complete rather than partial.

3. Never stop learning. Threat hunting must be a continuous process. As new data and learnings are added to the central repository, intelligence must be automatically reprioritized to support ongoing hunts. Teams and tools improve over time, facilitating future investigations, automatically strengthening defenses and adjusting policies to improve detection and prevention.  

The desire to understand the unknown has driven humans for centuries. With the ability to prioritize, collaborate and learn, security operations teams can turn the unknown into the known more quickly to create a better, safer future.


Original author: Marc Solomon