Threat Hunting – Shifting Security Operations up a Gear
Security teams have relied on signature-based threat detection since the earliest days of the Internet. For some time, though, signatures alone have been considered second best to a more intelligence-led approach to fighting cybercrime. Threat hunting is the discipline that is giving SOC teams an edge over attackers.
Yet few security operations teams are making the shift to threat hunting as effectively as they could, often because risk-averse management thinking remains constrained by conventional wisdom. Let's look at some of the contemporary security operations initiatives that really deliver what modern organisations need from their investment in security operations.
Understanding the New Breed of Cyber Attacker
No one will disagree that we still need traditional security controls such as intrusion prevention systems (IPS), firewalls, anti-malware scanners and security information and event management (SIEM) systems. We also know that most of these technologies, IPS and antivirus in particular, rely on knowledge of past attacks: signatures and indicators derived from malware and exploits that have already been seen somewhere. When malware was written to behave in a predictable way, signatures worked well (and they remain the pervasive approach to commodity malware), but the new breed of attacker is finding ways in that signatures won't catch.
When well-funded attackers have a target in their sights and a team of researchers developing exploits that no one has seen before, this legacy technology won't protect us on its own. Each such attack can be different, tailored to the target and to the attacker's objectives.
This means that each attack will produce a different set of indicators within the targeted infrastructure, so new ways of detecting attacks are required that can spot an adversary who isn't using off-the-shelf malware.
Basic Threat Intelligence isn’t Enough
Security operations centres (SOCs) are often built around a technology stack that includes a SIEM and several reputable feeds of indicators of compromise (IOCs). IOCs can be obtained from open source feeds such as Hail a TAXII, which aggregates threat intelligence from a variety of sources, and from paid subscriptions, often sold by the same vendors that produce antivirus and IPS signatures. IOCs are usually lists of IP addresses, domains, URLs and file hashes associated with bad actors (systems on the Internet that launch attacks, send spam or host malware), so they have the same coverage problem as legacy attack signatures: they only describe what has already been observed elsewhere. IOC matching alone won't help your security operations team detect a targeted attack or a hostile insider, so analysts need new ways of modelling threats and hunting for indicators that are not previously known.
Last year the buzz around the word "hunting" reached fever pitch. Vendors jumped on the bandwagon, suggesting their products supported threat hunting, even the IPS and antivirus vendors whose products are still largely signature based. Hype aside, what really is threat hunting? It is the job security analysts have always wanted to do, but the security technology we traditionally use gets in the way. Amid the swathe of false positives, technology updates and tail chasing that SOC analysts have to deal with, there is little time to properly investigate anomalies, which is exactly the work that relies on the analyst's knowledge and experience.
In essence, threat hunting is not about the security technology we have become so reliant upon; it is about adopting analytical approaches and incident analysis techniques that model threats and allow analysts to dig into what is really going on under the organisation's hood.
The Importance of Logs
Threat hunters need to be able to find evidence of threats and dig into what is really going on with a system, database or application. To do this effectively, the underlying systems must produce enough of an audit trail for the investigator to profile both normal and potentially adversarial behaviour. Without good logs the chances of a successful investigation are negligible; it is like a murder investigation with no body, no weapon and no suspect. The best people to speak to are the subject matter experts who run the technologies, since the threat hunter is unlikely to be a deep technical expert on every system they look at. Threat hunting, like a detective's work, frees the analyst from the drudgery of looking at any one technology, process or personnel issue and instead empowers them to work with specialists to determine what went on.
Tuning is vitally important, since the default logging configuration on most technologies is substandard and under-reports the most security-relevant activity. Work with specialists to tune the logging subsystem of each infrastructure component so that it reports clearly when under attack, and if you are unfamiliar with what an attack looks like in the logs, use penetration testing to exercise those systems and then check what the logs actually captured.
Many modern User and Entity Behaviour Analytics (UEBA) and Endpoint Detection and Response (EDR) solutions have been designed with this in mind. They detect abnormal activity: the machine learning underpinning them baselines your environment and highlights breaks from what is considered normal. One caveat: a baseline is only as good as the period it was learned from, so if an attacker was already active when the baseline was built, their activity is part of "normal" and will not be flagged. Once the environment is tuned, your behavioural tooling baselined and your SIEM configured to alert on anomalies, it is time for analysts to go threat hunting.
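The contrast drawn in the two sections above, between IOC matching and behavioural baselining, can be shown in a few lines of code: an IOC lookup only fires when the destination is already on the feed, while a baseline flags the host whose behaviour breaks from the norm even though its destination is unknown. The Python below is an added example and is not code from this article or from Huntsman Security; the IOC feed, the proxy log lines and the host names are constructed for illustration (documentation IP ranges throughout), and the median/MAD robust z-score is a deliberately simple stand-in for what a UEBA product does with many more features.

```python
"""Added example: IOC matching versus a behavioural baseline over constructed proxy logs."""
import re
import statistics

# Constructed IOC feed in the shape a TAXII/STIX feed or vendor list would give you.
# These addresses are hypothetical and were not taken from any real feed.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"malware-drop.example"},
}

# Constructed proxy log lines (hypothetical hosts and destinations):
# timestamp, source host, destination IP, destination hostname, bytes sent out.
PROXY_LOG = """\
2019-03-04T09:01:12Z ws-017 203.0.113.45 malware-drop.example 1832
2019-03-04T09:02:40Z ws-017 93.184.216.34 www.example.com 2210
2019-03-04T09:03:05Z ws-042 93.184.216.34 www.example.com 1975
2019-03-04T09:04:51Z ws-042 93.184.216.34 www.example.com 2105
2019-03-04T09:05:10Z ws-101 93.184.216.34 www.example.com 2050
2019-03-04T23:41:03Z ws-101 192.0.2.199 cdn-sync.example 48213000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\d+)$")


def parse_proxy_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and alert on unparseable lines too
        ts, src, dst_ip, dst_host, out = m.groups()
        events.append({"ts": ts, "src": src, "dst_ip": dst_ip,
                       "dst_host": dst_host, "bytes_out": int(out)})
    return events


def ioc_matches(events, feed):
    """Signature-style detection: an event is a hit only if its destination is already known bad."""
    return [e for e in events
            if e["dst_ip"] in feed["ip"] or e["dst_host"] in feed["domain"]]


def robust_z_scores(values):
    """Median/MAD z-scores; unlike mean/stdev, one huge outlier cannot mask itself."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        return [0.0 for _ in values]  # degenerate baseline: everything identical, nothing to flag
    # 0.6745 rescales MAD so scores are comparable to standard deviations for normal data.
    return [0.6745 * (v - med) / mad for v in values]


def baseline_outliers(events, threshold=3.5):
    """Behavioural detection: flag events whose bytes_out sits far above the population baseline.

    One-sided on purpose: unusually large uploads are the exfiltration signal we care about.
    """
    scores = robust_z_scores([e["bytes_out"] for e in events])
    return [e for e, z in zip(events, scores) if z > threshold]


if __name__ == "__main__":
    evts = parse_proxy_log(PROXY_LOG)
    for e in ioc_matches(evts, IOC_FEED):
        print("IOC hit (known bad destination):", e)
    for e in baseline_outliers(evts):
        print("Baseline outlier (unknown destination, abnormal volume):", e)
```

Run as a script, the IOC lookup reports only ws-017's contact with the feed-listed domain, while the baseline reports ws-101's 48 MB upload to a destination that appears on no feed. That second event is the kind of lead a hunter follows into the logs; the first is the kind a signature engine would have caught anyway.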
The Hunt – Using Bugles and Beagles
Fox hunting, barbaric and antiquated as it is, makes a useful analogy. The fox was a small, agile threat to farmland that the hunters could not catch without tools: bugles, beagles, horses and guns. The hunt followed the beagles, which were far better at detecting the fox than the people were, and the bugle signalled to the rest of the hunt when the hounds were closing in. When security analysts go on the hunt, they need their own bugles and beagles: alerts (the bugles) that signal there is something to investigate, and log files (the beagles) to follow in order to locate the attacker.
Once the initial triage of alerts has occurred, the analyst can assemble the rest of the hunting party, a team of specialists, and ride off in pursuit of the wily fox. This is where you coordinate scripters, database query experts, Active Directory gurus and operating system specialists into a single investigatory team. The leader of the hunt remains the security analyst, whose primary goal is to direct and control activities, allowing the specialists to dig as deep as they can within the scope of the investigation.
Lead the Hunt with Cyber Security Automation
Modern security teams need to regroup and reform into a more effective threat hunting capability, employing automation wherever possible to remove the overhead of dealing with known attacks and signature-based detections. Only then can an organisation raise its operational security capability enough to deal with the pervasive and dangerous threat landscape it now faces.
Introducing Innovative Automation
Huntsman Security has developed the Huntsman Analyst Portal®, a product with Automated Threat Verification, a superior correlation engine and a variety of visualisation capabilities to help analysts pivot into the new paradigm of hunting. Find out more here.