Threat Hunting: Tools and Tips for Success

in threathunting •  5 years ago 

Attacks that bypass security measures have serious implications for system security. The longer an attacker remains in your system, the more damage they can cause. The potential payouts for stealthy attacks are so great that organizations with questionable ethics, like Zerodium, offer significant bounties for valuable exploit information.

Security and data breaches are expensive, both in fines and brand reputation. The challenge is to figure out how you can protect your assets despite an underground economy working against you. However, even the best security tools typically only work against identifiable threats. This is where threat hunting comes in.

What Is Threat Hunting?

Threat hunting is a security practice that you can use in addition to automated and defensive tools. It involves proactively seeking out evidence of undetected attacks in your system. Threat hunting employs a human’s ability to predict attacker intent in combination with security analyses to locate and eliminate attackers.

Threat hunting doesn’t rely on detection or response tools to initiate investigations, as traditional Incident Response (IR) does. Instead, security personnel or threat hunting solutions actively work to identify undetected attacks. You can perform threat hunting with members of your Security Operations Center (SOC) or IR teams, or with third-party contractors.

Tips for Successful Threat Hunting

Tools alone are not enough to effectively threat hunt. To make the most of your efforts, you need to subscribe to a variety of best practices. The following three tips can help you get started.

Monitor Your Endpoints
Endpoint data is critical to understanding activity inside your network and in edge devices. Endpoints are any point of access into your system, including workstations, routers, and communication ports. Monitoring your endpoints can provide insight into attempted breaches and help you trace attackers’ entry points.

A variety of tools can help you collect and process data from endpoints and your wider system. Security Information and Event Management (SIEM) solutions are one example. Using a SIEM, you can create filters that alert on suspicious events or users. You can also use a SIEM to analyze data and identify suspicious patterns. Alerts can provide leads for your hunt, and analyses can provide information on an attacker’s motives and methods.

Know Your Systems
It is vital to understand the configurations, architecture, and expected activity of your systems. You cannot search effectively if you are unaware of how your systems function or are designed. Effective threat hunting also requires an understanding of operations and business models: for example, knowing where customer traffic is expected to come from and at what time of day to expect traffic influxes.

It’s helpful to create a baseline so you can more easily identify abnormal activity. You can use User and Entity Behavior Analytics (UEBA) tools to form baselines and filter suspicious patterns. UEBA solutions employ machine learning algorithms to identify patterns and abnormal behavior according to data trends and policies you specify. UEBA in combination with a SIEM can be used to guide and partially automate your hunt.
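The SIEM filtering and baselining described above, reduced to its core, as an added example that is not part of the original post: a per-user baseline (hosts, source IPs, active hours) is built from a known-good period of logon records, and later records are flagged when they fall outside it. The log format and all records are constructed for the example; a real hunt would build the baseline from far more history and tune the hour check.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon records (not from any real SIEM): timestamp user host source_ip.
# BASELINE_LOGS is the known-good history; HUNT_LOGS is the period being hunted over.
BASELINE_LOGS = """\
2019-03-04T08:12:05 alice WS-ALICE 10.0.1.21
2019-03-04T17:40:11 alice WS-ALICE 10.0.1.21
2019-03-04T09:15:00 bob WS-BOB 10.0.1.34
2019-03-05T18:30:02 bob FILESRV01 10.0.1.34
"""
HUNT_LOGS = """\
2019-03-06T08:10:00 alice WS-ALICE 10.0.1.21
2019-03-06T02:47:13 alice FILESRV01 10.0.5.9
2019-03-06T09:05:40 bob WS-BOB 10.0.1.34
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, host, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host, "ip": ip})
    return events

def build_baseline(events):
    """Per-user baseline: hosts and source IPs seen, and the hours they were active."""
    baseline = defaultdict(lambda: {"hosts": set(), "ips": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["hosts"].add(e["host"]); b["ips"].add(e["ip"]); b["hours"].add(e["ts"].hour)
    return dict(baseline)

def find_anomalies(events, baseline):
    """Return (event, reasons) for each event that deviates from its user's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = [] if b else ["user not in baseline"]
        if b:
            if e["host"] not in b["hosts"]:
                reasons.append("new host")
            if e["ip"] not in b["ips"]:
                reasons.append("new source ip")
            # Crude working-hours check: outside the span of hours seen for this user.
            if not min(b["hours"]) <= e["ts"].hour <= max(b["hours"]):
                reasons.append("outside usual hours")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Each finding is a lead, not a verdict: the 02:47 logon from a new host and address is exactly the kind of record a hunter pulls endpoint data on next.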

Form Solid Hypotheses
Hypotheses form the basis of your hunt and guide how you search for and interpret evidence. Having a clear hypothesis formulated from a concrete understanding is likely to make your hunt more effective.

To create a strong hypothesis, you need to understand the three main elements of possible attacks:

  • Intent — what is the purpose of the attack? Possible intents include stealing information, collecting ransoms, disabling systems, or gaining access to other systems.
  • Capability — how can an attacker gain access to or use your systems and data? This includes tools for gaining access, such as compromised credentials or rootkits. It also includes how an attacker can use your resources once inside, with techniques such as malware distribution, and what they can do with the data, for example committing financial fraud.
  • Opportunity — what vulnerabilities exist in your system? Opportunities for system infiltration can include email phishing campaigns, disgruntled employees, or out-of-date applications.

Once you understand these three elements, you can form a meaningful hypothesis. You can also narrow down where and how to begin your search.

Tools For Successful Threat Hunting

Cuckoo Sandbox
Cuckoo Sandbox is an open-source tool for automated malware analysis. You can use it to test and analyze suspicious files in a sandboxed environment. You can then use the analysis results to better understand the intent of the malware and the attackers who created it.

Cuckoo Sandbox includes features for analyzing URLs, scripts, Windows .exe files, and documents. You can use it on its own or you can integrate it into a framework.

Elastic Stack
The Elastic Stack, formerly known as the ELK Stack, is a combination of four open-source tools:

  • Elasticsearch — a scalable search and analysis engine that indexes and stores log data.
  • Logstash — a log aggregator and distributor that collects, processes, and transforms log data.
  • Kibana — a visualization layer with a user interface for analysis.
  • Beats — agents you install on edge devices to collect data.

You can use the Elastic Stack to monitor your environments and collect business intelligence or web analytics. It enables you to centralize monitoring across complex, distributed systems. The Elastic Stack can be customized according to your needs, and it can be integrated with a variety of tools, including Redis, Kafka, and NGINX.

Threat Intelligence Feeds
Threat intelligence feeds are not a single tool, but a category of resources. These feeds provide information on known threats, vulnerabilities, and Indicators of Compromise (IOCs). IOCs are evidence of an attack, such as traffic from malicious IP addresses. This information is useful for anticipating attacker behavior and directing investigative efforts.

You can use official sources or unofficial sources to gather threat intelligence. Official sources include the National Vulnerability Database (NVD) or vendor sites. Unofficial sources include community forums and feeds.

This GitHub repository is one example of the collections of resources that have been put together. It includes a significant number of open-source threat intelligence resources, as well as tools and frameworks.
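Putting an IOC feed to work, as an added example that is not from the original post or from any of the resources it links: the feed and the proxy/firewall records below are constructed for the example, the feed format (indicator, type, source) is an assumption, and the matcher checks destination addresses against single IPs and CIDR ranges and hostnames against listed domains and their subdomains.

```python
import ipaddress

# Constructed threat intelligence feed (CSV; not a real feed): indicator,type,source
FEED = """\
# indicator,type,source
198.51.100.7,ip,constructed-community-feed
203.0.113.0/24,cidr,constructed-community-feed
bad-updates.example,domain,constructed-vendor-advisory
"""
# Constructed proxy/firewall records: timestamp src_ip dst_ip dst_host ("-" if unknown)
LOGS = """\
2019-03-06T10:01:02 10.0.1.21 93.184.216.34 www.example.org
2019-03-06T10:02:30 10.0.1.21 198.51.100.7 -
2019-03-06T10:03:11 10.0.1.34 203.0.113.45 cdn.bad-updates.example
"""

def load_feed(text):
    """Index indicators: single IPs and CIDR ranges as networks, domains lower-cased."""
    ioc = {"net": [], "domain": {}}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        indicator, kind, source = line.split(",")
        if kind in ("ip", "cidr"):  # a bare IP becomes a /32 network
            ioc["net"].append((ipaddress.ip_network(indicator), source))
        elif kind == "domain":
            ioc["domain"][indicator.lower()] = source
    return ioc

def domain_hit(host, domains):
    """Match the host exactly or as a subdomain of a listed domain; returns (domain, source)."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None

def match_logs(text, ioc):
    """Return (timestamp, src_ip, matched_indicator, feed_source) per IOC hit."""
    hits = []
    for line in text.splitlines():
        ts, src, dst, host = line.split()
        for net, source in ioc["net"]:
            if ipaddress.ip_address(dst) in net:
                hits.append((ts, src, "net:" + str(net), source))
        d = domain_hit(host, ioc["domain"]) if host != "-" else None
        if d:
            hits.append((ts, src, "domain:" + d[0], d[1]))
    return hits
```

Carrying the feed source through with each hit matters in practice: community feeds and vendor advisories differ in reliability, and a hunter weighs a lead accordingly.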

Conclusion

Threat hunting can be a powerful addition to your security practices. It combines the best of human understanding and security technologies, enabling identification of threats that would otherwise be missed. However, threat hunting requires significant expertise and can consume significant resources.

Consider adding threat hunting to your current practices, but don’t forget your standard security best practices. The idea is for threat hunting to uncover the most advanced attacks. It is not meant to provide general defense for your systems.
