When a threat hunting program is established by an organization, their goal is to proactively hunt threats, with a focus on newer, more sophisticated attacks for which reliable signatures or indicators are not yet available. However, without an effective threat hunting program, the attacker is better positioned for success. How can they be stopped? The six tips in this post aim to put threat hunters in the driver’s seat and outsmart their adversaries.
1) Know Your Normal
Discovering abnormal activities within your organization is the first sign of an attack. Without an understanding of what normal is or looks like, it’s impossible to identify what is out of the ordinary. Normality is a fluid state that is created over time and threat hunters must maintain an understanding of what has and hasn’t changed in order to dictate what is or isn’t normal. Tracking attacks and remediations over the course of an organization’s history helps threat hunters understand and maintain an organization’s virtual environment efficiently and effectively.
2) Trust Your Team
Threat hunters cannot effectively protect an organization from external attacks if they do not have trusting, communicative relationships with internal teams and stakeholders. If a threat is detected by a hunter, they must have a strong, cooperative relationship with personnel from IT in order to remedy the problem in a timely manner. Three reasons threat hunters should forge relationships with other teams, particularly IT, are:
- Knowing Normal: Understanding the every-day functions of systems and applications relies heavily on a threat hunters’ ability to communicate with IT about their understanding of normal.
- Productively Managing Weaknesses: Attackers are not always the first ones to find a vulnerable endpoint within an organization’s network. Threat hunters often happen upon design, application, system and network weaknesses when trying to hunt threats. When these vulnerabilities are identified by threat hunters, dialogue between the threat hunter and the appropriate person or team must take place to strengthen the weak endpoint before it is taken advantage of by an attacker.
- Rapid Remediation: When a threat or intrusion is detected by a hunter, appropriate actions must be taken in order to eliminate the attacker from the system entirely. IT personnel must be involved with this process to ensure that business impact is minimized while an intruder is effectively and completely removed.
By forging relationships with individuals in IT, a threat hunter is able to collect information, work with others to understand it, and act on it accordingly.
3) Observe. Orient. Decide. Act.
Threat hunters are comparable to combat soldiers fighting in a cyber war. Soldiers are trained to take on the OODA mindset when handling an attack: Observe. Orient. Decide. Act.
Without the appropriate mindset and process, a threat hunter could make a mistake and tamper their efficacy. Understanding normal conditions and collaborating with other teams helps a threat hunter inherit the OODA mindset.
For example, when a threat hunter establishes a healthy dialogue with personnel from IT, they have more information available to them, they are able to orient the information in more ways than just the way that works for their goal, and they are able to make confident decisions and take actions that are backed up by other members of the company.
4) Threat Hunters Need Good TIPs
Threat hunters have to have the appropriate resources in order to effectively identify threats. The resources necessary to running an effective threat hunting mission are tools, infrastructure and personnel.
- Tools: An important tool for threat hunters is CB Response, which is installed on every endpoint and provides a step‐by-step detailed forensic history of every activity on every endpoint. The real power of CB Response is its central querying capability, wherein a threat hunter can create and store queries, asking about whether certain detailed events have occurred anywhere in the environment.
- Infrastructure: A threat hunter’s infrastructure may include management consoles and a “test range,” where advanced threat hunters can experiment with suspected malware in a safe environment. Here, hunters can hone their skills with “live fire” and also hone their hunting skills in production environments.
- Personnel: A good threat hunting team must include at least one trained and/or experienced threat hunter. These individuals should have a deep understanding of the inner workings of operating systems, application servers, and subsystems, such as web servers, database management systems, as well as maintain an understanding of the latest attack trends.
Qualified threat hunters not only understand the way they and their organization function, but also the way attackers’ function and the trends and tactics they employ in situations relevant to the threat hunters’ environment. Most importantly, they need to thoroughly understand the inner workings of the organization, its users, networks and applications.
5) Guard Your Endpoints
Threat hunters must monitor and protect all of an organization’s endpoints at all times in order to identify an attacker and remedy the attack. Attackers only require one unprotected endpoint to infiltrate an environment and if a threat hunter is not monitoring all endpoints, the attacker is able to dwell within a system undetected. While endpoints are the principal focus of attacks by intruders, they are by no means the only place where information about intruders can be found.
6) Hunt Smarter
In addition to endpoint tools, it’s useful for threat hunters to have unfiltered endpoint-level visibility, as well as the ability to integrate network‐centric visibility via tools such as:
✓ Intrusion detection systems (IDS)
✓ Intrusion prevention systems (IPS)
✓ Netflow
✓ Web filters
✓ Firewalls
✓ Data loss prevention (DLP) systems
Tools like these enhance threat hunters’ visibility into patterns and activities that help identify potential attacks and vulnerabilities. These tools also provide threat hunters with additional information which helps to contextualize events and increase understanding of its orientation within an environment. Threat hunters must stay up to date with the most effective tools and strategies in their field in order to effectively hunt threats.
Other resources for threat hunters to stay on top of cybersecurity innovations are conferences and technical trainings.
Conferences, such as RSA, Black Hat, and CB Connect, provide threat hunters with opportunities to attend industry events that help further their understanding of the current state of cybersecurity, while also providing networking opportunities for threat hunters to connect with others in their field to share findings, challenges and strategies.
What to learn more about effective threat hunting on the CB Predictive Security Cloud?