Cyber attackers are relentlessly upping their games, and enterprise cybersecurity professionals have to do the same. That means moving from a reactive cybersecurity stance to a strategy that’s proactive and anticipatory.
One way to do that is to launch a threat hunting program or enhance one that’s already underway. Threat hunting refers to the process by which cybersecurity analysts proactively search for breaches or signs of potential breaches rather than responding to alarms and alerts indicating them after the fact. Analysts can undertake threat hunting techniques manually or with the assistance of AI and machine learning.
At the highest level, the threat hunting process is straightforward: Cybersecurity analysts craft a hypothesis that the enterprise may have been breached in a particular way. They then review the data looking for indicators of compromise (IOCs) to validate or invalidate that hypothesis. AI and machine learning can assist both in crafting the hypothesis and reviewing the environment.
Step 1. Capture relevant data
A good first threat hunting step is for cybersecurity professionals to make sure they’re capturing all the relevant data and providing it to analysts in an easy-to-read consolidated feed.
Running a threat hunting program sounds simple enough, but as always, the devil is in the details. The first detail is knowing what it means to review the environment. Practically speaking, that means reviewing data about the environment. But what data? Several fundamental types of data can serve as IOCs that threat hunters need to be familiar with. These include the following:
- Hash values are the most basic data set. Every file, packet or message can be characterized by its hash value — a unique, fixed-length string of characters, or message digest, resulting from the application of a hashing algorithm, like Message Digest 5 or Secure Hash Algorithm, to that file, packet or message. The goal of the hashing algorithm is to create a unique fingerprint that will change if the file, packet or message has been modified from the original in any way. Comparing original to current hash values is a fast way to uncover IOCs. It’s the technique used by most antivirus and antimalware software packages and should be the foundation for any threat hunting program.
- Network data includes IP addresses, domain names and network artifacts, such as Simple Mail Transfer Protocol mailer values, HTTP user-agent values and the like. Any that match with known attackers would be an IOC.
- Host artifacts are indicators that hosts have been compromised, including registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names or descriptions of malicious services.
- Tools refer to indicators of software used by attackers, such as utilities designed to create malicious documents for spear phishing or backdoors used to establish password crackers.
- Tactics, techniques and procedures (TTPs) refer to indicators or markers of how attackers go about accomplishing their mission. Indications that cached authentication credentials have been dumped and reused or PDF files have been compromised could be examples of TTPs.
To make the feed valuable, security pros need to ask themselves the following questions:
- Is it quick and easy to determine whether hash values indicate file modification?
- Can analysts see at a glance if the enterprise has been penetrated by attackers from known IP addresses or domain names?
- Can they detect the presence in hosts of malicious documents or backdoors?
- Are known TTPs quickly highlighted?
Step 2. Detect anomalies
To craft an effective threat hunting practice, next apply anomaly detection to the compiled data. Once cybersecurity professionals have confirmed they’re capturing the relevant data, they can detect anomalies that indicate the presence of a threat or compromise.
At the most basic level, this involves comparing data that should exist to data that does exist. This means looking for files that have changed, based on hash values, or for the presence of host artifacts or tools that correlate with the activity of attackers. The process of detection is often augmented by behavioral threat analytics or user behavior analytics, which includes embedded machine learning to quickly identify anomalies from standard behavior.
Step 3. Look into threat hunting frameworks
Threat hunting frameworks can help guide both the process of data collection and the process of anomaly detection by providing a checklist to cybersecurity professionals of what data to collect and what anomalies to search for. To put it another way, these frameworks help guide the creation of hypotheses to make it faster and easier to search for threats.
One of the best known is the Mitre ATT&CK framework, which is essentially a list of all the known techniques by which attackers implement an attack — also known as the cyber kill chain of the attack. The kill chain comprises a step-by-step approach beginning with reconnaissance and ending with impact — for example, data destruction or denial of service. Mitre currently recognizes 14 steps in that process and describes the techniques attackers use for each. Mitre’s approach is the most comprehensive, due to the fact that it is compiled via open source. Other frameworks, though less comprehensive, are also provided by groups such as the SANS Institute and ISACA.
To use such a framework, cybersecurity professionals must look at each technique and subtechnique for each step and ask two questions:
- Are we capturing the data that would indicate if an attacker is engaged on this step in the kill chain?
- How are we reviewing this data to look for IOCs — to check whether an attacker is engaged on this step in the kill chain?
If a cybersecurity team is capturing the right data and reviewing it on an ongoing basis, the team is at least moderately effective at threat hunting.
Final step. Measure success
The best metric a cybersecurity professional can use to measure the effectiveness of threat hunting is mean total time to contain (MTTC) all attacks. MTTC includes the time required to detect an attack, verify that it is an attack and contain it.
According to Nemertes’ 2019-20 Cloud and Cybersecurity Research Study that assessed 335 organizations across 11 countries, the median MTTC was 180 minutes, with the most effective organizations able to do so within two minutes.
The more proactive an organization is, the more effective it is in reducing MTTC.