Detecting threats on your network is hard work. That’s especially true for sophisticated threats that can evade traditional detection products to stay hidden for weeks, months or even years.
Threat hunting is the proactive approach of searching out malicious activity that may have evaded traditional detection mechanisms. In last week’s webinar “Building a Threat Hunting Practice Using the Cloud,” my colleague Tom Hegel and I presented our tips for helping security teams grow from only reactive detection to proactive threat hunting. Here are some highlights including insights from our audience participants.
Act proactively, not reactively
Twenty-three percent of our attendees said their organization has a formalized threat hunting program. That number aligns with a recent SANS survey that asked a similar question and found that 28% of organizations it queried have a designated program with assigned staff for threat hunting.
That’s great news, and supports a trend in turning towards a proactive security posture. But what about the organizations that aren’t quite as far along? They are doing one of two things: hunting for threats in an ad-hoc way or doing nothing at all.
First, let’s look at the ad-hoc group. Of course, it’s better to be doing something rather than nothing, but chances are these hunters are spending a lot of time chasing down the evidence they need to prove (or disprove) is an active threat. Having a formalized process, however, allows for proper documentation and resources rather than trying to wedge it in between regular responsibilities.
We already know that the dwell time for most breaches is nearly 100 days, and that detecting threats sooner can reduce risk significantly. If you haven’t begun building out your threat hunting capabilities, there’s never been a better or more critical time to start. But first, you have to be ready. Threat hunting when you’re not prepared to do so can leave you unable to respond to
Collect the right data, and know your landscapeSo you’re already collecting data from your network. Great, but is it the right data, and are you keeping enough of it to be effective? Only 25% of our attendee’s organizations store network data for more than three months.
Having a longer retention window gives you more information to work with when hunting threats, but keeping as much network data as possible is one part of the equation. The other is to make sure you’re keeping the right data. Capturing full PCAPs is the holy grail for network threat hunters. It has a complete collection of data from which to extract the artifacts you need to look for: HTTP, DNS, Netflow, SSL, extracted files, email protocols, SMB, FTP, and more.
Rely on the cloud for scalability and power you need
There’s only one place that has the unlimited capacity you need to keep such a massive volume of data, and to do so cost-effectively: the cloud. It’s scalable, and it’s more affordable than ever, so you can unify your haystack in one secure place. But it’s not just the scalability of storage in the cloud that’s important; it’s the cloud’s ability to handle complex processes like indexing all of that data.
The cloud has the power you need to process, retrieve, and search the data you capture. It provides the computing power to perform advanced analytics that the tools security teams use today can’t handle. That’s important because threat hunters can’t always wait hours or days it can take traditional tools or on-premises storage to complete complex queries.
Follow best practices
Some best practices are the result of learnings of others, and following them keeps you from repeating their past mistakes so you can be more efficient. Chiefly for threat hunters, those are:
Foster an investigative mindset: Think like a detective, and leave no stone unturned when pursuing a hypothesis. Learn about what you do and don’t know, and grow!
Develop and pursue leads: Derive leads that can help your investigation continue. For example, do analysis on TTPs to discover similar activity.
Gather evidence: This is where PCAP comes into play, remember to collect evidence for both things that do and do not support your hypothesis. It’s important to always question yourself, and document the difference between what you know and what you think.
Keep asking questions: Continue to question why and to drill down to the actual source if something doesn’t make sense. It’s ok to prove yourself wrong.
Avoid confirmation bias: Try not to interpret new evidence as confirmation of your existing beliefs or theories. Instead, try proving something isn’t suspicious. Learn and internalize the different types of bias, and always check yourself against those.
Be realistic about outcomes and results
Threat hunting isn’t always about finding the next big threat, or about becoming an InfoSec rockstar. Instead, embrace having an analyst mindset. Chase theories, learn, share, and explore. Doing so helps expand your knowledge because there’s an endless amount of stuff to learn. And learning more, especially with a team of analysts from varying backgrounds and experiences, isn’t just great for your business, it’s great for you because it makes your job more enjoyable -- one that you want to come in to do every day.
To learn more, watch our webcast “Building a Threat Hunting Practice in the Cloud” today.