How to Begin Proactive Threat Hunting

Sophisticated cyber-attacks are not uncommon nowadays; even global IT consultancy giants, such as Accenture, could also be suffered from them. Yet, it is still possible to avoid significant impact if the involved adversary tactics and techniques could be detected at the earlier stage of the cyber kill chain. Take the ransomware incident of Accenture in August 2021 s an example. There was no sensitive data involved, which is a good motivation for us to put more effort into ensuring our threat detection strategy is effective. In other words, how to conduct proactive threat hunting effectively is the very first question.

The four key success factors of proactive threat hunting are VIMP – visibility, intelligence, machine learning and people.

Visibility

Visibility refers to the visibility of meaningful security events. Take a simple example, if it is in a Windows environment and no sysmon is deployed, many important event logs will be absent, for example, event ID 25 (process tampering). Imagine if a malware was successfully bypassed the host-based malware protection and attempted to conduct process herpaderping, but sysmon is absent. The event logs related to such an attack could be missing, which is a lack of visibility for this threat.

Besides increasing the visibility of event logs of systems and applications, by deploying canary in a suitable position of the monitored network (e.g., deploying a canary with realistic SMB service with hostname aligning with the organizational convention in a Windows server subnet) and implementing a network traffic analyzer to monitor network activates that interact with sensitive subnets, you could further enhance the visibility of threat activities. Suppose the deployed canary was attacked by an unknown device attached to the adjacent subnet. In that case, you could feel how great the “extra” visibility brought by the canary and the network traffic analyzer.

Intelligence

Intelligence refers to threat intelligence, which could be further divided into indicators of compromise (IoC) and indicators of attack (IoA). For IoC, it is like the signature of antivirus, the fingerprints of former attacks. For example, public IP address, domain name and file checksum value. For IoA, it is more about the strategic view on the tactics, techniques and procedures (TTPs) of known threat actors or groups (e.g., FIN7, a financially-motivated threat group that has been active since 2013, primarily targeting the US retail, restaurant and hospitality sectors, often using point-of-sale malware.) The MITRE ATT&CK knowledge base and matrix is one of the best sources of IoA that illustrates all known real-world attacks’ TTPs and provides an informed hypothesis for threat hunters to conduct proactive threat hunting with directions.

Machine Learning

Machine learning refers to security information and event management (SIEM) solutions that could recognize patterns rather than only pre-defined if-then condition triggering. A straightforward example is when a user account typically logged in during daytime, but suddenly logged in at midnight and a large volume of outbound traffic, the machine learning powered SIEM solution could still flag that as abnormal, even if there are no hardcoded correlation rules about user login time. Yet, please bear in mind that machine learning takes time to learn the pattern; it may take several weeks to re-learn the patterns after significant infrastructure changes.

People

People refers to providing sufficient training and authority. Threat hunters should not just be familiar with vendors’ tools but also digital forensics skills (not necessarily to be a forensics specialist), for example, how to inspect a suspicious file. It’s very important to be given enough time to attend relevant training, participate in BlueTeam CTF and conduct threat intelligence research. Besides, suppose the threat hunter doesn’t have enough authority to further check the potential affected machine/device promptly. In that case, the efficiency of the threat hunting process could be significantly affected.

Last but not least, regularly conducting breach and attack simulation (BAS) or red teaming exercises can help identify gaps and improvement opportunities, which continuously validates the effectiveness of VIMP. As a final reminder, though this article doesn’t cover any detail of incident response, incident response should always be very ready with the Assume Breach mindset.

What’s Hot on Infosecurity Magazine?