Lately we’ve talked a lot about how the digital security landscape is changing and the different kind of threats you might be facing (WannaCry, Phishing, etc). There’s a lot of bad hombres out there that could potentially affect your digital well being.
Not only should you be aware of them but it’s time you started actively looking for them as well. Threat hunting should be a part of any balanced InfoSec diet.
Okay, first off, you might be wondering what exactly Threat Hunting is. We’re borrowing this definition from the fine people at SANS and we think it fits pretty well:
“Threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”
What we’re getting at is this: you’ve probably already done a lot to secure your digital assets already but now it’s time to start thinking a little differently. That’s why we’ve put together a list of things you can do to proactively look for threats.
A Little Background
You may or may not be familiar with SANS Sliding Scale of Cyber Security. We’re going to give you a crash course and get you up to speed. We think it’ll help paint a better picture when it comes to fitting threat hunting into your digital security model.
There are five different segments on the SANS Sliding Scale of Cyber Security:
- Architecture – The planning, establishing, and upkeep of systems with security in mind
- Passive Defense – Systems added to the Architecture to provide reliable defense or insight against threats without consistent human interaction
- Active Defense – The process of analysts monitoring for, responding to, and learning from adversaries internal to the network
- Intelligence – Collecting data, exploiting it into information, and producing Intelligence
- Offense – Legal countermeasures and self-defense actions against an adversary
So what does that all mean? In more simple terms the architecture segment represents all the aspects of your design (network, systems, etc) and it’s the stage where you address any potential vulnerabilities.
Passive defense are the tools and systems that you add to your design to protect those vulnerabilities with out much interaction from a living, breathing person. Active defense includes threat monitoring where as the intelligence stage is where you leverage gathered information to protect the environment.
The fifth and final stage is pretty self explanatory. Offense is where things start to get real. It’s where law enforcement might get involved or where potential law suits might live.
Heck, if you’re feeling spunky the offense stage might be the place and time for you to put on your tights, grab your utility belt and alternate between fighting crime and acting moody while perched on a dark, rainy roof top.
Where does Threat Hunting Come In?
Believe it or not Caped Crusader, if you’d guessed stage 5 you’d be wrong. Threat Hunting actually comes in between stage 3 and 4. It takes the best both has to offer and really produces some useful knowledge.
Whether you know it or not your organization is probably already doing some Threat Hunting. Depending on how mature your organization and it’s security posture is, the more lucrative the hunting of threats might be.
Become a Threat Hunting Expert
There are four key steps to remember when hunting:
Hypothesis First – The first step in threat hunting is the hypothesis. If you’re going to start hunting a threat you should treat the endeavor like a scientific experiment. “If I do A then I expect B to happen.”
Even with little to no evidence your supposition alone should be enough to get you involved in a hunt. You know your systems better than almost anybody and if you feel like there’s something amiss there probably is.
A good hypothesis isn’t always easy to develop but it you’re able to put something of value together you’ll have solid footing when it comes to starting your investigation.
Investigate Second – You’ve established your hypothesis, now it’s time to dig through the data. You didn’t start hunting on a whim. You noticed something or realized things were off. Because you’ve “hopefully” got a strong hypothesis you already know where to start.
As a heads up, a proper investigation can be incredibly time consuming BUT worthwhile in the end. Just be ready to pivot quickly from data set to data set. The rabbit hole can get pretty deep and you need to be prepared to consume large amounts of data.
Employing things like dashboards that can be set up to automatically include and process multiple data streams in one place can be incredibly helpful. (We’ll be talking more about dashboards and what we do with them for our clients soon).
Expose and Uncover Third – When trying to expose trends or start looking for patterns, visualization can be really helpful. Being able to visualize your data will help you successfully prove or disprove your hypothesis.
If you can visualize your data it’s going to make it so much easier to expose the threat you’ve been hunting. Uncovering a threat can take a lot of time and effort but in the end it’s worth it.
Analysis and Remediation Fourth – Once you’ve investigated your data and exposed any threats it’s time to analyze those threats, close the holes and access points that allowed the threat in and to remediate any damage they might have caused to your system.
Once you’ve got those four steps down you’ll be ready to move on to the different techniques and technology you can use to get to really bring your threat hunting skills to the next level.
We’ll be talking about that next week so stay tuned!
*We mean digitally. Don’t go strolling down a dark ally at night in a shady part of town. We take no responsibility for you getting beaten up. This isn’t The Most Dangerous Game