The Complete Guide To Threat Hunting

By
Praveen Yeleswarapu
July 23, 2021

Incident response strategy has evolved rapidly over the past decade as Cyber attacks are targeted and complex, executed by extremely advanced adversaries who are no longer compromising one or two systems in an enterprise. Rather, they move laterally within the organization’s network in stealth and may present virtually everywhere.

Hence, obsolete Incident Response and management methodologies fail in identifying compromised systems, fail to provide effective containment of the breach, and eventually fail in faster response and remediation of an incident.

What is Threat Hunt?

Threat hunt is a combative procedure in uncovering hidden adversaries with the presumption that the attacker may be present inside an organization’s network for days, weeks, and even months, preparing and executing attacks such as Zero Day, Advanced Persistent Threats, and unknown threats.

Threat Hunt intends to uncover these malicious activities, seeking out indicators of compromise(s) (IOC’s) based on Threat Intelligence (TI) or using Hypotheses. Sources of tactical and strategic TI can be industry or company-specific reports and/ or information from previous incidents.

Purpose of Threat Hunting

Threat hunt combines a proactive methodology, innovative technology, highly skilled people, and in-depth threat intelligence to find and stop malicious activity. These attacks are hard-to-detect and executed by stealth attackers. Existing preventive tools often miss these attacks before they can execute their objectives.

Threat Hunting is your last line of defense against reducing the Dwell Time of attackers. So, it is no surprise that Threat Hunting is seen as a consistently growing area of investments in organizations.

Purpose of Threat Hunting

What is NOT Threat Hunting

There is a lot of disinformation about Threat Hunting, so while defining Threat Hunting, it is also important to note what is not Threat Hunting:

  • It does NOT replace existing security monitoring
  • It is NOT a form of PenTest or Vulnerability Assessment
  • It is NOT Security Monitoring
  • It is NOT Incident Response – though it often triggers an Incident Response when it uncovers something malicious
  • It is NOT a process that has a guaranteed result
  • It is NOT a process to check if security analysts in the monitoring team are doing their job well.
  • It is NOT for the faint-hearted. If Security Monitoring is too challenging, then you have miles to go, before you are mature enough for Threat Hunting.

Why Threat Hunt?

  • Better ability to uncover hidden and established threats.
  • The ability to detect threats before the attacker causes damage, hence reducing incident losses.
  • A threat response process that effectively delivers "negative time" lag, and improvements beyond fast response.
  • Improved knowledge of the IT environment, with a focus on the hiding places frequented by advanced threat actors.
  • A reduced attack surface resulting from discovered and removed vulnerabilities.
  • Improved security incident response process.
  • Identification of gaps in visibility necessary to detect and respond to attackers and their TTPs.
  • Uncovering new threats and TTPs that can feed data back to Threat Intelligence.
  • The ability to ensure system hygiene before a critical mission or business transaction, M&A activity, etc.
  • A way to validate that the controls both preventative and detective are in proper shape and no threat actors have established a foothold within the environment.‍

Why does your organization need Threat Hunt today?

  1. Discover hidden and established Threats

Being a combative process. Threat hunt functionality enables an organization in the proactive lookout for Cyber-attacks that have surfaced in the world.

Example: One of your competitors has been hit by a complex ransomware attack. Your being in the same industry domain, the chance of your organization to be the next target is exponentially high. With Threat hunt functionality- you can first collect the necessary Indicators associated with the attack (Proactive such as Tools Techniques and Practices- the TTPs) that took place in your competitor’s environment via mediums such as Bulletins from CERT, FBI, CIA, etc. and Threat Intel sources such as OSINT, Commercial feeds.

You can utilize the threat hunt tool to proactively perform a detailed check/ scan within your environment if the malicious adversary has ever entered within your organization or not: thereby increasing your ability to detect threats before the attacker causes damage, reducing incident/ operational losses to your organization.

  1. No more panic-driven Incident Response process

Today, the majority of organizations lack data insights in formulating an incident response post a breach and this leads to a lot of panic-driven approaches in responding to an adversary.

Practices such as isolating compute devices such as Server/ Desktop/ Laptop or disconnecting your organization from the internet not only impact your business productivity but also ensure that a roadblock is created for better incident response.

Threat hunt as a functionality will allow your organization to quickly identify malicious assets via proactive Indicator scan associated with the attack. This enables in quickly establishing a reduced, and more importantly, a contained threat surface- isolating the threat actor enabling the rest of your organization’s operations are intact while the threat adversary is being acted upon.

  1. Update efficient threat intelligence

With automation all around and consistent proactive hunts within your organization- you are being enabled to build much more efficient and reliable threat intelligence.

Threat Hunting is a highly data-driven process and requires detailed logs, which can be divided into Network Data and Endpoint Data. You also would need Threat Intelligence Data and knowledge of the environment you operate in, for a good Threat Hunt. Typically, it is easier to get access to Network Data than Endpoint Data. The higher the quality of data, the higher the likelihood of success of Threat Hunts.

What you need for successful threat hunting

  1. Threat Intelligence
    Good Actionable Threat Intelligence is very useful for the Threat Hunting process. In most cases of Threat Hunt:
  • Threat Intelligence is used as a starting point for hunting
  • Threat Intelligence is also used for contextualizing and driving the hunt process
  • Threat Hunt by itself results in generating new Threat Intelligence to be fed back into
    the Threat Intelligence cycle.
  1. Data Enrichment
    You can also optionally (highly recommended) enrich the data with fields like IP reputation, Geo IP, and Autonomous System Numbers (ASNs) to find evidence of potentially unwanted activity.
  2. Advanced Data Analytics
    Tools allow you to perform various data transformations and manipulations for proper analysis. Visualizations and statistics used to display the change of values of specific fields over time, like frequency or entropy values are vital for investigations.

    Clustering, Stacking, Aggregating, grouping, and/or frequency distribution techniques are most often used to look for outliers and detect anomalies.

  3. MITRE ATT&CK Framework (MAF)

    The MITRE ATT&CK Framework can be used as input for potential attack vectors and techniques. MAF provides a wealth of technical information for hunters, guiding the hunt process with detection techniques. Though MAF is primarily used for Security Monitoring, it often acts as a great guide for Threat Hunters too.

  4. Automation
    Automation should be applied where possible to make the life of a Threat Hunter easier. This allows the team to be more productive. While it is not possible to automate all tasks completely, automation reduces the time to hunt and aids in the scheduling and repeatability of Hunts.
Tools Role In Threat Hunt Example Scenario
End Point Detection and Response (EDR) Collect endpoint data and search endpoints for evidence of attacker actvity Find all machines where svchost.exe is running but its path is not in Windows system directory
User and Entity Behavior Analytics (UEBA) Analyze user activity data and find anomalies that may indicate suspicious activity Display the list of users that behave unusually regarding authentication activity
Network Traffic Analysis(NTA) Analyze and capture log data based on network traffic real time Large File downloads/ Uploads taking place from a specific IP
Network Behavior Anomaly Detection (NBAD) Build Hypothesis Based on outcome of analysis of flow data via behavioral techniques such as machine learning in detecting anomalies CnC/ Botnet communications
Threat Intelligence (TI) Deliver a list of threat indicators and threat actor TTPs for use as initial hunting clue Gather all common persistence mechanisms reported to be used by threat groups looking for specific corporate data
Security and Event Management Systems (SIEM) Collect logs, enrich them and enable the analysts to search them in context Review rare events, rare event sequences and other log-related anomalies
Threat Hunting Tool Deliver a list of threat indicators and threat actor TTPs for use as initial hunting clue Gather all common persistence mechanisms reported to be used by threat groups looking for specific corporate data

Using BluSapphire For Complete Threat Hunt Visibility and Capability

BluSapphire has brought down the dependency on people dramatically in performing a threat hunt activity within the environment by introducing ‘Threat Hunt via Agentless Framework’.

In most Hunting exercises while network data is usually easily obtained, Endpoint Data is the most difficult to acquire. Majority of organizations refrain from collecting in depth memory logs from end points/ servers to avoid cost of log ingestion and maintenance. This is a weakling which is exploited well by attackers.

BluSapphire’s agentless hunting capability has effectively addressed this problem allowing for Live On-Demand Threat Hunts rather than relying on insufficient data or long deployment cycles.

Our Agentless Framework allows organizations and their security analysts to Hunt, Find, Analyze, Respond and Remediate all in one tool. This drastically reduces the Dwell Time and dramatically improves the analyst’s capabilities.

The framework supports indicators consumption via Threat Intelligence Feeds (STIX2.0) - Adapting indicators from identified threats OR as MITRE Tactics.

IOC’s identified during a Hunt can be exported On-Demand into STIX2.0 and shared with Threat Intelligence collection processes or external Threat Intel Agencies.

BluSapphire consumes Threat Intelligence from over 70 sources along with support for commercial feeds. The intelligence obtained is normalized. The normalized intelligence is utilized both for detection and in Threat Hunts.

Today, BluSapphire has the capability to hunt extensively based on the artifacts collected specific to Tactic ID of MITRE Matrix.

BluSapphire Hunt Capabilities

Presence of Malicious Executable/ Document An attacker would ship a malicious executable in having privilege escalation etc. Endpoint file search (EDR) File Search with Name/ Hash
Known filenames with Non-Standard file paths May indicate the attacker running processes masquerading as Windows system processes Endpoint process search (EDR) File Search with Name/ Hash
Interactive logons with service accounts Likely indication of abuse or at least violation of policies System log search (SIEM, log management with system logs) Event ID, OS Event Log, etc.
Traffic to sites in dynamic DNS (DDNS) A large amount of traffic to a DDNS site may indicate exfiltration or C2 activity Detailed DNS logs, outbound connection logs or traffic capture (SIEM or NTA, NBAD) Indicators via Traffic Analysis, Least/ Most Occurrence of DNS Requests
Processes in Windows AutoRun registry keys Uncommon entries that set processes to AutoRun on Windows may indicate intruder tampering with the system Endpoint registry search (EDR) Registry Inputs
Activity by account previously compromised by attackers Attacker may try to return to accounts they used in the past, thus revealing more about their activities Authentication and other system logs (SIEM or UEBA) Connections with Nonstandard ports, Hunt by Services, Scheduled Tasks and Processes
Unusual child processes When a process is exploited, it may be used to spawn processes useful for the attacker (like cmd.exe) that are not common in regular system use; especially if those processes initiate network activity Advanced endpoint process search (EDR) Hunt by Processes
Processes executing out of temporary directories An attacker may only have write access to some directories, so may run code from them Endpoint process search (EDR or other tools) Hunt by Services, Scheduled Tasks and Processes
Processes that normally do not initiate or receive network activity If a process with a familiar name starts connecting toasiteina remote country, it may indicate that it has been corrupted by the attacker Advanced endpoint process search (EDR) Hunt by Services, Scheduled Tasks and Processes

Conclusion

BluSapphire offers a Unified Platform that provides great coverage for many of the TTPs in the MITRE ATT&CKTM Framework, representing bulk coverage in each of the attack categories. Several capabilities, including full-stream reassembly of L7 transactions at scale, real-time Endpoint Inquiry and context retrieval,

Agentless On-Demand Live Threat Hunting, and guided investigations featuring direct links to the relevant MITRE TTP listings for some detections, make BluSapphire unique in the Cybersecurity Advance Defense space.

These capabilities enable BluSapphire to detect more MITRE ATT&CK TTPs with fewer false positives and more rapid, confident investigations using fast agentless response and remediation at your fingertips for each detection.

BluSapphire has been recognized as a Gartner Cool Vendor in 2018 for creating disruption in the Cybersecurity space. Looking to step up your Cybersecurity operations? Please schedule a platform demo here.