10 Tips for Effective Threat Hunting
Cyber-attacks are increasing in number every day, as well as in their frequency and sophistication; worse, they often circumvent organizations’ existing protective controls. Therefore, organizations must deploy a proactive threat-hunting campaign in addition to other layers of security such as antivirus programs and firewalls to detect and then remediate threats as early as possible in order to mitigate damage. Companies that begin a threat-hunting program have a success in mind, but are they able to achieve this?
Unfortunately, no organization can claim 100% security, and many have to bear the brunt of notorious data breaches and the loss of millions of dollars. According to the 2018 Threat-Hunting Report, 44% of respondents estimate that the financial impact of an undetected data breaches to be over half a million dollars.
In this article, we will teach you 10 tips for effective threat hunting that will help your organization better respond to pesky cyber-attacks and avoid compliance issues and financial damage.
1. Know Your Environment
Threat hunting is aimed at discovering abnormal activities that otherwise can result in grave damage to your company. Understanding of normal activities in your environment is a prerequisite to comprehending activities that are not normal. If you understand normal operational activities, then anything abnormal should stand out and be noticed.
Therefore, the hunters should spend a good deal of time to understand normal and routine events in their environment. In addition, analysts must understand a complete architecture including systems, applications and networks, so that they can discover weaknesses and vulnerabilities that might provide opportunities to adversaries.
Moreover, building a relationship with key personnel in and outside of IT is crucial. In fact, these people can help threat hunters differentiate between anomalous and normal activities. For example, each problem found by threat hunters is not always an attack. Instead, it may just be an unsafe practice. In order to improve an organization’s security posture, threat hunters must act as effective “change agents,” and that cannot be possible without a trusting relationship with others.
2. Imagine That You Are an Attacker
A good threat-hunting practice requires threat hunters think like an attacker. Normally, the task of threat hunters is to chase adversaries proactively and put an end to the chance of intrusions. If the attack has been taken place, however, they need to mitigate its impact in order to reduce damage. However, always looking for the signs of intrusion is not a very good approach. Rather, threat hunters should work to anticipate an attacker’s next move.
Once threat hunters have an idea of what an attacker may do, they should set up some triggers that should be fired as soon as the attacker executes this move. Tools like CB Response can be used to determine the attacker’s move.
Remember: no organization has always perfect and impenetrable security measures, and adversaries use very sophisticated techniques nowadays to get around companies’ monitoring tools and most security. Therefore, threat hunters should think above and beyond the expectations of adversaries in order to prevent attacks before they become a major nightmare.
3. Formulate the OODA Strategy
OODA is an abbreviation of Observe, Orient, Decide and Act. Military personnel apply OODA when they carry out combat operations. Likewise, threat hunters use OODA during cyberwarfare. In the context of threat hunting, OODA works as:
- Observe: A first phase that involves routine data collection from endpoints
- Orient: Understanding the collected data thoroughly and combining this information with other collected information to help understand its meaning. After that, analyzing whether the sign of Command & Control (C&C) over traffic occurs or any sign of attack is detected
- Decide: Once you have analyzed the information, then you need to identify the course of action. If the incident occurs, threat hunters will execute the incident response strategy
- Act: The last phase involves the execution of the plan to put an end to the intrusion and enhance the company’s security posture. Further measures are taken to prevent the same type of attack in the future
4. Use Sufficient Resources
Threat hunting is regarded as one of the best security solutions nowadays. However, devoting sufficient resources, including personnel, systems and tools is indispensable to performing threat hunting effectively.
Personnel means threat hunters, who must have the in-depth knowledge of operating systems (OSes) and subsystems such as application servers, Web servers, database servers, database management systems and, more importantly, the networks, Wi-Fi systems and the Internet altogether. An understanding of the CB Response tool is also helpful.
5. Protect All Endpoints
Endpoint security is the client/server information security methodology for safeguarding the company’s network by monitoring endpoints (network devices), their activities, software, authentication and authorization. Protecting all endpoints is crucial as negligence may leave empty spots for adversaries. Typically, endpoint security is ensured through security software installed on the centrally-managed server or gateway within a network, in addition to the client security software located on each of the endpoints.
Advanced Persistent Threats (APTs) cannot be prevented with antivirus programs alone. Therefore, organizations should deploy endpoint protection solutions as well, such as CB Response or Comodo endpoint protection software.
6. Network Visibility Is the Key
In addition to deploying threat-hunting tools across all endpoints, it is necessary to have an in-depth understanding of attack patterns and activities in your network environment. You can achieve this by utilizing additional tools that allow you to have network visibility.
As you worked to set up advanced endpoint tools, you should also use tools like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), NetFlow, Web filters, firewalls and Data Loss Prevention systems (DLP). In this way, you are able to verify attacks and collect valuable intel about abnormal traffic patterns that could indicate a breach.
7. Mind the Human Side of Threat Hunting
A crucial part of threat hunting involves efficient and effective communication with the key IT personnel in the company. This mean threat hunters should work collaboratively with endpoint engineers, application developers, service desks and system engineers in different ways. Threat hunters actually need to communicate effectively with them in order to understand the operations of key systems and applications. When searching for adversaries, hunters will discover vulnerabilities in the design and implementation of networks, systems and applications.
Trusting relationship between threat hunters and key IT personnel is indispensable. Most importantly, you will need their collaboration when responding to incidents. Only by ensuring reciprocal trust will you be able to work together to correctly diagnose malicious activity and perform remediation in the face of weaknesses and vulnerabilities in your environment.
8. Keep a Record of Your Hunts
Good threat hunters not only attempt to contain or eliminate malicious intrusions but also document every single threat hunt they have performed in their IT environments. Not only do you need to detail the technical information on each case, but more importantly, you need to record business intel relevant to the company, e.g., the reason for the hunt.
But good documentation is not worth much without sound organization of the collected data. It is imperative to choose a tool that can help you organize your threat hunting activity in order to revisit your steps if you suspect repeated intrusions and share that knowledge with other parties. Tools that you may use to organize the data may include reporting tools, analytical tools or even Microsoft Excel.
9. Keep the Blade Sharp
Even the best weapon will rust unless it is cared for. To be effective in their jobs, threat hunters need to be prepared and always remain vigilant for the suspicious activity. As cybercriminals are finding dozens of new ways to penetrate security systems, threat hunters need to constantly learn and grow their skills in order to keep themselves up to the challenge.
It is essential that every professional threat hunter take time to undergo technical training. In addition, it is always useful to show up in local and international conferences and gatherings, such as RSA, Black Hat and DEFCON, where you can meet colleagues and explore opportunities for professional and educational development.
10. Keep Abreast of Modern Attack Trends
In the evolving world of technology, threat actors are developing new attacks every day. Cybercriminals are creative, and they are using that creativity to continuously invent new ways to commit crimes. Threat hunters need to keep up with the ever-changing cyber-attack landscape.
And there’s going to be a lot of work for them in the near future. According to a Threat Hunting Report 2018 by Alert Logic, security experts prioritize 55% detection of advanced threats as a top challenge for their Security Operation Center (SOC). In addition, 43% security staff lacks sufficient skills to mitigate these threats. Also, 36% of automation tools are seriously lacking in their threat-catching abilities. In order to prevent intrusions, threat hunters must themselves stay current with modern threat landscape and sophisticated techniques that criminals discover to carry out attacks.
- 2018 Threat Hunting Report, Alert Logic
- Threat Hunting for Dummies: Carbon Black Special Edition, Peter H. Gregory
- Endpoint Security, Techopedia
- Endpoint Security, Webopedia
- Visibility, Automation Defend Against Network Security Threats, HIT Infrastructure