Threat Hunting and SOC
“Threat hunting” refers to the process of proactively and repeatedly searching through networks to detect and isolate advanced threats that evade existing security solutions. Such solutions may include firewalls, intrusion detection systems (IDS), malware sandboxes and SIEMs. Normally, existing security solutions require investigation to be conducted after an incident or warning has occurred. However, with threat hunting, organizations hire skilled defenders who use advanced tools to find and mitigate hidden threats. In this article, we discuss how threat hunting can be consolidated with security operations center operations to yield maximum security for your organization.
An Overview of the Security Landscape
According to a 2018 Threat Hunting Report by Crowd Research Partners, threat frequency and severity is on the increase. The report compiles data from a survey that targeted security personnel within various organizations. Of the respondents, 52% say threats have at least doubled in the past year.
Based on this trend, we can see that the number of advanced and emerging threats will continue to outpace the capabilities of security personnel within organizations. In the same report, 76% of respondents reported feeling that not enough time is spent on searching for emerging threats within their organizations’ SOCs. When asked why they have not implemented a threat-hunting function, 45% cite lack of budget as being the main problem.
A third of the total respondents, however, feel more confident in their security team’s ability to quickly uncover advanced attacks. This compared to previous reports shows that threat hunting is gaining momentum.
Another 2017 threat-hunting survey of 306 IT and security professionals indicated that at many organizations, the process is still new and poorly-defined. Hunting programs are more often utilized in financial services, high tech, and military or government institutions, as well as companies that have been previously attacked.
The statistics above are a good reason why more and more organizations are developing threat-hunting functions within their organizations to consolidate existing SOC functions. But what really goes into building a SOC?
Threat Hunting and the Security Operations Center
Threats can be monitored more effectively and accurately once the relevant data and all the security experts are consolidated into a centralized area within the organization. The team must consist of skilled security experts. This is often done in three tiers:
SOC I Engineers
Tier I engineers are normally responsible for detecting, identifying and troubleshooting security events that come in. The affected party is often in communication with this tier, as their main functions include detection, classification and escalation of attacks. They also make suggestions on the most effective way of dealing with the attack.
SOC II Engineers
The main tasks of these engineers is to mitigate the attacks that are detected by the SOC I engineers.
SOC III Engineers
This elite group holds the most experienced technical security roles in a SOC. To improve the SOC I and II tiers, SOC III engineers build tools and processes to improve threat hunting or threat intelligence in an operation center.
While building a SOC, the most crucial and first priority is often threat modeling, which seeks to answer the following questions:
- What threats does my organization care about?
- What does a threat look like?
- How does the SOC block/detect the threat?
Once answers have been obtained for the questions above, playbooks are built in order to document the response, severity set and the process of escalating these threat types. Different processes should also be considered, such as shift time and models.
For example, “Follow the Sun” refers to the shifts the security engineers are operating according to their specific time zone, and must be considered when a company has multiple offices or has engineers working remotely. “Rotational” involves rotating shifts within one location of the organization. “Operational continuity,” on the other hand, focuses on shift handover, shift reports, and escalation to external teams like networks or infrastructure.
Finally, security departments complete SOC setups by:
Identifying a data source
The data source to use is determined by the playbooks that have been built. Common data sources may include:
- Network activity/security events. These may include firewalls, IDS/IPS and vulnerability scanners
- Threat intelligence. This may come from both internal and external feeds
- End-point activity. End points such as DNS, DHCP, AV, OS logs and ETDR may provide crucial information in how they are handled.
Setting up a security intelligence platform
Such platforms may include, for example, an SIEM. The security intelligence platform ensures that data is brought in from all the data sources listed above and also alerts the SOC engineer when a threat is detected.
Setting up a ticketing system
A ticketing system is used to track events throughout the system’s history and act as a communication point between the affected part and the SOC.
From the discussion above, it is clear that threat hunting should be a separate function within the security department due to the fact that it doesn’t rely on alerts. What then determines effective hunting? Let’s discuss some important tips.
Five Tips for Effective Threat Hunting
Bearing in mind that attackers are always determined to succeed in their attacks, it only makes sense that threat hunting programs also define success as their main objective for a hunting program. But do they achieve it? We will discuss some tips that will make your threat hunters effective and successful.
- Know your environment. Threat hunting has a main goal, and that is to discover whatever abnormal activities are taking place within the organization. It is thus important to become familiar with what is normal. This requires understanding the overall architecture and determining where vulnerabilities and weaknesses lie that could be targeted by attackers. A good understanding of the environment involves deep and wide exploration of the technical environment, including networks, systems and applications. Threat hunters must also build relationships with key personnel inside and outside of IT. Building relationships allows hunters to distinguish between normal and suspicious activities, since sometimes these activities may be as a result of unsafe practices within the organization and communication is important to help resolve that.
- Think like an attacker. A hunter’s mission is to find signs of intrusion and act quickly to stop attacks and minimize any damage. However, it is better to anticipate attackers’ next move rather than always be on the chase. Hunters may set up tripwires (using threat-hunting tools) that go off once attackers execute certain moves. This allows hunters to anticipate moves and be on the watch.
- Develop the OODA mindset. While in combat, military personnel Observe, Orient, Decide and Act. Threat hunters are soldiers in cyberspace, so it makes sense to employ these tactics. Acting before thinking can blur the threat hunter’s effectiveness, resulting in undesirable outcomes.
- Devote sufficient resources. Threat hunting can go sour if there aren’t enough resources to effectively carry it out. Resources include skilled personnel, tools, and systems to run them on. The personnel must be trained and experienced threat hunters that understand the inner working of various technologies for hunts. Proper research must be done on the tools to use for hunting and infrastructure to run them on.
- Deploy endpoint intel. Ensuring that all end-point devices at the organization are covered ensures that attackers do not get that one successful attack that they need. Remember: by compromising just a single host, the entire organization may be crippled. This is why it is important for all end points to be secured.
Is it enough to rely entirely on a SOC?
Investing in a SOC is a good start, but if it’s the only strategy your organization uses, it will probably not give you an accurate view of the security of your organization. This is due to the fact that some threats may not register at the SOC. Therefore, having to hunt for threats before they strike may mean the difference between a successful and unsuccessful attack.
Due to the evolving nature of malware, you should consider having a threat-hunting function defined within your organization. Your team has to always be on the hunt for zero-day and one-day vulnerabilities and new malware.
This article has covered threat hunting and the security operations center in brief. We have had an overview of the current security landscape and discussed what goes into developing SOC operations within organizations. We discussed some tips that are effective in effective threat hunting and saw the importance of coordinating threat hunting with SOC operations. Good luck on your next threat hunt!
Threat Hunting Takes Center Stage for SOCs, Infosecurity
Report: Threat hunting is more SOC than intel, TechTarget
2018 Threat Hunting Report, Cybersecurity Insiders