What is Threat Hunting?
Threat hunting is proactively searching for unknown threats on the network before being compromised or alerted of a known vulnerability. This is vastly different from responding to alerts, which is typically the responsibility of a SOC analyst or an incident responder.
When discussing threat hunters, security professionals tend to think of elite teams like Carnegie Mellon’s Computer Emergency Response Team (CERT), IBM’s X-Force, or the SecureWorks CTU. They share vulnerabilities with the rest of the community; protecting the population from a cyber pandemic as best they can. They are made up of the very best researchers, hackers, and crime fighters. Some larger corporations and agencies are also able to host dedicated threat hunting teams — but that’s the 1%. For most organizations, threat hunting is done occasionally, in a low maturity fashion by searching the SIEM for known IOCs, or not at all.
Why is threat hunting so rare?
Threat hunting involves taking a few limited clues or indicators of a potential attack and then searching your entire environment for them. Threat hunters need to understand all the systems in their environment; both security-focused (like SIEM and EDR) and non-security-focused (like S3, LDAP, or business systems like Workday). They need to understand attacker techniques and likely tangents for attacks, and the telemetry provided by each system. And then they need to be able to compose different queries (with different syntaxes) across those systems to do a threat hunt. The ability to do this comes with time and experience.
For example:
( df[['@timestamp','Hostname','SubjectUserName','ProcessName','ObjectName','AccessMask','EventID']] [(df['Channel'].str.lower() == 'security') & ((df['EventID'] == 4663) | (df['EventID'] == 4656)) & (df['ObjectName'].str.contains('.*lsass.exe', regex=True)) & (~df['SubjectUserName'].str.endswith('.*$', na=False)) ] .head() )
Source: Pandas Query for LSASS Memory Read Access
Effective threat hunters typically have more than five years of SOC analyst experience. Given the already short supply of skilled analysts, anyone with that experience is sought after to lead SOCs or become a level 2 or 3 analyst.
Four Steps of Threat Hunting
Threat hunting breaks down to these four functions:
- Form a hypothesis – Understand your threat model, what makes you vulnerable to attack, and what type of attackers are likely to target your organization.
- Search and Gather – Look across your environment and ask, “Where do I hunt for indicators of those attacks across my infrastructure?” Identify which tools you would need to gather data from to determine if you need to look for indicators inside of those tools.
- Investigate – Once you gather that intelligence and understand your tools and technologies, then you execute the hunt.
- Remediate – Finally, if you find indicators or susceptibility through those hunt metrics, then you implement defense controls.
Amazon purchased a company called Sqrrl in 2018, who wrote the first standard for maturity models for threat hunting. They indicated that one maturity level of threat hunting was simply taking an indicator of compromise, sticking it into a search bar, and *boom* you’re threat hunting. Maturity/skillset goes up from there.
But in that legacy model of threat hunting, you “threat hunt” inside of your SIEM. This method makes the assumption that all of the data you need to hunt for those indicators lives inside of your SIEM. More often than not, if you’re getting the indicators inside of the SIEM, you’re already identifying those through some other type of a detection mechanism, similar to a Splunk Notable Event. And with today’s abundance of data, there is about a zero percent chance all of your security relevant data is in your SIEM. It’s just too expensive.
Ultimately, if an operator is asked to look for an IP address, they typically will not look in every possible system because it takes too long. You will start with the most likely candidates and work your way down. The further you get down that list without incident, the more likely you are to abandon the search prematurely.
Query: Turning SOC analysts into threat hunters
With Query, you can search all of your data from a single search bar without the need to understand diverse and complicated search syntax. Your search-and-gather list can expand to all of your security-focused (like SIEM and EDR) and non-security-focused (like S3, LDAP, or business systems like Workday) sources because you don’t have to worry about figuring out how to search the IP address and data sources of your non-security/otherwise unsearched technologies.
Using Query, your mean time to respond (MTTR) will drop significantly, and you have the ability to search systems you otherwise may have neglected simply because it was too difficult to search.
Happy Querying!