Threat hunting on a budget -- it's not as hard as you think…
Global losses from cybercrime now total more than $1 trillion, recent figures indicate, meaning that every business must now implement an effective threat hunting program to protect its data security -- and its long-term future. Establishing a threat hunting program from scratch may seem daunting, but it doesn’t have to be. Like so many things in life, the hardest part is taking the first step.
Even on a tight budget, numerous tools -- with SIEM, logs, and analytics -- can help security professionals start a robust threat hunting program. Below are the three main steps involved:
- Step one: Data visibility
Data visibility, along with some necessary skills, represents the first requirement for establishing a threat hunting program. Data visibility typically means access to a security log (or set of logs), as these are what you will be hunting through. Each log source offers a particular set of event types or user behaviors for examination by the 'threat hunter'.
- Step two: Analysis
Analysis requires a centralized location of logs you feed into a Security Information and Event Management (SIEM) or other type of database. Although you could manually query each endpoint’s event logs one by one, that’s simply unviable from a time management perspective. It’s also better to have a lake of data to analyze rather than just a few small ponds.
- Step three: Research
Step three -- research -- involves determining the types of events you must hunt through. If the threat hunter has access to logs from every endpoint within the environment, start by creating a list of event IDs that may indicate malicious activity.
Always have a plan
Having a robust plan in place before getting started will save time and resources in the long run by precluding a search through millions of unnecessary events. Sorting and filtering can also help hunters quickly identify suspicious events. But remember: the existence of a particular event ID doesn’t always mean there's a threat lurking on a device. Determining the root cause may require additional forensics and interrogation of the data.
Upon establishing a baseline of normal end-user behavior, filter out any data that conforms to it. This will help minimize both distractions and data volumes, allowing the team to focus on the anomalies that are more likely to indicate the presence of an actual threat.
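The baseline-and-filter pass described above, as an added example that is not part of the original article: it builds a baseline of (host, user) activity from a known-good period, then keeps only hunt-list events that the baseline does not explain. The log lines, field names and the short event ID list are constructed assumptions for illustration; map them to your own SIEM schema.

```python
from collections import defaultdict

# Hunt list for this example (assumption, deliberately short): Windows Security log
# 4688 = process creation, 4698 = scheduled task created, 4720 = user account created.
HUNT_EVENT_IDS = {4688, 4698, 4720}

# Constructed sample records (not real telemetry), one "key=value" record per line.
BASELINE_LOGS = """\
host=WS01 user=alice id=4688 detail=C:\\Windows\\System32\\svchost.exe
host=WS01 user=alice id=4688 detail=C:\\Program Files\\Office\\WINWORD.EXE
host=WS02 user=bob id=4688 detail=C:\\Windows\\System32\\svchost.exe
host=WS02 user=bob id=4698 detail=GoogleUpdateTaskMachine
""".splitlines()
HUNT_LOGS = """\
host=WS01 user=alice id=4688 detail=C:\\Windows\\System32\\svchost.exe
host=WS01 user=alice id=4688 detail=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
host=WS01 user=alice id=4624 detail=LogonType=2
host=WS02 user=bob id=4698 detail=GoogleUpdateTaskMachine
host=WS02 user=bob id=4720 detail=NewAccount=svc_backup
""".splitlines()

def parse(line):
    """Turn 'k=v k=v ...' into a dict; 'detail' is last and may contain spaces."""
    fields = {}
    for token in line.split(" ", 3):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["id"] = int(fields["id"])
    return fields

def build_baseline(lines):
    """Map (host, user) -> set of (event_id, detail) seen during normal operation."""
    seen = defaultdict(set)
    for rec in map(parse, lines):
        seen[(rec["host"], rec["user"])].add((rec["id"], rec["detail"]))
    return seen

def hunt(lines, baseline, hunt_ids=HUNT_EVENT_IDS):
    """Return (anomalies, dropped): hunt-list events the baseline does not explain, plus the count filtered out."""
    anomalies, dropped = [], 0
    for rec in map(parse, lines):
        key = (rec["host"], rec["user"])
        if rec["id"] not in hunt_ids or (rec["id"], rec["detail"]) in baseline.get(key, set()):
            dropped += 1  # either not on the hunt list or already explained by normal behavior
            continue
        anomalies.append((rec["host"], rec["user"], rec["id"], rec["detail"]))
    return anomalies, dropped

if __name__ == "__main__":
    print(hunt(HUNT_LOGS, build_baseline(BASELINE_LOGS)))
```

Anything the filter drops is still in the SIEM; the point is to shrink the triage queue, not the data lake, so the remaining anomalies still need the root-cause forensics the text mentions.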
Maturity brings efficiency (and results)
While the above steps will help get a solid threat hunting program off the ground, they are really only the beginning of the process. The more mature and well-staffed a program gets, the better the results will ultimately be, so that should always be the goal.
As the program matures, think about what additional tools might yield the best return. Collecting process execution events, network connections, file movement, and registry activity, for example, can all help optimise threat hunting engagements. Elsewhere, an endpoint detection and response (EDR) tool can uncover a wealth of valuable data. These don’t have to be expensive investments either: free utilities such as Microsoft’s Sysmon are really good and offer the visibility needed.
Once the pieces of the data puzzle are in place, think about how detection signatures and alarms can help minimize response times to severe threats. These will enable the build-out of lower severity events for threat hunting purposes. Lower severity events may generate more false positives, to begin with, but these can also be tuned for better accuracy over time.
While building out these detections, it’s also smart to align them to an established attack matrix such as the MITRE ATT&CK framework -- a publicly available, regularly updated framework based on real-world adversarial tactics and techniques. It’s not necessary to immediately create alerts for every technique, but the more you build out over time, the more effective the program will be.
It’s a good idea for the initial focus to be on areas that could generate a high severity event. For instance, detections for things like Abuse Elevation Control Mechanism, Exploitation of Remote Services and Masquerading will all lead to events that senior analysts can quickly respond to. Next, developing signatures for the threat hunting team to pivot off, such as Lateral Movement, Creation of Accounts or Scheduled Task Jobs, helps them seek out adversary activity more effectively as/when needed.
Remember, the past can be just as important as the present
When hunting for attack activity, past user behavior can be just as important as the present. While free tools like Sysmon are great, they only offer a view of current user activity. As such, once a team is comfortable with detections for endpoint logs, it’s a good idea to expand engagements to include more proactive techniques that collect existing data from enterprise devices, such as specific registry keys. Teams can even perform targeted scans using free utilities such as YARA for a historical view. Doing so provides better insight into attacks that have already taken place but may have gone undetected. YARA is an open-source, multi-platform tool used by security professionals around the world to detect malware based on certain characteristics or rules.
The idea of a dedicated threat hunting program can seem both complicated and intimidating to organizations that don’t already have one, but it shouldn’t be. With just a modest budget and the right knowledge, it can be remarkably simple to launch an effective program. Once established, like so many things in life, the more organizations put into it, the more benefits they will get out of it.
Tim Bandos, CISSP, CISA, CEH is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and has a wealth of practical knowledge gained from tracking and hunting advanced threats that target highly sensitive data. A majority of his career was spent working at a Fortune 100 company where he built an Incident Response organization, and he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.