What we’ll be learning
In this lesson, we’ll be learning about Threat Hunting: What it is, how it works, and when it’s used. We’ll also touch on the basics of threat intelligence, and some of the ways organizations use it to defend themselves.
What is threat hunting?
Threat Hunting is a proactive security technique, where defenders will actively search for threats in their systems, guided by threat intelligence. A good analogy for this would be museum security: Passive security measures might be locked doors or alarms on display cases, while threat hunters would be guards actively patrolling and searching for any intruders that might be present.
The longer a threat goes undetected in a system, the more damage it can do. By proactively searching for threats, defenders can find them before reactive security measures (such as alerts or alarms) are triggered, limiting the damage done.
When to threat hunt
Threat Hunting is relatively costly in terms of resources when compared with many reactive security measures. It requires trained security personnel to dedicate their time, and it’s important to use that time effectively. For this reason, threat hunting isn’t usually done without a particular threat in mind.
Threat Intelligence is information about threats that are targeting, or are likely to target, an organization, and it is used to decide when a threat hunt should be carried out. Advisories and security bulletins from vendors and security organizations are typical sources. Threat intelligence ranges from the general (a new type of malware is circulating) to the specific (the indicators of compromise that the malware creates, such as file hashes, file paths, or the network addresses it contacts).
For example, if there is a security advisory that an attacker is using a software vulnerability to gain remote access to systems, and your organization uses that software, it might be time for a threat hunt to see if your systems have been compromised in the same way.
How threat hunting works
Good security environments log a lot of data, and that data can be used to search for threats. However, searching it manually is not practical. Instead, a SIEM (Security Information and Event Management system) collects logs from across the environment into one place and allows them to be searched and queried. Intelligence Fusion is the process of searching and correlating data from many sources in order to look for indicators that a threat is present.
For example, if you know that the malware from before reaches out to a list of IP addresses using a certain protocol, you can use intelligence fusion with a SIEM to search all the network logs for traffic that matches those parameters.
Threat Feeds are feeds of threat intelligence that can be used for this type of threat hunting. Often, threat feeds contain Indicators of Compromise (IOCs): concrete artifacts, such as IP addresses, domain names, or file hashes, that indicate a threat is present. The process of intelligence fusion can be automated by combining data logged from the security environment with data from threat feeds.
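The following is an added example, not code from the original lesson, showing the kind of automated intelligence fusion described above: indicators from a threat feed are matched against firewall and DNS logs, in the way a SIEM query would. The threat feed entries, the IP addresses and domain, the log format, and the log lines are all constructed for illustration and do not come from any real advisory or feed. The example goes slightly beyond the text by matching CIDR ranges as well as single addresses, and by requiring the protocol and port to match, so that an unrelated connection to the same host (for example DNS rather than the command-and-control channel) does not produce a false hit.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed threat feed entries (hypothetical indicators, not from any real
# advisory). A real feed would be ingested from STIX/TAXII, CSV, or an API.
THREAT_FEED = [
    {"type": "ipv4", "value": "203.0.113.42", "proto": "tcp", "port": 443,
     "note": "malware C2 server"},
    {"type": "ipv4", "value": "198.51.100.0/24", "proto": "tcp", "port": 8443,
     "note": "malware C2 hosting range"},
    {"type": "domain", "value": "update-check.example",
     "note": "malware beacon domain"},
]

# Constructed firewall (CONN) and DNS (QUERY) log lines in a simplified
# key=value format; the hosts and timestamps are made up.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw01 CONN src=10.0.5.17 dst=93.184.216.34 proto=tcp dport=443
2024-03-01T10:00:07Z fw01 CONN src=10.0.5.23 dst=203.0.113.42 proto=tcp dport=443
2024-03-01T10:01:15Z fw01 CONN src=10.0.5.23 dst=203.0.113.42 proto=udp dport=53
2024-03-01T10:02:44Z fw01 CONN src=10.0.7.8 dst=198.51.100.77 proto=tcp dport=8443
2024-03-01T10:03:02Z dns01 QUERY src=10.0.5.23 qname=update-check.example qtype=A
2024-03-01T10:03:05Z dns01 QUERY src=10.0.5.9 qname=www.example.org qtype=A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<kind>CONN|QUERY) (?P<rest>.*)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    sensor: str
    internal_host: str
    indicator: str
    note: str


def parse_log(text):
    """Turn raw log lines into dicts of fields (ts, sensor, kind, src, dst, ...)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        ev = {"ts": m["ts"], "sensor": m["sensor"], "kind": m["kind"]}
        for field in m["rest"].split():
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def compile_feed(feed):
    """Pre-build network objects so single IPs and CIDR ranges match the same way."""
    compiled = []
    for ioc in feed:
        entry = dict(ioc)
        if ioc["type"] == "ipv4":
            entry["network"] = ipaddress.ip_network(ioc["value"], strict=False)
        compiled.append(entry)
    return compiled


def match_event(ev, compiled_feed):
    """Return the first feed entry the event matches, or None."""
    for ioc in compiled_feed:
        if ioc["type"] == "ipv4" and ev["kind"] == "CONN":
            dst = ipaddress.ip_address(ev["dst"])
            # Protocol and port must match as well: traffic to the same host
            # over an unrelated protocol is not the behaviour the intel describes.
            if (dst in ioc["network"] and ev.get("proto") == ioc["proto"]
                    and int(ev.get("dport", -1)) == ioc["port"]):
                return ioc
        elif ioc["type"] == "domain" and ev["kind"] == "QUERY":
            qname = ev.get("qname", "").lower().rstrip(".")
            # Match the domain itself and any subdomain of it.
            if qname == ioc["value"] or qname.endswith("." + ioc["value"]):
                return ioc
    return None


def hunt(log_text, feed):
    """Correlate every log event against the feed and return the hits in log order."""
    compiled = compile_feed(feed)
    hits = []
    for ev in parse_log(log_text):
        ioc = match_event(ev, compiled)
        if ioc:
            hits.append(Hit(ev["ts"], ev["sensor"], ev["src"], ioc["value"], ioc["note"]))
    return hits


def hosts_by_hit_count(hits):
    """Rank internal hosts by number of hits so the hunter triages the noisiest first."""
    return Counter(h.internal_host for h in hits).most_common()


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS, THREAT_FEED)
    for h in found:
        print(f"{h.timestamp} {h.sensor} {h.internal_host} -> {h.indicator} ({h.note})")
    print(hosts_by_hit_count(found))
```

Running the block reports three hits: the TCP/443 connection from 10.0.5.23 to the listed C2 address, the TCP/8443 connection from 10.0.7.8 into the listed hosting range, and the DNS query from 10.0.5.23 for the beacon domain. The UDP/53 connection to the same C2 address is deliberately not reported, and the host ranking puts 10.0.5.23 first because two independent indicators point at it, which is the correlation across sources that makes fusion more useful than a single-log search.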
Threat hunting often involves hacking, and hacking is adversarial. Most threats would like to avoid detection, and threat actors who are people (as opposed to, say, automated malware) are likely to be skilled hackers who will actively attempt to avoid detection. While Hollywood may depict conflicts between hackers as a contest of typing speed, the reality is that such conflicts are often more akin to a game of hide-and-seek in a darkened warehouse.
In cybersecurity, a maneuver is a strategy employed by hackers (both attacking and defending) to gain an advantage over the other side. An important maneuver for defensive hackers is stealth: While it may be relatively easy to kick an attacker out of a network temporarily, they can get right back in if the vulnerability they used isn’t fixed. What’s more, they may have obtained persistence using backdoors, providing even more ways for them to reenter. Until the security team has developed a remediation plan, it may be best to stay undetected and observe the attacker’s actions.
We don’t have to rely on reactive systems for security. By combining techniques such as intelligence fusion and defensive hacking, we can proactively search for and react to threats. This allows for threats to be detected and eradicated sooner, and limits the damage they can cause. However, it’s not always a good idea to immediately attempt to remediate an intrusion: Acting prematurely can be counterproductive, tipping an attacker off that they have been detected and not fully removing the attacker’s persistence.