If you’ve ever played the game “Where’s Waldo?” you may already understand how this section relates to threat hunting. For those who have not heard of the game, the object is to find a picture of Waldo within a picture filled with other graphics and people. Spotting Waldo is difficult, and identifying him in the crowd is downright frustrating in some of the illustrations and illusions intentionally created by the artist. It is a game of patience, visual acuity, and a methodical review of graphics. Along those lines, a modern spoof on the game has graphics in which nearly every person is Waldo, and the objective is to find everyone who is not Waldo. This is a common analogy for false positives in threat hunting, and it is the reason the analogy is so important here.
The simple solution for most companies is to provide better inspection of the data already being collected. That includes diving deeper into log files, looking at denied logon attempts, and processing application events correlated from application control solutions. But that is not really what threat hunting is. Those steps are merely security best practices, and they adhere to the log management and review guidelines in many regulatory standards, from PCI to NIST.
Analytics-Driven: Patterns in behavior (or outlier events) can be assigned risk ratings and used to determine if a high-risk pattern is occurring.
Situational: High-value targets are analyzed, including data, assets, and employees, for abnormalities and unusual requests.
Intelligence: Correlation of threat patterns, intelligence, malware, sessions, and vulnerability information to draw a conclusion.
Crown jewels and sensitive (privileged) accounts are properly identified for data modeling. This includes monitoring of when they are used, who is using them, and what actions are being performed.
Sources of information can be reliably correlated by CVE, IP address, and hostname. Changes due to DHCP, and even time synchronization (a poor NTP implementation), can mislead threat hunters. We need to trust the data almost implicitly.
Consolidation tools, like a SIEM, are collecting all relevant data sources for pattern recognition. As a general rule of thumb, the more security data, the better. Extra data can always be filtered out, purged, or suppressed.
Threats to the business, like a game-over breach event, are established and used to build a hypothesis. If a threat actor did “this,” could my business ever recover, and what would be the cost?
Tools for risk assessments, intrusion detection, and attack prevention are up-to-date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy.
Documentation, such as network maps, descriptions of business processes, asset management, and so on, is critical. Threat hunting relies on the human element to correlate information to the business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and how it remains persistent.
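The two prerequisites above about monitoring privileged account use and about DHCP changes corrupting IP-based correlation can be shown together. The following is an added example, not code from the original text: it resolves each privileged logon's source IP to the host that actually held the DHCP lease at the event time (rather than whoever holds it now) and flags logons from hosts outside a baseline. The lease records, auth events, account name, and baseline hosts are all constructed for the example.

```python
from datetime import datetime

# Constructed DHCP lease history: (lease_start, ip, hostname), sorted by time.
# The same IP moves from a finance workstation to a contractor laptop at 12:30.
LEASES = [
    ("2024-03-01T08:00:00", "10.0.5.23", "ws-finance-07"),
    ("2024-03-01T12:30:00", "10.0.5.23", "laptop-contractor-3"),
]

# Constructed authentication events: (timestamp, account, source_ip).
AUTH_EVENTS = [
    ("2024-03-01T09:15:00", "svc-backup-admin", "10.0.5.23"),
    ("2024-03-01T13:05:00", "svc-backup-admin", "10.0.5.23"),
]

# Hypothetical baseline: hosts each privileged account is expected to log on from.
PRIVILEGED_BASELINE = {"svc-backup-admin": {"ws-finance-07", "bkp-srv-01"}}


def _ts(s):
    return datetime.fromisoformat(s)


def host_latest(ip, leases=LEASES):
    """Naive mapping: whoever holds the lease now. Misattributes earlier events."""
    best = None
    for _, lease_ip, host in leases:
        if lease_ip == ip:
            best = host
    return best


def host_at(ip, when, leases=LEASES):
    """Time-aware mapping: the most recent lease for `ip` that started at or
    before `when`. Relies on `leases` being sorted by lease_start."""
    t = _ts(when)
    best = None
    for start, lease_ip, host in leases:
        if lease_ip == ip and _ts(start) <= t:
            best = host
    return best


def review_privileged_logons(events=AUTH_EVENTS, baseline=PRIVILEGED_BASELINE):
    """For each logon by a privileged account, record who used it, when, and
    from which host (resolved at event time), and flag hosts outside the baseline."""
    findings = []
    for when, account, ip in events:
        if account not in baseline:
            continue
        host = host_at(ip, when)
        findings.append({"when": when, "account": account, "ip": ip,
                         "host": host, "unexpected": host not in baseline[account]})
    return findings
```

With the naive mapping both logons would be attributed to the contractor laptop; the time-aware mapping shows that only the 13:05 logon came from an unexpected host.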
Threat hunting is much like “Where’s Waldo?” You know the threat actor exists, you kind of know what he looks like, but it may be very difficult to find him.
While a threat hunter may not know what the threat actually is, it is a safe assumption that the threat actor(s) exist and are doing something wrong, or staging to do something malicious, in the future. If you can find that hidden threat, you can find Waldo. Treat the problem as a puzzle, a game with clear objectives, and leverage the tools you have to go beyond just a correlated black box report or an alert of an unauthorized login. Threat hunting requires you to dig in deep, use a magnifying glass, and rely on your senses to help find the threat. Having security best practices in place to begin with is an absolute requirement for success, since everything you do for threat hunting depends on them. Also, skilled threat actors will leverage your existing security tools against you to remain hidden. This is yet another reason why best practices must be rock-solid before you embark on threat hunting. After all, if a threat actor is in your environment and current solutions cannot find them, you need to question the privileges they are executing with in order to remain hidden. Those are definitely the privileges you should be actively monitoring every single day.