© Morey J. Haber and Brad Hibbert 2018
Morey J. Haber and Brad Hibbert, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-3048-0_7

7. Threat Hunting

Morey J. Haber (1) and Brad Hibbert (2)
(1) Heathrow, Florida, USA
(2) Carp, Ontario, Canada

As a child, or even as an adult, have you ever played the game, “Where’s Waldo?” If you have, you may already understand how this section relates to Threat Hunting. For those who have not heard of the game, the object is to find a picture of Waldo in a picture filled with other graphics and people. Spotting Waldo is difficult and identifying him from the crowd is downright frustrating in some of the illustrations. It is a game of patience, visual acuity, and methodical review of graphics. To that end, a modern spoof on the game has graphics with nearly every person being Waldo. The objective is to find everyone that is not Waldo. This is a common analogy for false positives when performing Threat Hunting and the reason the analogy is so important.
So, for new security professionals, what is Threat Hunting? Threat Hunting is the cybersecurity act of processing information and methodically searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, Intrusion Prevention Solutions, and Log Management are all designed to detect and protect against threats – even zero-day threats that have never been seen before. Threat Hunting is the layer below this: what threats are actively running in my network that I am missing, and how can I find them? It starts from the basic premise that a threat is already present and that you have already been compromised.
The simple solution for most companies is to provide better inspection of the data already being collected. That includes diving deeper into log files, looking at denied logon attempts, and processing application events correlated from the denials recorded by application control solutions. But that is not really what Threat Hunting is. Those steps are merely security best practices and adherence to the log management and review guidelines in many regulatory standards, from PCI to NIST.
Threat Hunting can be an automated or manual process to find hidden threats. It assumes the threat is already there; you just need to find it. The process involves processing multiple sources of data simultaneously and correlating the information with an inherent knowledge of the systems, mission, and infrastructure producing it. While this may sound like a canned answer, it is not. Security Information and Event Management (SIEM) solutions are designed to ingest this information but allow only limited tagging of data by source and type to apply a business element. They fail, like many technologies, to apply the human element. To aid with this and provide data intuition, the process can be automated using behavioral analytics or machine learning. That raises the bar for identifying patterns as a repetitive process, but that is all it does; it has no knowledge of what a detected pattern means. For Threat Hunting to succeed, security professionals need to start with a hypothesis. The hypothesis assumes a threat and maps the patterns and manual review of data to the conclusion (a threat is actively occurring). Common hypotheses include the following:
  • Analytics Driven: Patterns in analytics automation can be assigned risk ratings and used to determine if a high-risk pattern is occurring.
  • Situational: High-value targets are analyzed including data, assets, and employees for abnormalities.
  • Intelligence: Correlation of threat patterns, intelligence, malware, and vulnerability information to draw a conclusion.
Therefore, for Threat Hunting to succeed, we need to meet the following requirements or our data and hunt will be flawed:
  • Crown Jewels and Sensitive (Privileged) Accounts are properly identified for data modeling.
  • Sources of information can be correlated reliably by CVE, IP address, and hostname. Changes due to DHCP, and even poor time synchronization (a poor NTP implementation), can distort Threat Hunting results. We need to trust the data nearly implicitly.
  • Consolidation tools like a SIEM are collecting all applicable data sources for pattern recognition.
  • Threats to the business, like a game-over breach event, are established and used to build a hypothesis.
  • Tools for risk assessments, intrusion detection, and attack prevention are up to date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy.
  • Documentation such as network maps, descriptions of business processes, and asset management records is critical. Threat Hunting relies on the human element to correlate information to the business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and how it is remaining persistent.
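A minimal hypothesis-driven hunt over constructed log lines, added here as an example and not taken from the book: the hypothesis is that a privileged account is being used on a host right after repeated denied logons and an application-control block, and the two sources are correlated by hostname with a tolerance for clock drift between them. The privileged-account list, the log lines, the field names and the 60-second skew allowance are all assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for this example: accounts, log lines, fields and skew are constructed here.
PRIVILEGED = {"svc_backup", "domadmin"}   # crown-jewel accounts identified up front
WINDOW = timedelta(minutes=5)             # how close related events must be
SKEW = timedelta(seconds=60)              # tolerated clock drift between sources

AUTH_LOG = [  # constructed domain-controller logon events
    "2018-03-01T10:00:05 host=WS17 user=jsmith result=DENIED",
    "2018-03-01T10:00:09 host=WS17 user=jsmith result=DENIED",
    "2018-03-01T10:00:20 host=WS17 user=domadmin result=SUCCESS",
    "2018-03-01T11:30:00 host=WS02 user=svc_backup result=SUCCESS",
]
APPCTL_LOG = [  # constructed application-control events (separate clock)
    "2018-03-01T10:00:58 host=WS17 app=unknown.exe action=BLOCKED",
    "2018-03-01T09:15:00 host=WS02 app=updater.exe action=BLOCKED",
]

def parse(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def near(a, b):
    """Events from differently clocked sources are related if within WINDOW plus SKEW."""
    return abs(a - b) <= WINDOW + SKEW

def hunt(auth_lines, appctl_lines):
    """Score every privileged logon against the hypothesis; highest risk first."""
    auth = [parse(l) for l in auth_lines]
    blocked = [r for r in map(parse, appctl_lines) if r["action"] == "BLOCKED"]
    findings = []
    for ev in auth:
        if ev["user"] not in PRIVILEGED or ev["result"] != "SUCCESS":
            continue
        score, reasons = 1, ["privileged logon"]
        denied = [d for d in auth if d["host"] == ev["host"] and d["result"] == "DENIED"
                  and ev["ts"] - WINDOW <= d["ts"] <= ev["ts"]]
        if denied:
            score += 2
            reasons.append(f"{len(denied)} denied logons shortly before it")
        apps = [b for b in blocked if b["host"] == ev["host"] and near(b["ts"], ev["ts"])]
        if apps:
            score += 2
            reasons.append(f"application control blocked {apps[0]['app']}")
        findings.append({"host": ev["host"], "user": ev["user"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

The highest-scoring finding is the one an analyst reviews first; the `reasons` list records which parts of the hypothesis matched so the conclusion can be checked against the raw events rather than trusted as a black-box alert.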
Threat Hunting is much like “Where’s Waldo?” You know the threat actor exists, you kind of know what he looks like, but you cannot find him. While you may not know what the threat actually is, it is a safe assumption that it is doing something wrong or staging to do something malicious in the future. If you can find that hidden threat, you can find Waldo. Treat it as a problem, a puzzle, and a game with clear objectives, and leverage the tools you have, not just a correlated black-box report or an alert. Threat Hunting requires you to dig in deep, use a magnifying glass, and rely on your senses to help find the threat. Having security best practices in place to begin with is an absolute requirement for success, since everything you do for Threat Hunting depends on them. Also, good threat actors will leverage your existing security tools against you to remain hidden. This is yet another reason why best practices must be rock solid before you embark on Threat Hunting. After all, if a threat actor is in your environment and current solutions cannot find him, you need to question the privileges he is executing with in order to remain hidden.