A buzz term of today’s cybersecurity is ‘threat hunting’. It gives you images of clandestine agents hiding in the shadows, ready to spring into action to neutralize a threat. Well that’s not exactly what cyber threat hunting is, but it’s also not necessarily what many of today’s vendors of cybersecurity products make it out to be – a totally automated process using artificial intelligence to root out cyber criminals before they can act on their objective.
Understanding threat hunting means understanding incident response and digital forensics, because essentially threat hunting is just incident response on a yet unknown incident. When you think about responding to an incident, you know something is going on and you use forensic techniques to investigate, contain and eradicate it. With threat hunting, you are looking to uncover the unknown incident by employing forensic techniques; such as packet capture, memory dumps, server and workstation images and reviewing the data for something that your end point protection, or your network protection may not have alerted on. It’s really needle in a haystack and involves many hours of searching to find a potential threat.
To be successful in your hunt you will need to have tools in place to hunt, often a major flaw of incident response plans are the failing to put the proper tools in place. We need logs and event alerts from a SIEM tool, we need to be able to capture packets on demand, we need to be able to dump memory and images of .exe and DLLs. Then we need the ability to analyze all these things. So have you prepared your organization with these tools? Have you trained people to use them and given them the time to practice with the tools? These things will lead to a successful hunt, and or, response.
Also, do you know the critical areas to look. This goes back to understanding your company or organizations valuables, who would have interest in those valuables, and what the adversaries usual modus operandi. Where should we look? Well usually you will want to understand your network and where the ‘crown jewels’ reside, this way you are narrowing your focus area. For example, if you wanted to duck hunt you wouldn’t go to the desert. If you have credit card numbers or health records, or DOD information, the places where that data lives is where you should focus. If you have DOD data you are more likely to be targeted by nation states, so learn their tactics, if credit card data then organized crime is more likely to be your adversary what has been documented about their approach?
While machine learning has made threat hunting a lot better, the idea of AI to perform this is overblown. The reason is that the nature of analyzing the collected information is still very human. Rob Lee at SANS uses the analogy of spell check, no one allows spellcheck to just make corrections without review because their document would be a mess. It’s even more complex to determine for example a good DLL versus a malicious DLL. While machine learning will help us to need less hunters and therefore leave us with only the best threat hunters, it’s hard to imagine a time when we would get to a fully AI threat hunting capability.
If we prepare well, get the right tools and processes in place, train our people and give them practice. We can have very effective, threat hunting and incident response. Remember threat hunting, incident response and digital forensics are all teeth of the same gear. All need to work together for each part to be effective.