First – What Is Proactive Threat Hunting?
Proactive threat hunting is a cyclical, proactive and hypothesis-driven process that assumes an undiscovered breach of an unknown type has already occurred. There is no precipitating incident or roadmap; no high-fidelity detection rules have been triggered. As noted in NIST Special Publication 800-53, “The objective [of threat hunting] is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses.” Public and private sector organizations should view proactive threat hunting as an “enhanced security requirement.”
“If you can simply write a rule, write a rule. But then you don’t need to hunt,” – Anton Chuvakin, Former Vice President and Distinguished Analyst at Gartner, now senior security advisor for the office of the CISO at Google Cloud.
Reactive Vs. Proactive Threat Hunting
In contrast, reactive threat hunts focus on known threats. Hunts are typically triggered by a security incident or set of high-risk alerts. Investigators are often mid-tier Security Operation Center (SOC) analysts responsible for triaging and investigating alerts, root cause analysis, incident response, and consolidating logs in a security information and event management (SIEM) system. This essential work can be highly stressful due to the large daily volume of false positive alerts. Chronic alert fatigue is widespread, leading analysts to start ignoring many of the alerts.
Profiles of Successful Proactive Threat Hunters
Expert threat hunters possess elite skills in surfacing anomalous cyber activity, detecting gaps in the security infrastructure and identifying ways attackers can exploit these gaps to compromise an organization’s operational integrity. Their extensive red team experience enables them to think like adversaries, intuit their objectives and see through their attempts to evade detection. Thanks to their intimate familiarity with their organizations’ digital estate and business processes, they excel at leveraging the latest threat intel and crowdsourced attack data to efficiently sift through vast stores of network, endpoint and cloud security data for artifacts of an ongoing attack. Overall, they excel at deductive reasoning, malware analysis, data science and communicating their findings in actionable terms meaningful to business and IT leaders alike.
Key Tools for Cyber Threat Hunting
Threat hunters utilize a variety of data sources, tools and techniques to uncover threats.
Security Data and Telemetry
SIEM platforms help hunters shortcut data navigation and forensic analysis by collecting and correlating data from Endpoint Protection Platforms (EPP), Endpoint Detection and Response Platforms (EDR), Cloud Security Platforms, Intrusion Detection and Prevention Systems (IDS/IPS) and network monitoring tools.
- Digital Risk Monitoring (DRM)
DRM tools crawl the dark web, social media, and other digital channels to give hunters an external view of the organization’s current threat exposure. For example, hunters may learn that stolen credentials to internal systems are being offered on a dark web marketplace or sensitive data exposed in a cloud repository.
- Security Analytics
These platforms utilize artificial intelligence (AI), machine learning (ML), and behavioral analysis of network data to flag anomalous and potentially malicious activity. Hunters can leverage these detections for clues to an ongoing breach.
- MITRE ATT&CK Framework
Hunters can draw from the documented Indicators of Attack (IoA) and tactics, techniques, and procedures (TTP) to inform and test their hypotheses.
- Threat Models
Mature organizations document detailed cyber risk scenarios and countermeasures to protect their most critical data and business systems. Hunters can draw on these to target and prioritize investigations.
Threat Hunting + Threat Intelligence
Threat intelligence, also known as cyber threat intelligence (CTI), is a formal process for collecting and correlating data about attempted or successful intrusions from multiple internal and external sources. SIEMs often incorporate data from threat intelligence feeds to help automate rule creation. While inherently a reactive medium, threat intelligence furnishes hunters with a rich repository of TTPs and IoAs for proactive investigations.
Security and Risk Leader Perspectives
Kroll’s 2021 State of Incident Response report surveyed 500 security and risk leaders at large organizations—those with more than $500 million in revenue—on matters related to their cyber security programs, specifically threat detection and incident response, and respondents are keenly aware of the risks:
- Two-thirds (66%) acknowledge they’re vulnerable to a cyberattack that could disrupt business or lead to a data breach.
- Nearly half (49%) lack adequate tools (including staff and expertise) to detect or respond to cyber threats. Another 46% say they cannot acquire cloud-based services logs and other relevant data needed to investigate incidents.
- Only 8% of security leaders are fully confident their organization can identify the root cause of an attack.
Seasoned Threat Hunter Perspectives
How does one hunt for an unknown unknown? What tools and data are needed? How is success gauged? We asked members of our threat hunting leadership team to share their experiences in the field. Here are some highlights.
Thwarting Actor Attempts to Evade Detection
Actors utilize many techniques in their attempts to evade detection. One method is to rename their tools and malware. Consequently, it’s customary to search for executable files with odd names or in odd locations running on endpoints. For example, on one assignment, the threat hunting team found a file named s.exe. That violates normal file naming conventions, so a term frequency search was run to determine the prevalence of the file in the client’s environment. Multiple instances were found on finance department systems. Next, a sample of the file was detonated in a sandbox. The file turned out to be an instance of Rclone, a legitimate file management tool used in ransomware attacks to exfiltrate data. Ultimately, the initial compromise was traced to the system of a finance clerk who had succumbed to phishing exploit. The threat hunting team succeeded in locating and helping neutralize the ransomware before it could spread and detonate.
Anonymized Real-World Case Study
During one monthly assignment, Kroll threat hunters discovered an employee in the IT department using work assets to mine cryptocurrency. Here’s a condensed account of the hunt and its aftermath.
The client asked the team to focus on potential threats of loss or damage to its proprietary design and engineering data. Employees in several departments were allowed to use USB drives, which can be infected with malware or used to exfiltrate data. Therefore, the team hypothesized that a USB exploit could be underway. They began by analyzing EDR data collected in the SIEM for evidence of unusual USB activity or strains of USB-related malware. As it happened, this didn’t yield results because the compromised system was on a network segment without EDR installed.
Instead, the team located a suspect machine in the IT department by ingesting and analyzing NetFlow logs. These showed an employee’s system communicating with several cryptocurrency hauling services. Further analysis found the employee was running cryptojacking executables from an lnk file in the thumb drive storage volume. Also found were links in his search history to sites on the dark web showing how to cryptojack without being detected.
The team carefully assembled and preserved the necessary forensic data to provide the client with evidence for possible prosecution. The hunt team concluded its assignment by creating a detection rule flagging the cryptocurrency mining pools the employee had been using. That would help reduce the possibility of a similar attack in the future.
If a significant ongoing breach had been discovered, the team would have immediately notified the client and activated an incident response team. In this case, the client’s general counsel handled the matter in the normal course of doing business.
First and foremost, it’s essential to distinguish proactive threat hunting from other investigative methods. With the elite skills required in short supply, it’s no surprise that most threat hunts today are reactive. That’s a problem because bad actors constantly introduce new TTPs explicitly designed to evade detection.
The survey responses and case study demonstrate the critical importance of collecting and preserving log and telemetry data for root cause analysis and threat hunting. Yet, this continues to be a significant problem for many organizations. One cause is the sheer volume of data that must be ingested, correlated, and analyzed daily. Another is that actors often attempt to cover their tracks with Indicator Blocking and other techniques that impair or prevent access to investigative data. To reduce risks, organizations must do everything possible to preserve and make this data available at scale.
SIEM and Security Orchestrations and Response (SOAR) solutions are helpful in partially automating data management, alert triage, and incident response playbooks. However, these tools still rely on detection rules that sophisticated actors routinely circumvent due to their intrinsic limitations. If rules are overly specific, they can miss crucial clues of a cyberattack. If overly broad, they can impair routine business processes and deluge SOC teams with spurious alerts. Most importantly, they cannot detect evidence of attacks that have never been seen before. That goal can only be achieved with proactive threat hunting.
Learn more about Kroll’s end-to-end cyber security services or call our Cyber Incident Response Hotline to request immediate assistance.