10 Common Questions About Threat Hunting
New to Threat Hunting? Have lots of questions and don’t know where to start? Chris Brenton answers 10 frequently asked questions related to Threat Hunting.
1) Is Threat Hunting a Real Stand-Alone Product Category in Cybersecurity?
Absolutely. Historically we’ve taken a passive approach to security. We deploy security solutions and assume they are keeping out the bad guys unless we hear otherwise. Sure there’s log review, but this has typically been cursory at best, checking for blatantly obvious entries such as failed logins.
Threat Hunting, on the other hand, is an active process. We assume the worst has already occurred and assume one or more hosts are probably owned. We then search the network for telltale signs of Command and Control (C2) traffic. Some products sort of do this (Bro, Wireshark, etc.). The catch is you need a skilled analyst behind the keyboard that knows exactly what to look for. We are just starting to see products hit the market that builds in the intelligence needed to make threat hunting possible for more junior security personnel.
2) Is Cyber Threat Hunting a Realistic Practice With IOT Devices?
It depends on how you do your hunts. If you are trying to review system logs, IoT devices typically log very little and provide poor documentation on the log entries they do generate. If you are hunting on the network, then absolutely you can include IoT devices. TCP/IP is TCP/IP, it does not matter if the endpoint is a Windows desktop, network gear, a thermal sensor or an HVAC system.
As an example, check out the 2019 Verizon Breach Report. Specifically, the section that talks about Point Of Sale (POS) device breaches. Despite the fact that PCI requires organizations to review the logs for these devices, in Verizon’s report 100% of them were detected through external means. In other words, not one of the organizations in the report detected the POS device compromise through log review! However, a C2 channel would have been used to control the POS device and that C2 session could have been detected via a network threat hunt.
3) What is the Primary Difference Between Threat Hunting and Threat Detection?
Cyber threat hunting is a relatively new security vertical. With this in mind, it’s not uncommon to hear multiple phrases that mean the same thing before one actually “sticks”. There does not appear to be a difference between the terms “threat hunting” and “threat detection”.
4) What Are the Key Benefits of Threat Hunting?
The primary deliverable of a threat hunt is a compromise assessment. We effectively check every IP address connected to the network to see if there are any Indicators of Compromise (IoC). Think of this as an active check of the system’s security integrity. While this statement sounds relatively straight forward, in large environments it can take a lot of work to verify every system. However, it’s the only way to know for sure if bad actors are already on the network.
5) What’s Required to Start Threat Hunting?
The first step is to identify what checks you wish to perform, and what data is needed to perform that check. For example, if you want to hunt for C2 communications you need a way to analyze all traffic passing between the internal network and the Internet. This is usually accomplished by capturing traffic at the internal interface of the firewall. This may be done with a network tap or by leveraging a switch span port. Once the data is collected, you now need tools and processes that will distinguish between C2 communications and normal traffic patterns. C2 can be pretty stealthy, so you may need the ability to analyze the traffic in 4 hour, 12 hour or more “chunks” of time.
6) Is There a Difference Between Cyber Threat Hunting and Network Threat Hunting?
Cyber threat hunting is a generic term that covers all types of adversary detection. This could be on the network or on each individual host itself. Network threat hunting, as the name implies, is specifically looking for adversaries by analyzing network traffic.
7) Are There Any Prerequisites Before Learning About Threat Hunting, Like Programming or Operating System Knowledge?
It depends on how you plan to perform your hunts. If you will be performing network threat hunting, it’s extremely helpful to have a good working knowledge of networking and protocol communications. For example, HTTPS communications typically use the SSL/TLS protocols over TCP port 443. Many C2 tools pass their traffic over TCP/443, but simply obfuscate it (they don’t use SSL/TLS). So if you are network savvy, and see traffic using TCP/443 that does not include the SSL/TLS handshake, you know that’s something that needs to be investigated further.
If you plan to do your hunts on the endpoints, then yes you need to have a strong working knowledge of every operating system and the applications they are using. For example, PowerShell is a powerful scripting language built into the Windows operating system. It is extremely rare that anyone outside of the IT or security teams would have a legitimate reason for using it. So as a threat hunter, you would need to know that Nancy in accounting running PowerShell is probably an indication that her system has been compromised.
8) Can I Use What’s Detected in My Hunt to Improve My Organization’s Security?
Absolutely! Even when adversaries are not detected, you may still find patterns that increase business risk. As an example, many organizations have hardware or software that is managed by outside third parties. These third parties will typically leverage some form of remote desktop software (RDP, TeamViewer, etc.) to manage the system. These connections usually get detected when hunting for C2 traffic, as the communication patterns are quite similar. The process of identifying these connections should raise some obvious questions. Do we still have a contract with that third party? Can anyone on the Internet attempt to access that desktop? Can I tell when the remote session is being actively used? So even if there is a legitimate business need for the remote desktop session, having it get flagged during a threat hunt can help to ensure it has been properly secured.
9) Should You Learn to Test in Multiple Environments Like Regular Systems, Virtual Machine Systems, and Servers, Albeit in Restricted Systems That Do Not Impact Production?
This depends on how the threat hunts will be performed. If you will be reviewing packet captures of traffic, then no, as this will not have any impact on production communications. Besides making copies of the traffic, it is completely a passive function. If hunting will require that certain agent software be deployed to every end point, then you should absolutely test this thoroughly prior to impacting production systems.
10) Is Threat Hunting Just Devoted to Finding Internal Cyber Threats, or Does it Involve More Than That?
As mentioned, a threat hunt is effectively a compromise assessment. While the core focus is on finding adversaries, it has many secondary benefits as well. For example, a threat hunt is also vetting your security processes. Is an adversary is found, we can perform an analysis to identify the initial point of compromise. This will identify where our protection solutions were insufficient at keeping adversaries off of the network. We now have solid data that identifies a weak link in our security that needs further attention. If we want to invest in cyber insurance, having a compromise assessment that identifies that each system on our network was checked and validated to be clean may help us negotiate lower insurance rates.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.