How to Threat Hunt – Video Blog
Video – How to Threat Hunt
Hey folks. I’m Chris Brenton. In a previous video, I talked about what threat hunting is. In this video, I’d like to talk about the process of threat hunting. In other words, now that I understand what threat hunting is, if I wanted to do threat hunting on my network, what does that process actually look like? So threat hunting is an integrity check of all of the systems on our network: our desktops, our servers, printers, you name it. If it’s plugged into the network, we need to go through and check it. We’re checking these systems with the goal of coming up with one of two dispositions. I know this says three, but really it’s two, and the two dispositions are: I’m pretty certain the system’s safe, or I’m pretty certain the system’s compromised, and we’re gonna have a bad day, slash week, slash possibly months, depending upon how extensive this is.
The third one is “I’m not sure.” Well, “I’m not sure” simply means I need to create new ways to collect data, or get additional data, to be able to come back to one of those first two dispositions. So what we’re really trying to do is a compromise assessment. We’re trying to identify what the current integrity state is on each of our systems. So where do we start? The best place to start is on the network. Why? Well, we’ve historically done centralized logging, right? Try to get everything to the centralized log, try to write some signatures, try to respond to alerts. And we’ve seen, we have plenty of data to show, that doesn’t work. You know, it takes months, if at all, to detect an attacker under those types of conditions. So start with the network, because everything we want to validate is plugged into the network.
The other nice thing about the network is, if I want to check host logs from a Windows system, I need a different set of skills than if I want to check, let’s say, the host logs that are associated with a Cisco router or a Linux box or a video camera, or whatever. With the network, packets are packets. So the same way I would validate a Windows system is the same way I’d validate a Linux system. I don’t even have to know they’re different. Doesn’t matter. I’m gonna go through and check them out the same way. So what’s nice about this is I have one consistent process I can use to validate everything that’s on my network. What does that process look like? Typically what we want to do is monitor what traffic is leaving our protected environment and headed out towards the internet. And within that data, we’re gonna look for certain things. The first thing we’re gonna look for is patterns of persistency. What’s persistency? Persistency means my internal system is in constant communication with that host out on the internet. So it may hold the connection open all the time. It may be calling out to that host once per minute, every 10 minutes, whatever the case may be. If I’m seeing a pattern of persistency, that’s something that needs to be investigated,
because there needs to be a business reason for that. For example, if my system is calling out to a system on the internet on a regular basis, and it’s to check what time it is, that’s fine. If it’s calling out on the internet to see whether there are any new security patches that need to be installed, that’s fine. But if my system’s calling out to an IP address in KSU, China, and I don’t have a field office, business partner or vendor in KSU, China, that’s suspect; that’s something I need to pay attention to and dig into a little bit deeper. So once we identify connection persistency, we then wanna look and say, is there a real, legitimate business need? Pro tip: get to know your purchasing department, because your purchasing department is going to be able to help you figure out what services your organization is paying for.
So if I see a connection going to Acmecorp, they may be able to answer to me, “oh yeah, the marketing department is buying products from Acmecorp.” That may help me run down business need. If I can’t identify a business need, now I wanna look for abnormal protocol behavior. Things like, hey, it’s going to TCP 443, which is normally HTTPS traffic, but it’s not HTTPS traffic. It’s something encrypted or obfuscated, but it’s not actually using a real SSL/TLS handshake. That would be abnormal protocol behavior. We wanna look for things like that. That may help make us privy that, yeah, this may be something we need to be concerned about. Numbers four and five: which order to do these in really depends on your internal environment. If I collect a lot of data from my hosts, let’s say I record every process that runs on every internal system,
I may want to do step five before step four. What we’re trying to do is some validation to identify: is this system trustworthy? Do I understand why this connection’s taking place? For most environments that just let people connect, get a DHCP address and then connect to the internet, where there are really no controls in place for those endpoints, you’re better off going after that external IP to figure out if it’s something trustworthy or not. If you do collect that internal data, it may make sense to go after the internal system first. So steps four and five could be interchangeable. It really depends upon which one is easiest for you, because we want to go through the steps that are gonna help clear a system as quickly as possible, assuming it’s not in a compromised state. Once I go through those five steps, my final step is to disposition that system.
Is it a threat or not? Yes or no. If it’s not, okay, whatever it was I saw that looked interesting to me, that made me go through these steps, that needs to get added to a safe list. Hey, my system is checking what time it is on this particular source out on the internet. That persistency is something we can ignore going forward in the future. What’s nice about that is, tomorrow or next week when I do a threat hunt, that doesn’t show up anymore, because that’s one of my safe-listed connections. System checking for patching? Don’t have to look at that anymore. That doesn’t show up in future threat hunts. So when you do this right, your first threat hunt might take, just to throw out a round number, let’s say 12 hours. Your second one may take five hours. Your third one may take two hours.
And then after that, these start taking maybe 20 minutes each time. That said, by adding things to your safe list and eliminating them from having to be reevaluated over and over again, threat hunts can go faster and faster for you. If we think the system is compromised, we need to trigger incident response. Don’t go mucking around with the box. Don’t immediately go into forensics or isolating it or anything else. Go into incident response mode. Have a good incident response plan in place in order to be able to deal with something like this. So that’s a rundown of the steps that take place as part of a threat hunt. Hope you found this helpful.
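The hunt described in the video, run over connection records, as an added example (this is not AC-Hunter’s code, nor code from the video). It assumes Zeek-style conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p, proto, service, duration); the sample records, the safe list and the thresholds are constructed for illustration. Persistency is scored two ways, a regular callback interval and a single long-held session; cleared connections go on the safe list so they drop out of later hunts, and port 443 without a TLS handshake is flagged as abnormal protocol behavior. Steps four and five (external IP reputation, internal host state) need data the script does not have, so everything not cleared is handed to the analyst as “investigate”.

```python
"""Hunt for persistent outbound connections in Zeek-style conn.log records.

Added example, not AC-Hunter's code. Field names follow Zeek's conn.log;
the thresholds, safe list and sample records are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not captured traffic). Tab-separated, one record per line.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1700000000.0\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t0.4
1700000060.0\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t0.5
1700000120.0\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t0.4
1700000180.0\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t0.6
1700000240.0\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t0.4
1700000005.0\t10.0.0.7\t198.51.100.23\t443\ttcp\t-\t1.1
1700000306.0\t10.0.0.7\t198.51.100.23\t443\ttcp\t-\t1.0
1700000604.0\t10.0.0.7\t198.51.100.23\t443\ttcp\t-\t1.2
1700000907.0\t10.0.0.7\t198.51.100.23\t443\ttcp\t-\t1.0
1700001203.0\t10.0.0.7\t198.51.100.23\t443\ttcp\t-\t1.1
1700000010.0\t10.0.0.9\t192.0.2.55\t80\ttcp\thttp\t2.0
1700001300.0\t10.0.0.9\t192.0.2.55\t80\ttcp\thttp\t1.5
1700009000.0\t10.0.0.9\t192.0.2.55\t80\ttcp\thttp\t3.2
1700000000.0\t10.0.0.12\t198.51.100.77\t8443\ttcp\t-\t86000.0
"""

# Safe list built up from earlier hunts: (resp_h, resp_p) -> business reason (assumed).
SAFE_LIST = {
    ("203.0.113.10", 443): "patch server, checks every minute",
}

MIN_CONNECTIONS = 4       # fewer than this cannot show a timing pattern
MAX_INTERVAL_CV = 0.2     # coefficient of variation of gaps; lower = more regular
LONG_CONN_SECONDS = 3600  # a single held-open session also counts as persistent
TLS_PORTS = {443}         # ports where a real TLS handshake is expected


def parse_conn_log(text):
    """Parse the tab-separated records into a list of dicts with typed fields."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rec["duration"] = float(rec["duration"])
        records.append(rec)
    return records


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between sorted timestamps (0 = perfectly regular)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def hunt(records, safe_list=SAFE_LIST):
    """Return {(orig_h, resp_h, resp_p): finding} following the steps in the video."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)

    findings = {}
    for key, recs in groups.items():
        _orig_h, resp_h, resp_p = key
        finding = {"connections": len(recs), "reasons": []}

        # Step 1: persistency, either a regular callback or a long-lived session.
        if len(recs) >= MIN_CONNECTIONS:
            cv = interval_cv(r["ts"] for r in recs)
            if cv < MAX_INTERVAL_CV:
                finding["reasons"].append(f"regular beacon, interval cv={cv:.2f}")
        longest = max(r["duration"] for r in recs)
        if longest >= LONG_CONN_SECONDS:
            finding["reasons"].append(f"long connection held for {longest:.0f}s")
        if not finding["reasons"]:
            finding["disposition"] = "not persistent"
            findings[key] = finding
            continue

        # Step 2: known business need -> cleared; the safe list does the remembering.
        if (resp_h, resp_p) in safe_list:
            finding["disposition"] = "safe-listed"
            finding["reasons"].append(safe_list[(resp_h, resp_p)])
            findings[key] = finding
            continue

        # Step 3: abnormal protocol behaviour, e.g. TCP/443 with no TLS handshake seen.
        services = {r["service"] for r in recs}
        if resp_p in TLS_PORTS and "ssl" not in services:
            finding["reasons"].append("port 443 but no TLS handshake seen")

        # Steps 4/5 (reputation of the external IP, state of the internal host)
        # need outside data; everything not cleared goes to the analyst.
        finding["disposition"] = "investigate"
        findings[key] = finding
    return findings


if __name__ == "__main__":
    for key, f in hunt(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(key, f["disposition"], "; ".join(f["reasons"]))
```

With the sample data, the minute-by-minute patch check is persistent but safe-listed, the 10.0.0.7 host beaconing every five minutes to TCP/443 without a TLS handshake and the 10.0.0.12 host holding one session open for a day are both handed to the analyst, and the three irregular HTTP visits are not persistent. In practice the safe list is keyed on destination, not source, so a whole fleet checking the same patch server clears at once.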
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product-market fit.