What is Cyber Threat Hunting – Video Blog
Video Transcript
Chris: (00:00)
Hey folks, I’m Chris Brenton. And in this video, I’m gonna walk you through what is cyber threat hunting, or typically referred to as just threat hunting for short, and what does that process look like. So cyber threat hunting is a proactive validation of the integrity state of all the systems on our network. Historically, what we’ve done is we’ve said, “Hey, if I don’t send any alerts, I must be okay.” Right? That’s kind of how it’s worked with your boss. If your boss says, “Hey, are any of our systems compromised?” you say, “Well, I don’t think so, because we haven’t seen any alerts.” But that’s not a positive validation, right? We’re just saying, “Well, we haven’t seen anything negative, so I’m gonna assume the best.” Well, threat hunting takes that and spins it around and says, no, we’re gonna actively test all of our systems to make sure the integrity state is still high.
Chris: (00:49)
A threat hunt needs to include everything connected to the network. And this is what can make it a challenge. You may have Windows systems, Linux systems, you know, switches, routers, Internet of Things devices, printers, et cetera. All of that needs to be validated across the board. The output of a threat hunt is what’s referred to as a compromise assessment. In other words, are we currently compromised? Yes or no. Threat hunting goes through and tries to assess the possibility of that. So where does this fit in our model? You know, in other words, does threat hunting replace anything we’ve done historically? And yet it does. Historically, what we’ve done is we’ve said, “Well, we’ll send all of our logs to a central location. We’ll write some signatures. And if we get an alert, we know we need to respond to that.” And of course, that doesn’t work; we never get logs from everything.
Chris: (01:37)
Signatures only catch things that we’ve known about in the past. Attackers are constantly changing what they’re doing, thus why we’re doing threat hunting now, thus why we’re doing that positive validation to check our integrity state. When you look at the tools we have for security, they tend to fall into one or two buckets. They’re protection-based; these are the things we do to try and keep the bad people out. Or they’re response-based; this is what we do once we know the attacker’s in. The gap we’ve had, and it’s typically a six-month gap, is: how do I figure out when my protections have failed and I need to go into incident response mode? And I said, typically, that is a gap of about six months. For six months they’ve been on our network before we figure it out. Threat hunting attempts to reduce that time as much as possible.
Chris: (02:26)
So rather than six months, maybe we’re responding in days, or even better, possibly within hours. One of the traits of threat hunting is that it should be undetectable. By that, I mean, you know, don’t cross the passive/active line. What does that mean? Well, that means that if I’m reviewing logs in my centralized logging system, or if I’m looking at traffic on the network, those are passive functions. If I have an attacker on a system, they’re not going to be privy to the fact that I’m doing any of that type of an evaluation. Now imagine I’m looking at a system
Chris: (02:59)
And I say, “Hmm, it looks a little suspicious. I need to identify the processes running on it, and I want to do a, you know, dump of RAM and all these other things.” In other words, I want to go hands-on keyboard. Well, as soon as we go hands-on keyboard, if an attacker owns that system, they may detect that activity. They may identify we’re onto them. They may change what they’re doing on our network. So we need to be very careful in crossing that line into doing something that could be detected by the attacker, even if it’s something that we think is as benign as isolating the system. As soon as we isolate that system, if the attacker is on other systems in our network, they may detect that; they may see that, and they may do something different. And I’ve seen situations where once an attacker knows the jig is up, they start going scorched earth. They start doing as much damage as they can on the way out. What if I need to go hands-on keyboard? Well, if I need to go hands-on keyboard or do something that could be detected, we need to be in incident response mode. We need to have a lot of smart people together that have their verticals that they’re really good at, so we can collaborate and make sure that what we’re doing next is the best path forward. So that’s threat hunting in a nutshell. Hopefully, you found that useful.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product-market fit.