Building a Threat Hunting Program: A Proactive Guide

Learn how to prevent security breaches with robust defenses and quick response times.
Published on
June 12, 2024
Written by
Joshua Danielson

Today's attackers are continually bypassing even the most advanced security programs. Mid-tier penetration testers can evade top Endpoint Detection & Response (EDR) solutions, while bad actors are bypassing even the strongest forms of Multi-Factor Authentication, including FIDO authentication. The increasing sophistication of threats is causing more organizations to level up their security programs by starting threat hunting exercises. If your teams have a strong grasp of cybersecurity fundamentals, now is potentially the perfect time to start integrating threat hunting into your cybersecurity strategy.

Why Threat Hunting? 

Fundamental cybersecurity controls are no longer sufficient. Off-the-shelf hacking software can compromise many foundational elements of your cybersecurity infrastructure. Implementing a threat hunting program allows you to proactively detect and mitigate advanced threats, ensuring a stronger security posture for your organization.

Build a Threat Hunting Program

  1. Preparation and Strategy: To kickstart your threat hunting program, begin by clearly defining your objectives and scope. Identify your goals, such as detecting advanced persistent threats, improving incident response times, or uncovering security gaps. Narrow down the scope by focusing on specific systems, networks, environments or applications within your organization.

Understanding and documenting normal network and system activity is crucial for spotting anomalies. Setting baseline metrics for typical behavior, such as login times and data transfer volumes, also helps. Some of the most valuable logs for threat hunts include:

  • Domain Name System (DNS): DNS logs are critical for reviewing network traffic, whether it’s from the endpoint or the network.
  • Browser: As many interactions now occur at the browser level, having browser logs can be very useful for reviewing actions taken within target apps.
  • EDR: EDR logs are helpful for reviewing interactions on local devices from potentially malicious processes running on them.
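The baseline-then-deviate idea above (login times and volume metrics) is easy to describe and easy to get wrong in practice, so here is a worked version. This is an added example, not code from the original post: the two log formats, the user and host names and the three-day baseline are all constructed, and the z-score threshold is an assumed choice. It learns each user's usual login hours and each host's usual daily DNS query count from a baseline window, then flags logins at never-seen hours and DNS volume spikes in a later hunt window.

```python
"""Baseline-then-deviate hunt over constructed authentication and DNS logs.

Added example, not code from the original post. The two log formats below are
constructed for this example and do not correspond to any specific product:
  "2024-06-01T08:11:00Z LOGIN user=alice host=ws-01"
  "2024-06-01T09:00:00Z DNS host=ws-01 qname=site0.example"
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

AUTH_RE = re.compile(r"^(\S+) LOGIN user=(\S+) host=(\S+)$")
DNS_RE = re.compile(r"^(\S+) DNS host=(\S+) qname=(\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_baseline(lines):
    """Per user: the hours of day at which logins were observed in the baseline window."""
    hours = defaultdict(set)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            hours[m.group(2)].add(parse_ts(m.group(1)).hour)
    return hours


def daily_dns_counts(lines):
    """Per host, per calendar day: number of DNS queries seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            per_day[m.group(2)][m.group(1)[:10]] += 1
    return per_day


def dns_baseline(lines):
    """Per host: (mean, population stdev) of daily query counts in the baseline window."""
    return {host: (statistics.mean(list(days.values())), statistics.pstdev(list(days.values())))
            for host, days in daily_dns_counts(lines).items()}


def hunt(baseline_lines, hunt_lines, z=3.0):
    """Return deviations from the baseline found in the hunt window.

    Two checks: a user logging in at an hour never seen for them in the baseline,
    and a host whose daily DNS volume exceeds mean + z * stdev (stdev is floored
    at 1 so a perfectly regular baseline still yields a usable threshold).
    """
    login_hours = login_baseline(baseline_lines)
    dns_stats = dns_baseline(baseline_lines)
    findings = []
    for line in hunt_lines:
        m = AUTH_RE.match(line)
        if m:
            ts, user, host = m.groups()
            if user in login_hours and parse_ts(ts).hour not in login_hours[user]:
                findings.append(("login_outside_baseline", user, host, ts))
    for host, days in daily_dns_counts(hunt_lines).items():
        if host not in dns_stats:
            continue  # no baseline for this host: that is a separate "new asset" hunt
        mean, stdev = dns_stats[host]
        threshold = mean + z * max(stdev, 1.0)
        for day, count in sorted(days.items()):
            if count > threshold:
                findings.append(("dns_volume_spike", host, day, count))
    return findings


# Constructed sample data: three quiet baseline days, then one suspicious day.
BASELINE = []
for day in ("01", "02", "03"):
    BASELINE.append(f"2024-06-{day}T08:1{day[1]}:00Z LOGIN user=alice host=ws-01")
    BASELINE += [f"2024-06-{day}T09:0{i}:00Z DNS host=ws-01 qname=site{i}.example" for i in range(5)]
HUNT = ["2024-06-10T03:14:00Z LOGIN user=alice host=ws-01"]
HUNT += [f"2024-06-10T03:{15 + i:02d}:00Z DNS host=ws-01 qname=c{i}.example" for i in range(20)]

if __name__ == "__main__":
    for finding in hunt(BASELINE, HUNT):
        print(finding)
```

Two design points worth noting: the hunt deliberately ignores hosts with no baseline rather than guessing a threshold for them, and the stdev floor prevents a too-regular baseline from producing a threshold that fires on every small change. In a real program the baseline window would be weeks of SIEM data, not three days.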

When building the team to execute threat hunts, it is always a great idea to use a blend of senior and junior team members not only from the Security Operations Center (SOC) but also from Security Engineering teams. It is important for them to understand how security solutions can fail, so they can take lessons learned to incorporate into future projects.

  2. Executing Threat Hunts: Developing hypotheses is the next step, where you create potential threat scenarios. Use Indicators of Compromise (IoCs), such as known malicious IP addresses and file hashes, to guide your hypothesis development. Comprehensive log collection from all relevant sources, like firewalls, servers, and endpoints, can be crucial depending on your environment. Utilize advanced analytics and machine learning to analyze this data for patterns indicative of threats.

Also, it may be helpful to use a blend of both manual and automated hunts:

  • Manual Hunts: Analyze data and logs based on your hypotheses, typically leveraging your SIEM to review logs and piece together your hypotheses.
  • Automated Hunts: There are numerous tools available on the market today to help teams continuously monitor and detect suspicious activities, including those based on the MITRE ATT&CK framework, which may map to your internal processes for tracking security incidents.
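The step from "match IoCs" to "test a hypothesis" is the substance of this section, so here is an added example of both stages over the same logs. It is not code from the original post: the firewall and process log formats, the IoC values (a documentation-range IP and a placeholder hash), the host-to-IP inventory and the MITRE ATT&CK technique labels attached to hits are all constructed or assumed for illustration. Stage 1 is the flat IoC match a SIEM search would give you; stage 2 tests the hypothesis "a host that reached a known-bad IP ran a new binary shortly afterwards", which also surfaces binaries whose hash is not yet on any list.

```python
"""IoC-seeded hypothesis hunt over constructed firewall and process logs.

Added example, not code from the original post. Log formats, IoC values,
asset inventory and the ATT&CK technique labels attached to each finding are
all constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone, timedelta

FW_RE = re.compile(r"^(\S+) FW src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)$")
PROC_RE = re.compile(r"^(\S+) PROC host=(\S+) image=(\S+) sha256=([0-9a-f]{64})$")

# Constructed IoCs: a documentation-range IP (TEST-NET-3) and a placeholder hash.
BAD_IPS = {"203.0.113.45"}
BAD_HASHES = {"ab" * 32}
# Constructed asset inventory, used to join network-side IPs to endpoint-side hostnames.
HOST_IP = {"ws-05": "10.0.0.5", "ws-06": "10.0.0.6"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ioc_matches(lines):
    """Stage 1: flat IoC matching. Each hit is a lead, not yet a conclusion."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and m.group(3) in BAD_IPS:
            hits.append({"ts": m.group(1), "kind": "known_bad_ip", "src": m.group(2),
                         "ioc": m.group(3), "technique": "T1071"})  # assumed label: app-layer C2
            continue
        m = PROC_RE.match(line)
        if m and m.group(4) in BAD_HASHES:
            hits.append({"ts": m.group(1), "kind": "known_bad_hash", "host": m.group(2),
                         "ioc": m.group(4), "technique": "T1105"})  # assumed label: tool transfer
    return hits


def hunt_hypothesis(lines, window_minutes=30):
    """Stage 2: test 'a host that reached a known-bad IP executed a binary within
    window_minutes afterwards'. Also reports binaries whose hash is NOT an IoC yet."""
    window = timedelta(minutes=window_minutes)
    ip_to_host = {ip: host for host, ip in HOST_IP.items()}
    contacts = defaultdict(list)   # host -> timestamps of known-bad contacts
    procs = defaultdict(list)      # host -> (timestamp, image, sha256)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            if m.group(3) in BAD_IPS:
                contacts[ip_to_host.get(m.group(2), m.group(2))].append(parse_ts(m.group(1)))
            continue
        m = PROC_RE.match(line)
        if m:
            procs[m.group(2)].append((parse_ts(m.group(1)), m.group(3), m.group(4)))
    findings = []
    for host, times in contacts.items():
        for t0 in times:
            for t, image, sha in procs.get(host, []):
                if t0 <= t <= t0 + window:
                    findings.append({"host": host, "contact": t0.isoformat(), "image": image,
                                     "sha256": sha, "known_bad_hash": sha in BAD_HASHES,
                                     "minutes_after_contact": (t - t0).total_seconds() / 60})
    return findings


# Constructed sample logs. Only ws-05 both contacts the bad IP and runs something soon after.
LOGS = [
    "2024-06-10T10:00:00Z FW src=10.0.0.5 dst=203.0.113.45 dport=443 action=ALLOW",
    "2024-06-10T10:00:05Z FW src=10.0.0.6 dst=198.51.100.7 dport=443 action=ALLOW",
    "2024-06-10T10:02:00Z PROC host=ws-05 image=C:\\Users\\Public\\svc.exe sha256=" + "ab" * 32,
    "2024-06-10T10:03:00Z PROC host=ws-06 image=C:\\Windows\\System32\\notepad.exe sha256=" + "cd" * 32,
    "2024-06-10T11:30:00Z PROC host=ws-05 image=C:\\Windows\\explorer.exe sha256=" + "ef" * 32,
]

if __name__ == "__main__":
    print("IoC hits:", ioc_matches(LOGS))
    print("Hypothesis findings:", hunt_hypothesis(LOGS))
```

The join across data sources (network IP to endpoint hostname via the inventory) is where most real hunts stall; if your CMDB cannot answer "which host had this IP at this time", fix that before buying analytics.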

  3. Integration & Automation: For better efficiency, coordinate threat hunting activities with your Security Operations Center (SOC) if appropriate, and ensure that you incorporate findings from threat hunting into your incident response plan and playbooks to enhance future responses. Also, automate repetitive tasks such as:
  • Log Analysis: Although User and Entity Behavior Analytics (UEBA) solutions have largely failed to deliver their promised value, your teams can implement automation to enhance log analysis.
    • For example, if your EDR triggers an alert that feeds into your ticketing system, you can also build in automation that pulls telemetry such as DNS logs from the target device or even detonates malware in a sandbox environment and provides the results in the same ticket.
  • Alert Triaging: Based on the severity of an event, your teams can automate triaging. For example, if your EDR triggers a high-severity event, you may choose to automatically contain the endpoint until the event is investigated.
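The two automation patterns just described (enrich the ticket with DNS telemetry from the affected device, and auto-contain on high severity) fit naturally into one triage function. The following is an added example, not code from the original post: the alert shape, the DNS log format, the severity policy and the containment record are all constructed for illustration, and the `contain_endpoint` function stands in for the EDR vendor's isolation API call, which differs per product.

```python
"""Automated triage of an EDR alert: pull DNS telemetry for the affected host
around the alert time, summarise it into the ticket, and auto-contain by severity.

Added example, not code from the original post. The alert shape, DNS log format,
severity policy and containment record are all constructed for illustration; in a
real deployment contain_endpoint() would call the EDR vendor's isolation API.
"""
import re
from datetime import datetime, timezone, timedelta

DNS_RE = re.compile(r"^(\S+) DNS host=(\S+) qname=(\S+) rcode=(\S+)$")

# Policy (assumed): severities at which an endpoint is contained before a human looks.
AUTO_CONTAIN_SEVERITIES = {"critical", "high"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dns_telemetry(lines, host, around, window_minutes=10):
    """DNS records for `host` within +/- window_minutes of the alert timestamp."""
    window = timedelta(minutes=window_minutes)
    records = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m or m.group(2) != host:
            continue
        if abs(parse_ts(m.group(1)) - around) <= window:
            records.append({"ts": m.group(1), "qname": m.group(3), "rcode": m.group(4)})
    return records


def contain_endpoint(host, reason):
    """Containment action record; stands in for the EDR network-isolation call."""
    return {"action": "contain_endpoint", "host": host, "reason": reason}


def triage(alert, dns_lines):
    """Build the enriched ticket for one alert and return it (posting is out of scope)."""
    when = parse_ts(alert["ts"])
    records = dns_telemetry(dns_lines, alert["host"], when)
    nxdomain = sum(1 for r in records if r["rcode"] == "NXDOMAIN")
    actions = [{"action": "enrich_dns", "records": len(records)}]
    contained = alert["severity"] in AUTO_CONTAIN_SEVERITIES
    if contained:
        actions.append(contain_endpoint(alert["host"], f"auto: severity={alert['severity']}"))
    return {
        "alert_id": alert["id"],
        "host": alert["host"],
        "severity": alert["severity"],
        "dns_events": records,
        "nxdomain_count": nxdomain,   # a burst of NXDOMAIN around an alert deserves analyst attention
        "contained": contained,
        "actions": actions,
    }


# Constructed inputs: one high and one low severity alert on the same host and time.
ALERT_HIGH = {"id": "EDR-0001", "ts": "2024-06-10T12:00:00Z", "host": "ws-07",
              "severity": "high", "title": "Suspicious process tree"}
ALERT_LOW = dict(ALERT_HIGH, id="EDR-0002", severity="low")
DNS_LINES = [
    "2024-06-10T11:55:00Z DNS host=ws-07 qname=updates.example rcode=NOERROR",
    "2024-06-10T12:01:00Z DNS host=ws-07 qname=qz8f2k.example rcode=NXDOMAIN",
    "2024-06-10T12:02:00Z DNS host=ws-07 qname=m3v9xp.example rcode=NXDOMAIN",
    "2024-06-10T12:30:00Z DNS host=ws-07 qname=mail.example rcode=NOERROR",    # outside the window
    "2024-06-10T12:01:30Z DNS host=ws-08 qname=intranet.example rcode=NOERROR",  # different host
]

if __name__ == "__main__":
    for a in (ALERT_HIGH, ALERT_LOW):
        t = triage(a, DNS_LINES)
        print(t["alert_id"], "contained:", t["contained"], "nxdomain:", t["nxdomain_count"])
```

Keeping the policy in one named set and recording every action in the ticket matters more than the enrichment itself: when auto-containment takes a workstation offline at 3 a.m., the ticket should say exactly which rule did it and what telemetry was attached.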

Be aware that, depending on the sensitivity of a threat hunt, you may or may not leverage existing workflows to report findings and remediation efforts, as the results from threat hunting might be more sensitive than the typical events that find their way into incident response workflows. For example, a threat hunt based on an insider threat hypothesis may not be the best fit to have its results captured for a wider audience than those who directly need to know.

  4. Review & Feedback: Continuous improvement is key to a successful threat hunting program. Regularly review and refine your techniques and processes based on lessons learned from previous hunts. Collect feedback from your team and stakeholders to continuously enhance your program. Evaluate the effectiveness of your threat hunting efforts using metrics like:
  • Controls Improved: Tracking gaps found during threat hunts that lead to improved controls can be a great way to show the value of threat hunts to senior leadership.
  • Response Times: CrowdStrike has popularized the 1/10/60 (detect/respond/remediate) rule, which sets a good target for incident response programs to ensure that attackers are contained before they can move laterally.

Choosing the right tools that align with your program's objectives, scope, and your organization's specific needs is crucial.

Conclusion 

Building a threat hunting program involves meticulous planning, effective execution, and a commitment to continuous improvement. By following these steps and integrating the right tools, you can proactively detect and respond to threats, significantly enhancing your organization's cybersecurity posture.

For more detailed advice and personalized recommendations, reach out to our sales team at sales@kustos.com.
