FAQ Cyber Threat Hunting: 10 most frequently asked questions about proactively hunting cyber threats!
by Svenja Koch
Are you still new to the topic of Cyber Threat Hunting and have many questions that you would like to have answered by a real expert? No one can do this better than a long-standing expert from the Cyber Threat Hunting scene, which originated in the USA: Chris Brenton from Active Countermeasures INC, our partner for Active Cyber Defense, answers the 10 most frequently asked questions about threat hunting in today's blog post. Join us now to become a Threat Hunting Insider - enjoy reading!
1) Is threat hunting a "real" independent product category in cybersecurity?
Absolutely. In the past, only passive solutions were widely chosen to ensure the cyber security of companies. Only or mainly traditional IT security solutions were (and still are) deployed and then assumed to keep cybercriminals out - until we were proven wrong and it was too late. Certainly, log scanning is useful, but it is usually superficial at best, checking for obvious entries such as failed logins. Threat hunting, on the other hand, is an active process. We assume that the worst has already happened - that the network has been compromised - and assume that one or more hosts are likely to be affected. We then scan the network for telltale signs of command and control (C2) traffic. Some solutions do this to some extent, but the catch is that you need an experienced analyst behind the keyboard who knows exactly what to look for. To make threat hunting successful, there need to be products on the market that have the intelligence to make threat hunting possible for less experienced security personnel.
2) What are the key benefits of threat hunting?
The primary outcome of a threat hunt is a correct classification and assessment of the detected compromises. We effectively check every IP address connected to the network to see if there are any Indicators of Compromise (IoC). Think of this as actively checking the security integrity of the system. While this statement sounds relatively simple, in sprawling network environments it can take a lot of work to check every system. However, it is the only way to know for sure if criminal actors are already on the network.
3) What is required to start threat hunting?
The first step is to figure out what checks you want to do and what data is needed to do them. For example, if you want to look for C2 communications, you need a way to analyse all traffic between the internal network and the Internet. This is usually achieved by recording the traffic at the internal interface of the firewall. This can be done with a network tap or by using a switch SPAN port. Once the data is collected, you then need tools and processes that can distinguish between C2 communications and normal traffic patterns. C2 can be quite inconspicuous, so you need the ability to analyse traffic in time slices of 4 hours, 12 hours or more.
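The time-slice analysis described above can be illustrated with a small beacon-regularity check over connection records. This is an added example, not code from the original post or from Active Countermeasures; the records, hosts and thresholds are constructed.

```python
"""Added example: score (src, dst, dport) pairs for beacon-like regularity
over a multi-hour window. Records are constructed sample data in a
Zeek-like (timestamp, src, dst, dport) shape, not captured traffic."""
from collections import defaultdict
from statistics import median

# Constructed sample: host .10 contacts 203.0.113.5:443 every ~600 s
# (with a little jitter) for 4 hours; host .11 browses a web server at
# irregular, human-looking times.
SAMPLE_CONNS = (
    [(600 * i + (i % 3), "10.0.0.10", "203.0.113.5", 443) for i in range(24)]
    + [(t, "10.0.0.11", "198.51.100.7", 443)
       for t in (50, 90, 2000, 2100, 7300, 9100, 14000)]
)

def beacon_scores(conns, min_conns=10):
    """Return {(src, dst, dport): (count, median_interval, jitter)} for pairs
    with at least min_conns connections. jitter = MAD / median interval, so
    0.0 is a perfectly regular timer and values near 1 are irregular traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_pair[(src, dst, dport)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        mad = median(abs(g - med) for g in gaps)
        scores[pair] = (len(times), med, mad / med if med else 0.0)
    return scores

def suspected_beacons(conns, max_jitter=0.2, min_conns=10):
    """Pairs regular enough to deserve an analyst's attention."""
    return [pair for pair, (_, _, jitter) in beacon_scores(conns, min_conns).items()
            if jitter <= max_jitter]
```

A regular timer alone is not proof of C2 (NTP, update checks and monitoring agents beacon too); the score only ranks which pairs to look at first.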
4) Is Cyber Threat Hunting with IoT devices a realistic practice?
It depends on how you conduct your threat hunting. If you are trying to audit system logs, IoT devices typically log very little and provide poor documentation of the log entries they generate. If you are hunting on the network, you can certainly include IoT devices. TCP/IP is TCP/IP and it doesn't matter if the endpoint is a Windows desktop, a network device, a heat sensor or an HVAC system. Take a look at the 2019 Verizon Breach Report as an example. In particular, the section that talks about point-of-sale (POS) device breaches. Despite the fact that PCI requires organisations to review logs for these devices, 100% of breaches in Verizon's report were discovered through external means. In other words, none of the organisations in the report discovered POS device compromise through log review! However, a C2 channel was used to control the POS device, and this C2 session could have been discovered through a network threat hunt.
5) What is the main difference between Threat Hunting and Threat Detection?
Cyber threat hunting is a relatively new area of security. With this in mind, it is not uncommon to hear several terms meaning the same thing before one really "sticks". There seems to be no difference between the terms "threat hunting" and "threat detection".
6) Is there a difference between Cyber Threat Hunting and Network Threat Hunting?
Cyber threat hunting is a general term that covers all types of attacker detection. This can be on the network or on each individual host itself. Network Threat Hunting, as the name suggests, specifically looks for attackers by analysing network traffic.
7) Are there any prerequisites for learning Threat Hunting, such as programming or operating system knowledge?
It depends on how you want to do your threat hunting. If you want to perform threat hunting over the network, it is extremely helpful if you have a good knowledge of network and protocol communication. For example, HTTPS communications typically use the SSL/TLS protocols over TCP port 443, and many C2 tools route their traffic over TCP/443 but simply obfuscate it (they don't use SSL/TLS). So if you know your way around the network and see traffic over TCP/443 that doesn't include an SSL/TLS handshake, you know this is something that needs to be investigated further. If you plan to do your search on the endpoints, then you need to be familiar with each operating system and the applications they use. For example, PowerShell is a powerful scripting language built into the Windows operating system. It is extremely rare for anyone outside of the IT or security teams to have a legitimate reason to use it. So, as a threat hunter, you would need to know that Ms. Miller in Accounting running PowerShell is probably an indication that your system has been compromised.
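The TCP/443 heuristic in the answer above (traffic on the HTTPS port that never performs an SSL/TLS handshake) can be checked mechanically on the first client bytes of each flow. This is an added example, not code from the original post; the flow records are constructed, and the ClientHello body is a minimal stand-in rather than a full handshake message.

```python
"""Added example: flag TCP/443 flows whose first client bytes are not a TLS
ClientHello. Flow records below are constructed sample data."""
import struct

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record of type handshake (0x16)
    carrying a ClientHello (handshake type 0x01) with consistent lengths."""
    if len(payload) < 9:
        return False
    rec_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record-layer version is 3.x for SSL 3.0 through TLS 1.3.
    if rec_type != 0x16 or ver_major != 0x03 or ver_minor > 0x03:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake body is the record body minus its own 4-byte header.
    return hs_type == 0x01 and hs_len == rec_len - 4

def build_client_hello(body: bytes) -> bytes:
    """Wrap a constructed ClientHello body in handshake and record headers."""
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed flows: (src, dst, dport, first bytes sent by the client).
SAMPLE_FLOWS = [
    # Normal HTTPS: version 3.3, 32-byte random, empty session id (constructed).
    ("10.0.0.10", "198.51.100.7", 443,
     build_client_hello(b"\x03\x03" + b"\x00" * 32 + b"\x00")),
    # Plain-text HTTP on 443: no handshake at all.
    ("10.0.0.11", "203.0.113.5", 443,
     b"GET /update HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),
    # Record type 0x17 (application data) with no preceding handshake.
    ("10.0.0.12", "203.0.113.9", 443, bytes.fromhex("17030300a1deadbeef")),
    # Port 80 is out of scope for this particular check.
    ("10.0.0.13", "192.0.2.20", 80, b"GET / HTTP/1.1\r\n"),
]

def non_tls_on_443(flows):
    """Return (src, dst) for port-443 flows that do not open with a ClientHello."""
    return [(src, dst) for src, dst, port, first in flows
            if port == 443 and not looks_like_tls_client_hello(first)]
```

Hits from this check are leads for the analyst, not verdicts: some legitimate VPN and tunnelling products also use 443 without TLS, which is exactly the kind of finding question 8 below discusses.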
8) Can I use the information discovered during Threat Hunting to improve the security of my organisation?
Absolutely! Even if attackers are not detected, you can find patterns that increase business risk. For example, many organisations have hardware or software that is managed by external third parties. These third parties typically use some form of remote desktop software (RDP, TeamViewer, etc.) to manage the system. These connections are usually discovered when searching for C2 traffic, as the communication patterns are quite similar. The process of identifying these connections should raise some obvious questions. Do we still have a contract with this third party? Could anyone on the Internet potentially try to access this desktop? Can I tell when the remote session is being actively used? So even if there is a legitimate business need for the remote desktop session, it may be helpful to flag it in a threat hunt to ensure it has been properly secured.
9) Should I learn to test threat hunting in different environments that do not affect production (e.g. regular systems, virtual machines, servers as well as restricted systems)?
This depends on how the threat hunting is done. If you are checking packet captures of traffic, then no, as this has no impact on production communications. Apart from making copies of the traffic, it is a completely passive function. However, if threat hunting requires specific agent software to be installed on each endpoint, be sure to test this thoroughly before risking impacting production systems.
10) Is threat hunting only dedicated to detecting internal cyber threats or does it encompass more than that?
As mentioned earlier, threat hunting is essentially a compromise assessment. While the main focus is on finding adversaries, it also has many secondary benefits. For example, a threat hunt also checks your security processes. If an attacker is found, we can immediately perform an analysis to identify the point of compromise. This allows us to identify where our protection solutions were not sufficient to keep attackers off the network. We thus have solid data that identifies a weakness in our IT security that requires further attention. For example, if we want to invest in cyber insurance, a compromise assessment proving that every system on our network has been checked and found to be clean can help us negotiate lower insurance rates.