CDC Cyber Defence Center Detect Threat Hunting
Home Cyber Threat Detection Threat Hunting Honeypots
Cyber threat hunting is an active cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.
Methodologies
Threat hunting has traditionally been a manual process, in which a security
analyst sifts through various data information using their own knowledge and
familiarity with the network to create hypotheses about potential threats, such
as, but not limited to, Lateral Movement by Threat Actors. To be even more
effective and efficient, however, threat hunting can be partially automated, or
machine-assisted, as well. In this case, the analyst uses software that
leverages machine learning and user and entity behavior analytics (UEBA) to
inform the analyst of potential risks. The analyst then investigates these
potential risks, tracking suspicious behavior in the network. Thus hunting is an
iterative process, meaning that it must be continuously carried out in a loop,
beginning with a hypothesis. The hypothesis can focus efforts on known exploits,
potential bad actors or assets and data of value. Using security data, industry
reports and other intelligence, the hypothesis is formed, and the hunt team sets
out to prove or disprove its validity. Cyber threat hunts often employ both
automated and manual tools and techniques to identify a compromise before it is
detected. There are three types of hypotheses:
Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk
scores that can also serve as hunting hypotheses"
Situational-Awareness
Driven: "Crown Jewel analysis, enterprise risk assessments, company- or
employee-level trends"
Intelligence-Driven: "Threat intelligence reports,
threat intelligence feeds, malware analysis, vulnerability scans"
The analyst
researches their hypothesis by going through vast amounts of data about the
network. The results are then stored so that they can be used to improve the
automated portion of the detection system and to serve as a foundation for
future hypotheses.
The Detection Maturity Level (DML) model expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy, or tactics, techniques and procedure (TTP) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses. SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.
Cyber threat
hunting providers
Representative notable vendors of threat hunting software
and services include:
Hunters
Mantix4
Anomali
Match
Cylance
Carbon Black
CrowdStrike
Cybereason
Darktrace
EclecticIQ Platform
Elastic
Endace
Endgame, Inc.
ExtraHop Networks
Fidelis CyberSecurity
One eSecurity
Sqrrl
Securonix SNYPR
Nucleon.sh
Senseon
Symantec DeepSight
Vectra AI
SentinelOne
The SANS Institute
has conducted research and surveys on the effectiveness of threat hunting to
track and disrupt cyber adversaries as early in their process as possible.
According to a survey released in 2017, "60% of those who hunt for threats
reported measurable improvements in their InfoSec programs based on their
hunting efforts, and 91% report improvements in speed and accuracy of response."
Indicators
There are two types of indicators:
Indicator of compromise - An indicator of compromise (IOC) tells you that an
action has happened and you are in a reactive mode. This type of IOC is could by
looking inward at your own data from transaction logs and or SIEM data. Examples
of IOC include unusual network traffic, unusual privileged user account
activity, login anomalies, increases in database read volumes, suspicious
registry or system file changes, unusual DNS requests and Web traffic showing
non-human behavior. These types of unusual activities allow security
administration teams to spot malicious actors earlier in the cyberattack
process.
Indicator of Concern - Using Open-source intelligence (OSINT), data
can be collected from publicly available sources to be used for cyberattack
detection and threat hunting.
Tactics, Techniques and Procedures (TTPs)
The SANS Institute identifies a threat hunting maturity model as follows:
Initial - At Level 0 maturity, an organization relies primarily on automated
reporting and does little or no routine data collection.
Minimal - At Level 1
maturity, an organization incorporates threat intelligence indicator searches.
It has a moderate or high level of routine data collection.
Procedural - At
Level 2 maturity, an organization follows analysis procedures created by others.
It has a high or very high level of routine data collection.
Innovative - At
Level 3 maturity, an organization creates new data analysis procedures. It has a
high or very high level of routine data collection.
Leading - At Level 4
maturity, automates the majority of successful data analysis procedures. It has
a high or very high level of routine data collection.
Dwell Time
Cyberattackers operate undetected for an average of 99 days, but obtain
administrator credentials in less than three days, according to the Mandiant
M-Trends Report. The study also showed that 53% of attacks are discovered only
after notification from an external party.
Mean
Time to Detection
In 2016, it took the average company 170 days to detect an
advanced threat, 39 days to mitigate, and 43 days to recover, according to the
Ponemon Institute.