Threat hunting is the process of actively searching for malware and intruders within your network. The widely accepted way to perform threat hunting is with a SIEM solution, which provides visibility of an organization's network, endpoints, and applications, any of which can show indications of an attack.
SIEM solutions collect logs centrally from a variety of sources, such as servers, firewalls, security solutions, and antivirus products. Assuming compromise helps security organizations mature and respond effectively to the growing number of security threats.
As cybercriminals continue to evolve and find new ways to penetrate IT systems, the importance of threat hunting will only increase.
Even though most security tools can thwart 80% of threats with ease, the other 20% remain undetected. These threats are likely to be more dangerous and capable of causing greater harm. This gap highlights the need for automated threat hunting, which reduces the time between intrusion and detection.
Each threat hunt should begin with a threat-hunting hypothesis: a statement that describes a tactic, technique, or other aspect of your organization. The hypothesis must be testable and produce a true or false outcome. Once the threat-hunting hypothesis has been developed, use these seven types of hunt to look for suspicious anomalies that may indicate a threat:
1. Recognizing Suspicious Software
Locally installed malware is used by attackers for many purposes, including data exfiltration, automation, and persistence. Malware must be running as a process before an attacker can use it, so you can spot possible attacks by looking for software running where it does not belong.
There are two ways to identify suspicious software: by process name or by hash. If you can send log data from your EDR solution to your SIEM, you gain more chances to identify suspicious software.
When only the processes or hashes on a given endpoint are monitored, IT gets a flat picture of what's happening. Monitoring becomes more focused on endpoint or user behavior when other factors are added, such as whether a particular process is normal for a certain user, or which parent process led to the potentially suspicious process.
The same sources tell you which parent process or user started a new process, which lets you pinpoint its source. These combinations provide the background information needed to decide whether an investigation is warranted.
2. Scripting Abuse
To avoid detection, attackers tend to avoid procedures that could alert IT. Instead they use scripting languages through PowerShell or Windows Scripting Host, both of which are already installed on the endpoints.
The easiest way to hunt for this is to keep an eye on the scripting engines: the CScript, WScript, and PowerShell processes indicate that a script has been launched. This visibility will probably require additional logging, such as Sysmon logs, PowerShell operational logs, and command-line parameters.
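The hunts in sections 1 and 2 both run over the same process-creation telemetry, so one added example serves both: it is example code written for this article, not part of the original, and it works on constructed Sysmon-style events with placeholder hashes; the allow-list, the list of Office parents, and the scripting-engine names are assumptions. It flags unknown hashes, Office applications spawning children, and scripting-engine launches, using the command line for the detail.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe",
     "sha256": "aaa1", "cmdline": "outlook.exe"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe",
     "sha256": "bbb2", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "ws02", "user": "bob", "parent": "services.exe", "image": "svchost.exe",
     "sha256": "zzz9", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "wscript.exe",
     "sha256": "ccc3", "cmdline": r"wscript.exe C:\Users\bob\Downloads\invoice.vbs"},
]

# Hypothetical allow-list of known-good binary hashes (values are placeholders).
KNOWN_HASHES = {"aaa1", "bbb2", "ccc3"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ENCODED_FLAG = re.compile(r"-e(nc|ncodedcommand)?\b", re.IGNORECASE)


def hunt(events, known_hashes=KNOWN_HASHES):
    """Return (event, reasons) pairs for every event that trips at least one hunt rule."""
    hits = []
    for ev in events:
        reasons = []
        # Hunt 1: a hash absent from the allow-list means software we do not recognise.
        if ev["sha256"] not in known_hashes:
            reasons.append("unknown hash")
        # Hunt 1, with context: an Office application as the parent is rarely normal.
        if ev["parent"].lower() in OFFICE_APPS:
            reasons.append(f"spawned by {ev['parent']}")
        # Hunt 2: a scripting engine was launched; the command line supplies the detail.
        if ev["image"].lower() in SCRIPT_ENGINES:
            reasons.append("script engine")
            if ENCODED_FLAG.search(ev["cmdline"]):
                reasons.append("encoded command")
            if ev["cmdline"].lower().endswith((".vbs", ".js", ".ps1")):
                reasons.append("script file from command line")
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, why in hunt(EVENTS):
        print(f"{ev['host']} {ev['user']} {ev['parent']} -> {ev['image']}: {', '.join(why)}")
```

Each reason is one line of the "background information" the text refers to; the analyst decides from the combination, not from any single rule.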
3. Antivirus Follow-Up
The use of antivirus data across your entire enterprise can help you identify whether and where malware is spreading in your environment. Antivirus log data can also serve as a source of intelligence for identifying elevated privileges or network segmentation problems in your environment.
4. Persistence
After an attacker gains control of an endpoint, they will want to maintain that control even if the machine is rebooted or the malicious process is terminated. By using the common mechanisms for launching applications, attackers ensure that their code runs every time the system starts or a user logs in.
Monitoring can be based on a baseline of the users, processes, and registry keys that change frequently. The registry keys in particular must be monitored, with as much detail as possible recorded about each change.
5. Lateral Movement
Once inside, attackers hop from one endpoint to another across the network until they find the system that contains the important data.
Odd user or endpoint combinations and abnormal network connections between computers are early warning signs that a threat actor may be trying to migrate laterally within a network. It is important to keep an eye out for any abnormal use of privileged accounts, or indications that they have been compromised.
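Sections 4 and 5 both come down to comparing today's events against a baseline, so one added example covers both; it is example code for this article, not the original's, and it uses constructed logon and Run-key events. The Run key path is the standard per-user one; the privileged-account list and the host names are assumptions.

```python
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PRIVILEGED = {"svc_backup", "administrator"}   # assumed list of privileged accounts

# Constructed events (not real telemetry). A "logon" event feeds the lateral-movement
# hunt; an "autorun" event (a Run-key value seen on a host) feeds the persistence hunt.
HISTORY = [
    {"kind": "logon", "user": "alice", "host": "ws01"},
    {"kind": "logon", "user": "bob", "host": "ws02"},
    {"kind": "logon", "user": "svc_backup", "host": "srv-backup"},
    {"kind": "autorun", "host": "ws01", "key": RUN_KEY + r"\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
TODAY = [
    {"kind": "logon", "user": "alice", "host": "ws01"},             # routine
    {"kind": "logon", "user": "alice", "host": "srv-fileshare"},    # never seen before
    {"kind": "logon", "user": "svc_backup", "host": "ws02"},        # privileged, new host
    {"kind": "autorun", "host": "ws01", "key": RUN_KEY + r"\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"kind": "autorun", "host": "ws01", "key": RUN_KEY + r"\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\upd.exe"},          # new Run-key value
]


def fingerprint(ev):
    """The combination that must already exist in the baseline for an event to be routine."""
    if ev["kind"] == "logon":
        return ("logon", ev["user"], ev["host"])
    return ("autorun", ev["host"], ev["key"], ev["value"])


def build_baseline(events):
    """Set of every fingerprint observed during the baseline period."""
    return {fingerprint(ev) for ev in events}


def find_anomalies(baseline, events):
    """Return (event, reason) for each event whose fingerprint is not in the baseline."""
    found = []
    for ev in events:
        fp = fingerprint(ev)
        if fp in baseline:
            continue
        if fp[0] == "autorun":
            reason = "new autorun entry"          # persistence: key and value are kept
        else:
            reason = "new user/host pair"         # lateral-movement candidate
            if ev["user"] in PRIVILEGED:
                reason += " for privileged account"
        found.append((ev, reason))
    return found
```

The full event is returned with each reason so the registry key and value, or the user and host, are available for the follow-up investigation.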
6. DNS Abuse
Endpoints should only send appropriately sized DNS requests to the configured DNS servers. There are several ways to keep an eye on DNS abuse: monitoring changes to the hosts file and the DNS configuration, watching for DNS rebinding requests, and flagging huge amounts of DNS traffic from a single source (which can indicate data being smuggled over port 53).
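The two DNS indicators that show up in query logs, oversized names and high volume from one source, as an added example written for this article rather than taken from it. The log line format, the thresholds (scaled down to fit the sample), and the hex labels are all constructed.

```python
from collections import defaultdict

# Constructed DNS query log; assumed line format "HH:MM:SS client qname qtype".
# The long hex labels are made-up strings standing in for encoded data, not real domains.
LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778.t.example.net TXT
10:00:03 10.0.0.7 8899aabbccddeeff00112233445566778899aabbccddeeff.t.example.net TXT
10:00:04 10.0.0.7 ffeeddccbbaa99887766554433221100ffeeddccbbaa9988.t.example.net TXT
10:00:04 10.0.0.7 deadbeefcafef00d0123456789abcdef0123456789abcdef.t.example.net TXT
10:01:10 10.0.0.9 www.example.com A
10:01:11 10.0.0.9 cdn.example.com A
10:01:12 10.0.0.9 api.example.com A
10:01:13 10.0.0.9 img.example.com A
"""

LABEL_MAX = 40     # a single label this long is unusual for a hostname
NAME_MAX = 100     # and so is a query name this long overall
RATE_MAX = 3       # queries per client per minute; deliberately low for the sample


def parse(line):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype


def oversized(qname, label_max=LABEL_MAX, name_max=NAME_MAX):
    """True when the name's length suggests data is being carried in the query itself."""
    return len(qname) > name_max or max(len(lbl) for lbl in qname.split(".")) > label_max


def hunt_dns(log, rate_max=RATE_MAX):
    """Return (oversized queries, noisy (client, minute) buckets) from a query log."""
    per_minute = defaultdict(int)
    big = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = parse(line)
        per_minute[(client, ts[:5])] += 1          # bucket volume by client and minute
        if oversized(qname):
            big.append((client, qname, qtype))
    noisy = {k: n for k, n in per_minute.items() if n > rate_max}
    return big, noisy
```

In a real deployment the rate threshold comes from your own baseline of queries per client, and a client that is both noisy and sending oversized names is the one to look at first.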
7. Bait the Bad Guy
Baiting an attacker widens the idea of a honeypot to include accounts, files and shares, systems, networks, etc., as a way of detecting an attack without putting the production environment at risk.
Theoretically, you can pick out the elements you want to mimic, create a virtual honeypot, and then make it accessible to attackers by opening ports that are susceptible to attack, utilizing weak passwords, and making the overall environment more attractive.
Conclusion
Not every company can afford a layered security plan with multiple technologies providing cutting-edge defense against attacks. Log data combined with a cybersecurity solution lets organizations identify risks faster than waiting for automatic detection.
Security teams can identify threats faster by using threat hunting. They are able to view both active and leading indicators of an attack. By reducing their threat surface, organizations can better understand where their defenses and security flaws are, as well as how attacks work.