To build a threat hunting team, one needs threat intelligence mindset, excellent technology engineers and pro-active tools which can give threat feed of an exploit/attack vector being seen in world space
Threat Intelligence - It is the one word we all have heard various times recently. The subject has been under constant scrutiny for a while now, but do we understand it? Moreover, since it has been viewed very differently from different viewpoints of various security professionals, to start with let’s get to the crux of it. The ultimate goal is to provide a binary answer to the question, “Do I have a compromised system in my Infrastructure?” This system can be a server or an EUD (End user device).
To understand about compromised system, there is a wonderful saying by John Strands, “Beaconing + Blacklisting=OMG! We are in trouble”. This means that any system that makes a continuous connection to a blacklisted IP is a compromised system.
In simple words, threat hunting is the black box that takes input and gives output. What are all the things it encompasses? Well, we need some way to collect info and figure out whether we are already compromised or not. We also need to understand that those outputs may be a formalized incident handling process put in place, or a team that does forensic investigation of subject, or it might be just a simple policy which says, “Hey, when a system gets compromised, throw it away and put a new system on the wire.” Even though that may sound silly but that is a possible answer for most of the organizations.
The process of threat hunting spans throughout various technology teams. For example: ‘I just found a system which is beaconing to unknown/blacklisted IP?’ Now to reach that point, we need a lot of work before and after identifying the system. We require complete scanning of the system, leading to putting in incident response plans in place and after that we turn to forensics mode to get to deeper end of the cause. To resolve this chaos, it is beneficial to implement Pro-active Threat Intel rather than reactive mode monitoring.
All in all, global threats can be listed as the following 5 types:
- Remote Exploits (Public àPrivate)
- Local Exploits/ Insider Threats
- Browser-based attacks (Malicious advertising campaigns)
- Document based attacks (Malicious attachments like excel files, PPT , Word docs delivered through Phishing campaigns)
- DOS/DDOS (Volumetric/Computational and Asymmetric attack vectors)
Then the next Question that arises is, “We have a lot of tools which gives a lot of feeds and so what is different in threat hunting which makes it difficult to implement?" In a typical security tool, the process is to collect a lot (I mean tons) of data because it is satisfying to see whole network on a single dashboard, ‘it will give data to the management team’ and then ‘the team will educate itself and find threats out of it’. And this last part is the distinguishing element of the threat hunting process, in comparison to other mainstream tools.
So going further, “What are the basic frameworks that could to be used as the helping hand for the threat hunting process?” One of the most common frameworks that is taken into consideration when talking about the tool is - MITRE ATT&CK framework. It is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. Secondly, while rating vulnerability, always do a manual assessment basis NIST/NVD calculation with an automated scan using tools like Qualysguard, Nessus, etc.
In the end we should understand that - The process of threat hunting may seem to be a great alternative to proactively monitor assets but a threat hunting program cannot be implemented by every organization.
To build a threat hunting team, one needs threat intelligence mindset, excellent technology engineers and pro-active tools which can give threat feed of an exploit/attack vector being seen in world space.
The author is Tech Security Leader at Paytm