There’s a hunt that requires no license, is never out of season and permits the use of every weapon at your disposal to bag your prey. It’s the threat hunt.
Threat Hunting on the Rise
The SANS Institute found in 2016 that 86% of IT departments utilized threat hunting after experiencing or suspecting an attack, realizing benefits that go beyond just better security.
The 2017 SANS study, to be released in its entirety at the end of April, notes that 60% of threat hunters achieved measurable improvements in InfoSec programs based on their efforts, with 91% reporting improvements in speed and accuracy of response.
Threat Hunting Goals and Assumptions
To be a threat hunter, you have to presume your system has already been breached. Somewhere in the network, the bad actor has left clues that he’s been there and is siphoning off data.
The hacker’s goal is to be unnoticed. All too often, the hacker succeeds until an atypical event raises red flags indicating the possibility of an attack. Or, a careful IT staffer follows up on a hunch and now has evidence something’s wrong.
Open Season on Hackers
Even if it’s open season, finding a phantom can be hard, unless you know how and where to look.
Data is where you start. You can get it from a cyber threat assessment, which provides a snapshot of key assets, threats and vulnerabilities. This serves as the baseline to which you compare anomalies.
Next, you need to seek out the anomalies. Here are questions to help guide the hunt:
Is there a port where the exact amount of data comes in and goes out, every day? Down to the byte?
Is part of the network sending out data through a proxy server or firewall?
Where are the outliers? What suspicious sites are being accessed via network endpoints?
Are there unusual numbers of failed login attempts?
Do your logs show sudden privilege changes?
Is there evidence of credential dumping? Access to account logins and passwords makes hackers’ lateral moves hard to trace until sensitive information is found and/or stolen.
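As an added example (not from the original post or from any vendor tool), here is how three of the hunt questions above can be turned into checks that run over data: the byte-exact daily transfer on one port, the failed-login burst, and the sudden privilege change. The flow records, the key=value auth log format, the host names and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
# Constructed sample flow records (day, host, dst_port, bytes_out); not real traffic.
FLOWS = [
    ("2017-04-01", "ws-17", 8443, 4096), ("2017-04-02", "ws-17", 8443, 4096),
    ("2017-04-03", "ws-17", 8443, 4096), ("2017-04-01", "ws-02", 443, 18231),
    ("2017-04-02", "ws-02", 443, 9930), ("2017-04-03", "ws-02", 443, 27712),
]

# Constructed sample auth log in a key=value format assumed for this example.
AUTH_LOG = """\
2017-04-03T09:00:01 ws-17 login user=alice result=FAIL
2017-04-03T09:00:02 ws-17 login user=alice result=FAIL
2017-04-03T09:00:03 ws-17 login user=alice result=FAIL
2017-04-03T09:00:04 ws-17 login user=alice result=FAIL
2017-04-03T09:01:00 ws-17 login user=alice result=OK
2017-04-03T09:02:10 ws-17 privchange user=alice group=Administrators
2017-04-03T10:15:00 ws-02 login user=bob result=OK
"""

def beaconing_ports(flows, min_days=3):
    """(host, port) pairs that sent an identical byte count on at least
    min_days distinct days: the 'same amount every day, down to the byte' check."""
    daily = defaultdict(lambda: defaultdict(int))  # (host, port) -> day -> bytes
    for day, host, port, nbytes in flows:
        daily[(host, port)][day] += nbytes
    return sorted(key for key, per_day in daily.items()
                  if len(per_day) >= min_days and len(set(per_day.values())) == 1)

def parse_auth(log):
    """Parse each constructed log line into a dict of its fields."""
    events = []
    for line in log.splitlines():
        ts, host, kind, *fields = line.split()
        ev = {"ts": ts, "host": host, "kind": kind}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def failed_login_bursts(events, threshold=4):
    """(host, user) pairs whose failed logins reach the threshold."""
    fails = defaultdict(int)
    for ev in events:
        if ev["kind"] == "login" and ev["result"] == "FAIL":
            fails[(ev["host"], ev["user"])] += 1
    return sorted(k for k, n in fails.items() if n >= threshold)

def privilege_changes(events):
    """Every privilege change, so a hunter can check each against a change ticket."""
    return [(e["host"], e["user"], e["group"]) for e in events if e["kind"] == "privchange"]
```

Each function returns the hits rather than printing them, so the results can be fed into whatever ticketing or SIEM correlation step follows.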
Lastly, you need a coordinated response to wipe the phantom out of your machine. A SIEM (Security Information and Event Management) helps automate the collection and correlation of real-time threat data from multiple security systems to simplify the process.
Arm Yourself with Knowledge
Understanding the threat hunting process is the first step to flushing out existing and potential problems from your network. Making sure you have the right tools is the next.
We recommend looking at solutions from our partner Fortinet, starting with its free, online Cyber Threat Assessment Program to evaluate your network end-to-end and dig up IoCs (indicators of compromise).