Know Your Data and Your Enemies: Establishing a Baseline for Proactive Threat Hunting
The purveyors of modern threats are not trying to simply deface your website or own your web server. These advanced attackers are attempting to siphon critical and sensitive data from your network over long periods of time, and do so undetected.
Where Is Your Data?
When threat hunting, at a minimum, you should know where your critical data is stored and how an attacker might try to compromise those systems. Taking it a step further, you should identify which systems, users and devices are connected to those critical assets. These are your attack vectors, which could be under threat by external and internal sources.
Insiders are responsible for the vast majority of damage caused by breaches. While the source of most attacks is external, the cause of damage is internal. Insiders who purposefully perform malicious activity should be identified immediately. But there are also those who, through negligence or lack of awareness, compromise the network’s security unintentionally. These individuals must be properly secured. It is far more common to come across a user who falls victim to phishing or social engineering than a user with the skills and intent to damage your network.
A Baseline for Proactive Security
If you haven’t detected any attacks against your network recently, then your organization either isn’t worth anything or you are doing something wrong. But if you have either prevented or detected a breach, then you have effectively performed proactive security.
Proper security does not mean that your organization is impervious to compromise, however. Security teams must take the necessary actions before, during and after a breach. With both host- and network-based threat hunting, it’s important to work from a baseline. You should have an idea of the typical performance of your network as well as the usual activity of the assets within it.
Host-Based Threat Hunting
From a host-based perspective, threat hunting can be performed with an emphasis on several different metrics. A big indicator of compromise (IoC) for client systems is access attempts, both failed and successful. Most users access 30 to 50 files per day, with maybe a couple of them showing failed access. That failed access would likely be a result of clicking the wrong folder or file several times before the user realizes the error. However, if you see a client on your network accessing 20,000 different files with 100,000 failed attempts, that should raise more than a few red flags.
Another indicator of a breach is unusual ports, protocols or services being run on a user’s machine, specifically if they are not included in the secure baseline. A user transferring data in bulk to a USB drive can also point to an insider threat that should be investigated.
The good news is that many of the pieces of information required to perform host-based threat hunting might be available from existing tools. For example, network monitoring tools can be used to identify anomalies in central processing unit (CPU), memory and disk utilization. Similarly, configuration management tools can identify processes and programs that run when the system starts. Logs correlated with a security information and event management (SIEM) tool can also identify failed and successful access attempts.
Network-Based Threat Hunting
There are many ways to perform threat hunting from a network perspective. One IoC is connection length. A typical client in your network will most likely have short outbound connections.
Another IoC is the amount of data being transferred. A normal connection will not transfer data in bulk over the public internet. The destination IP can also be a breach indicator. Other clues include outbound connections to anomalous or foreign IP addresses.
Similar to host-based threat hunting, network-based hunting can also utilize existing tools to proactively identify an adversary. Network intrusion detection systems, for example, can track the number of connections and other details about traffic. SIEM tools can also correlate and identify unusual traffic patterns. In addition, network forensics tools can provide better details into the payload and distinguish between malicious and normal activity.
Improving Incident Response Speed and Accuracy
A proper threat hunting program can provide a more secure baseline throughout the organization, offering immediate benefits such as reduction in breaches and attempts to compromise your network. Security teams can also reduce the organization’s threat surface and minimize attack vectors by identifying threats and locking down the network environment accordingly.
Threat hunting can increase the incident response team’s speed and accuracy. With more visibility into the network, security professionals can pinpoint areas of potential compromise quickly and efficiently. As a collective effort, threat hunting and threat intelligence can improve the organization’s security posture, which will produce tangible financial benefits.
While security teams cannot eliminate all risks to the IT environment, proper threat hunting allows them to read the news in peace without worrying about the organization becoming a headline.