If you’ve been around the information security community, you’ve probably heard the term “Threat Hunting” and considered how you can apply these techniques to enhancing the security of your organization’s network and computer systems. In this blog post, we’re going to describe what threat hunting means, how you can get started, and what you’re going to need along the way. The assumption in this blog post is that you are an IT professional, and have some familiarity with the basics of security.
The threat hunting that we’ll be discussing is a proactive, regularly-repeated security exercise to find attacks and computer intrusions that have been evading detection on your company’s computer systems. This is done by searching across many sources of event data (network traffic, server logs, process trees and behaviors from endpoints, etc.) looking for patterns of unusual behavior or looking for uses of attacker techniques. This is different from searching for specific IP addresses, domain names or file hashes that are known to be used for attacks. That type of searching should be automated, freeing you to focus on finding the patterns that uncover attackers hiding on your systems.
Get Ready: This is Going to Be Fun!
It is helpful when learning any complex new skill to take it one step at a time and focus on having fun implementing each small piece before moving on to the next. To get started in threat hunting, it isn’t necessary to set up a complex system of database servers or implement an expensive system right away. You don’t need to handle all the possible sources of event data and tackle everything at once. Instead of being overwhelmed or frustrated by too much data, start with just one or two inputs and treat each new source of data as a challenge and opportunity to learn and explore what really happens on your network. There are sure to be surprises along the way, but if you treat each one as an adventure, it can be fun to learn!
Threat Hunting in Context
When you’re designing a security program for your company, it’s helpful to start with an attacker’s mindset: how would you go about breaking in if you were going to attack your company’s computer systems without being caught? This should quickly lead you to realize that any defensive system you put in place is simply an obstacle to be overcome. As a defender, your job is to make it as hard as possible for anyone to break in, force them to slow down to confront multiple layers of security obstacles, and set up sensors and traps (honeypots, honeytokens and other deception technologies) all along the way so that you can detect attacks as early as possible in the cyber kill-chain and stop them before they get very far. It is important to focus on some basic and critical security controls as a first priority. Threat hunting is most effective when you are already blocking the most common and pervasive threats automatically, because you’ll be able to focus on detecting targeted attacks.
Cover the Basics
An in-depth discussion of the other layers of defense you should have in place is too broad of a topic for this blog post, but you should definitely consider the following suggestions.
- Because attackers often abuse passwords, implement Multi-Factor Authentication (MFA) everywhere that you can.
- Design your network to be segmented, with critical servers and databases separated from employee workstations, different departments segmented from each other, and everything protected from public Internet-facing servers.
- Keep in mind that the most likely point of initial intrusion will be from an employee workstation or a server responding to requests from the Internet, so treat those as potential threats at all times.
- Strong email scanning and threat filtering is a must, because so many threats arrive via email.
- Forcing all internal computers to use the company’s DNS server and go through a web proxy that checks domain reputations for all HTTP requests is also critical to success. This is important once you realize how many malicious backdoor RATs rely on DNS and HTTP requests to communicate with their command and control server.
- You should identify special requirements for the few employees who need to use SSH or SFTP to connect to outside servers and block all others from doing so. Block all other outbound or inbound network connections that aren’t required.
- Never assume that the ports will always be used by the protocol that is “supposed to” be on that port—malware often tries to send HTTP or a custom protocol over ports 53, 80 or 443.
- Keep antivirus updated on all endpoints but accept the fact that its purpose is just to detect well-known threats—it is trivial for any targeted attack to be completely undetected by antivirus solutions.
- Do your best to keep all software up to date with security patches, with higher priority on patching critical-severity vulnerabilities that allow remote code execution or authentication bypass on Internet-facing computers.
- Turn on Windows Firewall for all workstations to make it more difficult for an attacker who lands on one workstation to be able to move laterally to others.
Now that we’ve covered the basics, it’s time for a deeper dive. Download our whitepaper which goes into much more detail on how to get started with threat hunting.