Cyber threats just won’t stop. Consultant Mckinsey characterises the cyber threat landscape as having "still widespread uncertainty about what to do." Their report cites the federal government as declaring it “one of the most serious economic and national security challenges we face as a nation.” What’s a CSO, CIO—or for that matter, any digital enterprise—to do, given the grave outlook from none other than our own government?
This prevailing risk of cybersecurity has prompted the need for a new genre of IT professionals: threat hunters. These professionals actively seek threats to an enterprise network and framework and rids them from your IT operations. That’s the modus operandi of a threat hunter. It’s a unique approach for information security, a discipline that never stops working to find these technical vulnerabilities and compromises and deter their effects.
Cyber risk is patently overwhelming. In spite of complex and often expensive automated tools that detect and identify malware and other threats, there’s still a cloud of uncertainty as to where threats lurk. They enter in Internet of Things (IoT) networks, via bots, phishing emails, and so many other disguised pathways. It’s a top-of-the-list priority for network security professionals, paving the way for every enterprise to learn and engage in threat hunting.
The Genesis of Threat Hunting
In their report, “Digital and Risk: A New Posture for Cyber Risk in a Networked World,” Mckinsey cites their own research from a survey that found "75 percent of experts consider cybersecurity to be a top priority for their businesses. The bad news is that executives are overwhelmed by the challenge. Only 16 percent say their companies are well prepared to deal with cyber risk." Threat hunting is, purportedly, an attempt to reverse such a condition.
Rob Lee is a full-fledged threat hunter. Based in the Boston, Massachusetts area, the author, consultant, and SANS Faculty Fellow has chalked up more than 18 years of experience in disciplines related to this vocation. Lee provided insight into this profession in an interview with CSO magazine. He told CSO columnist Roger Grimes that threat hunting is a critical skill that requires prerequisite skills in other areas such as basic security analysis, knowledge of security operations, and other intelligence capabilities.
Said Lee, "To become a threat hunter, one must first work as a security analyst and likely graduate into IR and cyber threat intelligence fields. Combined with a bit of knowledge of attacker methodology and tactics, threat hunting becomes a very coveted skill. Threat hunting is one of the most advanced skillsets one could obtain in information security today. The core skills of a threat hunter include security operations and analytics, IR and remediation, attacker methodology, and cyber threat intelligence capabilities. Combined, a hunter is the special operations team of an organisation’s defensive and detection capabilities.”
The Threat Hunter's Toolbox
While there are many threat-hunting tools, the InfoSec Institute outlined some notable ones:
- Maltego CE. This data-mining tool visually depicts interactive graphs for link analysis. It is designed to automate queries and show a snapshot visual picture of threat data. The Institute rates it as easy to use and integrate, and may be customised to very specific hunts in an effort to perform threat analyses.
- Cuckoo Sandbox. This open-source tool automates malware analysis, allowing threat hunters to receive real-time query results about suspicious or questionable files. Analysts can then dispose of them immediately. More importantly, Cuckoo provides analytics related to the malware as well as an accounting of the damage done by it.
- This tool from TekDefense streamlines the analysis of URLs, but has a different tact. You choose a target and the tool will retrieve threat results from poplar sources and select or deselect the ones you'd like. The user may modify the sources using Python. The InfoSec Institute calls it "very user-friendly, even for a beginner."
- As a threat-hunting tool, CrowdFMS utilises VirusTotal, a site that reports known phishing emails. It uses another tool, YARA (a multipurpose tool used to classify malware with descriptors), to notify users and provide vigilant data for the threat hunter to take swift action.
- Yet another useful threat-hunting tool, this one combats bots, disallowing them to ever register on forums where they lurk. It will actually track the IP and identify its origin, complete with email, name, and address, so the threat hunter can put an end to the bot's activities in their area of operation.
Numerous other tools are also available. This is just a subset of the many that outlined by the InfoSec Institute. They are the currency, if you like, of threat analysis; any enterprise that seeks to bolster its threat hunting should try these and other tools to build their arsenal of defense.
Finding the Hard-to-Detect Threats
Network protection platform provider Bricata describes threat hunting as an answer to the prevailing glut of cyber threats that cause damage to the enterprise and its many users. Specifically, what's needed is to find those that aren't so easy to detect.
In their daily blog, Kaspersky Labs noted that threat hunting was a "hot" topic at RSA 2018. They say that threat hunting is just plain necessary (though there's not a uniform understanding of what it actually includes).
"Experts agree that it’s a necessary practice to counter modern APT attacks," they state. "What they do not completely agree on is what threat hunting actually is—which practices it comprises. And so they agreed to use the book How to Hunt for Security Threats, which says that threat hunting is an analyst-centric process that enables organisations to uncover hidden advanced threats missed by automated preventive and detection controls."
In their blog, Bricata cites Tim Crothers, who they say is "among the most prominent experts on the concept of threat hunting."
According to the post, Crothers said that the essence of threat hunting is to find unknown malicious activity, not just react to it. They paraphrase Crothers' description of threat hunting: "We can’t forgo the fundamentals, but a good threat hunting program is one of the ways to get ahead of the reactive cycle of firefighting."
As Bricata aptly summarises: "Most organisations have some sort of static detection in use. Often this is a combination of signature detection and rules-based detection tools aimed at detecting activity known to be malicious. While these are necessary and catch much of the basic malware, sophisticated threat actors are aware of these measures—they understand how these tools work and are good at evading them. As such, hunting becomes a method to find an activity that isn’t being detected."