
Threat Hunting Best Practices for a Secure Foundation

Cybersecurity will always require a layered approach, with a system of checks and balances designed to prevent breaches wherever and whenever possible. Threat hunting is a core component of every layered strategy because it checks what your alerting misses and pushes back against attackers who have learned to evade it. The practice of threat hunting has not fundamentally changed over the years, but attacks have: breaches are stealthier and more sophisticated, and adversaries actively avoid detection even in well-secured, segmented networks.

The news regularly reports big breaches against well-known companies we all assumed were untouchable. We hear far less about the other breaches, which are often against smaller companies. They are more vulnerable because they are less likely to have a robust security strategy in place, and they are expected to cover more ground with less budget and staff. That said, company size doesn’t matter if you lack the data collection maturity needed to protect your network.

When and why to build a threat hunting team

Today’s attackers are organized and well informed: they often understand their target’s entire supply chain and the SOC’s technology stack. To stay ahead of them, make it a best practice to formalize the role of threat hunter within IT operations, and then, as budget allows, build out the proactive side of your IT and security teams.

Threat hunting is the proactive practice of searching your environment (logs, endpoint telemetry, and network traffic) for threats that automated detection has not raised. It’s the “I’m going to go looking for something that may or may not be there” attitude, based on the premise that no system is completely secure.

If you are a team of one, start by putting in place everything you need to secure your infrastructure: alerts, dashboards, scripts, and so on. Then set aside time each day to proactively look for trouble in your logs and network traffic. If you have the budget, you have more options and can build out a team of investigators that can rival the CIA (SOC analysts, security engineers, incident managers, threat intelligence analysts, threat hunters, and so on).

Core team skills

Threat hunting targets emerging threats that existing detections miss, rather than the known attack methods your tooling already covers, so people, not algorithms, take the lead. A hunt starts when you observe suspicious activity that doesn’t fit what you know about your environment, or that matches a threat pattern you have heard about but have not yet written a detection for. You usually learn about these patterns from threat intelligence and media reports, from peers, or from plain detective-like instinct.

A threat hunter has a unicorn-like combination of skills. Think of a detective investigating crimes, a pathologist performing autopsies, a philosopher working through an analytical problem. The threat hunter is curious, thinks outside the box, knows how to ask questions, looks for patterns, and pursues anomalies relentlessly. Their goal is to uncover indicators of attack (IOAs) that automated detection has yet to flag.

Threat hunters must have the time and authority to research and pursue hypotheses, not be bogged down in security alerts. The job is to outthink the attackers, identify new security incidents, and improve automated detection.

Technology and security analytics tools

Threat hunters need tools to do the job. Whether you have a dedicated security team or an IT team that is also tasked with security, centralized log management gives your team the “security camera” they need to detect, identify, contain, and remediate a threat. Security solutions such as SIEMs or endpoint management tools only help when you tune them to your environment.

Security analytics tools often sit on top of centralized log management (CLM) to detect behaviors that indicate malicious activity. They collect, normalize, and analyze logs and network traffic for threat behavior, which gives hunters more data and a more flexible approach to hunting.

CLM is a great way to manage your security spend because it fits with your approach to security and grows with your budget, all the way to the fully mature stages. It can also help you understand where strategies like network segmentation and access control are most effectively applied.

Supplementing threat hunting with AI and UEBA

AI and UEBA (User and Entity Behavior Analytics) are fantastic tools in the toolbox. But like any tool, if you don’t use it properly you can hurt yourself, damage the environment, and harm the tool. Until your incident response and log collection practices are mature, you can’t, and wouldn’t want to, take advantage of AI and UEBA, because you don’t yet know what questions to ask. You need logs to establish what is normal and what is not before an algorithm can usefully analyze what is going on in your environment.

For example, you need to collect enough data to define “normal” for the number of failed login attempts. Otherwise you can’t tell a brute force attack against an expired service account from someone who keeps mistyping a password they can’t quite remember.

Once your logs tell you what the normal pattern looks like, you feed that data to the AI as its failed-login baseline. If you skip that work and set the baseline at “3 failed login attempts,” your threat hunters will chase a lot of false leads to people who are simply forgetful. If you do the work, you may find the right baseline for your environment is 800, and the algorithms can then do what they are meant to do. The right number depends on your environment and on what you are counting (per account or per source address, per hour or per day), which is exactly why it has to come from your own data rather than a guess.
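To make the baseline idea concrete, here is an added example (not code from the original article or from any product it describes) that parses constructed sshd-style failed-login lines, learns a per-source daily threshold from 28 days of constructed history as mean plus three standard deviations, and compares the result with a guessed threshold of 3. The hostnames, usernames, addresses and history values are placeholders.

```python
"""Learn a failed-login baseline from logs rather than guessing one.

Added example, not code from the original article or any vendor product.
The log lines below are constructed to look like OpenSSH sshd syslog
entries; hostnames, usernames and addresses are placeholders.
"""
import math
import re
import statistics
from collections import Counter

# Constructed "today" log lines in sshd's syslog format (not real captures).
TODAY_LINES = [
    # alice mistypes her password five times, then succeeds: a forgetful user.
    "Mar 10 08:01:10 bastion sshd[2134]: Failed password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 08:01:14 bastion sshd[2134]: Failed password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 08:01:19 bastion sshd[2134]: Failed password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 08:01:25 bastion sshd[2140]: Failed password for alice from 10.0.0.5 port 51240 ssh2",
    "Mar 10 08:01:31 bastion sshd[2140]: Failed password for alice from 10.0.0.5 port 51240 ssh2",
    "Mar 10 08:01:40 bastion sshd[2140]: Accepted password for alice from 10.0.0.5 port 51240 ssh2",
    # bob gets it wrong once.
    "Mar 10 09:12:03 bastion sshd[2201]: Failed password for bob from 10.0.0.6 port 50111 ssh2",
    "Mar 10 09:12:09 bastion sshd[2201]: Accepted password for bob from 10.0.0.6 port 50111 ssh2",
]
# One external source guessing passwords for an account that does not exist.
TODAY_LINES += [
    f"Mar 10 02:{i // 60:02d}:{i % 60:02d} bastion sshd[{3000 + i}]: "
    f"Failed password for invalid user admin from 203.0.113.7 port {40000 + i} ssh2"
    for i in range(40)
]

# Constructed history (assumed values): per-source daily failed-login counts
# observed on 28 normal days. In practice you would compute these with the
# same parser over your retained logs.
HISTORY_DAILY_FAILURES = [2, 5, 1, 7, 3, 4, 6, 2, 9, 3, 5, 4, 8, 2,
                          6, 3, 5, 7, 1, 4, 6, 3, 2, 8, 5, 4, 6, 3]

# Matches sshd's "Failed password for [invalid user ]<user> from <src>" lines.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def count_failures(lines):
    """Map each source address to its number of failed password attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m["src"]] += 1
    return counts


def learn_threshold(history, k=3.0):
    """Return a data-derived threshold: mean plus k standard deviations.

    `history` holds per-source daily failure counts from normal days, so the
    result describes what is unusual for this environment, not a guessed one.
    """
    return statistics.mean(history) + k * statistics.stdev(history)


def hunt(lines, threshold):
    """Return {src: count} for sources whose failures exceed the threshold."""
    return {src: n for src, n in count_failures(lines).items() if n > threshold}


if __name__ == "__main__":
    guessed = 3
    learned = learn_threshold(HISTORY_DAILY_FAILURES)
    print(f"guessed threshold {guessed}: {hunt(TODAY_LINES, guessed)}")
    print(f"learned threshold {math.ceil(learned)}: {hunt(TODAY_LINES, learned)}")
```

With the guessed threshold of 3, both the forgetful user at 10.0.0.5 (five failures) and the password-guessing source at 203.0.113.7 (forty failures) are flagged; with the learned threshold of roughly 11, only the external source is. Mean plus k standard deviations is a deliberately simple model. In production you would key the baseline by account or source and by time window, and prefer a robust statistic (a high percentile, or median and MAD), because a single past incident in the history inflates the mean and standard deviation and quietly raises the bar for the next one.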

The bottom line is that there is a time and a place for AI and UEBA, but in an immature environment the tools can do more harm than good. Even at the optimal level of maturity, you still need the threat hunter to make effective use of these technologies.

Threat hunting and the bottom line

According to IBM’s 2020 Cost of a Data Breach report, organizations that contained a breach in under 200 days saved an average of $1.12 million compared with those that took 200 days or more. If your company collects and maintains valuable data, you are a target. Yet too many companies attempt threat hunting without first establishing the right security foundations: security hygiene (consistent practices that keep systems healthy), investigation and forensics capability (context, visibility, insight), technology (well-managed network segmentation and access control), and mature security operations processes (incident response and log collection). Built on those fundamentals, threat hunting fills an essential gap in every security strategy.

For security teams, and by extension the business, time is money. Having a threat hunting team, or at the very least a dedicated threat hunter in your IT operation, is the best way to balance risk against cost.