Threat Research Report Team

Best Practices for Automated Threat Hunting in Cybersecurity

Written by Gabriela Silk | May 19, 2022 8:11:26 PM

Proactive cyber threat hunting is the process of searching through networks and datasets to detect and respond to threats that evade traditional rule- or signature-based security controls; it uncovers malicious actors that have already advanced past initial endpoint security defenses.

Businesses in every industry and governments in every nation are acutely aware of the risks posed by the rising level of cybercrime worldwide. From pranks and DDoS attacks to the hijacking of sensitive data and full shutdowns of vital infrastructure, cybercriminals in the 2020s threaten to run rings around even the most seasoned cybersecurity experts.

However, the right strategies and a more proactive stance against the threat of cybercrime can turn the tide of battle against this litany of bad actors. Cyber threat hunting, in the right hands and with the right tools, promises tactics and deliverables that halt cybercriminals in their tracks – long before meaningful harm can be done to systems, data and personnel.

Contents

What is Proactive Cyber Threat Hunting?
Threat Hunting Methodologies & Types of Investigations
Threat Hunting Techniques
Threat Hunting Steps
Where Does Threat Hunting Fit?
What is Required for Cyber Threat Hunting?
Threat Hunting Maturity Model
Benefits of Automation in Cyber Threat Hunting
Uptycs and Threat Hunting

What is Proactive Cyber Threat Hunting?

The old medical adage that it is better to pursue prevention than a cure is just as apt when describing proactive cyber threat hunting – as well as cybersecurity in general.

In almost every instance conceivable, it is far more advantageous for organizations of all kinds to identify and resolve attack surfaces and security exploits before bad actors have the chance to both recognize such opportunities, and – more crucially – to act upon them.

Proactive cyber threat hunting is designed to complement a given organization's existing tools and resources in cybersecurity. However, cyber threat hunting also goes a level deeper, analyzing usage data statistics, evaluating datasets within a given system, scrutinizing endpoint security protocols, and seeking out suspicious activity within a network overall.

However, the proactive nature of this kind of cybersecurity measure is what sets cyber threat hunting apart. For example, more traditional threat detection methodologies lean towards a more reactive and passive approach.

Conversely, proactive cyber threat hunting combines existing data with newly discovered intelligence about current threat potential, and in that way can anticipate likely attack vectors and leave organizations forewarned of them.

Put simply, whereas much of cybersecurity is a reactive measure – an organization often bolsters its investment in the technology only after a damaging attack has already occurred – proactive cyber security investigates systems and processes at a deep, analytical level.

The process is carried out as though an attack has either already occurred or is inevitable in due course; the key difference is that it serves as a preparatory measure rather than a response after the fact.

Threat Hunting Methodologies & Types of Investigations

A key factor in cybercrime is that no two hackers are ever truly alike – each driven by motivators and attack incentives as individual as the culprits themselves.

As such, proactive cyber threat hunting utilizes a number of methods and tactics to identify key attack surfaces and potential breach opportunities. These vary by project, but most often include the examples as listed below.

- Hypothesis Driven Investigation

When cyber threat hunting is undertaken on the basis of hypothesis, an organization invites a specialist to put their experience, expertise and ingenuity to effective use in identifying and overcoming security risks throughout their network.

In such instances, hypotheses are formulated using the threat hunter’s own experience with similar networking infrastructure and past encounters with cyber crime.

However, the threat hunting hypothesis for a given project is also developed using environmental knowledge and overall threat intelligence, which is then combined with the tactics, techniques and procedures (TTP) that the threat hunting specialist most believes would be deployed against an organization.

- Investigation Based On Known Indicators of Compromise or Indicators of Attacks

All cybersecurity experts have a bedrock of knowledge regarding current indicators of compromise (IOC) and indicators of attack (IOA). These are cybersecurity flaws and exploits that circulate around the cyber threat hunting community to enable operatives to intelligently assess where they might be put to malicious use in other organizations.

To further reinforce the efficacy of applying IOCs and IOAs, cyber threat hunters use and further catalog tactical threat intelligence gathered during their own investigations. Combined, this activity enables cyber threat hunters to home in on potential or existing threat activity that more conventional, mainstream procedures may overlook.

- Advanced Analytics and Machine Learning Investigations

While the human element of any cyber threat hunting investigation is a truly vital one, most analyses are completed with the assistance of powerful machine learning and analytics procedures.

Through these means, vast quantities of data can be analyzed, with the goal of logging and identifying those inconsistencies which most likely represent either an unnoticed ongoing cyber attack, or a prime attack surface or entrypoint through which a bad actor can deploy such an attack.

- Tactics, Techniques, and Investigative Procedures

Throughout the above examples, cyber threat hunting professionals employ a strong working knowledge of the tactics and techniques currently circulating within the cybercriminal community.

Similarly, best practices relating to investigation and threat detection are consistently updated, and each cyber threat hunting investigation is used by the operative as an opportunity to further develop knowledge in the field. Additionally, hunts for particular attack mannerisms typically use the same operational techniques each time. This consistency is an advantage: it helps to source or attribute the threat and to reuse remediation methods that have already worked against these behaviors.

Threat Hunting Techniques

In order to successfully complete any cyber threat hunting project, an investigator employs several techniques to identify, record and ultimately resolve cybersecurity threats.

The most common of these are detailed below.

- Baselining

Understanding how a given organization is supposed to function is vital in preventing erroneous reporting or inconsistent analysis. To this end, cyber threat hunting professionals use baselining tactics to distinguish the look and feel of normalcy within a given organization’s daily datasets, accessing devices, and broader workflow.

This also includes tactics such as monitoring the activity of typical systems administrators and other individuals with high levels of system access. By identifying the usual state of play, outlying activities or unusual network traffic become that much simpler to pinpoint.
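As an added illustration of baselining (not code from the original post or from Uptycs), the following Python builds a per-user baseline of the hosts reached and the hours of activity from a constructed authentication log, then flags new events that fall outside that baseline. The log format, field names and the one-hour tolerance window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication log in a simple key=value format (illustrative only).
HISTORY = """\
2022-05-02T08:55:10 user=alice host=web01 action=ssh_login
2022-05-02T09:10:42 user=alice host=web02 action=ssh_login
2022-05-03T17:40:05 user=alice host=web01 action=ssh_login
2022-05-02T22:05:31 user=svc_backup host=db01 action=ssh_login
"""
NEW_EVENTS = """\
2022-05-09T09:02:14 user=alice host=web02 action=ssh_login
2022-05-09T03:15:27 user=alice host=db01 action=ssh_login
2022-05-09T22:06:40 user=svc_backup host=db01 action=ssh_login
2022-05-09T13:30:00 user=svc_backup host=web01 action=ssh_login
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) action=(\S+)$")
HOUR_TOLERANCE = 1  # assumed: an hour adjacent to a seen hour still counts as normal

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m.group(1)), "user": m.group(2), "host": m.group(3)}

def build_baseline(history):
    """Per user: hosts they normally reach and the hours they are normally active."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in parse(history):
        baseline[ev["user"]]["hosts"].add(ev["host"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline

def hour_is_normal(hour, seen_hours):
    # Circular distance so that 23:00 and 00:00 count as adjacent.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_TOLERANCE for h in seen_hours)

def find_outliers(baseline, events):
    """Return (event, reasons) pairs for events that fall outside the user's baseline."""
    outliers = []
    for ev in parse(events):
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons = ["user never seen during baseline period"]
        else:
            reasons = []
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"new host {ev['host']}")
            if not hour_is_normal(ev["ts"].hour, profile["hours"]):
                reasons.append(f"unusual hour {ev['ts'].hour:02d}:00")
        if reasons:
            outliers.append((ev, reasons))
    return outliers
```

Running `find_outliers(build_baseline(HISTORY), NEW_EVENTS)` flags alice reaching db01 at 03:00 and svc_backup reaching web01 at 13:30, while the two events that match each user's profile stay quiet.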

- Attack Specific Hunts

When time is of the essence, attack specific hunts move rapidly in the pursuit of identifying and remedying attack surfaces and breach points – at speed and at scale.

Ordinarily, such a tactic is put to use when a specific type of attack or bad actor is suspected, although attack specific hunts are complementary with baselining too. Strategically combining the two often yields strong positive results.

- Time Sensitivity

Cyber crime moves fast by its very nature, and often relies on speed to get into and out of a given network undetected. In this respect, proactive cyber threat hunting is similarly designed under the assumption that the investigating professional will need to act fast to identify and resolve any issues.

Another advantage to this tactic is that operatives are given the opportunity to keep pace with attackers’ changing techniques as they evolve over time. For example, bad actors not only use the latest techniques to penetrate vulnerable systems, but often also revert to older tactics in the hope that nobody notices, assuming they are no longer used.

This approach to cyber threat hunting means that all bases are covered.

- Third Party Sources

Cyber threat hunters do not undertake their investigations on wits alone. The tools of the trade are multifaceted, but each offers distinct advantages in identifying and overcoming bad actors’ surreptitious intentions.

This includes geolocation technologies and IP lookup systems, as well as log detection systems and technologies designed specifically to prevent false positives from being flagged.

Threat Hunting Steps

Cyber threat hunting is a process that moves rapidly, yet nevertheless one that depends on a rigorous and structured set of tactics to be successful.

To enable a greater level of understanding as to your investigator’s modus operandi, details on the steps in cyber threat hunting are described below.

Step 1: Hypothesis

Creating a logical framework of investigation is vital when developing the best way by which to successfully hunt for and eliminate cyber attack threats. Using existing knowledge, threat detection methodology, a deep understanding of the organization under investigation and the likeliest tactics and techniques an attacker will attempt to deploy, a cyber threat hunting professional is able to put a detailed plan of action into motion.

Step 2: Collect and Process Intelligence and Data

No cyber threat hunting endeavor can succeed without data, metrics and information. This data needs to be collated, safely stored at a central access point under the operative’s command, and processed to identify risk vectors.

Often, security information and event management (SIEM) software is utilized in facilitating this goal, identifying and recording network and device activity across a given organization for comprehensive review.

Step 3: Trigger

A trigger point is created when a cyber threat hunting professional identifies a key area of attack or ongoing security breach. This can occur as early as the hypothesis stage of the investigation in many circumstances.

From this trigger, cyber threat hunters are able to redouble their efforts, homing in on a select area of code, networking infrastructure or ongoing attack.

Step 4: Investigation

Utilizing advanced technology and a capacity for processing and evaluating enormous volumes of data at speed, cyber threat hunters log, analyze and record any points of interest that have the potential to be malicious.

At this stage, the investigator is able to discern whether unusual activity captured through these means is simply innocent yet unusual network activity, or if it instead is evidence of an ongoing cyber attack against an organization.

Step 5: Response and Resolution

The ultimate goal of proactive cyber threat hunting is to not only identify any malicious activity going on within an organization, but also to rectify it and take the steps necessary to ensure a similar attack can never be repeated.

Likewise, detected vulnerabilities can be proactively remedied ahead of any such attack taking place – an even more ideal outcome.

Resolutions include the altering of system files or their means of storage; the deletion of malware and snooping apps; updates to firewalls and security patches; as well as passing best practices on to team members of a given organization to help its cybersecurity sustain its operational strength going forward.

Where Does Threat Hunting Fit?

Proactive cyber threat hunting is designed to be a complementary and nonintrusive strategy that operates in parallel with existing security and incident response procedures.

The goal of cyber threat hunting as a practice is to analyze and report data and network traffic in such a way that suspicious activities are monitored, recorded and can be actively investigated by specially trained professionals.

What is Required for Cyber Threat Hunting?

As with any discipline in cybersecurity, proactive cyber threat detection is not as simple as purchasing some software and sitting someone at a computer. It takes a resourceful mind, bespoke software and an enormous volume of data to accurately and effectively deploy.

- Human Capital

No computer ever devised can see something that looks suspicious as keenly as the human eye. Cyber threat hunting professionals are trained to adopt an investigative mindset and to never stop learning, honing their skills through fieldwork.

Cyber criminals go to extensive lengths to shield, conceal or simply distract from their presence in a given network – but efforts that may fool automated computer protocols cannot elude keen senses and a curious mind.

- A Wealth of Data

Full visibility of both the network of a given organization, as well as every one of its endpoints, is crucial to successful cyber threat hunting. As such, investigators rely on being able to accumulate and investigate enormous volumes of data, each element of which is meticulously detailed and – in certain circumstances – a vital clue as to the nature of an ongoing cyberattack.

- Threat Intelligence

Operating in an information silo simply doesn’t make for effective threat detection. Operatives will compare the data and intelligence they have during a project to the latest threat intelligence available among their contemporaries in the industry.

Likewise, whenever a project with any organization identifies new threats, that new intelligence is shared rapidly among the hunter community.

- Organizational Models

An organizational model determines the size and scope of a given cyber threat hunting team, and should be expanded and budgeted accordingly.

A key area to get right the first time here is ensuring that the team being deployed has a skillset that is both diverse and complementary, so that nothing gets missed.

- Tools and Technology

Cyber threat hunters utilize specialized databases of techniques, tactics, attack avenues and investigative tools to conduct their work.

That includes tools for statistical analysis, vulnerability management protocols and threat intelligence providers who help them communicate with the wider industry.

Threat Hunting Maturity Model

The level of threat hunting maturity in any given organization depends upon the sophistication of its collated IT data. According to the SANS Institute, professionals grade the maturity of a given investigation using the below system.

- Level 0, Initial – automated reporting only, with almost no routine data collection.

- Level 1, Minimal – mid- to high-range routine data collection, incorporating threat intelligence.

- Level 2, Procedural – a high level of data collection, together with analysis procedures as devised by third parties.

- Level 3, Innovative – extremely high data collection, with new data analysis methods devised in-house.

- Level 4, Leading – most data analysis is automated, with thorough and sophisticated data collection.

Benefits of Automation in Cyber Threat Hunting

As cybercriminals rely on prebuilt tools and cracking programs to do much of the legwork for them, so too are cybersecurity professionals equipped to enable automated systems to bear the brunt of time-consuming work.

Intelligently automating key elements of cyber threat hunting activity frees investigators up to apply their skills elsewhere, and enables the full investigation to move more rapidly.

- Data Collection

Collecting and examining enormous volumes of data is time consuming and, when undertaken manually, extremely difficult. Automation can more rapidly collate and identify useful data points in need of further investigation.

- Investigation Process

Through automation, recognized threats can be cataloged as high, mid and low risk – facilitating greater prioritization as security professionals respond to and remedy these issues accordingly.

Investigators are able to make more informed and incisive decisions when this level of automation is employed.
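As an added example serving both the IOC-based investigation described earlier and the automated high/mid/low cataloging discussed here (not code from the original post or from Uptycs), the following Python matches constructed findings against a placeholder indicator list, combines those hits with baseline deviation and asset criticality into a score, and buckets each finding for prioritization. The indicator values, weights, thresholds and field names are all assumptions.

```python
# Constructed, illustrative indicator list: placeholder values, not real IOCs.
KNOWN_IOCS = {
    "sha256": {"0" * 63 + "a"},
    "domain": {"updates.example-bad.test"},
    "ip": {"203.0.113.45"},
}
# Constructed asset inventory: criticality tiers from the organization's own model.
ASSET_TIER = {"db01": "high", "web01": "medium", "laptop-17": "low"}
# Assumed scoring weights and bucket thresholds; tune these to the environment.
WEIGHTS = {"sha256": 50, "destination": 30, "baseline_deviation": 20}
TIER_MULT = {"high": 1.5, "medium": 1.0, "low": 0.7}
HIGH_AT, MID_AT = 60, 20

# Constructed findings, as an upstream collection step might emit them.
FINDINGS = [
    {"host": "db01", "process": "/tmp/x", "sha256": "0" * 63 + "a",
     "dest": "203.0.113.45", "baseline_deviation": True},
    {"host": "laptop-17", "process": "/usr/bin/curl", "sha256": "b" * 64,
     "dest": "updates.example-bad.test.", "baseline_deviation": False},
    {"host": "web01", "process": "/usr/sbin/nginx", "sha256": "c" * 64,
     "dest": "cdn.example.test", "baseline_deviation": True},
    {"host": "web01", "process": "/usr/sbin/sshd", "sha256": "d" * 64,
     "dest": "10.0.0.8", "baseline_deviation": False},
]

def ioc_hits(finding):
    """Names of the indicator types that matched; values are normalized first."""
    hits = []
    if finding["sha256"].lower() in KNOWN_IOCS["sha256"]:
        hits.append("sha256")
    dest = finding["dest"].lower().rstrip(".")  # strip trailing dot seen in DNS logs
    if dest in KNOWN_IOCS["domain"] or dest in KNOWN_IOCS["ip"]:
        hits.append("destination")
    return hits

def score(finding):
    """Indicator hits plus baseline deviation, weighted by asset criticality."""
    pts = sum(WEIGHTS[h] for h in ioc_hits(finding))
    if finding["baseline_deviation"]:
        pts += WEIGHTS["baseline_deviation"]
    # Unknown hosts get a neutral multiplier rather than being dropped.
    return pts * TIER_MULT.get(ASSET_TIER.get(finding["host"]), 1.0)

def bucket(points):
    return "high" if points >= HIGH_AT else "mid" if points >= MID_AT else "low"

def triage(findings):
    """Rank findings by score and return (host, process, bucket, hits) tuples."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f["host"], f["process"], bucket(score(f)), ioc_hits(f)) for f in ranked]
```

Calling `triage(FINDINGS)` puts the db01 finding (hash and destination match, plus deviation, on a high-tier asset) first as high, the two single-signal findings as mid, and the quiet sshd entry last as low.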

- Prevention Process

It is time consuming to manually adjust security protocols, patch vulnerable systems and relocate vulnerable files on a network. Automation is capable of undertaking these activities in seconds, creating real-time reactivity to security flaws the instant they are observed.

Uptycs and Threat Hunting

In both proactive and remedial cyber threat hunting, minimal and immediate response time to remediation remains crucial in the prevention of irreparable financial, institutional, and operational loss and damage to an organization.

Proactive threat hunting is limited in detection and identification only by the analytics and threat hunters that power it; paired with comprehensive libraries and tools such as YARA and osquery, it is the catalyst that makes the difference in the continuity of critical infrastructure.

Check out four recent use cases in which YARA and osquery were integral to the remediation of three zero-day exploits (Log4J, Log4Shell, and Spring4Shell) and assisted a financial institution in detecting advanced attackers.

Log4j CVE-44228 | Scanning A Million Hosts in Less Than 30 Minutes

Log4j/Log4Shell Vulnerability Scanning and Exploit Detection in Uptycs osquery

Spring4Shell and CVE-2022-22963: How They Work and How to Inventory Vulnerable Packages with Uptycs

Case Study: New Uptycs Customer Deploys YARA Scanning At Scale To Detect Advanced Attackers

To learn about the latest threat research conducted by Uptycs Threat Research team, check out our most recent threat bulletin below.