Threat Hunting and You: Why Content is Critical To Threat Hunting
In a changing and evolving threat landscape, how can you detect the unknown and mitigate the constant risk of breaches? Countless organizations have claimed to have the answer to this age-old dilemma by utilizing new technologies such as Machine Learning or Artificial Intelligence – however, one solution in recent years, known as “Threat Hunting”, has proven to be particularly effective.
What Is Threat Hunting?
Many organizations and individuals have defined threat hunting in one way or another, but Sqrrl (an organization that specialized in threat hunting, which was later acquired by Amazon Web Services in 2018) summarized it well and succinctly in their whitepaper “A Framework for Cyber Threat Hunting”. They defined it as “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” (Sqrrl, 2018).
To provide an example of this in action, and highlight some of its downfalls, suppose your security team proactively initiates an assessment of your Active Directory environment for anomalous account activity and identifies a large amount of Windows Event Logs indicative of a Successful Login (EventID 4624), with a Logon Type 10 (Remote Interactive Login – this occurs when a user logs in via terminal services, remote assistance, or remote desktop). In doing so, they were exercising a core component of Threat Hunting – proactivity. In comparison to passively waiting for an alert to trigger due to the Windows Event Logs hitting a specified threshold, they proactively searched for the potential “bad.”
To further complicate this example, what if they found out that the account responsible for generating the Remote Interactive Login events belonged to the Domain Administrators group? Would they know what implications that could have, or what steps they should follow to contain, mitigate, and remediate any potential compromise or breach? It is here that we see a downfall of threat hunting – because of individuals’ varying experience, knowledge, or aptitude, your security team may not know what to make of that large amount of Windows Event Logs, or even be able to find the “bad” in the mountain of logs.
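The hunt described above, as an added example that is not part of the original post or Cyborg’s own content: a short Python script that walks a set of constructed Windows Security events, keeps only Successful Login (EventID 4624) records with Logon Type 10, and attaches the context the post says analysts lack: per-account logon counts, source addresses, target hosts, time window, and whether the account sits in a privileged group such as Domain Admins. The event lines and the group-membership table are constructed for the example; in practice the events come from a SIEM or Windows Event Forwarding and the membership is resolved from Active Directory.

```python
import json
from collections import defaultdict

# Constructed sample of Windows Security events, one JSON object per line, in the
# shape a SIEM or Windows Event Forwarding collector might hand to a hunter.
# "Computer" is the host that recorded the logon; "IpAddress" is the source.
SAMPLE_LOG = """
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "TargetDomainName": "CORP", "IpAddress": "10.0.5.21", "Computer": "WKS-0412", "TimeCreated": "2024-05-01T08:02:11Z"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "TargetDomainName": "CORP", "IpAddress": "10.0.5.21", "Computer": "FS-01", "TimeCreated": "2024-05-01T08:03:40Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "da-admin", "TargetDomainName": "CORP", "IpAddress": "10.0.9.77", "Computer": "SRV-DC01", "TimeCreated": "2024-05-01T02:14:05Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "da-admin", "TargetDomainName": "CORP", "IpAddress": "10.0.9.77", "Computer": "SRV-FILE02", "TimeCreated": "2024-05-01T02:16:33Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "da-admin", "TargetDomainName": "CORP", "IpAddress": "172.16.40.8", "Computer": "SRV-SQL01", "TimeCreated": "2024-05-01T02:18:02Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "da-admin", "TargetDomainName": "CORP", "IpAddress": "172.16.40.8", "Computer": "SRV-SQL01", "TimeCreated": "2024-05-01T02:19:50Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk1", "TargetDomainName": "CORP", "IpAddress": "10.0.5.30", "Computer": "WKS-0199", "TimeCreated": "2024-05-01T09:45:12Z"}
"""

# Constructed privileged-group membership. A real hunt resolves this from Active
# Directory or the SIEM's identity context rather than a hard-coded table.
PRIVILEGED_GROUPS = {
    "CORP\\da-admin": "Domain Admins",
    "CORP\\helpdesk1": "Account Operators",
}

# Logon Type values for event 4624; 10 is the RemoteInteractive case the post
# discusses (terminal services, remote assistance, remote desktop).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_remote_interactive(events, privileged=PRIVILEGED_GROUPS):
    """Return one finding per account that produced 4624 / LogonType 10 events.

    Each finding carries the context an analyst needs to triage: logon count,
    source addresses, hosts logged on to, first/last seen, and the privileged
    group (if any) the account belongs to. Findings are ordered so privileged
    accounts come first, then by volume."""
    by_account = defaultdict(lambda: {"count": 0, "sources": set(), "hosts": set(),
                                      "first": None, "last": None})
    for ev in events:
        # Only successful logons of the RemoteInteractive type are of interest.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        f = by_account[account]
        f["count"] += 1
        f["sources"].add(ev["IpAddress"])
        f["hosts"].add(ev["Computer"])
        ts = ev["TimeCreated"]  # ISO-8601 UTC strings compare correctly as text
        f["first"] = ts if f["first"] is None or ts < f["first"] else f["first"]
        f["last"] = ts if f["last"] is None or ts > f["last"] else f["last"]

    findings = []
    for account, f in by_account.items():
        group = privileged.get(account)
        priority = "high" if group == "Domain Admins" else "medium" if group else "low"
        findings.append({
            "account": account,
            "logon_type": LOGON_TYPES[10],
            "count": f["count"],
            "sources": sorted(f["sources"]),
            "hosts": sorted(f["hosts"]),
            "first": f["first"],
            "last": f["last"],
            "privileged_group": group,
            "priority": priority,
        })
    findings.sort(key=lambda x: (PRIORITY_ORDER[x["priority"]], -x["count"]))
    return findings


if __name__ == "__main__":
    for finding in hunt_remote_interactive(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The point of the enrichment step is that a bare count of 4624 / Logon Type 10 events says nothing on its own; three remote desktop logons by a Domain Admins member onto a domain controller, a file server and a SQL server inside a five-minute window at 02:14 UTC is a very different finding from a single helpdesk logon at 09:45, and the script surfaces that difference in the order it returns findings.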
Why Is Content Needed?
Many enterprises do not have the resources available to build a threat hunting team, or even to effectively perform threat hunting at the levels they would like to. Because of this, they rely heavily on the generic content built into their SIEMs or other tool solutions, which is often prone to false positives and lacks the contextualized or enriched information that would assist in the investigational process – it merely provides a simple alert name and expects the analyst to decipher the proprietary naming schema. We spoke at length about this in our Positioning Paper (which you can read HERE), in which we summarized that, while many organizations aspire to achieve advanced threat hunting, they often still depend on alerts from reactive security tools that are dedicated to finding the most obvious threats using unsophisticated or generic rules, signatures, or content. They don’t have the time or ability to generate advanced content to proactively attain a much deeper insight into the data being generated in their environment – and that leaves the most dangerous threats still active in their systems. Often the greatest threat facing your organization is not the advanced nation state, but rather the lowly trojan that runs rampant throughout your network undetected, because the proper detections are not in place, or because analysts lack the context needed to respond effectively.
How Can Cyborg Security Help?
Cyborg specializes in the detection of adversarial toolsets and techniques. With decades of cumulative threat hunting, intelligence, and incident response experience, we have taken our knowledge of dealing with threat actors throughout Government, Defense, Technology, Healthcare, Media, and more, and developed Cyborg C.O.R.E. This platform provides you with contextualized, enriched, and validated detection logic to detect even the stealthiest of adversaries. In all our content, we include full playbooks, mitigation recommendations, and more, to enable your analysts to quickly and efficiently review, respond, and react to any anomalous events in your environment.
To learn more about Cyborg and the C.O.R.E. platform, please contact us.