Threat Hunting: how to proactively uncover cyber threats?
Introduction
Threat Hunting is an activity whose name is often used, rightly or wrongly. The term is used, for example, when searching for simple Indicators of Compromise (IOCs) or during complex investigations. We're going to try and define what this activity is and how it is carried out at Thales for our customers.
Threat Hunting is a proactive digital search carried out by an investigator, with the aim of uncovering a potential compromise or anomaly in an information system.
In practical terms, this raises the question of what a manual search could possibly reveal on top of all the security solutions already in place in a company: XDR/EDR, antivirus, proxies and other automated security products, whose alerts, together with security and system audit logs, are already analysed by a 24/7 SOC analyst. What is the added value of this activity?
What we need to understand first: what is Threat Hunting?
What is Threat Hunting?
Threat Hunting is the process of proactively searching for unknown or undetected threats in an organization, whether through the investigation of workstations, network artifacts or security logs. There are two main types of operational Threat Hunting.
Unstructured: In this case, the person in charge of the hunt looks for an Indicator of Compromise (IOC). IOCs can be very varied: a cryptographic hash (file digest), an IP address, a domain name, or even file locations or names.
In all cases, the search begins with "an event" of which we are already aware. Since the time between the receipt of an IOC and a company's ability to use it can regularly exceed several days, the expert must be able to look for these indicators in the past.
For example, as soon as a phishing URL is received as an IOC, it is searched for over the last month, to determine whether a user has been impacted over this period and not just in the future. The difficulty is that such manual processing cannot be exhaustive, simply because of the volume of data. It is therefore important either to drastically reduce the scope of searches based on various criteria (such as the source of the IOC, its dangerousness, etc.), or to implement large-scale automation that processes everything automatically.
In the context of a phishing attack, there is typically a time gap between when a victim generates a request to an Indicator of Compromise (IOC), such as a domain, and when security teams become aware of it. To be effective, it is important to have the ability to retrospectively search for any new IOCs. However, this can be a challenge in terms of the sheer volume of data, which Security Information and Event Management (SIEM) systems alone may not be able to address.
In the next stage, to complete the hunt, if the team uncovers an event associated with a new IOC, further manual analyses will be required, building upon the initial discoveries. For instance, in the case of a phishing domain that a user has connected to, the next step could involve analysing the user's email inbox or workstation to determine the origin of this connection. This process of pivoting and investigating new discoveries will continue until the incident is fully resolved. This emphasizes the advantages of proactive, manual threat hunting, where the hunting team must reconstruct the attack pathway by leveraging all accessible information in an unstructured manner.
Structured: This type of Threat Hunting is based on the search for suspicious tactics, techniques, and procedures (TTPs), as indicators of potential threats. The person in charge of the Threat Hunting hypothesizes about a potential attacker's methods and works to identify traces of that attack. Because Structured Threat Hunting is a proactive approach, it can uncover attackers who may have slipped through existing security solutions.
Let's take the example of a structured search through the identification of malware using "User Agents". A "User Agent" is a string of characters inserted into each web request by the browser, historically allowing the web server to adapt the content based on the browser. Implementing this type of detection within a Cyber Security Operation Centre (CSOC) would trigger an alert for each unidentified or weakly identified User Agent detected by CSOC tools. However, the number of User Agents circulating within an information system is significant, making this type of detection challenging to implement.
A Threat Hunter's approach is more relevant: it assumes that the majority of the computer fleet is healthy and that only a few machines are compromised. These compromised machines can be identified by their "digital fingerprint," which is the User Agent. The Threat Hunter uses an EDR (Endpoint Detection and Response) solution to verify the legitimacy of the executables running on the computers that have generated network requests with these uncommon User Agents.
The ultimate goal is to uncover the deployment of a Remote Access Trojan (RAT), such as Cobalt Strike, which an automated detection system may not have discovered.
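The User Agent hunt described above can be reduced to a "stacking" exercise: count how many distinct hosts use each User Agent, treat the long tail as the digital fingerprint of a possibly compromised minority, and hand those hosts to the EDR for verification. The following Python is an added example and not Thales's tooling; the proxy log format, host names, URLs and User Agent strings are all constructed for the illustration, and the hypothetical threshold max_hosts is the hunter's choice of how rare a User Agent must be to be worth a look.

```python
"""Rare User-Agent hunt: stack User-Agent strings from proxy logs by the number of
distinct hosts that used them, then surface the long tail for EDR follow-up.

Added example, not Thales code. The log format and all values are constructed."""
from collections import defaultdict
import re

# Constructed proxy log: timestamp, client host, method, URL, quoted User-Agent.
CHROME = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
          '(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36')
FIREFOX = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
ODD = 'Mozilla/5.0 (Windows NT 6.1; WOW64)'  # constructed uncommon string, not a known signature

PROXY_LOG = "\n".join([
    f'2024-03-01T09:00:01Z ws-0101 GET https://intranet.example.local/ "{CHROME}"',
    f'2024-03-01T09:00:05Z ws-0102 GET https://intranet.example.local/ "{CHROME}"',
    f'2024-03-01T09:01:10Z ws-0103 GET https://www.example.com/ "{CHROME}"',
    f'2024-03-01T09:02:00Z ws-0104 GET https://www.example.com/ "{CHROME}"',
    f'2024-03-01T09:02:30Z ws-0105 GET https://www.example.com/ "{CHROME}"',
    f'2024-03-01T09:03:00Z ws-0101 POST https://www.example.com/api "{CHROME}"',
    f'2024-03-01T09:04:00Z ws-0106 GET https://www.example.com/ "{FIREFOX}"',
    f'2024-03-01T09:04:10Z ws-0107 GET https://www.example.com/ "{FIREFOX}"',
    f'2024-03-01T09:05:00Z ws-0103 GET http://cdn-update.example.net/ping "{ODD}"',
    f'2024-03-01T09:05:30Z ws-0103 POST http://cdn-update.example.net/submit "{ODD}"',
])

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def stack_user_agents(records):
    """Map each User-Agent to the set of distinct hosts that sent it."""
    hosts_by_ua = defaultdict(set)
    for record in records:
        hosts_by_ua[record["ua"]].add(record["host"])
    return hosts_by_ua


def rare_user_agents(records, max_hosts=1):
    """User-Agents seen on at most max_hosts machines, rarest first.

    The hypothesis is that the fleet is mostly healthy, so a string shared by
    almost nobody is worth verifying; the threshold is the hunter's decision."""
    hosts_by_ua = stack_user_agents(records)
    rare = [(ua, sorted(hosts)) for ua, hosts in hosts_by_ua.items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def edr_triage_list(records, max_hosts=1):
    """Hosts to verify in the EDR, with the rare User-Agents and URLs involved,
    so the analyst can check which executable produced those requests."""
    rare_uas = {ua for ua, _ in rare_user_agents(records, max_hosts)}
    triage = defaultdict(lambda: {"user_agents": set(), "urls": set()})
    for record in records:
        if record["ua"] in rare_uas:
            triage[record["host"]]["user_agents"].add(record["ua"])
            triage[record["host"]]["urls"].add(record["url"])
    return {host: {"user_agents": sorted(v["user_agents"]), "urls": sorted(v["urls"])}
            for host, v in triage.items()}


if __name__ == "__main__":
    recs = parse_proxy_log(PROXY_LOG)
    print(f"{len(recs)} requests, {len(stack_user_agents(recs))} distinct User-Agents")
    for host, details in edr_triage_list(recs).items():
        print(host, details)
```

In a real hunt the distinct-host count is normalised against the fleet size and the threshold is set so the review queue stays small; hosts on the list are confirmed or cleared in the EDR by looking at which process issued the request, which is the step the paragraph above describes.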
That said, Threat Hunting is not intended to replace existing detection tools or a CSOC. Instead, it serves as an additional layer of security, working in tandem with traditional detection techniques. Implementing Threat Hunting requires a certain level of maturity in terms of information system security. Moreover, it is a time-intensive activity. It acts as a complementary practice for incident management teams. The primary objective is to leverage the knowledge gained from previous incidents to uncover previously undetected threats.
Our response
Threat Hunting based on IOCs, or Retro Hunting, is directly integrated into our Thales CSOCs.
We have created a Passive DNS-based solution that allows us to generate alerts for network access activities occurring before the receipt of an Indicator of Compromise (IOC). This is achieved despite the large volume of data that needs to be processed. For every received domain, an alert is triggered as soon as an event is detected between the domain's initial usage and its appearance in our Threat Intelligence sources. Subsequently, a SOC analyst conducts a thorough investigation of this IOC in the SIEM or EDR system to confirm any potential compromise. This technique proves highly efficient in detecting phishing indicators since they are typically used only once.
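The retrospective IOC search described in the unstructured hunting section and the Passive DNS alerting described just above share one mechanism: for each domain received from Threat Intelligence, look for DNS queries that happened before the indicator was known, within a lookback window. The Python below is an added example and not the Thales solution; the passive DNS store, the Threat Intelligence feed, their CSV layouts, the host names and the domains are all constructed, and the hypothetical lookback_days parameter stands in for however far back an organisation retains DNS data.

```python
"""Retro-hunt: alert on passive DNS queries that predate the receipt of a domain IOC.

Added example, not Thales's Passive DNS solution. All records are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed passive DNS store: query time, client host, queried name.
PASSIVE_DNS = """\
ts,client,qname
2024-02-20T08:12:03Z,ws-0042,login-secure-mail.example.net
2024-02-20T08:12:05Z,ws-0042,cdn.example.org
2024-02-21T10:40:11Z,ws-0017,cdn.example.org
2024-02-27T09:15:42Z,ws-0088,www.login-secure-mail.example.net
2024-03-06T11:02:00Z,ws-0011,login-secure-mail.example.net
2024-01-10T12:00:00Z,ws-0005,old-c2.example.com
"""

# Constructed Threat Intelligence feed: domain IOC and the moment we received it.
TI_FEED = """\
domain,received_at,source
login-secure-mail.example.net,2024-03-05T16:00:00Z,phishing-feed
old-c2.example.com,2024-03-05T16:00:00Z,vendor-report
"""


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def matches_ioc(qname, ioc_domain):
    """True for the IOC domain itself or any subdomain of it."""
    qname = qname.lower().rstrip(".")
    ioc = ioc_domain.lower().rstrip(".")
    return qname == ioc or qname.endswith("." + ioc)


def retro_hunt(pdns_records, iocs, lookback_days=30):
    """Return one alert per DNS query that hit an IOC domain *before* the IOC
    arrived, limited to the lookback window. Queries made after receipt are
    left to the normal SIEM/EDR rules, which now know the indicator."""
    alerts = []
    for ioc in iocs:
        received_at = parse_ts(ioc["received_at"])
        window_start = received_at - timedelta(days=lookback_days)
        for record in pdns_records:
            ts = parse_ts(record["ts"])
            if not (window_start <= ts < received_at):
                continue
            if not matches_ioc(record["qname"], ioc["domain"]):
                continue
            alerts.append({
                "domain": ioc["domain"],
                "source": ioc["source"],
                "client": record["client"],
                "qname": record["qname"],
                "ts": record["ts"],
                "days_before_ioc": round((received_at - ts).total_seconds() / 86400, 1),
            })
    return sorted(alerts, key=lambda a: a["ts"])


def summarise(alerts):
    """Per IOC domain: earliest sighting and the clients to investigate in the SIEM/EDR."""
    summary = defaultdict(lambda: {"first_seen": None, "clients": set()})
    for alert in alerts:
        entry = summary[alert["domain"]]
        if entry["first_seen"] is None or alert["ts"] < entry["first_seen"]:
            entry["first_seen"] = alert["ts"]
        entry["clients"].add(alert["client"])
    return {d: {"first_seen": e["first_seen"], "clients": sorted(e["clients"])}
            for d, e in summary.items()}


if __name__ == "__main__":
    found = retro_hunt(parse_csv(PASSIVE_DNS), parse_csv(TI_FEED))
    for alert in found:
        print(alert)
    print(summarise(found))
```

Two of the constructed records deliberately fall outside the alerting window: the query from ws-0011 comes after the indicator was received, so the ordinary detection rules cover it, and the query to old-c2.example.com is older than the lookback window. Each alert that remains is a starting point for the pivoting described earlier (mailbox, workstation), not a confirmed compromise.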
In addition, we can set up a structured Threat Hunting program, called Sleuth Hunting.
We organize this activity around "HUNTs". A hunt is a detection recipe based on our knowledge of attackers' techniques, backed up by public or private reports, or incidents that we have dealt with in vivo. Hunts are carried out on a regular basis throughout the year with the aim of maximising the detection spectrum. The recurrence of this activity enables us to stay close to current cyber events, and we constantly adapt our hunts to recently discovered topics, for example by looking for connections made directly from certain perimeter devices, such as a firewall or VPN solution...
In all cases, a report is issued at the end of each month's hunt. It includes an explanation of the hunt carried out and the references that led to this choice of investigation, such as the activities of malicious groups or the latest trends. Finally, it contains details of the work carried out together with a conclusion. Depending on the findings, it may also contain suggestions for adapting use cases or improving security.
Conclusion
Threat Hunting is a crucial undertaking that helps identify alerts that went unnoticed. Moreover, our hunting activities enable the detection of unusual activities within the information system, such as "Shadow IT" or configuration discrepancies.
Additionally, Threat Hunting ensures that EDR logs and other logs are continuously collected, so that they are readily available in the event of an incident. Ultimately, Threat Hunting actively contributes to maintaining a healthy information system environment. Please feel free to reach out to our team for further information or to discuss the implementation of this service.