There is a major gap in today’s cyber security paradigm. Companies invest hundreds of thousands and even millions into security tools. Most traditional security tools fall into one of two categories: detection tools, which scan your systems for known threats, and response-based tools, which focus on removing threats once evidence of a breach has been identified.
Most companies have a slew of detection- and response-based tools. Many are even passing their compliance audits with flying colors. If existing tools and compliance protocols were enough, then breach detection wouldn’t be a problem. Yet, it is. In fact, it still takes the average company over 6 months to detect a breach.
The truth is that across industries, IT leaders lack an effective approach to answering the following question: how do you know if you’ve been breached right now?
In this article, we’ll walk you through the basics of threat hunting. When done properly, the right threat hunting program will not only answer this question, but also identify signs of a breach within hours or days. That way, you can put out your cyber fires early on, instead of allowing them to damage all of your systems.
Threat intelligence and threat hunting are two separate yet complementary security approaches. Threat intelligence involves collecting information on emerging or existing threat actors, often through threat intel feeds, while threat hunting is an active process of searching for malicious actors on a network. It focuses on identifying threats based on behavior rather than relying solely on patterns or known indicators. The goal is to shorten the time between a security breach and the response to minimize potential damage.
It's essential to establish clear boundaries for threat hunting to prevent scope creep. Threat hunting involves validating the integrity of every system connected to the network, which can be a complex task. By narrowly defining the threat hunting process, it can be more efficient and better integrate with other security disciplines, such as forensic analysis and incident response.
The main purpose of a robust threat hunting solution is to shorten breach detection times. The best threat hunting solutions detect breaches within hours, instead of the industry average of months. This prevents damage from spreading and ensures that your IT assets are safe.
Furthermore, the best threat hunting tools empower lean teams to do more with less. Leveraging new advances in automation, many threat hunting vendors can cut down on the total amount of time it takes IT and security staff to identify and thwart threats. A robust threat hunting tool will enable your junior staff members to perform advanced, senior-level tasks and cut down on the number of events that need to be reviewed. Instead of being numb from false positives and allowing a real threat to slip through, the entire team stays sharp because only true signals of concern are presented.
Finally, organizations have a variety of devices and systems. The best threat hunting tools are compatible across a wide array of devices – regardless of age or operating system.
Use the Real Intelligence Threat Analysis (RITA) framework to ingest Zeek logs and detect the earliest stages of a cyberattack.
Perform threat hunting across any network-connected device with AC-Hunter.
False positives can hinder the efficiency of threat hunting efforts. Understanding the different types of false positives and implementing effective strategies for handling them will significantly streamline your threat hunting process, allowing you to focus on genuine threats and keeping your network secure.
Some common false positives include beacons and strobes, long connections, threat intelligence and blacklisted IPs, DNS false positives, rare client signatures, and certificate issues. By recognizing these types of false positives and employing strategies such as whitelisting specific domains, benign signatures, or IP addresses, you can reduce the time spent on false leads and focus on genuine threats.
Whitelisting is a popular method for managing false positives, as it removes benign traffic from view while still allowing for analysis by your threat hunting software. Additionally, filtering traffic out from packet capture can save CPU time and reduce storage needs. Implementing these strategies will help you better manage and analyze your network traffic, improving the efficiency and effectiveness of your threat hunting efforts.
To prevent re-analyzing benign or grey traffic repeatedly, consider the following strategies, ranging from the safest (least likely to hide malicious traffic) to less safe approaches (may inadvertently hide malicious traffic).
– IP Pairs: Whitelist connections between two IP addresses, ideal for situations like primary and secondary database servers.
– Server IP: Whitelist a single host IP when multiple internal machines communicate with a single external system, such as an NTP server.
– Subnet of Servers: Whitelist an entire subnet when numerous servers are located in a data center.
– ASN: Whitelist an Autonomous System Number (ASN) to cover all the organization’s computers regardless of their location. Exercise caution when using this method and ensure you trust the organization.
– Client IP: Whitelist specific internal IP addresses with caution, as it may blind you to potential malicious traffic from that IP.
Keep in mind that proxies and cloud providers can complicate whitelisting efforts:
– Be cautious when working with proxy IP addresses. Whitelisting a proxy IP can inadvertently hide malicious traffic going through the proxy.
– Use subnet and ASN whitelisting sparingly with cloud providers. Whitelisting a block of cloud-hosted machines can increase the risk of overlooking malicious activity.
RITA, the open-source threat hunting tool, doesn’t have native whitelisting, but you can create a text file with IP addresses to exclude from RITA output. Use separate whitelist files for each module if desired.
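The whitelist-file approach and the rule scopes listed above can be sketched as a post-filter over exported results. This is an added example, not RITA's or AC-Hunter's own code: the `<kind> <value>` file format, the function names and all rows are constructed for illustration, and ASN rules are left out because they need an external IP-to-ASN dataset.

```python
import ipaddress
# Constructed whitelist file, safest rule kinds first; "<kind> <value>" is an assumed format.
WHITELIST_TEXT = """\
pair   10.0.0.5,10.0.0.6   # primary/secondary database servers
server 192.0.2.123         # external NTP server
subnet 198.51.100.0/24     # data-center servers
client 10.0.0.77           # least safe: hides everything this host does
"""
# Constructed rows shaped like beacon results: (source, destination, score).
ROWS = [
    ("10.0.0.5", "10.0.0.6", 0.98),
    ("10.0.0.21", "192.0.2.123", 0.95),
    ("10.0.0.22", "198.51.100.40", 0.91),
    ("10.0.0.77", "203.0.113.9", 0.99),
    ("10.0.0.23", "203.0.113.9", 0.97),
]

def parse_whitelist(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kind, value = line.split(None, 1)
        if kind == "pair":
            value = frozenset(ipaddress.ip_address(p.strip()) for p in value.split(","))
        elif kind == "subnet":
            value = ipaddress.ip_network(value)
        elif kind in ("server", "client"):
            value = ipaddress.ip_address(value)
        else:
            raise ValueError(f"unknown rule kind: {kind}")
        rules.append((kind, value))
    return rules

def matches(kind, value, src, dst):
    if kind == "pair":    # both endpoints must match, in either direction
        return frozenset((src, dst)) == value
    if kind == "subnet":  # destination inside the whitelisted block
        return dst in value
    return (dst if kind == "server" else src) == value

def apply_whitelist(rows, rules):
    kept, hidden = [], []
    for src, dst, score in rows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hit = next((k for k, v in rules if matches(k, v, s, d)), None)  # first matching rule kind
        (hidden if hit else kept).append((src, dst, score, hit))
    return kept, hidden
```

Keeping the hidden rows together with the rule kind that matched makes the broad rules auditable: here the `client` rule hides a 0.99-score row to 203.0.113.9, while the same destination contacted from 10.0.0.23 stays visible.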
Whitelisting has its downsides, such as the software still needing to process and analyze the traffic. In cases where you’re sure certain traffic types don’t warrant attention, you can filter them out from packet capture. This reduces processing and storage needs, freeing up CPU time for remaining traffic analysis. To implement this with Zeek, add a filter in a “zeekargs=” line in the zeekctl.cfg file.